
man pages section 8: System Administration Commands


Updated: Wednesday, July 27, 2022
 
 

audit_warn(8)

Name

audit_warn - audit service warning script

Synopsis

/etc/security/audit_warn option [arguments]

Description

The audit_warn script processes warning and error messages from the audit service. When a problem is encountered, for example, during startup, configuration, processing, or shutdown, the audit service calls audit_warn with the appropriate arguments. The option argument specifies the type of problem.

The system administrator can specify a list of mail recipients to be notified when an audit_warn situation arises by defining a mail alias called audit_warn in aliases(5). The users that make up the audit_warn alias are typically the audit and root users.

The default action is to send mail to the audit_warn alias and send the mail message to syslog with a daemon.alert priority.

The system administrator can customize the audit_warn script for the site's specific needs. Care should be taken when updating to a new release to resolve any changes in the release.

Options

The following options are supported:

allhard count

Indicates that the hard limit for all audit_binfile(7) directory filesystems has been exceeded count times. To avoid filling the mail spool directory, mail is sent only if the count is 1.

allsoft

Indicates that the soft limit for all audit_binfile(7) directory filesystems has been exceeded.

ars message

Indicates that the Audit Remote Server experienced an error.

auditoff

Indicates that the kernel audit subsystem has failed while the audit service is running. The audit service exits in this case.

config message

Indicates the audit service detected a configuration error.

hard directory

Indicates that the hard limit for the audit_binfile(7) directory filesystem has been exceeded.

hostname

Indicates that the audit service could not find an IP address to associate with the local hostname. It has fallen back to using the “loopback” address. Audit trail translation tools might not translate the hostname properly. The audit service can be refreshed (audit -s) to retry finding an IP address.

nostart

Indicates that auditing could not be started because the audit subsystem system calls are reporting failure.

plugin name error count text

Indicates that an error occurred during execution of the audit service plugin name. To avoid filling the mail spool directory, mail is sent only if the count is 1. A separate count is kept for each error type. The text field provides the detailed error message passed from the plug-in. The error field is one of the following strings:

load_error

Unable to load the plugin name.

sys_error

The plugin name is not executing due to a system error such as a lack of resources.

config_error

No plug-ins loaded (including the binary file plug-in, audit_binfile(7)) due to configuration errors (see the -setplugin option of the auditconfig(8) command). The name string is --, to indicate that no plug-in name applies.

retry

The plugin name reports it has encountered a temporary failure. For example, the audit_binfile.so plugin uses retry to indicate that all directories are full.

no_memory

The plugin name reports a failure due to lack of memory.

invalid

The plugin name reports it received an invalid input.

failure

The plugin name has reported an error as described in text.

soft directory

Indicates that the soft limit for the audit_binfile(7) directory filesystem has been exceeded.
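The option list above maps directly onto argument handling in a site-customized script. The following is an added example, not the audit_warn script shipped with the system: the function names warn_wants_mail, warn_message and warn_deliver are hypothetical, and it assumes that syslog is always written at daemon.alert while mail follows the count rule given for allhard and plugin.

```shell
#!/bin/sh
# Added example, not Oracle's shipped audit_warn. Function names are hypothetical.

# Mail policy from the option list: allhard and plugin mail only when count is 1.
warn_wants_mail() {
    case "$1" in
        allhard) [ "${2:-}" = 1 ] ;;
        plugin)  [ "${4:-}" = 1 ] ;;      # plugin name error count text
        *)       return 0 ;;
    esac
}

# Turn "option [arguments]" into one message line; return 2 on anything
# the man page does not list, so malformed calls are not silently accepted.
warn_message() {
    opt=${1:-}
    case "$opt" in
        allhard)    [ -n "${2:-}" ] || return 2
                    echo "hard limit exceeded on all audit directories, count $2" ;;
        allsoft)    echo "soft limit exceeded on all audit directories" ;;
        hard|soft)  [ -n "${2:-}" ] || return 2
                    echo "$opt limit exceeded on $2" ;;
        ars|config) shift; echo "$opt error: $*" ;;
        auditoff)   echo "kernel audit subsystem failed; audit service exiting" ;;
        hostname)   echo "no IP address for local hostname; using loopback" ;;
        nostart)    echo "auditing could not be started" ;;
        plugin)     [ $# -ge 4 ] || return 2
                    case "$3" in
                        load_error|sys_error|config_error|retry|no_memory|invalid|failure) ;;
                        *) return 2 ;;
                    esac
                    name=$2 err=$3 count=$4; shift 4
                    echo "plugin $name $err, count $count: $*" ;;
        *)          return 2 ;;
    esac
}

# Deliver: always syslog at daemon.alert (assumed), mail only when policy allows.
warn_deliver() {
    msg=$(warn_message "$@") || {
        logger -p daemon.alert "audit_warn: unrecognized arguments: $*"; return 2; }
    logger -p daemon.alert "audit_warn: $msg"
    if warn_wants_mail "$@"; then
        echo "$msg" | mailx -s "audit_warn: $1" audit_warn
    fi
}

# Invoked as a script with arguments: act on them. With no arguments: do nothing.
[ $# -eq 0 ] || warn_deliver "$@"
```

Rejecting unlisted options and unknown plugin error strings with a logged alert keeps a malformed or unexpected invocation visible instead of dropping it.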

Files

/var/adm/messages

Additional information.

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE         ATTRIBUTE VALUE
Availability           system/core-os
Interface Stability    See below

The command is Committed. The script content is Uncommitted. The presence and contents of /var/audit/debug are Not-an-Interface. The syslog and mail output is Not-an-Interface.

See Also

logger(1), mailx(1), aliases(5), audit.log(5), syslog.conf(5), attributes(7), audit_binfile(7), audit(8), auditconfig(8), auditd(8)

Notes

This functionality is available only when the audit service is enabled.

Hard and soft limits deal with the list of audit_binfile(7) and Audit Remote Server directories and the configured free space. When the currently active directory is filled beyond the configured free space, a “soft” limit is reached and the next directory in the list is tried. When the currently active directory space is exhausted, a “hard” limit is reached and the next directory in the list is tried.

See the pkg(7) man page for guidance on resolving changes across release updates.

If the perzone audit policy is set or perzone is not set and the Audit Remote Server is enabled, the /etc/security/audit_warn script for the local zone is used for notifications from the local zone's instance of the audit service. If the perzone policy is not set and Audit Remote Server is not enabled in the local zone, all audit service errors are generated by the global zone's copy of /etc/security/audit_warn.