audit_warn - audit service warning script
/etc/security/audit_warn option [arguments]
The audit_warn script processes warning and error messages from the audit service. When a problem is encountered, for example, during startup, configuration, processing, or shutdown, the audit service calls audit_warn with the appropriate arguments. The option argument specifies the type of problem.
The system administrator can specify a list of mail recipients to be notified when an audit_warn situation arises by defining a mail alias called audit_warn in aliases(5). The users that make up the audit_warn alias are typically the audit and root users.
The default action is to send mail to the audit_warn alias and send the mail message to syslog with a daemon.alert priority.
The system administrator can customize the audit_warn script for the site's specific needs. Care should be taken when updating to a new release to resolve any changes in the release.
The following options are supported:
Indicates that the hard limit for all audit_binfile(7) directory filesystems has been exceeded count times. To avoid filling the mail spool directory, mail is sent only if the count is 1.
Indicates that the soft limit for all audit_binfile(7) directory filesystems has been exceeded.
Indicates that the Audit Remote Server experienced an error.
Indicates that the kernel audit subsystem has failed while the audit service is running. The audit service exits in this case.
Indicates the audit service detected a configuration error.
Indicates that the hard limit for the audit_binfile(7) directory filesystem has been exceeded.
Indicates that the audit service could not find an IP address to associate with the local hostname. It has fallen back to using the “loopback” address. Audit trail translation tools might not translate the hostname properly. The audit service can be refreshed (audit –s) to retry to find an IP address.
Indicates that auditing could not be started because the audit subsystem system calls are reporting failure.
Indicates that an error occurred during execution of the audit service plugin name. To avoid filling the mail spool directory, mail is sent only if the count is 1. A separate count is kept for each error type. The text field provides the detailed error message passed from the plug-in. The error field is one of the following strings:
Unable to load the plugin name.
The plugin name is not executing due to a system error such as a lack of resources.
No plug-ins loaded (including the binary file plug-in, audit_binfile(7)) due to configuration errors (see the –setplugin option of the auditconfig(8) command). The name string is --, to indicate that no plug-in name applies.
The plugin name reports it has encountered a temporary failure. For example, the audit_binfree.so plugin uses retry to indicate that all directories are full.
The plugin name reports a failure due to lack of memory.
The plugin name reports it received an invalid input.
The plugin name has reported an error as described in text.
Indicates that the soft limit for the audit_binfile(7) directory filesystem has been exceeded.
See attributes(7) for descriptions of the following attributes:
The command is Committed. The script content is Uncommitted. The presence and contents of /var/audit/debug is Not-an-Interface. The syslog and mail output is Not-an-Interface.
This functionality is available only when the audit service is enabled.
Hard and soft limits deal with the list of audit_binfile(7) and Audit Remote Server directories and the configured free space. When the currently active directory is filled beyond the configured free space, a “soft” limit is reached and the next directory in the list is tried. When the currently active directory space is exhausted a “hard” limit is reached and the next directory in the list is tried.
See the pkg(7) man page (not an Oracle Solaris page) for guidance on resolving changes across release updates.
If the perzone audit policy is set or perzone is not set and the Audit Remote Server is enabled, the /etc/security/audit_warn script for the local zone is used for notifications from the local zone's instance of the audit service. If the perzone policy is not set and Audit Remote Server is not enabled in the local zone, all audit service errors are generated by the global zone's copy of /etc/security/audit_warn.