NAME

audit_warn - Script activating warning messages from the audit daemon

SYNOPSIS

/etc/security/audit_warn [ option [ arguments ] ]

AVAILABILITY

SUNWcsu

DESCRIPTION

The audit_warn script processes warning or error messages from the audit daemon. When a problem is encountered, the audit daemon, auditd(1MTSOL), calls audit_warn with the appropriate arguments. The option argument specifies the error type.

By defining a mail alias called audit_warn in aliases(4), the system administrator can specify a list of mail recipients to be notified when an audit-warning situation arises. The users that make up the audit_warn alias are typically the audit and root users.

OPTIONS

allhard count

Indicates that the hard limit for all file systems has been exceeded count times. The default action for this option is to send mail to the audit_warn alias only if the count is 1 ,and to write a message to the machine console every time. It is recommended that mail not be sent every time to avoid saturation of the file system that contains the mail spool directory.

allsoft

Indicates that the soft limit for all file systems has been exceeded. The default action for this option is to send mail to the audit_warn alias and to write a message to the machine console.

auditoff

Indicates that someone other than the audit daemon changed the system audit state to something other than AUC_AUDITING . The audit daemon will have exited in this case. The default action for this option is to send mail to the audit_warn alias and to write a message to the machine console.

ebusy

Indicates that the audit daemon is already running. The default action for this option is to send mail to the audit_warn alias and to write a message to the machine console.

getacdir count

Indicates that there is a problem getting the directory list from audit_control(4TSOL). The audit daemon will sleep until the file is fixed. The default action for this option is to send mail to the audit_warn alias only if count is 1 ,and to write a message to the machine console every time. It is recommended that mail not be sent every time to avoid saturation of the file system that contains the mail spool directory.

hard filename

Indicates that the hard limit for the file has been exceeded. The default action for this option is to send mail to the audit_warn alias and to write a message to the machine console.

nostart

Indicates that auditing could not be started. The default action for this option is to send mail to the audit_warn alias and to write a message to the machine console. Some administrators may prefer to modify audit_warn to reboot the system when this error occurs.

postsigterm

Indicates that an error occurred during the orderly shutdown of the

audit daemon. The default action for this option is to send mail to the audit_warn alias and to write a message to the machine console.

soft filename

Indicates that the soft limit for filename has been exceeded. The default action for this option is to send mail to the audit_warn alias and to write a message to the machine console.

tmpfile

Indicates that the temporary audit file already exists indicating a fatal error. The default action for this option is to send mail to the audit_warn alias and to write a message to the machine console.

SUMMARY OF TRUSTED

By default, the audit module is enabled in the Trusted Solaris environment. By default, the machine halts when audit files run out of disk space. The Trusted Solaris environment adds programming interfaces, audit classes, and audit events.

SOLARIS CHANGES

SEE ALSO

audit(1MTSOL), auditd(1MTSOL), aliases(4), audit.log(4TSOL), audit_control(4TSOL), Trusted Solaris Audit Administration Manual

NOTES

This functionality is active only if the audit module has been enabled. This functionality is active only if the audit module has been enabled. By default, auditing is enabled in the Trusted Solaris environment. See Trusted Solaris Audit Administration Manual for how to disable and enable auditing.