audit_warn - audit daemon warning script
/etc/security/audit_warn [option [arguments]]
The audit_warn utility processes warning or error messages
from the audit daemon. When a problem is encountered, the audit daemon,
auditd(8), calls audit_warn with the appropriate arguments. The
option argument specifies the error type.
The system administrator can specify a list of mail recipients to
be notified when an audit_warn situation arises by defining a mail alias
called audit_warn in aliases(5). The users that make up the
audit_warn alias are typically the audit and root
users.
The following options are supported:
allhard count
Indicates that the hard limit for all filesystems has
been exceeded count times. The default action for this option is to
send mail to the audit_warn alias only if the count is 1,
and to write a message to the machine console every time. It is recommended
that mail not be sent every time as this could result in the
saturation of the file system that contains the mail spool directory.
allsoft
Indicates that the soft limit for all filesystems has
been exceeded. The default action for this option is to send mail to the
audit_warn alias and to write a message to the machine console.
auditoff
Indicates that someone other than the audit daemon
changed the system audit state to something other than
AUC_AUDITING. The audit daemon will have exited in this
case. The default action for this option is to send mail to the
audit_warn alias and to write a message to the machine console.
hard filename
Indicates that the hard limit for the file has been
exceeded. The default action for this option is to send mail to the
audit_warn alias and to write a message to the machine console.
nostart
Indicates that auditing could not be started. The default
action for this option is to send mail to the audit_warn alias and to
write a message to the machine console. Some administrators may prefer to
modify audit_warn to reboot the system when this error occurs.
plugin name error count text
Indicates that an error occurred during execution of the
auditd plugin name. The default action for this option is to
send mail to the audit_warn alias only if count is 1, and to
write a message to the machine console every time. (Separate counts are kept
for each error type.) It is recommended that mail not be sent every time as
this could result in the saturation of the file system that contains the mail
spool directory. The text field provides the detailed error message
passed from the plugin. The error field is one of the following
strings:
load_error
Unable to load the plugin name.
sys_error
The plugin name is not executing due to a system
error such as a lack of resources.
config_error
No plugins loaded (including the binary file plugin,
audit_binfile(7)) due to configuration errors. The name string is
-- to indicate that no plugin name applies.
retry
The plugin name reports it has encountered a
temporary failure.
no_memory
The plugin name reports a failure due to lack of
memory.
invalid
The plugin name reports it received an invalid
input.
failure
The plugin name has reported an error as described
in text.
soft filename
Indicates that the soft limit for filename has
been exceeded. The default action for this option is to send mail to the
audit_warn alias and to write a message to the machine console.
tmpfile
Indicates that there was a problem creating a symlink
from /var/run/.audit.log to the current audit log file.
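The default actions listed above, written as a dispatch function. This is an added example, not the shipped /etc/security/audit_warn; the function names and the invalid, unknown and unspecified results are assumptions of the sketch. It checks count and error before acting, because the arguments arrive from auditd and its plugins and should be handled as data.

```shell
#!/bin/sh
# Added sketch: prints the default actions the page documents per option.
# Function names and the invalid/unknown/unspecified results are assumptions.

is_count() {
    # Accept only a decimal integer >= 1.
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) [ "$1" -ge 1 ] ;;
    esac
}

is_plugin_error() {
    # The error strings listed for the plugin option.
    case "$1" in
        load_error|sys_error|config_error|retry|no_memory|invalid|failure) return 0 ;;
        *) return 1 ;;
    esac
}

decide_actions() {
    case "$1" in
        allhard)
            # allhard count: mail on the first occurrence only, console always.
            is_count "$2" || { echo invalid; return 1; }
            if [ "$2" -eq 1 ]; then echo "mail console"; else echo "console"; fi ;;
        plugin)
            # plugin name error count text: same mail throttle as allhard.
            is_plugin_error "$3" && is_count "$4" || { echo invalid; return 1; }
            if [ "$4" -eq 1 ]; then echo "mail console"; else echo "console"; fi ;;
        hard|soft)
            # hard filename / soft filename: a filename argument is required.
            [ -n "$2" ] || { echo invalid; return 1; }
            echo "mail console" ;;
        allsoft|auditoff|nostart)
            echo "mail console" ;;
        tmpfile)
            # The page states no default action for tmpfile.
            echo unspecified ;;
        *)
            echo unknown; return 1 ;;
    esac
}

# Allow direct invocation: sh thisfile allhard 1
if [ $# -gt 0 ]; then decide_actions "$@"; fi
```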
See attributes(7) for descriptions of the following
attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
Interface Stability | Evolving
The interface stability is evolving. The file content is
unstable.
If the audit policy perzone is set, the
/etc/security/audit_warn script for the local zone is used for
notifications from the local zone's instance of auditd. If the
perzone policy is not set, all auditd errors are generated by
the global zone's copy of /etc/security/audit_warn.