AUDIT_WARN(8) Maintenance Commands and Procedures AUDIT_WARN(8)
NAME
audit_warn - audit daemon warning script
SYNOPSIS
/etc/security/audit_warn [option [arguments]]
DESCRIPTION
The audit_warn utility processes warning or error messages from the
audit daemon. When a problem is encountered, the audit daemon,
auditd(8), calls audit_warn with the appropriate arguments. The option
argument specifies the error type.

The system administrator can specify a list of mail recipients to be
notified when an audit_warn situation arises by defining a mail alias
called audit_warn in aliases(5). The users that make up the audit_warn
alias are typically the audit and root users.
OPTIONS
The following options are supported:
allhard count
    Indicates that the hard limit for all filesystems has been
    exceeded count times. The default action for this option is to
    send mail to the audit_warn alias only if the count is 1, and to
    write a message to the machine console every time. It is
    recommended that mail not be sent every time as this could result
    in the saturation of the file system that contains the mail
    spool directory.
allsoft
    Indicates that the soft limit for all filesystems has been
    exceeded. The default action for this option is to send mail to
    the audit_warn alias and to write a message to the machine
    console.
auditoff
    Indicates that someone other than the audit daemon changed the
    system audit state to something other than AUC_AUDITING. The
    audit daemon will have exited in this case. The default action
    for this option is to send mail to the audit_warn alias and to
    write a message to the machine console.
hard filename
    Indicates that the hard limit for the file has been exceeded. The
    default action for this option is to send mail to the audit_warn
    alias and to write a message to the machine console.
nostart
    Indicates that auditing could not be started. The default action
    for this option is to send mail to the audit_warn alias and to
    write a message to the machine console. Some administrators may
    prefer to modify audit_warn to reboot the system when this error
    occurs.
plugin name error count text
    Indicates that an error occurred during execution of the auditd
    plugin name. The default action for this option is to send mail
    to the audit_warn alias only if count is 1, and to write a
    message to the machine console every time. (Separate counts are
    kept for each error type.) It is recommended that mail not be
    sent every time as this could result in the saturation of the
    file system that contains the mail spool directory. The text
    field provides the detailed error message passed from the plugin.
    The error field is one of the following strings:

    load_error
        Unable to load the plugin name.
    sys_error
        The plugin name is not executing due to a system error such
        as a lack of resources.
    config_error
        No plugins loaded (including the binary file plugin,
        audit_binfile(7)) due to configuration errors. The name
        string is -- to indicate that no plugin name applies.
    retry
        The plugin name reports it has encountered a temporary
        failure.
    no_memory
        The plugin name reports a failure due to lack of memory.
    invalid
        The plugin name reports it received an invalid input.
    failure
        The plugin name has reported an error as described in text.
soft filename
    Indicates that the soft limit for filename has been exceeded. The
    default action for this option is to send mail to the audit_warn
    alias and to write a message to the machine console.
tmpfile
    Indicates that there was a problem creating a symlink from
    /var/run/.audit.log to the current audit log file.
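
The default actions listed above, written out as a decision function. This is an added example, not the contents of the shipped /etc/security/audit_warn; the function names, the output format, the mail-and-console action for tmpfile, and the stripping of control characters from the name, filename and text arguments are assumptions of the example.

```shell
#!/bin/sh
# Added example: decide what one auditd call to audit_warn should trigger.
# audit_warn_plan prints "<actions>|<message>"; it sends nothing itself.

# is_count: true when $1 is a positive decimal integer
is_count() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ]
}

# first_only: mail on the first occurrence only, console every time
first_only() {
    if [ "$1" -eq 1 ]; then echo "mail console"; else echo "console"; fi
}

# clean: strip control characters from text that auditd passes through
clean() { printf '%s' "$1" | tr -d '\001-\037\177'; }

audit_warn_plan() {
    opt=$1
    [ $# -gt 0 ] && shift
    actions="mail console"
    case $opt in
    allhard)
        is_count "$1" || { echo "reject|allhard: bad count"; return 1; }
        actions=$(first_only "$1")
        msg="hard limit exceeded on all filesystems ($1 times)" ;;
    allsoft)  msg="soft limit exceeded on all filesystems" ;;
    auditoff) msg="audit state changed, auditd has exited" ;;
    hard|soft) msg="$opt limit exceeded for $(clean "$1")" ;;
    nostart)  msg="auditing could not be started" ;;
    # The page states no default action for tmpfile; mail+console is assumed.
    tmpfile)  msg="could not link /var/run/.audit.log to the audit log" ;;
    plugin)   # arguments: name error count text
        case $2 in
        load_error|sys_error|config_error|retry|no_memory|invalid|failure) ;;
        *) echo "reject|plugin: unknown error type"; return 1 ;;
        esac
        is_count "$3" || { echo "reject|plugin: bad count"; return 1; }
        actions=$(first_only "$3")
        msg="plugin $(clean "$1") $2 ($3 times): $(clean "$4")" ;;
    *)  echo "reject|unknown option"; return 1 ;;
    esac
    printf '%s|%s\n' "$actions" "$msg"
}
```

A wrapper would read the part before the "|" and mail the audit_warn alias or write to the console accordingly; rejected calls are better logged than mailed, for the same mail spool reason given under allhard.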
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Evolving |
+--------------------+-----------------+
The interface stability is evolving. The file content is unstable.
SEE ALSO
aliases(5), audit.log(5), attributes(7), audit(8), auditd(8)
NOTES
If the audit policy perzone is set, the /etc/security/audit_warn script
for the local zone is used for notifications from the local zone's
instance of auditd. If the perzone policy is not set, all auditd errors
are generated by the global zone's copy of /etc/security/audit_warn.
May 21, 2022 AUDIT_WARN(8)