'\" te
.\" Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
.TH audit_warn 1M "3 May 2012" "SunOS 5.11" "System Administration Commands"
.SH NAME
audit_warn \- audit service warning script
.SH SYNOPSIS
.LP
.nf
\fB/etc/security/audit_warn\fR \fIoption\fR [\fIarguments\fR]
.fi
.SH DESCRIPTION
.sp
.LP
The \fBaudit_warn\fR script processes warning and error messages from the audit service. When a problem is encountered, the audit service calls \fBaudit_warn\fR with the appropriate arguments. The option argument specifies the type of problem.
.sp
.LP
The system administrator can specify a list of mail recipients to be notified when an \fBaudit_warn\fR situation arises by defining a mail alias called \fBaudit_warn\fR in \fBaliases\fR(4). The users that make up the \fBaudit_warn\fR alias are typically the \fBaudit\fR and \fBroot\fR users.
.sp
.LP
The default action is to send mail to the \fBaudit_warn\fR alias and send the mail message to syslog with a \fBdaemon.alert\fR priority.
.sp
.LP
The system administrator can customize the \fBaudit_warn\fR script for the site's specific needs. Care should be taken when updating to a new release to resolve any changes in the release.
.SH OPTIONS
.sp
.LP
The following options are supported:
.sp
.ne 2
.mk
.na
\fB\fBallhard\fR \fIcount\fR\fR
.ad
.sp .6
.RS 4n
Indicates that the hard limit for all \fBaudit_binfile\fR(5) directory filesystems has been exceeded \fIcount\fR times. To avoid filling the mail spool directory, mail is sent only if the count is \fB1\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBallsoft\fR\fR
.ad
.sp .6
.RS 4n
Indicates that the soft limit for all \fBaudit_binfile\fR(5) directory filesystems has been exceeded.
.RE
.sp
.ne 2
.mk
.na
\fB\fBars message\fR\fR
.ad
.sp .6
.RS 4n
Indicates that the Audit Remote Server experienced an error.
.RE
.sp
.ne 2
.mk
.na
\fB\fBauditoff\fR\fR
.ad
.sp .6
.RS 4n
Indicates that the kernel audit subsystem has failed while the audit service is running.
The audit service exits in this case.
.RE
.sp
.ne 2
.mk
.na
\fB\fBconfig message\fR\fR
.ad
.sp .6
.RS 4n
Indicates the audit service detected a configuration error.
.RE
.sp
.ne 2
.mk
.na
\fB\fBhard\fR \fIdirectory\fR\fR
.ad
.sp .6
.RS 4n
Indicates that the hard limit for the \fBaudit_binfile\fR(5) directory filesystem has been exceeded.
.RE
.sp
.ne 2
.mk
.na
\fB\fBhostname\fR\fR
.ad
.sp .6
.RS 4n
Indicates that the audit service could not find an IP address to associate with the local hostname. It has fallen back to using the "loopback" address. Audit trail translation tools might not translate the hostname properly. See \fB/var/audit/debug\fR for more information. The audit service can be refreshed (\fBaudit\fR \fB-s\fR) to retry to find an IP address.
.RE
.sp
.ne 2
.mk
.na
\fB\fBnostart\fR\fR
.ad
.sp .6
.RS 4n
Indicates that auditing could not be started because the audit subsystem system calls are reporting failure.
.RE
.sp
.ne 2
.mk
.na
\fB\fBplugin\fR \fIname\fR \fIerror\fR \fIcount\fR \fItext\fR\fR
.ad
.sp .6
.RS 4n
Indicates that an error occurred during execution of the audit service plugin \fIname\fR. To avoid filling the mail spool directory, mail is sent only if the count is \fB1\fR. A separate count is kept for each error type. The \fItext\fR field provides the detailed error message passed from the plug-in. The \fIerror\fR field is one of the following strings:
.sp
.ne 2
.mk
.na
\fB\fBload_error\fR\fR
.ad
.sp .6
.RS 4n
Unable to load the plugin \fIname\fR.
.RE
.sp
.ne 2
.mk
.na
\fB\fBsys_error\fR\fR
.ad
.sp .6
.RS 4n
The plugin \fIname\fR is not executing due to a system error such as a lack of resources.
.RE
.sp
.ne 2
.mk
.na
\fB\fBconfig_error\fR\fR
.ad
.sp .6
.RS 4n
No plug-ins loaded (including the binary file plug-in, \fBaudit_binfile\fR(5)) due to configuration errors (see the \fB-setplugin\fR option of the \fBauditconfig\fR(1M) command). The name string is \fB--\fR, to indicate that no plug-in name applies.
.RE
.sp
.ne 2
.mk
.na
\fB\fBretry\fR\fR
.ad
.sp .6
.RS 4n
The plugin \fIname\fR reports it has encountered a temporary failure. For example, the \fBaudit_binfree.so\fR plugin uses \fBretry\fR to indicate that all directories are full.
.RE
.sp
.ne 2
.mk
.na
\fB\fBno_memory\fR\fR
.ad
.sp .6
.RS 4n
The plugin \fIname\fR reports a failure due to lack of memory.
.RE
.sp
.ne 2
.mk
.na
\fB\fBinvalid\fR\fR
.ad
.sp .6
.RS 4n
The plugin \fIname\fR reports it received an invalid input.
.RE
.sp
.ne 2
.mk
.na
\fB\fBfailure\fR\fR
.ad
.sp .6
.RS 4n
The plugin \fIname\fR has reported an error as described in \fItext\fR.
.RE
.RE
.sp
.ne 2
.mk
.na
\fB\fBsoft\fR \fIdirectory\fR\fR
.ad
.sp .6
.RS 4n
Indicates that the soft limit for the \fBaudit_binfile\fR(5) directory filesystem has been exceeded.
.RE
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
.sp
.TS
tab(@) box;
cw(2.75i) |cw(2.75i)
lw(2.75i) |lw(2.75i)
.
ATTRIBUTE TYPE@ATTRIBUTE VALUE
_
Availability@system/core-os
_
Interface Stability@See below
.TE
.sp
.LP
The command is Committed. The script content is Uncommitted. The presence and contents of \fB/var/audit/debug\fR is Not-an-Interface. The syslog and mail output is Not-an-Interface.
.SH SEE ALSO
.sp
.LP
\fBlogger\fR(1), \fBmailx\fR(1), \fBaudit\fR(1M), \fBauditconfig\fR(1M), \fBauditd\fR(1M), \fBaliases\fR(4), \fBaudit.log\fR(4), \fBsyslog.conf\fR(4), \fBattributes\fR(5), \fBaudit_binfile\fR(5)
.sp
.LP
See the section on Auditing in \fISecuring Systems and Attached Devices in Oracle Solaris 11.3\fR.
.SH NOTES
.sp
.LP
This functionality is available only when the audit service is enabled.
.sp
.LP
Hard and soft limits deal with the list of \fBaudit_binfile\fR(5) and Audit Remote Server directories and the configured free space. When the currently active directory is filled beyond the configured free space, a "soft" limit is reached and the next directory in the list is tried.
When the currently active directory space is exhausted a "hard" limit is reached and the next directory in the list is tried.
.sp
.LP
See the pkg(5) man page (not a SunOS page) for guidance on resolving changes across release updates.
.sp
.LP
If the \fBperzone\fR audit policy is set or \fBperzone\fR is not set and the Audit Remote Server is enabled, the \fB/etc/security/audit_warn\fR script for the local zone is used for notifications from the local zone's instance of the audit service. If the \fBperzone\fR policy is not set and Audit Remote Server is not enabled in the local zone, all audit service errors are generated by the global zone's copy of \fB/etc/security/audit_warn\fR.
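.sp
.LP
The option handling described under OPTIONS, written as shell functions that a site-customized handler could build on. This is an added example, not Oracle's \fBaudit_warn\fR script: the function names and message wording are assumptions, while the option names, error strings, the count-is-1 mail rule and the \fBdaemon.alert\fR priority come from this page.

```shell
# Added example, not Oracle's /etc/security/audit_warn. Option names and
# argument order follow OPTIONS; function names and wording are assumed.

is_count() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Replace non-printable bytes so free-text arguments cannot inject
# extra lines into syslog or mail.
clean() { printf '%s' "$*" | tr -c '[:print:]' '?'; }

# Print the one-line message for an invocation; return 1 for any option,
# error string or count the page does not define.
warn_message() {
    opt=$1
    case "$opt" in
        allsoft|auditoff|hostname|nostart)
            [ $# -eq 1 ] || return 1
            printf 'audit_warn: %s\n' "$opt" ;;
        allhard)
            [ $# -eq 2 ] && is_count "$2" || return 1
            printf 'audit_warn: allhard count=%s\n' "$2" ;;
        hard|soft)
            [ $# -eq 2 ] || return 1
            printf 'audit_warn: %s directory=%s\n' "$opt" "$(clean "$2")" ;;
        ars|config)
            [ $# -ge 2 ] || return 1
            shift; printf 'audit_warn: %s message=%s\n' "$opt" "$(clean "$*")" ;;
        plugin)
            [ $# -ge 4 ] && is_count "$4" || return 1
            case "$3" in
                load_error|sys_error|config_error|retry|no_memory|invalid|failure) ;;
                *) return 1 ;;
            esac
            name=$(clean "$2") err=$3 cnt=$4; shift 4
            printf 'audit_warn: plugin name=%s error=%s count=%s text=%s\n' \
                "$name" "$err" "$cnt" "$(clean "$*")" ;;
        *) return 1 ;;
    esac
}

# Throttle from the page: allhard and plugin mail only when count is 1.
should_mail() { case "$1" in allhard) [ "$2" = 1 ] ;; plugin) [ "$4" = 1 ] ;; esac; }

# Default action: syslog at daemon.alert, mail to the audit_warn alias.
audit_warn_handle() {
    msg=$(warn_message "$@") || return 1
    logger -p daemon.alert "$msg"
    if should_mail "$@"; then printf '%s\n' "$msg" | mailx -s "$msg" audit_warn; fi
}
```

Nothing runs until \fBaudit_warn_handle\fR is called with the arguments the audit service passed; invocations that do not match a documented option are rejected before anything is logged or mailed.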