audit_binfile - generation of Solaris audit logs
The audit_binfile plugin module for Solaris audit, /usr/lib/security/audit_binfile.so, writes binary audit data to files as configured in auditconfig(8); it is the default plugin for the Solaris audit daemon auditd(8). Its output is described by audit.log(5).
The audit_binfile plugin is loaded by auditd if the plugin is configured as an active via auditconfig . Use the auditconfig –setplugin option to change all the plugin related configuration parameters.
The following attributes specify the configuration of audit_binfile plugin:
A list of directories, where the audit files will be created. Any valid writable directory can be specified.
A percentage, which indicates the amount of free space required on the target p_dir. If free space falls below this threshold, the audit daemon auditd(8) invokes the shell script audit_warn(8). If no threshold is specified, the default is 1%.
The p_fsize attribute defines the maximum size that an audit file can become before it is automatically closed and a new audit file is opened. This is equivalent to an administrator issuing an audit -ncommand when the audit file size equals the value specified by the administrator. The default size is zero (0), which allows the file to grow without bound. The value specified must be higher than 500KB and lower than 16 exabytes (EB). The used file system might further lower the limits. The format of the p_fsize value can be specified as an exact value in bytes or in a human-readable form with a suffix of B, K, M, G, T, P, E, Z (for bytes, kilobytes, megabytes, gigabytes, terabytes, petabytes, exabytes, or zettabytes, respectively). Suffixes of KB, MB, GB, TB, PB, EB, and ZB are also accepted.
The p_age attribute defines the maximum length of time that an audit file will remain open before it is automatically closed and a new audit file is opened. This is equivalent to an administrator issuing an audit -n command when the audit file has been open for the configured length of time. The default time is zero(0) which allows the file to remain open until some other action causes it to be closed. The format of the p_age values can be specified in a form with a suffix specifying the units of time: h, d, w, m, y (hours, days, weeks, months (30d), years (365d)).
The p_flags attribute defines the set of audit classes which are to be audited. The syntax for specifying audit flags is explained in audit_flags(7). The default value for p_flags in the audit_binfile plugin is all.
The following directives cause audit_binfile.so to be loaded, specify the directories for writing audit logs, specify the percentage of required free space per directory, the maximum size of a log file, and the maximum age of a log file.
auditconfig -setplugin audit_binfile active \ "p_dir=/var/audit/jedgar/eggplant,/var/audit/jedgar.aux/eggplant, /var/audit/global/eggplant;p_minfree=20;p_fsize=4.5GB;p_age=1w"
See attributes(7) for a description of the following attributes: