The audit_binfile plugin module for Solaris audit, /usr/lib/security/audit_binfile.so, writes binary audit data to files as configured in audit_control(4); it is the default plugin for the Solaris audit daemon auditd(1M). Its output is described by audit.log(4).
The audit_binfile plugin is loaded by auditd if audit_control contains one or more lines defining audit directories by means of the dir: specification or if audit_control has a plugin: specification of name=audit_binfile.so.
The p_dir and p_minfree attributes are equivalent to the dir: and minfree: lines described in audit_control. If both the dir: line and the p_dir attribute are used, the plugin combines all directories into a single list with those specified by means of dir: at the front of the list. If both the minfree and the p_minfree attributes are given, the p_minfree value is used.
The p_fsize attribute defines the maximum size in bytes that an audit file can become before it is automatically closed and a new audit file opened. This is equivalent to an administrator issuing an audit -n command when the audit file contains the specified number of bytes. The default size is zero (0), which allows the file to grow without bound. The value specified must be within the range of [512,000, 2,147,483,647].
The following directives cause audit_binfile.so to be loaded, specify the directories for writing audit logs, and specify the percentage of required free space per directory.
flags: lo,ad,-fm naflags: lo,ad plugin: name=audit_binfile.so;\ p_minfree=20;\ p_dir=/etc/security/jedgar/eggplant,\ /etc/security/jedgar.aux/eggplant,\ /etc/security/global/eggplant
See attributes(5) for a description of the following attributes:
auditd(1M), audit_control(4), syslog.conf(4), attributes(5)