How to stop and disable auditd on RHEL 7

How to stop and disable auditd on RHEL 7?

Solution Verified - Updated -


Red Hat Enterprise Linux 7


Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

How to stop and disable auditd on RHEL 7?


Disable auditd temporarily (this will disable logging instantly but will not survive a reboot):

auditctl -e0

Disable auditd permanently (this will require a reboot):

systemctl disable auditd


[root@dhcp182-79 ~]# auditctl -s
enabled 0     # <----- this means that auditd logging is disabled
failure 1
pid 478
rate_limit 0
backlog_limit 64
lost 0
backlog 0
loginuid_immutable 0 unlocked

Root Cause

auditd documentation

man auditd
       -e [0..2]
              Set  enabled  flag.  When  0  is passed, this can be used to temporarily disable
              auditing. When 1 is passed as an argument, it will enable auditing. To lock  the
              audit configuration so that it can't be changed, pass a 2 as the argument. Lock‐
              ing the configuration is intended to be the last command in audit.rules for any‐
              one  wishing  this feature to be active. Any attempt to change the configuration
              in this mode will be audited and denied. The configuration can only  be  changed
              by rebooting the machine.
5 (1)
Article Rating (1 Votes)
Rate this article
There are no attachments for this article.
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
RHEL: Manually encrypting a filesystem with LUKS
Viewed 1489 times since Sun, May 27, 2018
FIO (Flexible I/O) – a benchmark tool for any operating system
Viewed 861 times since Wed, Jul 25, 2018
Super Grub2 Disk
Viewed 1093 times since Wed, May 22, 2019
Using IOzone for Linux disk performance analysis
Viewed 4116 times since Wed, Jul 25, 2018
RHCS6: ’fencing’ basics
Viewed 1044 times since Sun, Jun 3, 2018
LVM: Create a new Logical Volume / Filesystem
Viewed 1042 times since Sat, Jun 2, 2018 gives you books for free to study Linux
Viewed 1128 times since Sat, Jun 2, 2018
Linux Linux Network Statistics Tools / Commands
Viewed 357 times since Mon, Sep 21, 2020
RHEL: Crash kernel dumps configuration and analysis on RHEL 6
Viewed 1903 times since Sat, Jun 2, 2018
A tcpdump Tutorial and Primer with Examples
Viewed 2172 times since Sun, Jun 17, 2018