How to stop and disable auditd on RHEL 7
Article Number: 632 | Rating: 5/5 from 1 votes | Last Updated: Tue, Aug 6, 2019 3:23 PM
Environment
Red Hat Enterprise Linux 7
Issue
How to stop and disable auditd on RHEL 7?
Resolution
Disable auditd temporarily (this will disable logging instantly but will not survive a reboot):
auditctl -e0
Disable auditd permanently (this will require a reboot):
systemctl disable auditd
Verification:
[root@dhcp182-79 ~]# auditctl -s
enabled 0 # <----- this means that auditd logging is disabled
failure 1
pid 478
rate_limit 0
backlog_limit 64
lost 0
backlog 0
loginuid_immutable 0 unlocked
Root Cause
auditd documentation
man auditd
(...)
-e [0..2]
Set enabled flag. When 0 is passed, this can be used to temporarily disable
auditing. When 1 is passed as an argument, it will enable auditing. To lock the
audit configuration so that it can't be changed, pass a 2 as the argument. Locking
the configuration is intended to be the last command in audit.rules for anyone
wishing this feature to be active. Any attempt to change the configuration
in this mode will be audited and denied. The configuration can only be changed
by rebooting the machine.
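
For monitoring, the enabled flag shown in the verification step and described in the man page excerpt (0, 1, 2) can be classified by a script so that a host with auditing switched off is reported. This is an added example, not part of the original article; the function names and the --live option are assumptions, and it also accepts the single-line "enabled=N" status format printed by older audit releases.

```sh
#!/bin/sh
# Added example: classify the kernel audit state from `auditctl -s` output.
# Function names and the --live option are hypothetical.

# Print the value of the "enabled" flag found in status text on stdin.
# Accepts "enabled 0" (one field per line, as in the article) and
# "enabled=0" (single-line AUDIT_STATUS format of older audit releases).
audit_enabled_flag() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "enabled" && i < NF) { print $(i + 1); exit }
            if ($i ~ /^enabled=/) { sub(/^enabled=/, "", $i); print $i; exit }
        }
    }'
}

# Map the flag to the meaning given in the man page excerpt.
audit_state() {
    case "$(audit_enabled_flag)" in
        0) echo disabled ;;   # auditing temporarily disabled
        1) echo enabled ;;    # auditing active
        2) echo locked ;;     # active, configuration locked until reboot
        *) echo unknown ;;    # flag missing or unparseable
    esac
}

# Status text from the article's verification step (enabled 0).
SAMPLE_PAGE='enabled 0
failure 1
pid 478
rate_limit 0
backlog_limit 64
lost 0
backlog 0
loginuid_immutable 0 unlocked'

# Constructed sample in the older single-line format (not from the article).
SAMPLE_OLD='AUDIT_STATUS: enabled=2 flag=1 pid=478 rate_limit=0 backlog_limit=64 lost=0 backlog=0'

if [ "${1:-}" = "--live" ]; then
    # Run as root on the host being checked.
    echo "runtime: $(auditctl -s 2>/dev/null | audit_state)"
    echo "at boot: $(systemctl is-enabled auditd 2>/dev/null || true)"
else
    echo "article sample:     $(printf '%s\n' "$SAMPLE_PAGE" | audit_state)"
    echo "constructed sample: $(printf '%s\n' "$SAMPLE_OLD" | audit_state)"
fi
```

A runtime state of "disabled" or a boot state other than "enabled" on a host where auditing is expected is the condition to alert on.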