How to stop and disable auditd on RHEL 7
Red Hat Enterprise Linux 7
Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.
How to stop and disable auditd on RHEL 7?
Disable auditd temporarily (this will disable logging instantly but will not survive a reboot):
Disable auditd permanently (this will require a reboot):
systemctl disable auditd
[root@dhcp182-79 ~]# auditctl -s enabled 0 # <----- this means that auditd logging is disabled failure 1 pid 478 rate_limit 0 backlog_limit 64 lost 0 backlog 0 loginuid_immutable 0 unlocked
man auditd (...) -e [0..2] Set enabled flag. When 0 is passed, this can be used to temporarily disable auditing. When 1 is passed as an argument, it will enable auditing. To lock the audit configuration so that it can't be changed, pass a 2 as the argument. Lock‐ ing the configuration is intended to be the last command in audit.rules for any‐ one wishing this feature to be active. Any attempt to change the configuration in this mode will be audited and denied. The configuration can only be changed by rebooting the machine.