How to stop and disable auditd on RHEL 7

How to stop and disable auditd on RHEL 7?

Solution Verified - Updated -

Environment

Red Hat Enterprise Linux 7

Issue

Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

How to stop and disable auditd on RHEL 7?

Resolution

Disable auditd temporarily (this will disable logging instantly but will not survive a reboot):

auditctl -e0

Disable auditd permanently (this will require a reboot):

systemctl disable auditd

Verification:

[root@dhcp182-79 ~]# auditctl -s
enabled 0     # <----- this means that auditd logging is disabled
failure 1
pid 478
rate_limit 0
backlog_limit 64
lost 0
backlog 0
loginuid_immutable 0 unlocked

Root Cause

auditd documentation

man auditd
(...)
       -e [0..2]
              Set  enabled  flag.  When  0  is passed, this can be used to temporarily disable
              auditing. When 1 is passed as an argument, it will enable auditing. To lock  the
              audit configuration so that it can't be changed, pass a 2 as the argument. Lock‐
              ing the configuration is intended to be the last command in audit.rules for any‐
              one  wishing  this feature to be active. Any attempt to change the configuration
              in this mode will be audited and denied. The configuration can only  be  changed
              by rebooting the machine.
5 (1)
Article Rating (1 Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
debian Debian/Ubuntu Linux: Find If Installed APT Package Includes a Fix/Patch Via CVE Number
Viewed 7135 times since Sun, Sep 23, 2018
ZPOOL: Verify/change properties of a zpool
Viewed 1010 times since Sun, Jun 3, 2018
Przekazywanie portów TCP rinetd
Viewed 40065 times since Thu, May 24, 2018
Enabling automatic updates in Centos 7 and RHEL 7
Viewed 1147 times since Wed, Oct 17, 2018
RHCS6: Reduce a Global Filesystem 2 (GFS2)
Viewed 1308 times since Sun, Jun 3, 2018
LOGROTATE – ARCHIWIAZACJA LOGÓW
Viewed 912 times since Fri, Nov 30, 2018
KONTO SFTP Z CHROOTEM Z UŻYCIEM OPENSSH-SERVER NA CENTOS/RHEL6
Viewed 804 times since Fri, Nov 30, 2018
PROCESSOR AND MEMORY INFORMATION
Viewed 4264 times since Sat, Jun 2, 2018
RHCS6: Show/Add GFS2/GFS journals
Viewed 11282 times since Sun, Jun 3, 2018
SYS: Configure a local repository. local repo
Viewed 9124 times since Mon, Oct 29, 2018