How to stop and disable auditd on RHEL 7

How to stop and disable auditd on RHEL 7?

Solution Verified - Updated -

Environment

Red Hat Enterprise Linux 7

Issue

Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

How to stop and disable auditd on RHEL 7?

Resolution

Disable auditd temporarily (this will disable logging instantly but will not survive a reboot):

auditctl -e0

Disable auditd permanently (this will require a reboot):

systemctl disable auditd

Verification:

[root@dhcp182-79 ~]# auditctl -s
enabled 0     # <----- this means that auditd logging is disabled
failure 1
pid 478
rate_limit 0
backlog_limit 64
lost 0
backlog 0
loginuid_immutable 0 unlocked

Root Cause

auditd documentation

man auditd
(...)
       -e [0..2]
              Set  enabled  flag.  When  0  is passed, this can be used to temporarily disable
              auditing. When 1 is passed as an argument, it will enable auditing. To lock  the
              audit configuration so that it can't be changed, pass a 2 as the argument. Lock‐
              ing the configuration is intended to be the last command in audit.rules for any‐
              one  wishing  this feature to be active. Any attempt to change the configuration
              in this mode will be audited and denied. The configuration can only  be  changed
              by rebooting the machine.
5 (1)
Article Rating (1 Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
Deskshare TLS over Stunnel
Viewed 923 times since Fri, Sep 28, 2018
Using etckeeper with git
Viewed 1492 times since Sun, Jun 3, 2018
Linux Customizing Bash
Viewed 236 times since Sun, Dec 6, 2020
RHCS6: ’fencing’ basics
Viewed 1045 times since Sun, Jun 3, 2018
How to manage Linux password expiry with the chage command
Viewed 776 times since Tue, Sep 11, 2018
List usernames instead of uids with the ps command for long usernames
Viewed 807 times since Wed, Jul 25, 2018
Extending Linux LVM partitions script
Viewed 732 times since Wed, Feb 6, 2019
Using Kerberos security with Server for NFS
Viewed 2195 times since Wed, Jun 27, 2018
ZFS: Snapshots and clones on zfs filesystems
Viewed 1336 times since Sun, Jun 3, 2018
Tilix: Advanced Tiling Terminal Emulator for Power Users
Viewed 2530 times since Thu, Apr 18, 2019