On 05/31/15 07:51, jd1008 wrote:
On 05/29/2015 08:40 PM, Ed Greshko wrote:
> On 05/30/15 10:19, jd1008 wrote:
>> How can we stop auditd ???
>>
> 2 choices
>
> 1. add audit=0 to the kernel command line in grub menu
>
> or
>
> 2. systemctl mask auditd.service
>
> reboot.
>
> You can't stop it manually in a running system due to the settings in the
> auditd.service file.
>
>
Even though I ran
systemctl mask auditd.service
systemctl disable auditd.service
and rebooted,
I am still seeing tons of audit messages in dmesg.

dmesg is simply the ring buffer of the kernel and the entries will be overwritten
in time. It is the task of auditd to process the audit messages that end up in the
buffer.
But your stated goal wasn't to *never* see audit messages anywhere.
To do that, and you could have tried this yourself, is to simply add "audit=0"
to the kernel parameters.
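
As an added example (not part of the thread), the shell functions below report which of the situations discussed above a host is in: `audit=0` on the kernel command line, auditd masked or disabled so that records land in the kernel log, or auditd consuming them. The function names and result labels are made up for this example, and treating the last `audit=` token as the effective one is an assumption.

```shell
#!/bin/sh
# Added example; function names and result labels are hypothetical.

# audit_param CMDLINE
# Print the value of the last audit= token on a kernel command line,
# or "unset" if there is none. Runs in a subshell so set -f stays local.
audit_param() (
    set -f                      # split on whitespace only, no glob expansion
    value=unset
    for tok in $1; do
        case "$tok" in
            audit=*) value=${tok#audit=} ;;   # audit_backlog_limit= does not match
        esac
    done
    printf '%s\n' "$value"
)

# audit_state CMDLINE UNIT_STATE
# UNIT_STATE is what `systemctl is-enabled auditd.service` prints.
#   kernel-audit-off : audit=0 was given at boot (choice 1 in the thread)
#   kernel-log       : auditd masked/disabled, records show up in dmesg
#   auditd           : auditd is there to process the records
audit_state() {
    if [ "$(audit_param "$1")" = "0" ]; then
        echo kernel-audit-off
        return
    fi
    case "$2" in
        masked|disabled) echo kernel-log ;;
        *)               echo auditd ;;
    esac
}

# audit_state_live: same check against the running system (not called here).
audit_state_live() {
    audit_state "$(cat /proc/cmdline)" \
                "$(systemctl is-enabled auditd.service 2>/dev/null)"
}
```

Calling `audit_state_live` on the machine described in the thread (auditd masked, no `audit=0`) would print `kernel-log`, which matches the audit messages still appearing in dmesg.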