auditd

Ed Greshko ed.greshko at greshko.com
Sun May 31 00:40:03 UTC 2015


On 05/31/15 07:51, jd1008 wrote:
>
>
> On 05/29/2015 08:40 PM, Ed Greshko wrote:
>> On 05/30/15 10:19, jd1008 wrote:
>>> How can we stop auditd ???
>>>
>> 2 choices
>>
>> 1.  add audit=0 to the kernel command line in grub menu
>>
>> or
>>
>> 2.  systemctl mask auditd.service
>>
>> reboot.
>>
>> You can't stop it manually in a running system due to the settings in the auditd.service file.
>>
>>
> Even though I ran
> systemctl mask auditd.service
> systemctl disable auditd.service
> and rebooted,
> I am still seeing tons of audit messages in dmesg.
>
>
dmesg is simply the ring buffer of the kernel and the entries will be overwritten in time.  It is the task of auditd to process the audit messages that end up in the buffer.

But your stated goal wasn't to *never* see audit messages anywhere.

To do that, and you could have tried this yourself, simply add "audit=0" to the kernel parameters.
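
A check for which of the two situations in this thread a host is in, as an added example that is not part of the original message: it reads the `audit=` kernel parameter and the `auditd.service` unit state. The function names and state labels are made up for illustration, and it assumes the last `audit=` token on the command line is the one that takes effect.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and state labels are
# hypothetical; sample command lines used to exercise it are constructed.

# Print the value of the last audit= token on a kernel command line, or
# "unset" if there is none. Assumption: the last occurrence wins.
# Look-alike tokens such as audit_backlog_limit= are ignored.
# The ( ) body runs in a subshell so set -f and the variables stay local.
audit_param() (
    set -f                      # do not glob-expand tokens like '*'
    val=unset
    for tok in $1; do
        case "$tok" in
            audit=*) val=${tok#audit=} ;;
        esac
    done
    printf '%s\n' "$val"
)

# $1 = kernel command line
# $2 = unit state as printed by `systemctl is-enabled auditd.service`
audit_state() {
    if [ "$(audit_param "$1")" = "0" ]; then
        # audit=0: the kernel audit subsystem itself is off.
        echo "kernel-audit-off"
    elif [ "$2" = "masked" ]; then
        # Daemon cannot start but the kernel still emits records; this is
        # the case in the thread where messages keep showing up in dmesg.
        echo "kernel-audit-on-daemon-masked"
    else
        echo "kernel-audit-on-daemon-available"
    fi
}

# Run with --live on a systemd host to classify the running system.
if [ "${1:-}" = "--live" ]; then
    audit_state "$(cat /proc/cmdline)" \
                "$(systemctl is-enabled auditd.service 2>/dev/null)"
fi
```

A result of `kernel-audit-on-daemon-masked` matches the report above: the unit is masked, yet audit records still reach the kernel ring buffer.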

