Managing the audit daemon (
Starting with the first release based on Fedora 39, Fedora CoreOS includes the audit daemon (
auditd) to load and manage audit rules.
Like all system daemons on Fedora CoreOS, the audit daemon is managed by systemd but with an exception: it can not be stopped or restarted via
systemctl stop auditd or
systemctl restart auditd for compliance reasons.
"The reason for this unusual handling of restart/stop requests is that auditd is treated specially by the kernel: the credentials of a process that sends a killing signal to auditd are saved to the audit log. The audit developers do not want to see the credentials of PID 1 logged there. They want to see the login UID of the user who initiated the action."
To stop and restart the audit daemon, you should use the following commands:
$ sudo auditctl --signal stop
$ sudo systemctl start # Only if you want it started again
You may also use the following commands to reload the rules, rotate the logs, resume logging or dump the daemon state:
$ sudo auditctl --signal reload
$ sudo auditctl --signal rotate
$ sudo auditctl --signal resume
$ sudo auditctl --signal state
Want to help? Learn how to contribute to Fedora Docs ›