The execution of auditoff while auditing is enabled results in a flush of the audit buffer(s) to the audit log file. Additionally, a record indicating auditing has been disabled is written to the audit log file via the auditdmp system call. If the Linux Kernel Personality (LKP) is installed, but disabled, executing an auditoff command enables LKP. When auditing is disabled the auditable events currently in progress will not have a record written to the audit log file since they did not complete while auditing was enabled.
When the auditoff command is invoked and returns success, the following message will be displayed:
Auditing disabled
usage: auditoff
Invalid command syntax.
system service not installed
The audit package is not installed.
Permission denied
Failure because of insufficient privilege.
auditctl() failed ASTATUS, errno =
error
Failure occurred while retrieving the status of auditing.
auditctl() failed AUDITOFF, errno =
error
Failure occurred while attempting to disable auditing.
argvtostr() failed
Auditing already disabled