diff --git a/man/journald.conf.xml b/man/journald.conf.xml
index e24c420ab0..8058f36e75 100644
--- a/man/journald.conf.xml
+++ b/man/journald.conf.xml
@@ -402,6 +402,18 @@
this option is enabled by default, it is disabled in all others.
+
+ Audit=
+
+ Takes a boolean value. If enabled systemd-journal will turn on
+ kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor
+ disable it, leaving the previous state unchanged. Note that this option does not control whether
+ systemd-journald collects generated audit records, it just controls whether it
+ tells the kernel to generate them. This means if another tool turns on auditing even if
+ systemd-journald left it off, it will still collect the generated
+ messages. Defaults to on.
+
+
TTYPath=
diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c
index 339e091dfd..5c31c43705 100644
--- a/src/journal/journald-audit.c
+++ b/src/journal/journald-audit.c
@@ -539,10 +539,16 @@ int server_open_audit(Server *s) {
if (r < 0)
return log_error_errno(r, "Failed to add audit fd to event loop: %m");
- /* We are listening now, try to enable audit */
- r = enable_audit(s->audit_fd, true);
- if (r < 0)
- log_warning_errno(r, "Failed to issue audit enable call: %m");
+ if (s->set_audit >= 0) {
+ /* We are listening now, try to enable audit if configured so */
+ r = enable_audit(s->audit_fd, s->set_audit);
+ if (r < 0)
+ log_warning_errno(r, "Failed to issue audit enable call: %m");
+ else if (s->set_audit > 0)
+ log_debug("Auditing in kernel turned on.");
+ else
+ log_debug("Auditing in kernel turned off.");
+ }
return 0;
}
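Review bot: The `log_debug("Auditing in kernel turned off.")` branch records a state change that affects every audit consumer on the host, not only journald, yet it is emitted at debug level and so is invisible under default logging; `log_info("Auditing in kernel turned off.")` (or notice) would make the transition show up in the journal. The `if (s->set_audit >= 0)` guard encodes the tristate contract (-1 = do not touch, as written by config_parse_tristate in journald-gperf.gperf) only implicitly; a short comment on that line, `/* -1: leave kernel audit state unchanged */`, would make it explicit at the point of use. server_open_audit begins outside the hunk.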
diff --git a/src/journal/journald-gperf.gperf b/src/journal/journald-gperf.gperf
index 0774444e8d..c70ac9a5b6 100644
--- a/src/journal/journald-gperf.gperf
+++ b/src/journal/journald-gperf.gperf
@@ -22,6 +22,7 @@ Journal.Storage, config_parse_storage, 0, offsetof(Server, storage
Journal.Compress, config_parse_compress, 0, offsetof(Server, compress)
Journal.Seal, config_parse_bool, 0, offsetof(Server, seal)
Journal.ReadKMsg, config_parse_bool, 0, offsetof(Server, read_kmsg)
+Journal.Audit, config_parse_tristate, 0, offsetof(Server, set_audit)
Journal.SyncIntervalSec, config_parse_sec, 0, offsetof(Server, sync_interval_usec)
# The following is a legacy name for compatibility
Journal.RateLimitInterval, config_parse_sec, 0, offsetof(Server, ratelimit_interval)
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index b7875dec1f..64cb3279f6 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -2208,6 +2208,8 @@ int server_init(Server *s, const char *namespace) {
.compress.threshold_bytes = (uint64_t) -1,
.seal = true,
+ .set_audit = true,
+
.watchdog_usec = USEC_INFINITY,
.sync_interval_usec = DEFAULT_SYNC_INTERVAL_USEC,
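Review bot: `.set_audit = true` initialises an `int` tristate with a bool literal, which hides that -1 is a legitimate value for this field (the gperf table parses it with config_parse_tristate); `.set_audit = 1, /* tristate: -1 leaves kernel auditing unchanged */` states the default in the field's own domain. server_init's initializer list starts outside the hunk.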
diff --git a/src/journal/journald-server.h b/src/journal/journald-server.h
index f3405e967c..b01ade5aee 100644
--- a/src/journal/journald-server.h
+++ b/src/journal/journald-server.h
@@ -108,6 +108,7 @@ struct Server {
JournalCompressOptions compress;
bool seal;
bool read_kmsg;
+ int set_audit;
bool forward_to_kmsg;
bool forward_to_syslog;
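Review bot: `int set_audit;` is placed among `bool` fields with nothing indicating it is a tristate, so a reader would naturally assume it holds 0/1; a trailing comment such as `int set_audit;  /* tristate: -1 = leave kernel auditing as is, 0 = disable, 1 = enable */` documents the contract that server_open_audit relies on. struct Server is declared outside the hunk.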
diff --git a/src/journal/journald.conf b/src/journal/journald.conf
index 2f1c661153..2e1aacd8c5 100644
--- a/src/journal/journald.conf
+++ b/src/journal/journald.conf
@@ -41,3 +41,4 @@
#MaxLevelWall=emerg
#LineMax=48K
#ReadKMsg=yes
+#Audit=yes