--- audit-1.6.2.orig/docs/auditd.8
+++ audit-1.6.2/docs/auditd.8
@@ -3,7 +3,7 @@
 auditd \- The Linux Audit daemon
 .SH SYNOPSIS
 .B auditd
-.RB [ \-f ]\ [ \-l ]\ [ \-n ]
+.RB [ \-f ]\ [ \-l ]\ [ \-n ]\ [ \-s\ disable|enable|nochange ]
 .SH DESCRIPTION
 \fBauditd\fP is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the
 .B ausearch
@@ -24,6 +24,9 @@
 .TP
 .B \-n
 no fork. This is useful for running off of inittab
+.TP
+.B \-s=\fIENABLE_STATE\fR
+specify when starting if auditd should change the current value for the kernel enabled flag. Valid values for ENABLE_STATE are "disable", "enable" or "nochange". The default is to enable (and disable when auditd terminates). The value of the enabled flag may be changed during the lifetime of auditd using 'auditctl -e'.
 .SH SIGNALS
 .TP
 SIGHUP
--- audit-1.6.2.orig/src/auditd.c
+++ audit-1.6.2/src/auditd.c
@@ -36,6 +36,7 @@
 #include <sys/wait.h>
 #include <fcntl.h>
 #include <pthread.h>
+#include <getopt.h>
 
 #include "libaudit.h"
 #include "auditd-config.h"
@@ -65,13 +66,19 @@
 static void clean_exit(void);
 static int get_reply(int fd, struct audit_reply *rep, int seq);
 
+enum startup_state {startup_disable=0, startup_enable, startup_nochange, startup_INVALID};
+static const char *startup_states[] = {"disable", "enable", "nochange"};
 
 /*
  * Output a usage message
  */
 static void usage(void)
 {
-	puts("Usage: auditd [ -f -l -n ]");
+	fprintf(stderr, "Usage: auditd [-f] [-l] [-n] [-s %s|%s|%s]\n",
+		startup_states[startup_disable],
+		startup_states[startup_enable],
+		startup_states[startup_nochange]);
+
 	exit(2);
 }
 
@@ -308,26 +315,56 @@
 	struct rlimit limit;
 	int hup_info_requested = 0, usr1_info_requested = 0;
 	int i;
+	int opt_foreground = 0, opt_allow_links = 0;
+	enum startup_state opt_startup = startup_enable;
+	int c;
+	extern char *optarg;
+	extern int optind;
 
 	/* Get params && set mode */
-	config.daemonize = D_BACKGROUND;
-	if (argc > 1) {
-		for (i=1; i<argc; i++) {
-			if (strcmp(argv[i], "-f") == 0) 
-				config.daemonize = D_FOREGROUND;
-			else if (strcmp(argv[i], "-l") == 0)
-				set_allow_links(1);
-			else if (strcmp(argv[i], "-n") == 0)
-				do_fork = 0;
-			else
+	while ((c = getopt(argc, argv, "flns:")) != -1) {
+		switch (c) {
+		case 'f':
+			opt_foreground = 1;
+			break;
+		case 'l':
+			opt_allow_links=1;
+			break;
+		case 'n':
+			do_fork = 0;
+			break;
+		case 's':
+			for (i=0; i<startup_INVALID; i++) {
+				if (strncmp(optarg, startup_states[i],
+					strlen(optarg)) == 0) {
+					opt_startup = i;
+					break;
+				}
+			}
+			if (i == startup_INVALID) {
+				fprintf(stderr, "unknown startup mode '%s'\n",
+					optarg);
 				usage();
+			}
+			break;
+		default:
+			usage();
 		}
 	}
 
-	// Make paramemters take effect
-	if (config.daemonize == D_FOREGROUND)
+	/* check for trailing command line following options */
+	if (optind < argc) {
+		usage();
+	}
+
+	if (opt_allow_links)
+		set_allow_links(1);
+
+	if (opt_foreground) {
+		config.daemonize = D_FOREGROUND;
 		set_aumessage_mode(MSG_STDERR, DBG_YES);
-	else {
+	} else {
+		config.daemonize = D_BACKGROUND;
 		set_aumessage_mode(MSG_SYSLOG, DBG_NO);
 		(void) umask( umask( 077 ) | 022 );
 	}
@@ -472,8 +509,9 @@
 	/* Now tell parent that everything went OK */
 	tell_parent(SUCCESS);
 
-	/* Enable auditing just in case it was off */
-	if (audit_set_enabled(fd, 1) < 0) {
+	/* Depending on value of opt_startup (-s) set initial audit state */
+	if (opt_startup != startup_nochange &&
+	    audit_set_enabled(fd, (int)opt_startup) < 0) {
 		char emsg[DEFAULT_BUF_SZ];
 		snprintf(emsg, sizeof(emsg),
 			"auditd error halt, auid=%u pid=%d res=failed",
@@ -481,15 +519,19 @@
 		stop = 1;
 //FIXME add subj
 		send_audit_event(AUDIT_DAEMON_ABORT, emsg);
-		audit_msg(LOG_ERR, "Unable to enable auditing, exiting");
+		audit_msg(LOG_ERR,
+			"Unable to set intitial audit startup state to '%s', exiting",
+			startup_states[opt_startup]);
 		close_down();
 		if (pidfile)
 			unlink(pidfile);
 		shutdown_dispatcher();
 		return 1;
 	}
-	audit_msg(LOG_NOTICE, "Init complete, auditd %s listening for events",
-		VERSION);
+	audit_msg(LOG_NOTICE,
+		 "Init complete, auditd %s listening for events (startup state %s)",
+		VERSION,
+		startup_states[opt_startup]);
 
 	/* Parent should be gone by now...   */
 	if (do_fork)
@@ -603,6 +645,9 @@
 			/* Write message to log that we are going down */
 			int rc;
 
+			if (opt_startup == startup_enable) {
+				audit_set_enabled(fd, (int)startup_disable);
+			}
 			rc = audit_request_signal_info(fd);
 			if (rc > 0) {
 				struct audit_reply trep;