From: Enzo Matsumiya <ematsumiya@suse.de>
Subject: init.d/auditd.service: enable ExecStopPost directive in auditd.service
References: bsc#1190227

This has caused confusion for customers when relating stopping auditd service
is the same as stopping system auditing. This is completely understandable, but
it's by design, so kauditd can keep filling its queues for any other userspace
daemon to consume.

Disable audit when auditd.service stops, so kauditd stops logging/running.

Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>

---
 init.d/auditd.service |    4 ++++
 1 file changed, 4 insertions(+)

--- a/init.d/auditd.service
+++ b/init.d/auditd.service
@@ -22,6 +22,10 @@ Documentation=man:auditd(8) https://gith
 Type=forking
 PIDFile=/run/auditd.pid
 ExecStart=/sbin/auditd
+ExecStartPost=-/sbin/augenrules --load
+# By default we clear the rules on exit. To disable this, comment
+# the next line after copying the file to /etc/systemd/system/auditd.service
+ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
 Restart=on-failure
 # Do not restart for intentional exits. See EXIT CODES section in auditd(8).
 RestartPreventExitStatus=2 4 6