On RedHat/CentOS (I'm sure others have this config also), the audit rules have an enable flag: -e
0 = temporarily disable auditing
1 = enable auditing
2 = lock the audit configuration to prevent changes
To see what you system is set to, look in your rules file (/etc/audit/audit.rules) for the -e setting. Immutable (2), if set, should be at the end of the file.
Code:
sudo grep -e '^-e' /etc/audit/audit.rules
If -e is 2, you will NOT be able to stop the audit daemon with systemctl.
You can either kill the pid, or use the service command, as documented by 'n00b_noob'
Code:
sudo service auditd stop
Best practice is to set this to immutable (2) to prevent someone from changing the audit rules
in vitro