audit_is_enabled - Linux


audit_is_enabled is a command-line utility that checks whether the Linux Audit subsystem is enabled or disabled on the system. It’s primarily used in security-related auditing tasks to ensure that audit trails are being collected.


audit_is_enabled [OPTIONS]


  • -h, –help: Displays the help message and exits.
  • -V, –version: Prints the command’s version and exits.
  • -i, –inotify: Checks the status of inotify auditing.
  • -u, –user: Checks the status of user space auditing.
  • -k, –kernel: Checks the status of kernel auditing.


Check Overall Audit Status


Check Inotify Auditing Status

audit_is_enabled -i

Check User Space Auditing Status

audit_is_enabled -u

Check Kernel Auditing Status

audit_is_enabled -k

Common Issues

  • Permission Denied: Ensure you have root privileges to execute the command.
  • Audit Subsystem Not Found: The audit subsystem may not be installed or configured. Consult the system’s documentation for installation instructions.


audit_is_enabled can be integrated with auditd to manage audit settings. For example:

auditd -c /etc/audit/audit.rules
service auditd restart

Related Commands

  • auditctl: Controls audit settings.
  • ausearch: Searches audit logs.
  • auditd: The main Linux Audit daemon.