[Unit]
Description=Security Auditing Service
DefaultDependencies=no
After=local-fs.target systemd-tmpfiles-setup.service
Before=sysinit.target shutdown.target
Conflicts=shutdown.target
ConditionKernelCommandLine=!audit=0

[Service]
Type=forking
PIDFile=/run/auditd.pid
ExecStart=/sbin/auditd
## To use augenrules, uncomment the next line and comment/delete the auditctl line.
## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
#ExecStartPost=-/sbin/augenrules --load
ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
# By default we don't clear the rules on exit.
# To enable this, uncomment the next line.
#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules

### Security Settings ###
MemoryDenyWriteExecute=true
LockPersonality=true
ProtectControlGroups=true
ProtectKernelModules=true

[Install]
WantedBy=multi-user.target