> But I have a question: why was AUDIT enabled in the first place? I > thought it > was cosidered useless? AFAIK, it was considered slow (at least for syscalls), but after recent changes in kernel it doesn't matter anymore. You can read discussion here https://bugs.archlinux.org/task/42954