Why not always enable the audit subsystem at boot (if it's configured)
always and then in rc.local or whatever, disable it via auditctl. That
way if you re-enable later, those processes can be audited.
Because right now if you enable and then disable auditing, there is
a measurable performance penalty even when you're not auditing.
If you fix the code so you don't get the performance penalty, then
you're probably in the same state as if auditing hadn't been enabled.
If you can fix the re-enable case, then you might as well fix the case
when auditing is initially enabled. That would solve the problem
when auditd is started at boot time and there could potentially be
interesting processes that started before auditd, and also solve
the case where auditd is started long after boot when there would
definitely be interesting processes started before it.
-- ljk