feat: add a kernel parameter to disable built-in auditd

Fixes #9907 Signed-off-by: Andrey Smirnov <[email protected]> (cherry picked from commit db4ca56)
siderolabs · Jan 16, 2025 · 244fd6e · 244fd6e
1 parent 28327e0
commit 244fd6e
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 1 deletion.
diff --git a/hack/release.toml b/hack/release.toml
@@ -52,6 +52,12 @@ cluster:
 ```
 
 Usage of `authorization-mode` CLI argument will not support this form of customization.
+"""
+
+    [notes.auditd]
+        title = "auditd"
+        description = """\
+Kernel parameter `talos.auditd.disabled=1` can be used to disable Talos built-in `auditd` service.
 """
 
 [make_deps]

diff --git a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
@@ -359,7 +359,18 @@ func StartSyslogd(r runtime.Sequence, _ any) (runtime.TaskExecutionFunc, string)
 
 // StartAuditd represents the task to start auditd.
 func StartAuditd(r runtime.Sequence, _ any) (runtime.TaskExecutionFunc, string) {
-	return func(_ context.Context, _ *log.Logger, r runtime.Runtime) error {
+	return func(_ context.Context, logger *log.Logger, r runtime.Runtime) error {
+		if !r.State().Platform().Mode().InContainer() {
+			disabledStr := procfs.ProcCmdline().Get(constants.KernelParamAuditdDisabled).First()
+			disabled, _ := strconv.ParseBool(pointer.SafeDeref(disabledStr)) //nolint:errcheck
+
+			if disabled {
+				logger.Printf("auditd is disabled by kernel parameter %s", constants.KernelParamAuditdDisabled)
+
+				return nil
+			}
+		}
+
 		system.Services(r).LoadAndStart(&services.Auditd{})
 
 		return nil

diff --git a/internal/pkg/install/install.go b/internal/pkg/install/install.go
@@ -182,6 +182,7 @@ func RunInstallerContainer(
 		constants.KernelParamEventsSink,
 		constants.KernelParamLoggingKernel,
 		constants.KernelParamEquinixMetalEvents,
+		constants.KernelParamAuditdDisabled,
 		constants.KernelParamDashboardDisabled,
 		constants.KernelParamNetIfnames,
 		constants.KernelParamSELinux,

diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go
@@ -80,6 +80,9 @@ const (
 	// cgroups version to use (default is cgroupsv2, setting this kernel arg to '0' forces cgroupsv1).
 	KernelParamCGroups = "talos.unified_cgroup_hierarchy"
 
+	// KernelParamAuditdDisabled is the kernel parameter name for disabling auditd service.
+	KernelParamAuditdDisabled = "talos.auditd.disabled"
+
 	// KernelParamDashboardDisabled is the kernel parameter name for disabling the dashboard.
 	KernelParamDashboardDisabled = "talos.dashboard.disabled"