From 244fd6e4327899458b659f023aa521015d6be443 Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Tue, 14 Jan 2025 14:24:50 +0400
Subject: [PATCH] feat: add a kernel parameter to disable built-in auditd

Fixes #9907

Signed-off-by: Andrey Smirnov
(cherry picked from commit db4ca5668ac0d85a98a5ea022f6546526d20aff1)
---
 hack/release.toml | 6 ++++++
 .../runtime/v1alpha1/v1alpha1_sequencer_tasks.go | 13 ++++++++++++-
 internal/pkg/install/install.go | 1 +
 pkg/machinery/constants/constants.go | 3 +++
 4 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/hack/release.toml b/hack/release.toml
index 3ad472a1bc..f57f5c5e81 100644
--- a/hack/release.toml
+++ b/hack/release.toml
@@ -52,6 +52,12 @@ cluster:
 ```
 Usage of `authorization-mode` CLI argument will not support this form of customization.
+"""
+
+ [notes.auditd]
+ title = "auditd"
+ description = """\
+Kernel parameter `talos.auditd.disabled=1` can be used to disable Talos built-in `auditd` service.
 """
 [make_deps]
diff --git a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
index b84cb07325..55d54e7cd4 100644
--- a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
@@ -359,7 +359,18 @@ func StartSyslogd(r runtime.Sequence, _ any) (runtime.TaskExecutionFunc, string)
 // StartAuditd represents the task to start auditd.
 func StartAuditd(r runtime.Sequence, _ any) (runtime.TaskExecutionFunc, string) {
- return func(_ context.Context, _ *log.Logger, r runtime.Runtime) error {
+ return func(_ context.Context, logger *log.Logger, r runtime.Runtime) error {
+ if !r.State().Platform().Mode().InContainer() {
+ disabledStr := procfs.ProcCmdline().Get(constants.KernelParamAuditdDisabled).First()
+ disabled, _ := strconv.ParseBool(pointer.SafeDeref(disabledStr)) //nolint:errcheck
+
+ if disabled {
+ logger.Printf("auditd is disabled by kernel parameter %s", constants.KernelParamAuditdDisabled)
+
+ return nil
+ }
+ }
+
 system.Services(r).LoadAndStart(&services.Auditd{})

 return nil
diff --git a/internal/pkg/install/install.go b/internal/pkg/install/install.go
index 1c262e9b65..d6cac8a51e 100644
--- a/internal/pkg/install/install.go
+++ b/internal/pkg/install/install.go
@@ -182,6 +182,7 @@ func RunInstallerContainer(
 constants.KernelParamEventsSink,
 constants.KernelParamLoggingKernel,
 constants.KernelParamEquinixMetalEvents,
+ constants.KernelParamAuditdDisabled,
 constants.KernelParamDashboardDisabled,
 constants.KernelParamNetIfnames,
 constants.KernelParamSELinux,
diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go
index 35e108bf28..1e8bdae3c9 100644
--- a/pkg/machinery/constants/constants.go
+++ b/pkg/machinery/constants/constants.go
@@ -80,6 +80,9 @@ const (
 // cgroups version to use (default is cgroupsv2, setting this kernel arg to '0' forces cgroupsv1).
 KernelParamCGroups = "talos.unified_cgroup_hierarchy"
+ // KernelParamAuditdDisabled is the kernel parameter name for disabling auditd service.
+ KernelParamAuditdDisabled = "talos.auditd.disabled"
+
 // KernelParamDashboardDisabled is the kernel parameter name for disabling the dashboard.
 KernelParamDashboardDisabled = "talos.dashboard.disabled"
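Review bot: The `strconv.ParseBool` error is discarded on the `disabled, _ :=` line, so a malformed value such as `talos.auditd.disabled=yes` silently leaves auditd running and the operator gets no indication that the parameter was ignored; keeping auditd on is the right fail-safe default for an audit service, but the same branch already has a logger, so report it: `disabled, err := strconv.ParseBool(pointer.SafeDeref(disabledStr))` followed by `if err != nil && disabledStr != nil { logger.Printf("ignoring invalid value %q for kernel parameter %s: %v", *disabledStr, constants.KernelParamAuditdDisabled, err) }` (the `disabledStr != nil` guard matters because an absent parameter also fails to parse, assuming `SafeDeref` yields `""` for nil). A one-line doc note on `StartAuditd` saying the parameter is only honoured outside container mode would help, since the `InContainer()` check makes that a silent difference in behaviour. The closure parameter `r runtime.Runtime` shadows the outer `r runtime.Sequence` from the `func StartAuditd` line; that is pre-existing but worth renaming while the closure signature is being touched. StartAuditd's closing brace is not shown in the hunk.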