feat: add a kernel parameter to disable built-in auditd

Fixes #9907 Signed-off-by: Andrey Smirnov <[email protected]>
siderolabs · Jan 14, 2025 · db4ca56 · db4ca56
1 parent faa1490
commit db4ca56
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 1 deletion.
diff --git a/hack/release.toml b/hack/release.toml
@@ -36,6 +36,12 @@ See the [documentation](https://www.talos.dev/v1.10/reference/configuration/hard
         description = """\
 Talos Linux no longer supports `cgroupsv1` when running in non-container mode.
 The kernel argument `talos.unified_cgroup_hierarchy` is now ignored.
+"""
+
+    [notes.auditd]
+        title = "auditd"
+        description = """\
+Kernel parameter `talos.auditd.disabled=1` can be used to disable Talos built-in `auditd` service.
 """
 
 [make_deps]

diff --git a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
@@ -359,7 +359,18 @@ func StartSyslogd(r runtime.Sequence, _ any) (runtime.TaskExecutionFunc, string)
 
 // StartAuditd represents the task to start auditd.
 func StartAuditd(r runtime.Sequence, _ any) (runtime.TaskExecutionFunc, string) {
-	return func(_ context.Context, _ *log.Logger, r runtime.Runtime) error {
+	return func(_ context.Context, logger *log.Logger, r runtime.Runtime) error {
+		if !r.State().Platform().Mode().InContainer() {
+			disabledStr := procfs.ProcCmdline().Get(constants.KernelParamAuditdDisabled).First()
+			disabled, _ := strconv.ParseBool(pointer.SafeDeref(disabledStr)) //nolint:errcheck
+
+			if disabled {
+				logger.Printf("auditd is disabled by kernel parameter %s", constants.KernelParamAuditdDisabled)
+
+				return nil
+			}
+		}
+
 		system.Services(r).LoadAndStart(&services.Auditd{})
 
 		return nil

diff --git a/internal/pkg/install/install.go b/internal/pkg/install/install.go
@@ -182,6 +182,7 @@ func RunInstallerContainer(
 		constants.KernelParamEventsSink,
 		constants.KernelParamLoggingKernel,
 		constants.KernelParamEquinixMetalEvents,
+		constants.KernelParamAuditdDisabled,
 		constants.KernelParamDashboardDisabled,
 		constants.KernelParamNetIfnames,
 	} {

diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go
@@ -79,6 +79,9 @@ const (
 	// KernelParamCGroups is the legacy kernel parameter not supported anymore.
 	KernelParamCGroups = "talos.unified_cgroup_hierarchy"
 
+	// KernelParamAuditdDisabled is the kernel parameter name for disabling auditd service.
+	KernelParamAuditdDisabled = "talos.auditd.disabled"
+
 	// KernelParamDashboardDisabled is the kernel parameter name for disabling the dashboard.
 	KernelParamDashboardDisabled = "talos.dashboard.disabled"
 

diff --git a/website/content/v1.10/reference/kernel.md b/website/content/v1.10/reference/kernel.md
@@ -231,6 +231,11 @@ Valid options are:
 * `system` resets system disk.
 * `system:EPHEMERAL,STATE` resets ephemeral and state partitions. Doing this reverts Talos into maintenance mode.
 
+#### `talos.auditd.disabled`
+
+By default, Talos runs `auditd` service capturing kernel audit events.
+If you set `talos.auditd.disabled=1`, this behavior will be disabled, and you can run your own `auditd` service.
+
 #### `talos.dashboard.disabled`
 
 By default, Talos redirects kernel logs to virtual console `/dev/tty1` and starts the dashboard on `/dev/tty2`,