From db4ca5668ac0d85a98a5ea022f6546526d20aff1 Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Tue, 14 Jan 2025 14:24:50 +0400
Subject: [PATCH] feat: add a kernel parameter to disable built-in auditd

Fixes #9907

Signed-off-by: Andrey Smirnov
---
 hack/release.toml | 6 ++++++
 .../runtime/v1alpha1/v1alpha1_sequencer_tasks.go | 13 ++++++++++++-
 internal/pkg/install/install.go | 1 +
 pkg/machinery/constants/constants.go | 3 +++
 website/content/v1.10/reference/kernel.md | 5 +++++
 5 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/hack/release.toml b/hack/release.toml
index c484800bcd..3420a800f8 100644
--- a/hack/release.toml
+++ b/hack/release.toml
@@ -36,6 +36,12 @@ See the [documentation](https://www.talos.dev/v1.10/reference/configuration/hard
 description = """\
 Talos Linux no longer supports `cgroupsv1` when running in non-container mode.
 The kernel argument `talos.unified_cgroup_hierarchy` is now ignored.
+"""
+
+ [notes.auditd]
+ title = "auditd"
+ description = """\
+Kernel parameter `talos.auditd.disabled=1` can be used to disable Talos built-in `auditd` service.
 """
 
 [make_deps]
diff --git a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
index b84cb07325..55d54e7cd4 100644
--- a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
@@ -359,7 +359,18 @@ func StartSyslogd(r runtime.Sequence, _ any) (runtime.TaskExecutionFunc, string)
 
 // StartAuditd represents the task to start auditd.
 func StartAuditd(r runtime.Sequence, _ any) (runtime.TaskExecutionFunc, string) {
- return func(_ context.Context, _ *log.Logger, r runtime.Runtime) error {
+ return func(_ context.Context, logger *log.Logger, r runtime.Runtime) error {
+ if !r.State().Platform().Mode().InContainer() {
+ disabledStr := procfs.ProcCmdline().Get(constants.KernelParamAuditdDisabled).First()
+ disabled, _ := strconv.ParseBool(pointer.SafeDeref(disabledStr)) //nolint:errcheck
+
+ if disabled {
+ logger.Printf("auditd is disabled by kernel parameter %s", constants.KernelParamAuditdDisabled)
+
+ return nil
+ }
+ }
+
 system.Services(r).LoadAndStart(&services.Auditd{})
 
 return nil
diff --git a/internal/pkg/install/install.go b/internal/pkg/install/install.go
index 2e23626c82..68fb772f63 100644
--- a/internal/pkg/install/install.go
+++ b/internal/pkg/install/install.go
@@ -182,6 +182,7 @@ func RunInstallerContainer(
 constants.KernelParamEventsSink,
 constants.KernelParamLoggingKernel,
 constants.KernelParamEquinixMetalEvents,
+ constants.KernelParamAuditdDisabled,
 constants.KernelParamDashboardDisabled,
 constants.KernelParamNetIfnames,
 } {
diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go
index 418b9736dd..24cb42032e 100644
--- a/pkg/machinery/constants/constants.go
+++ b/pkg/machinery/constants/constants.go
@@ -79,6 +79,9 @@ const (
 // KernelParamCGroups is the legacy kernel parameter not supported anymore.
 KernelParamCGroups = "talos.unified_cgroup_hierarchy"
 
+ // KernelParamAuditdDisabled is the kernel parameter name for disabling auditd service.
+ KernelParamAuditdDisabled = "talos.auditd.disabled"
+
 // KernelParamDashboardDisabled is the kernel parameter name for disabling the dashboard.
 KernelParamDashboardDisabled = "talos.dashboard.disabled"
 
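Review bot: The parse error from `strconv.ParseBool` on the `disabled, _ :=` line is swallowed, so a value the parser does not accept (for example `talos.auditd.disabled=yes`, or the parameter given with no value, where `First()` yields nil and `SafeDeref` an empty string) silently leaves auditd running while the operator believes kernel audit capture is off. Since a node booted without auditd has no kernel audit trail and the one Printf line is the only record of that decision, the rejected-value case deserves its own log line too. Suggested change: `disabled, err := strconv.ParseBool(pointer.SafeDeref(disabledStr))` followed by `if err != nil && disabledStr != nil { logger.Printf("ignoring unparseable value %q for kernel parameter %s: %v", *disabledStr, constants.KernelParamAuditdDisabled, err) }`, which assumes `First()` returns a `*string` as the `SafeDeref` call suggests; the `//nolint:errcheck` directive then becomes unnecessary. The closure body and StartAuditd's returned task name continue outside the hunk.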
diff --git a/website/content/v1.10/reference/kernel.md b/website/content/v1.10/reference/kernel.md
index c0e8347c6b..71153c1821 100644
--- a/website/content/v1.10/reference/kernel.md
+++ b/website/content/v1.10/reference/kernel.md
@@ -231,6 +231,11 @@ Valid options are:
 * `system` resets system disk.
 * `system:EPHEMERAL,STATE` resets ephemeral and state partitions. Doing this reverts Talos into maintenance mode.
 
+#### `talos.auditd.disabled`
+
+By default, Talos runs `auditd` service capturing kernel audit events.
+If you set `talos.auditd.disabled=1`, this behavior will be disabled, and you can run your own `auditd` service.
+
 #### `talos.dashboard.disabled`
 
 By default, Talos redirects kernel logs to virtual console `/dev/tty1` and starts the dashboard on `/dev/tty2`,