
auditd on talos 1.9 #9907

Closed

stereobutter opened this issue Dec 10, 2024 · 4 comments · Fixed by #10127
@stereobutter (Contributor)

Feature Request

Provide a way to run user-provided auditd on talos v1.9.

Description

As per #9620, talos v1.9 comes with an auditd-like service. @frezbo told me the motivation for this feature is debugging SELinux policies. As the feature is implemented right now, I believe this cannot run in tandem with a user-provided auditd since IIRC only one application may bind to the kernel's audit socket.

Possible solutions:

  • provide a control to disable the talos auditd service
  • apparently there is a way to run additional listeners on the audit socket (see elastic/beats#4850, "Use netlink multicast group to receive audit logs"). Could the talos auditd feature use this instead of binding the audit socket exclusively? IMHO it would also make sense to not call the talos audit feature auditd since it isn't a real instance (or 1:1 implementation) of auditd.
@smira (Member) commented Dec 10, 2024

Talos auditd runs before any other service might bind to the audit logs, so running as a multicast group might not be possible.

Do you have a reproducer showing that auditd when deployed as a pod (or whatever way you deploy it) no longer works? If you do, we can look into that.

@stereobutter (Contributor, Author)

From linux-audit/audit-kernel#102 it seems it's possible to run as a listener without auditd (or another service binding the audit socket) around.

@smira (Member) commented Dec 10, 2024

Please show us a way to reproduce the problem, and we can look for a solution; a solution without a problem doesn't quite work.

@stereobutter (Contributor, Author)

On talos v1.9.1 I get the following error when running my auditd workload:

type=DAEMON_START msg=audit(1736506698.047:7226): op=start ver=4.0.1 format=enriched kernel=6.12.6-talos auid=4294967295 pid=7590 uid=0 ses=4294967295 subj=kernel res=successAUID="unset" UID="root"
config_manager init complete
Error setting audit daemon pid (File exists)
Unable to set audit pid, exiting
type=DAEMON_ABORT msg=audit(1736506698.047:7227): op=set-pid auid=4294967295 pid=7590 uid=0 ses=4294967295 subj=kernel res=failedAUID="unset" UID="root"
The audit daemon is exiting.
Error setting audit daemon pid (Permission denied)

Stripped-down manifests to reproduce this:

---
# Source: auditd/templates/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: audit
  labels:
    pod-security.kubernetes.io/enforce: privileged
    app.kubernetes.io/part-of: auditd
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: auditd
  namespace: audit
  labels:
    app.kubernetes.io/name: auditd
    app.kubernetes.io/instance: auditd
    app.kubernetes.io/version: "4.0.1"
    app.kubernetes.io/part-of: auditd
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: auditd
      app.kubernetes.io/instance: auditd
  template:
    metadata:
      labels:
        app.kubernetes.io/name: auditd
        app.kubernetes.io/instance: auditd
        app.kubernetes.io/part-of: auditd
        app.kubernetes.io/version: "4.0.1"
    spec:
      hostPID: true
      containers:
      - name: auditd
        image: "stereobutter/auditd:latest"
        imagePullPolicy: "IfNotPresent"
        securityContext:
          runAsUser: 0
          capabilities:
            add:
              - AUDIT_CONTROL
              - AUDIT_WRITE
              - SYS_RESOURCE
              - SYS_NICE
        volumeMounts:
        - name: run
          mountPath: /var/run
        - name: rules
          mountPath: /etc/audit/rules.d
      volumes:
      - name: run
        hostPath:
          path: /var/run
          type: DirectoryOrCreate
      - name: rules
        emptyDir: {}
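The two mechanisms the thread contrasts, registering as the audit daemon (what auditd does, and what fails above with "File exists") and joining the read-only netlink multicast group (what the first post proposes), can be seen side by side in the following added example. It is not code from the issue, from auditd or from Talos. It assumes, from the kernel UAPI headers rather than from this page, that NETLINK_AUDIT is protocol 9, that the read-only log multicast group AUDIT_NLGRP_READLOG is group 1 (so the bind bitmask is 1), that joining it requires CAP_AUDIT_READ, and that the kernel's AUDIT_SET handler answers EEXIST when a live audit daemon is already registered. The sample records are constructed from the output posted above, with the 0x1d separator that auditd's enriched format puts between raw and interpreted fields restored (it is invisible once pasted, which is why `res=successAUID=...` runs together above).

```python
# Read-only audit listener plus audit record parser (added example; assumptions
# from linux/netlink.h and linux/audit.h are marked below).
import re
import socket
import struct
import sys
from typing import Dict, Iterator, List, Optional, Tuple

NETLINK_AUDIT = 9            # assumed: linux/netlink.h
AUDIT_NLGRP_READLOG = 1      # assumed: linux/audit.h, read-only log multicast group
INTERP_SEPARATOR = "\x1d"    # enriched format: raw fields <0x1d> interpreted fields

# struct nlmsghdr in native byte order: u32 len, u16 type, u16 flags, u32 seq, u32 pid
NLMSGHDR = struct.Struct("=IHHII")

# Record type numbers (linux/audit.h) this example knows by name; multicast
# messages carry the type in nlmsg_type and the bare 'audit(...)' text as payload.
AUDIT_TYPE_NAMES = {
    1200: "DAEMON_START", 1201: "DAEMON_END", 1202: "DAEMON_ABORT",
    1300: "SYSCALL", 1302: "PATH", 1307: "CWD", 1320: "EOE", 1327: "PROCTITLE",
}

HEADER_RE = re.compile(
    r"^(?:type=(?P<type>\S+)\s+msg=)?audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s?(?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed from the lines posted in this issue, with the 0x1d separator restored.
SAMPLE_RECORDS = [
    'type=DAEMON_START msg=audit(1736506698.047:7226): op=start ver=4.0.1 format=enriched '
    'kernel=6.12.6-talos auid=4294967295 pid=7590 uid=0 ses=4294967295 subj=kernel res=success'
    '\x1dAUID="unset" UID="root"',
    'type=DAEMON_ABORT msg=audit(1736506698.047:7227): op=set-pid auid=4294967295 pid=7590 '
    'uid=0 ses=4294967295 subj=kernel res=failed\x1dAUID="unset" UID="root"',
]


def nlmsg_align(n: int) -> int:
    """NLMSG_ALIGN: netlink messages are padded to 4-byte boundaries."""
    return (n + 3) & ~3


def build_netlink_message(msg_type: int, payload: bytes) -> bytes:
    """Frame one netlink message as the kernel does; used only to build offline input."""
    body = NLMSGHDR.pack(NLMSGHDR.size + len(payload), msg_type, 0, 0, 0) + payload
    return body + b"\0" * (nlmsg_align(len(body)) - len(body))


def iter_netlink_messages(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a datagram that may carry several netlink messages back to back."""
    off = 0
    while off + NLMSGHDR.size <= len(buf):
        length, msg_type, _flags, _seq, _pid = NLMSGHDR.unpack_from(buf, off)
        if length < NLMSGHDR.size or off + length > len(buf):
            raise ValueError("truncated netlink message")
        yield msg_type, buf[off + NLMSGHDR.size:off + length]
        off += nlmsg_align(length)


def parse_audit_record(text: str, msg_type: Optional[int] = None) -> Dict[str, object]:
    """Parse 'type=X msg=audit(ts:serial): k=v ...' (auditd log form) or the bare
    'audit(ts:serial): k=v ...' payload from the multicast group (type in header)."""
    m = HEADER_RE.match(text.rstrip("\0\n"))
    if not m:
        raise ValueError(f"not an audit record: {text!r}")
    type_name = m.group("type")
    if type_name is None:
        type_name = AUDIT_TYPE_NAMES.get(msg_type, f"UNKNOWN[{msg_type}]")
    raw, _, enriched = m.group("body").partition(INTERP_SEPARATOR)
    return {
        "type": type_name,
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": {k: v.strip('"') for k, v in FIELD_RE.findall(raw)},
        "enriched": {k: v.strip('"') for k, v in FIELD_RE.findall(enriched)},
    }


def diagnose_daemon_records(records: List[Dict[str, object]]) -> Optional[str]:
    """Recognise the failure from the issue: DAEMON_ABORT with op=set-pid res=failed
    means the kernel refused AUDIT_SET of the daemon pid because another live
    audit daemon is registered (assumed: kernel returns EEXIST, printed as 'File exists')."""
    for rec in records:
        f = rec["fields"]
        if rec["type"] == "DAEMON_ABORT" and f.get("op") == "set-pid" and f.get("res") == "failed":
            return (f"auditd pid {f.get('pid')} could not register as the audit daemon: "
                    "another process already holds that role")
    return None


def listen_readlog(max_records: int = 10) -> List[Dict[str, object]]:
    """Join the read-only multicast group instead of registering as the daemon.
    Sends no AUDIT_SET, so it coexists with whoever owns the audit pid; needs
    CAP_AUDIT_READ (assumed) rather than CAP_AUDIT_CONTROL."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT)
    # AF_NETLINK address is (pid, groups): pid 0 lets the kernel pick a port id,
    # groups is a bitmask with bit (group - 1) set.
    sock.bind((0, 1 << (AUDIT_NLGRP_READLOG - 1)))
    out: List[Dict[str, object]] = []
    while len(out) < max_records:
        for msg_type, payload in iter_netlink_messages(sock.recv(65536)):
            out.append(parse_audit_record(payload.decode("utf-8", "replace"), msg_type))
    return out


if __name__ == "__main__":
    if "--listen" in sys.argv:            # Linux, with CAP_AUDIT_READ
        for rec in listen_readlog():
            print(rec["type"], rec["fields"])
    else:                                 # offline: explain the posted output
        parsed = [parse_audit_record(line) for line in SAMPLE_RECORDS]
        print(diagnose_daemon_records(parsed))
```

Run without arguments it parses the constructed records and reports why the second one aborted; run with `--listen` on a Linux host it prints records received from the multicast group without ever claiming the audit pid. If a listener of this kind is deployed in a DaemonSet like the one above, the container needs AUDIT_READ in its capability list (AUDIT_CONTROL and AUDIT_WRITE are only needed by the process that sets rules and the daemon pid).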

smira self-assigned this Jan 14, 2025
smira added a commit to smira/talos that referenced this issue Jan 16, 2025
Fixes siderolabs#9907

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
(cherry picked from commit db4ca56)