
auditd on talos 1.9 #9907

Open
stereobutter opened this issue Dec 10, 2024 · 3 comments

Comments

@stereobutter
Contributor

Feature Request

Provide a way to run user-provided auditd on talos v1.9.

Description

As per #9620, talos v1.9 comes with an auditd-like service. @frezbo told me the motivation for this feature is debugging SELinux policies. As the feature is implemented right now I believe this cannot run in tandem with a user-provided auditd since IIRC only one application may bind to the kernel's audit socket.

Possible solutions:

  • provide a control to disable talos auditd service
  • apparently there is a way to run additional listeners on the audit socket (see Use netlink multicast group to receive audit logs elastic/beats#4850). Could talos auditd feature use this instead of binding the audit socket exclusively? IMHO, it would also make sense to not call the talos audit feature auditd since it isn't a real instance (or 1:1 implementation) of auditd.
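As an added example (not code from this issue, from Talos, or from elastic/beats), a Go listener that does what the elastic/beats link describes: it joins the read-only NETLINK_AUDIT multicast group instead of registering itself as the audit daemon with AUDIT_SET, so it can run beside whichever process already holds the audit socket. It assumes a little-endian Linux host, the group number AUDIT_NLGRP_READLOG = 1 and the CAP_AUDIT_READ requirement from linux/audit.h; FrameAuditMessage and the record text are constructed sample input for the parser, not captured kernel output.

```go
package main

import (
	"encoding/binary"
	"strings"
	"syscall"
)

// AUDIT_NLGRP_READLOG (linux/audit.h) is the read-only multicast group on NETLINK_AUDIT.
// Joining it needs CAP_AUDIT_READ but does not take the single audit-daemon slot (AUDIT_SET pid).
const AUDIT_NLGRP_READLOG = 1

// OpenAuditListener joins the multicast group (Groups is a bitmask: group N is bit N-1).
func OpenAuditListener() (int, error) {
	fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW, syscall.NETLINK_AUDIT)
	if err != nil {
		return -1, err
	}
	sa := &syscall.SockaddrNetlink{Family: syscall.AF_NETLINK, Groups: 1 << (AUDIT_NLGRP_READLOG - 1)}
	if err := syscall.Bind(fd, sa); err != nil {
		syscall.Close(fd)
		return -1, err
	}
	return fd, nil // then loop: syscall.Recvfrom(fd, buf, 0) -> ParseAuditMessages(buf[:n])
}

// AuditRecord: Type is the record kind (1300 = AUDIT_SYSCALL, 1309 = AUDIT_EXECVE), Text the payload.
type AuditRecord struct{ Type uint16; Text string }

// ParseAuditMessages splits a recv(2) buffer into nlmsghdr-framed audit records.
func ParseAuditMessages(buf []byte) ([]AuditRecord, error) {
	msgs, err := syscall.ParseNetlinkMessage(buf)
	if err != nil {
		return nil, err
	}
	recs := make([]AuditRecord, 0, len(msgs))
	for _, m := range msgs {
		recs = append(recs, AuditRecord{m.Header.Type, strings.TrimRight(string(m.Data), "\x00")})
	}
	return recs, nil
}

// FrameAuditMessage builds one 4-byte-aligned netlink message; used only to construct sample input.
func FrameAuditMessage(typ uint16, text string) []byte {
	b := make([]byte, (syscall.NLMSG_HDRLEN+len(text)+3)&^3)
	binary.LittleEndian.PutUint32(b, uint32(syscall.NLMSG_HDRLEN+len(text)))
	binary.LittleEndian.PutUint16(b[4:], typ)
	copy(b[syscall.NLMSG_HDRLEN:], text)
	return b
}
```

Without CAP_AUDIT_READ the Bind call fails with EPERM, which is the check to run first when a second listener appears not to receive anything.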
@smira
Member

smira commented Dec 10, 2024

Talos auditd runs before any other service might bind to the audit logs, so running as a multicast group might not be possible.

Do you have a reproducer showing that auditd when deployed as a pod (or whatever way you deploy it) no longer works? If you do, we can look into that.

@stereobutter
Contributor Author

From linux-audit/audit-kernel#102 it seems it's possible to run as a listener without auditd (or another service binding the audit socket) around.

@smira
Member

smira commented Dec 10, 2024

Please show us a way to reproduce the problem, and we can look for a solution; a solution without a problem doesn't quite work.
