Setting up the Linux Auditing System
On Flatcar Container Linux, audit-rules.service loads the audit rules that set up the kernel's logging filters. The auditd.service daemon that collects the resulting audit records does not run by default; without it, the kernel still emits the records, but they only end up in the kernel log (and thus the journal) rather than in /var/log/audit/audit.log.
Enabling the standard rules or custom rules
By default there is an ignore rule that suppresses the standard rules, which means that certain PAM audit messages are not shown. It is also important to remove this default ignore rule when setting up your own rules, or otherwise they will be ignored, too. The following Butane Config overwrites the default ignore rule (leave the inline contents as just the comment to use only the standard rules):
    variant: flatcar
    version: 1.0.0
    storage:
      files:
        - path: /etc/audit/rules.d/99-default.rules
          overwrite: true
          contents:
            inline: |
              # custom rules may go here, can be empty to use only the standard rules
In addition to the above, it usually makes sense to enable auditd.service so that the records are written to disk; here is a Butane Config snippet for that:
    variant: flatcar
    version: 1.0.0
    systemd:
      units:
        - name: auditd.service
          enabled: true
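The two snippets above are normally combined into one Butane Config. The following is an added example, not taken from the Flatcar documentation, that replaces the default ignore rule with a small set of custom rules and enables auditd.service in a single config. The rules themselves (file watches keyed as identity, privilege and auditconfig, and an execve syscall rule keyed as exec) are assumptions chosen for illustration; they use standard auditctl rule syntax and are not Flatcar defaults.

```yaml
# Added example: replace the default ignore rule with custom audit rules
# and enable the auditd collector in one Butane Config (assumed content,
# not part of the original page or the Flatcar project).
variant: flatcar
version: 1.0.0
storage:
  files:
    - path: /etc/audit/rules.d/99-default.rules
      overwrite: true
      contents:
        inline: |
          # Overwriting this file drops the default ignore rule, so the
          # standard rules shipped with the image are active again.

          # Watch the identity and privilege files for writes and
          # attribute changes; -k tags matching records for ausearch.
          -w /etc/passwd -p wa -k identity
          -w /etc/shadow -p wa -k identity
          -w /etc/group -p wa -k identity
          -w /etc/sudoers -p wa -k privilege
          -w /etc/sudoers.d/ -p wa -k privilege

          # Watch the audit configuration itself so tampering with the
          # rules is recorded.
          -w /etc/audit/ -p wa -k auditconfig

          # Record every program execution. This is noisy on busy hosts;
          # keep it only if the record volume is acceptable.
          -a always,exit -F arch=b64 -S execve -k exec
          -a always,exit -F arch=b32 -S execve -k exec
systemd:
  units:
    - name: auditd.service
      enabled: true
```

After provisioning (or after restarting audit-rules.service on an existing machine), `auditctl -l` shows the rules that are actually loaded, and `ausearch -k identity` (or any of the other keys) returns the matching records once auditd.service is running.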