diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/changes/2022-02-15-auditd.md b/sdk_container/src/third_party/coreos-overlay/changelog/changes/2022-02-15-auditd.md new file mode 100644 index 0000000000..155bbf5715 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/changelog/changes/2022-02-15-auditd.md @@ -0,0 +1,2 @@ +- Added `auditd.service` but left it disabled by default, a custom configuration can be created by removing `/etc/audit/auditd.conf` and replacing it with an own file ([PR#1636](https://github.com/flatcar-linux/coreos-overlay/pull/1636)) + diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild index 9b96ede524..bdc585b9f2 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild @@ -42,17 +42,13 @@ src_prepare() { # Disable installing sample rules so they can be installed as docs. echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null - # Flatcar: Do not build daemon stuff. - sed -e '/^SUBDIRS =/s/audisp//' \ - -i Makefile.am || die # Flatcar: Some legacy stuff is being installed when systemd # is enabled. Drop all the lines that try doing it. sed -e '/${DESTDIR}${initdir}/d' \ -e '/${DESTDIR}${legacydir}/d' \ -i init.d/Makefile.am || die # Flatcar: Do not build daemon stuff. - sed -e '/^sbin_PROGRAMS =/s/auditd//' \ - -e '/^sbin_PROGRAMS =/s/aureport//' \ + sed -e '/^sbin_PROGRAMS =/s/aureport//' \ -e '/^sbin_PROGRAMS =/s/ausearch//' \ -i src/Makefile.am || die 
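Review bot: The comment `# Flatcar: Do not build daemon stuff.` kept above the rewritten sbin_PROGRAMS sed is now wrong, because the `s/auditd//` expression that dropped the daemon is exactly what this hunk removes and only aureport and ausearch are still stripped; it should read `# Flatcar: Do not build the ausearch and aureport tools.` Dropping the SUBDIRS sed at the top of the hunk also lets the audisp subdirectory build and install again, so the `# Flatcar: We are not installing audisp too.` comment that the next hunk shows as context in multilib_src_install_all probably no longer describes what lands under ${ED}; confirm what is installed and either update that comment or restore the filter. src_prepare continues outside the hunk.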
@@ -144,6 +140,11 @@ multilib_src_install_all() { # newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd # newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd + # Flatcar: install sample configuration + insinto /usr/share/auditd + doins "${S}"/init.d/auditd.conf + + # Flatcar: We are not installing audisp too. # [ -f "${ED}"/sbin/audisp-remote ] && \ # dodir /usr/sbin && \ @@ -151,7 +152,6 @@ multilib_src_install_all() { # Flatcar: Do not install gentoo rules. # Gentoo rules - # insinto /etc/audit # newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules # Flatcar: We are installing our own rules. insinto /usr/share/audit/rules.d @@ -160,15 +160,16 @@ multilib_src_install_all() { # doins "${FILESDIR}"/audit.rules.stop* # audit logs go here - # Flatcar: This is where auditd puts its logs. We don't have - # the daemon, so get rid of the unnecessary directory. - # keepdir /var/log/audit + keepdir /var/log/audit find "${ED}" -type f -name '*.la' -delete || die # Security lockdown_perms "${ED}" + # Flatcar: We add the systemd unit but don't enable it. + systemd_dounit init.d/auditd.service + # Flatcar: Our systemd stuff. newtmpfiles "${FILESDIR}"/audit-rules.tmpfiles audit-rules.conf systemd_dounit "${FILESDIR}"/audit-rules.service 
@@ -182,11 +183,13 @@ pkg_postinst() {
 lockdown_perms() {
 # Upstream wants these to have restrictive perms.
 # Should not || die as not all paths may exist.
- # Flatcar: No lockdown of permissions - it's probably only
- # related to auditd.
- # local basedir="${1}"
+ # Flatcar: We don't include ausearch and aureport
+ # so they're removed from the hardening list
+ local basedir="${1}"
 # chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
- # chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
+ chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,trace} 2>/dev/null
+ chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
 # chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
+ rm -f "${basedir}"/etc/audit/auditd.conf 2>/dev/null
 :
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
index 2c15b63d23..b7f9530cca 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
@@ -1,5 +1,6 @@
-d /etc/audit - - - - -
-d /etc/audit/rules.d - - - - -
-L /etc/audit/rules.d/00-clear.rules - - - - /usr/share/audit/rules.d/00-clear.rules
-L /etc/audit/rules.d/80-selinux.rules - - - - /usr/share/audit/rules.d/80-selinux.rules
-L /etc/audit/rules.d/99-default.rules - - - - /usr/share/audit/rules.d/99-default.rules
+d /etc/audit 750 - - - -
+C /etc/audit/auditd.conf 640 - - - /usr/share/auditd/auditd.conf
+d /etc/audit/rules.d 750 - - - -
+L /etc/audit/rules.d/00-clear.rules 640 - - - /usr/share/audit/rules.d/00-clear.rules
+L /etc/audit/rules.d/80-selinux.rules 640 - - - /usr/share/audit/rules.d/80-selinux.rules
+L /etc/audit/rules.d/99-default.rules 640 - - - /usr/share/audit/rules.d/99-default.rules
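Review bot: `rm -f "${basedir}"/etc/audit/auditd.conf 2>/dev/null` hides a file removal inside a function whose name and comments promise only permission changes, and the new comment above `local basedir` explains the shortened chmod list but says nothing about the removal. The install-time call `lockdown_perms "${ED}"` in multilib_src_install_all is visible in the previous hunk; if the file's pkg_postinst (the hunk header's enclosing function, and the "not all paths may exist" note suggests there is more than one caller) also invokes this function against the live root, every merge of the package would delete an administrator's /etc/audit/auditd.conf, the very file the changelog tells users to replace. Move the removal next to the `doins "${S}"/init.d/auditd.conf` line in multilib_src_install_all as `rm -f "${ED}"/etc/audit/auditd.conf || die` with the comment `# Flatcar: drop the packaged copy; tmpfiles seeds /etc/audit/auditd.conf from /usr/share/auditd at boot when it is missing`, and keep lockdown_perms limited to chmod.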
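Review bot: The `640` mode written on the three `L` lines has no effect, since tmpfiles.d(5) documents the mode field as ignored for L lines; who can read /etc/audit/rules.d/*.rules is decided by the target files under /usr/share/audit/rules.d, which this change does not touch. Either put `-` in those fields so the file does not suggest a restriction it never applies, or restrict the targets themselves in the ebuild, where lockdown_perms already does `chmod 0750` on the sbin tools and on /var/log/audit. The `d /etc/audit 750` and `C /etc/audit/auditd.conf 640` lines are consistent with the 0640 that the ebuild's commented-out upstream chmod intends for auditd.conf, so only the symlink lines need attention.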