diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/00-clear.rules b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/00-clear.rules
new file mode 100644
index 0000000000..f43e62771c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/00-clear.rules
@@ -0,0 +1,3 @@
+# First rule - delete all
+# This is to clear out old rules, so we don't append to them.
+-D
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/80-selinux.rules b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/80-selinux.rules
new file mode 100644
index 0000000000..627b17db3f
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/80-selinux.rules
@@ -0,0 +1,4 @@
+# Enable all SELinux related events
+# 1400 to 1499 are for kernel SELinux use (see /include/uapi/linux/audit.h)
+ -a exclude,never -F msgtype>=1400 -F msgtype<=1499
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/99-default.rules b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/99-default.rules
new file mode 100644
index 0000000000..cc373d8406
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/99-default.rules
@@ -0,0 +1,5 @@
+# Always report changes to the audit subsystem itself.
+-a exclude,never -F msgtype=CONFIG_CHANGE
+
+# Ignore everything else.
+-a exclude,always -F msgtype>0
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/audit-rules.service b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/audit-rules.service
new file mode 100644
index 0000000000..8c54802fb5
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/audit-rules.service
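Review bot: The header comment says "Enable all SELinux related events", but the `msgtype>=1400`/`msgtype<=1499` range on the rule line covers only kernel-generated SELinux records (the second comment line itself says "kernel SELinux use"); denials reported by userspace object managers arrive as USER_AVC, an 11xx user-space message type, and fall through to the catch-all `exclude,always` rule in 99-default.rules. Either narrow the comment to `# Keep all kernel SELinux events (AVC, policy load, status changes)` or, if userspace AVC messages are wanted as well, add `-a exclude,never -F msgtype=USER_AVC` alongside the range rule. The referenced header is `include/uapi/linux/audit.h` in a kernel tree; the leading slash in the comment makes it look like an absolute filesystem path.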
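Review bot: The catch-all `-a exclude,always -F msgtype>0` governs every later addition to rules.d, and nothing in the file says so: as far as I recall the exclude list is consulted when any record is logged, so syscall or watch rules an operator drops into a `50-*.rules` file will still be evaluated by the kernel, but their SYSCALL/PATH/PROCTITLE records are discarded by this line unless an `exclude,never` for those record types sorts before this file. That is the kind of thing that should be written down next to the rule, e.g. `# Any rule added to rules.d also needs an 'exclude,never' for the record types it produces (SYSCALL, PATH, ...) in a file that sorts before this one.` The same comment can state the ordering assumption this design depends on, namely that 80-selinux.rules and the CONFIG_CHANGE line above are processed before this drop rule.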
@@ -0,0 +1,16 @@
+[Unit]
+Description=Load Security Auditing Rules
+DefaultDependencies=no
+After=local-fs.target systemd-tmpfiles-setup.service
+Conflicts=shutdown.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=audit
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/augenrules --load
+ExecStop=-/sbin/auditctl -D
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild
index fd9bf07386..e0688455e7 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild
@@ -12,7 +12,7 @@ HOMEPAGE='https://www.flatcar.org/'
 LICENSE='Apache-2.0'
 SLOT='0'
 KEYWORDS='amd64 arm64'
-IUSE="openssh ntp policycoreutils"
+IUSE="audit ntp openssh policycoreutils"
 # No source directory.
 S="${WORKDIR}"
@@ -33,6 +33,7 @@ RDEPEND="
 >=app-shells/bash-5.2_p15-r2
 ntp? ( >=net-misc/ntp-4.2.8_p17 )
 policycoreutils? ( >=sys-apps/policycoreutils-3.6 )
+ audit? ( >=sys-process/audit-3.1.1 )
 "
 declare -A CORE_BASH_SYMLINKS
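Review bot: `ConditionSecurity=audit` only checks that the running kernel was built with audit support; if I read systemd's condition right it does not react to `audit=0` on the kernel command line, in which case `ExecStart=/sbin/augenrules --load` fails on every boot and the unit sits in a failed state. The upstream audit-rules.service guards this, as I recall, with `ConditionKernelCommandLine=!audit=0` and `ConditionKernelCommandLine=!audit=off`, which would fit directly under the existing condition line. Separately, `ExecStop=-/sbin/auditctl -D` means a plain `systemctl stop audit-rules.service` flushes the whole ruleset and the leading `-` hides any failure of that flush; that is consistent with the shutdown ordering above, but a one-line comment such as `# Stopping the unit removes all loaded rules (mirrors shutdown.target ordering)` would make the consequence visible to whoever touches this unit next.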
@@ -99,10 +100,12 @@ src_install() {
 ['/usr/lib/selinux/mcs']='/usr/share/flatcar/etc/selinux/mcs'
 ['/usr/lib/selinux/semanage.conf']='/usr/share/flatcar/etc/selinux/semanage.conf'
 )
- if use openssh; then
+ if use audit; then
 compat_symlinks+=(
- ['/usr/share/ssh/ssh_config']='/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf'
- ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf'
+ ['/usr/share/audit/rules.d/00-clear.rules']='/usr/share/flatcar/etc/audit/rules.d/00-clear.rules'
+ ['/usr/share/audit/rules.d/80-selinux.rules']='/usr/share/flatcar/etc/audit/rules.d/80-selinux.rules'
+ ['/usr/share/audit/rules.d/99-default.rules']='/usr/share/flatcar/etc/audit/rules.d/99-default.rules'
+ ['/usr/share/auditd/auditd.conf']='/usr/share/flatcar/etc/audit/auditd.conf'
 )
 fi
 if use ntp; then
@@ -110,6 +113,12 @@ src_install() {
 ['/usr/share/ntp/ntp.conf']='/usr/share/flatcar/etc/ntp.conf'
 )
 fi
+ if use openssh; then
+ compat_symlinks+=(
+ ['/usr/share/ssh/ssh_config']='/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf'
+ ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf'
+ )
+ fi
 local link target
 for link in "${!compat_symlinks[@]}"; do
@@ -149,6 +158,21 @@ src_install() {
 fowners --no-dereference 500:500 "${link}"
 done
+ if use audit; then
+ # Install our rules.
+ insinto /etc/audit/rules.d
+ for name in 00-clear.rules 80-selinux.rules 99-default.rules; do
+ doins "${FILESDIR}/audit/${name}"
+ # Upstream wants these to have restrictive perms.
+ fperms 0640 "/etc/audit/rules.d/${name}"
+ done
+ # Install a service that loads the rules (it's possibly
+ # something that a deamon does, but in our case the daemon is
+ # disabled by default).
+ systemd_dounit "${FILESDIR}/audit/audit-rules.service"
+ systemd_enable_service multi-user.target audit-rules.service
+ fi
+
 if use ntp; then
 insinto /etc
 doins "${FILESDIR}/ntp/ntp.conf"
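Review bot: The new `['/usr/share/auditd/auditd.conf']` compat link points at `/usr/share/flatcar/etc/audit/auditd.conf`, which nothing in this commit installs; the audit block added to src_install further down only ships the three rules files and the unit. Presumably the file is expected from sys-process/audit (now in RDEPEND), but if that package's install path ever changes the link dangles silently, since the visible part of the link loop only adjusts ownership. A short comment on that entry naming the provider, e.g. `# auditd.conf itself is installed by sys-process/audit`, would make the cross-package assumption explicit. The `compat_symlinks` array and src_install both start outside this hunk.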
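Review bot: `name` in the new `for name in 00-clear.rules 80-selinux.rules 99-default.rules; do` loop is not declared `local`, unlike `local link target` a few lines earlier in the same function, so it leaks into the ebuild's global scope; add `local name` before the `if use audit` block (or just before the loop). The comment above `systemd_dounit` has a typo, "deamon" should read "daemon". Also, 80-selinux.rules is installed whenever `use audit` is set, independently of the `policycoreutils` USE flag this ebuild also carries; it is harmless on a non-SELinux image because the rule only prevents exclusion of records that never occur, but if that is deliberate a comment such as `# 80-selinux.rules is a no-op without SELinux, so it is not gated on policycoreutils` would spare the next reader the question. src_install continues past the end of this hunk.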