mirror of
https://github.com/flatcar/scripts.git
synced 2025-10-14 00:41:18 +02:00
This includes the `auditd` binary and systemd unit as part of the distro. While journald is also able to handle logs from the Linux audit subsystem, auditd provides audit-specific capabilities that are necessary in deployments subject to regulatory compliance. For one, an administrator is able to configure audit log writing policy to ensure that logs land on disk and nothing is missed (`flush`). We wouldn't want such policy through journald as it would sync and ensure all logs, which might be undesirable and too resource intensive. In short, this allows us to configure different management policies for audit logs compared to general logs. It allows us to explicitly configure the node's reaction to errors such as the disk being full, the disk having other issues or space constraints. While Flatcar is not Common Criteria certified, which would require the system to shut down if audit logs present issues (not written or collected), some FedRAMP environments do require actions such as notifications (which could be achieved via syslog). This can be explicitly done with auditd as well.

Co-authored-by: Kai Lüke <pothos@users.noreply.github.com>
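As an added illustration, not part of this commit or of the flatcar/scripts repository, an `/etc/audit/auditd.conf` fragment contrasting settings that let audit records disappear silently with a durability and failure-handling policy of the kind the message describes; the numeric thresholds are assumed values to be tuned per deployment.

```ini
# Added example, not from the flatcar/scripts repository.
# auditd.conf: audit-log durability and failure-handling policy.

# --- Weak: records can be lost without any signal ---
# flush = none               # records stay buffered, never forced to disk
# disk_full_action = ignore  # keep running silently when the log disk is full
# disk_error_action = ignore # disk I/O errors on the audit log go unreported
# space_left_action = ignore # no warning as the audit partition fills up

# --- Hardened (assumed thresholds; tune per deployment) ---
log_file = /var/log/audit/audit.log
log_format = ENRICHED
# Write every record through to disk; fsync is done asynchronously so that
# only the audit stream pays the sync cost, not all logging as with journald.
flush = incremental_async
freq = 50
# Rotate at 8 MB and keep 5 files instead of stopping or overwriting.
max_log_file = 8
max_log_file_action = rotate
num_logs = 5
# Notify via syslog when free space (MB) runs low, and again when critical.
space_left = 75
space_left_action = syslog
admin_space_left = 50
admin_space_left_action = syslog
# A full or failing audit disk is reported rather than ignored. A Common
# Criteria profile would require halt or single here; the FedRAMP-style
# notification requirement mentioned above is met with syslog.
disk_full_action = syslog
disk_error_action = syslog
```

After editing the file, `auditctl -s` reports the running daemon's state and `systemctl restart auditd` (or `service auditd restart` where the unit refuses manual restarts) applies the new policy.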