From 696cc0144fe7954e7ecd42f49853b6e77396cef7 Mon Sep 17 00:00:00 2001
From: Evgenii Ianiuk
Date: Mon, 9 Feb 2026 20:07:06 +0000
Subject: [PATCH] add a daemonset yaml for disabling auditd logging

fixes: #66
---
 troubleshooting/os-audit/README.md | 36 ++++++++-
 .../os-audit/cos-auditd-logging-disable.yaml | 78 +++++++++++++++++++
 .../os-audit/cos-auditd-logging.yaml | 7 +-
 3 files changed, 115 insertions(+), 6 deletions(-)
 create mode 100644 troubleshooting/os-audit/cos-auditd-logging-disable.yaml

diff --git a/troubleshooting/os-audit/README.md b/troubleshooting/os-audit/README.md
index 09c5156..56be163 100644
--- a/troubleshooting/os-audit/README.md
+++ b/troubleshooting/os-audit/README.md
@@ -1,4 +1,32 @@
-The os-audit tool is the example code for
-[enabling Linux auditd logs on GKE nodes](https://cloud.google.com/kubernetes-engine/docs/how-to/linux-auditd-logging),
-which documents how to enable verbose operating system audit logs on Google
-Kubernetes Engine nodes running Container-Optimized OS.
+The os-audit tools provide example code for
+[managing Linux auditd logs on GKE nodes](https://cloud.google.com/kubernetes-engine/docs/how-to/linux-auditd-logging),
+which documents how to enable and disable verbose operating system audit logs on
+Google Kubernetes Engine nodes running Container-Optimized OS.
+
+#### Available Tools
+
+- `cos-auditd-logging.yaml`: A DaemonSet that enables and starts the
+  `cloud-audit-setup` and `audit-rules` services on the host.
+
+  Deployment:
+
+  ```sh
+  export CLUSTER_NAME= # e.g. 'cluster-1'
+  export CLUSTER_LOCATION= # e.g. 'us-central1-c'
+
+  envsubst '$CLUSTER_NAME,$CLUSTER_LOCATION' < cos-auditd-logging.yaml | kubectl apply -f -
+  ```
+
+- `cos-auditd-logging-disable.yaml`: A DaemonSet that disables these services
+  to revert changes and restore the default node logging state.
+
+  **Note**: Before deploying this DaemonSet, delete the `cos-auditd-logging`
+  DaemonSet and wait for all associated Pods to be deleted. Once the
+  `cleanup-auditd` DaemonSet (`cos-auditd-logging-disable.yaml`) has
+  successfully rolled out to all nodes, it can be deleted.
+
+  Deployment:
+
+  ```sh
+  kubectl apply -f cos-auditd-logging-disable.yaml
+  ```
diff --git a/troubleshooting/os-audit/cos-auditd-logging-disable.yaml b/troubleshooting/os-audit/cos-auditd-logging-disable.yaml
new file mode 100644
index 0000000..3d38afd
--- /dev/null
+++ b/troubleshooting/os-audit/cos-auditd-logging-disable.yaml
@@ -0,0 +1,78 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cos-auditd
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: cleanup-auditd
+  namespace: cos-auditd
+  annotations:
+    kubernetes.io/description: 'DaemonSet that disables Linux auditd logging on non-Autopilot COS nodes.'
+spec:
+  selector:
+    matchLabels:
+      name: cleanup-auditd
+  template:
+    metadata:
+      labels:
+        name: cleanup-auditd
+    spec:
+      hostPID: true
+      initContainers:
+      - name: auditd-disabler
+        image: gke.gcr.io/gke-distroless/bash
+        command:
+        - /bin/bash
+        - -c
+        - |
+          echo "Disabling auditd services..."
+          chroot /host systemctl disable --now cloud-audit-setup.service || echo "cloud-audit-setup already disabled or not found."
+          chroot /host systemctl disable --now audit-rules.service || echo "audit-rules already disabled or not found."
+          echo "Auditd configuration complete."
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: host
+          mountPath: /host
+        resources:
+          requests:
+            memory: 10Mi
+            cpu: 10m
+          limits:
+            cpu: 50m
+            memory: 32Mi
+      containers:
+      - name: pause
+        image: gke.gcr.io/pause:3.8
+        resources:
+          requests:
+            cpu: 10m
+            memory: 10Mi
+          limits:
+            cpu: 10m
+            memory: 10Mi
+      volumes:
+      - name: host
+        hostPath:
+          path: /
+      tolerations:
+      - effect: NoSchedule
+        operator: Exists
+      - effect: NoExecute
+        operator: Exists
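Review bot: The `|| echo ...` fallbacks on the two `systemctl disable --now` lines of the `auditd-disabler` script turn every failure into success, so a node where systemctl or D-Bus refuses the call still reports the DaemonSet as rolled out while auditd keeps running, and the README's instruction to delete `cleanup-auditd` after rollout then removes the only evidence. Only the unit-not-found case is benign; any other failure, or the unit still being active afterwards, should fail the init container so the pod stays Pending and the rollout status shows it, as in the rewrite below. Separately, nothing in this manifest restricts scheduling to COS nodes, so the privileged `hostPID` init container with `/` mounted runs on every node pool in the cluster; if `cos-auditd-logging.yaml` carries a `nodeSelector` for `cloud.google.com/gke-os-distribution: cos` (not visible in this diff), mirror it here, and the annotation's "COS nodes" claim argues for one regardless.
```yaml
        - |
          set -eu
          for unit in cloud-audit-setup.service audit-rules.service; do
            # A missing unit is the only tolerated failure; anything else must surface.
            if ! chroot /host systemctl cat "$unit" >/dev/null 2>&1; then
              echo "$unit not found on this node; skipping."
              continue
            fi
            chroot /host systemctl disable --now "$unit"
            if chroot /host systemctl is-active --quiet "$unit"; then
              echo "ERROR: $unit is still active after disable" >&2
              exit 1
            fi
          done
          echo "Auditd configuration complete."
# … unchanged: securityContext, volumeMounts, resources, pause container, volumes, tolerations …
```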
diff --git a/troubleshooting/os-audit/cos-auditd-logging.yaml b/troubleshooting/os-audit/cos-auditd-logging.yaml
index 7356161..46f86aa 100644
--- a/troubleshooting/os-audit/cos-auditd-logging.yaml
+++ b/troubleshooting/os-audit/cos-auditd-logging.yaml
@@ -39,8 +39,11 @@ spec:
       dnsPolicy: Default
       initContainers:
       - name: cos-auditd-setup
-        image: ubuntu
-        command: ["chroot", "/host", "systemctl", "start", "cloud-audit-setup"]
+        image: gke.gcr.io/gke-distroless/bash
+        command:
+        - /bin/bash
+        - -c
+        - "chroot /host systemctl enable --now cloud-audit-setup.service"
         securityContext:
           privileged: true
         volumeMounts:
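Review bot: The new `command` enables only `cloud-audit-setup.service`, while the README added in this same patch says this DaemonSet "enables and starts the `cloud-audit-setup` and `audit-rules` services" and the companion disable manifest explicitly disables both units. If `audit-rules.service` is pulled in by `cloud-audit-setup.service` (I cannot confirm that from the diff), a comment above `command:` should say so, e.g. `# audit-rules.service is started as a dependency of cloud-audit-setup.service`; otherwise the script should enable it too: `- "chroot /host systemctl enable --now cloud-audit-setup.service audit-rules.service"`. Switching from `start` to `enable --now` also changes the node-side effect from a one-off start to a persistent enablement, which deserves a sentence in the README so operators know what the disable manifest has to undo. The enclosing DaemonSet spec begins and ends outside this hunk.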