veilor-os/overlay/etc/audit/plugins.d/veilor-remote.conf

# veilor-os audit remote shipping (DISABLED by default)
#
# IMPORTANT: enabling remote audit shipping leaks security events off-device.
# Only enable if you have a trusted log collector (Loki / Wazuh / Splunk).
# The remote endpoint will see every privileged syscall, file watch hit,
# auth event, and sudoers change. Treat the collector with the same trust
# level as the host root account.
#
# Enable:
#   1. Edit `active = yes` below.
#   2. Configure /etc/audisp/audisp-remote.conf (see audisp-remote.conf.disabled).
#   3. systemctl restart auditd.
#   4. Verify with: auditctl -s | grep enabled
#
# Plugin pipes audit events out of auditd via a UNIX socket; audisp-remote
# reads from that socket and forwards to the configured remote_server.

active = no
direction = out
path = builtin_af_unix
type = builtin
args = /var/run/audit_events
format = string
sec: AppArmor profile skeletons + audit shipping draft + veilor-firstboot SELinux module (#3) Co-authored-by: veilor-org <admin@veilor.org> 2026-05-02 04:39:39 +01:00			`# veilor-os audit remote shipping (DISABLED by default)`
			`#`
			`# IMPORTANT: enabling remote audit shipping leaks security events off-device.`
			`# Only enable if you have a trusted log collector (Loki / Wazuh / Splunk).`
			`# The remote endpoint will see every privileged syscall, file watch hit,`
			`# auth event, and sudoers change. Treat the collector with the same trust`
			`# level as the host root account.`
			`#`
			`# Enable:`
			# 1. Edit `active = yes` below.
			`# 2. Configure /etc/audisp/audisp-remote.conf (see audisp-remote.conf.disabled).`
			`# 3. systemctl restart auditd.`
			`# 4. Verify with: auditctl -s \| grep enabled`
			`#`
			`# Plugin pipes audit events out of auditd via a UNIX socket; audisp-remote`
			`# reads from that socket and forwards to the configured remote_server.`

			`active = no`
			`direction = out`
			`path = builtin_af_unix`
			`type = builtin`
			`args = /var/run/audit_events`
			`format = string`