diff --git a/pkg/auditd/Dockerfile b/pkg/auditd/Dockerfile
new file mode 100644
index 000000000..7b2e3170e
--- /dev/null
+++ b/pkg/auditd/Dockerfile
@@ -0,0 +1,29 @@
+FROM linuxkit/alpine:cdb4e4d12ada4071a6c6a60bf4c14d35171ffae8 AS build
+RUN apk add abuild gcc git
+
+ADD build.sh /
+RUN adduser -D -G abuild builder && sudo -u builder /build.sh
+
+FROM linuxkit/alpine:cdb4e4d12ada4071a6c6a60bf4c14d35171ffae8 AS mirror
+COPY --from=build /home/builder/*apk /
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --initdb -p /out alpine-baselayout tini
+RUN apk add --allow-untrusted -p /out /*apk
+
+# Remove apk residuals. We have a read-only rootfs, so apk is of no use.
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+
+FROM scratch
+ENTRYPOINT []
+CMD []
+WORKDIR /
+COPY --from=mirror /out/ /
+
+COPY auditd.conf /etc/audit
+COPY audit.rules /etc/audit
+COPY runaudit.sh /usr/bin
+
+CMD ["/sbin/tini", "/usr/bin/runaudit.sh"]
+
+LABEL org.mobyproject.config='{"pid": "host", "binds": ["/var/log:/var/log"], "capabilities": ["CAP_AUDIT_CONTROL", "CAP_AUDIT_READ", "CAP_AUDIT_WRITE", "CAP_SYS_NICE"]}'
diff --git a/pkg/auditd/Makefile b/pkg/auditd/Makefile
new file mode 100644
index 000000000..170e09f0f
--- /dev/null
+++ b/pkg/auditd/Makefile
@@ -0,0 +1,3 @@
+include ../package.mk
+
+IMAGE?=auditd
diff --git a/pkg/auditd/audit.rules b/pkg/auditd/audit.rules
new file mode 100644
index 000000000..5bc172212
--- /dev/null
+++ b/pkg/auditd/audit.rules
@@ -0,0 +1,12 @@
+## First rule - delete all
+-D
+
+## Increase the buffers to survive stress events.
+## Make this bigger for busy systems
+-b 8192
+
+## This determine how long to wait in burst of events
+--backlog_wait_time 0
+
+## Set failure mode to syslog
+-f 1
diff --git a/pkg/auditd/auditd.conf b/pkg/auditd/auditd.conf
new file mode 100644
index 000000000..a9bf4c9db
--- /dev/null
+++ b/pkg/auditd/auditd.conf
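Review bot: The three `COPY` lines after `COPY --from=mirror /out/ /` give destinations without a trailing slash, so `COPY auditd.conf /etc/audit` only copies into a directory if `/etc/audit` already exists as one in the mirror output; if the package built by build.sh does not create it, the file itself becomes `/etc/audit` and the following `COPY audit.rules /etc/audit` overwrites it. Stating the intent removes that dependency on the package layout: `COPY auditd.conf audit.rules /etc/audit/` and `COPY runaudit.sh /usr/bin/`. Separately, `ADD build.sh /` copies a plain local file and should be `COPY build.sh /`, and `apk add --allow-untrusted -p /out /*apk` is acceptable only because the `.apk` files come from the `build` stage of this same image — worth a comment on that line such as `# unsigned: packages were built in the build stage above`.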
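Review bot: The rule set in audit.rules configures only the backlog (`-b 8192`), `--backlog_wait_time 0` and the failure mode (`-f 1`) and contains no `-w`/`-a` rules, so after `auditctl -R` loads it nothing is audited beyond what the kernel emits on its own; if that is the intended baseline, the header comment should say so, e.g. `## Baseline only: no watch/syscall rules are defined here; add -w/-a rules below`. If I read auditctl's semantics correctly, `--backlog_wait_time 0` also means the kernel does not wait when the backlog is full, so a burst beyond 8192 pending events is handled by the `-f 1` failure mode rather than queued — worth stating beside that line, since the existing comment only calls it a wait time.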
@@ -0,0 +1,32 @@
+#
+# This file controls the configuration of the audit daemon
+#
+
+local_events = yes
+write_logs = no
+log_format = RAW
+flush = INCREMENTAL_ASYNC
+freq = 50
+priority_boost = 4
+disp_qos = lossy
+dispatcher = /sbin/audispd
+name_format = NONE
+##name = mydomain
+max_log_file_action = ROTATE
+space_left = 75
+space_left_action = SYSLOG
+action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = SUSPEND
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+use_libwrap = yes
+##tcp_listen_port =
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+enable_krb5 = no
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key
+distribute_network = no
diff --git a/pkg/auditd/runaudit.sh b/pkg/auditd/runaudit.sh
new file mode 100755
index 000000000..3bf1b9e92
--- /dev/null
+++ b/pkg/auditd/runaudit.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+# load the audit rules into the kernel
+auditctl -R /etc/audit/audit.rules
+exec /sbin/auditd -f
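Review bot: With `write_logs = no` auditd writes no local log at all, so the only path for events out of this daemon is `dispatcher = /sbin/audispd`; if the package built by build.sh does not ship audispd with a plugin that forwards events (e.g. to syslog), everything is dropped silently. The Dockerfile's LABEL binds `/var/log` from the host, which suggests logs are expected there, yet nothing in this config writes to it — worth confirming which is intended and recording it in the header comment, e.g. `# write_logs=no: events are handed to audispd, not written under /var/log/audit`. The network listener stays disabled (`##tcp_listen_port =`), which is the right default for a host-audit container.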
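Review bot: `auditctl -R /etc/audit/audit.rules` can fail (a rejected rule, or the container lacking CAP_AUDIT_CONTROL) and the script still `exec`s auditd, so the daemon starts with whatever rules were already loaded and nothing signals the error. Abort on failure instead: `auditctl -R /etc/audit/audit.rules || exit 1`, or add `set -e` after the shebang. The `exec` on the last line is right — auditd replaces the shell and receives signals from tini directly.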