Container Linux includes auditctl and loads /etc/audit/rules.d/* on boot. We are in the process of writing a guide for auditctl usage. The journal collects and stores the audit data.
The default rules in /etc/audit/rules.d that are loaded on boot filter out everything. Users need to run
auditctl -D to clear the default rules, or insert a rule before the default rules in /etc/audit/rules.d/.
To confirm that the service is running without errors, run sudo systemctl restart audit-rules.service, sudo journalctl -u audit-rules.service | grep audit and sudo auditctl -s.
auditd should work with SELinux in Enforcing mode.
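As an added example (not from the Container Linux project or the text above), the following shell functions stage a custom rules file so that it sorts ahead of the default "filter everything" rule, and print the effective rule order without touching the running kernel. It assumes the boot-time loader concatenates /etc/audit/rules.d/*.rules in lexical filename order and that the default file is named 10-*.rules; the file name 05-identity.rules, the watch rules and the -a task,never stand-in are constructed for the example.

```shell
#!/bin/sh
# Added example: get a custom audit rule loaded before the default rule
# that filters out everything, by giving it a filename that sorts first.
# Assumption: rule files are loaded in lexical filename order, and the
# shipped default file sorts as 10-*.rules (both are assumptions here).

# Write a rules file watching the identity files for writes and attribute
# changes (-p wa), tagged with key "identity" so events can be searched.
# Usage: write_watch_rule /etc/audit/rules.d   (as root on a real host)
write_watch_rule() {
  dir="$1"
  cat > "$dir/05-identity.rules" <<'EOF'
# Constructed example rule: record writes/attribute changes to identity files
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
EOF
  printf '%s\n' "$dir/05-identity.rules"
}

# Print the rules in the order the loader is assumed to apply them:
# files in lexical order, comments and blank lines dropped. A rule that
# appears after "-a task,never" in this listing would never take effect.
effective_rules() {
  for f in "$1"/*.rules; do
    grep -v '^[[:space:]]*#' "$f"
  done | grep -v '^[[:space:]]*$'
}

# Return 0 if the first effective rule is not the "never" filter, i.e. the
# custom rule really is evaluated before the default rule.
custom_rule_loads_first() {
  first=$(effective_rules "$1" | head -n 1)
  case "$first" in
    *never*) return 1 ;;
    *)       return 0 ;;
  esac
}

# On a real host, after staging the file: restart audit-rules.service
# (as the page describes) and inspect the loaded rules with auditctl -l.
```
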