diff --git a/conf/distro/include/omnect-os-kernel.conf b/conf/distro/include/omnect-os-kernel.conf
index 5a713e70..7824c116 100644
--- a/conf/distro/include/omnect-os-kernel.conf
+++ b/conf/distro/include/omnect-os-kernel.conf
@@ -7,6 +7,7 @@ OMNECT_KERNEL_SRC_URI_LTE = " \
 "
 OMNECT_KERNEL_SRC_URI = " \
+ file://audit.cfg \
 file://cpu_freq_default_gov_schedutil.cfg \
 file://enable-overlayfs.cfg \
 file://enable-cifs.cfg \
diff --git a/recipes-core/systemd/systemd_%.bbappend b/recipes-core/systemd/systemd_%.bbappend
index 2ddb9550..5bcf196e 100644
--- a/recipes-core/systemd/systemd_%.bbappend
+++ b/recipes-core/systemd/systemd_%.bbappend
@@ -56,11 +56,9 @@ do_install:append() {
 [ -n "${JOURNALD_RuntimeMaxFiles}" ] && sed -i 's/^#RuntimeMaxFiles=/RuntimeMaxFiles=${JOURNALD_RuntimeMaxFiles} /' ${D}${sysconfdir}/systemd/journald.conf
 [ -n "${JOURNALD_ForwardToSyslog}" ] && sed -i -E 's/^#ForwardToSyslog=(.*)/ForwardToSyslog=${JOURNALD_ForwardToSyslog} /' ${D}${sysconfdir}/systemd/journald.conf
- # delete systemd-journald-audit.socket if audit is not in DISTRO_FEATURES
- if ${@bb.utils.contains('DISTRO_FEATURES', 'audit', 'false', 'true', d)}; then
- rm -f ${D}${systemd_system_unitdir}/sockets.target.wants/systemd-journald-audit.socket
- rm -f ${D}${systemd_system_unitdir}/systemd-journald-audit.socket
- fi
+ # delete systemd-journald-audit.socket - we don't use this feature (yet)
+ rm -f ${D}${systemd_system_unitdir}/sockets.target.wants/systemd-journald-audit.socket
+ rm -f ${D}${systemd_system_unitdir}/systemd-journald-audit.socket
 # sync time on sysinit
 install -d ${D}${sysconfdir}/systemd/system/sysinit.target.wants
diff --git a/recipes-kernel/linux/files/audit.cfg b/recipes-kernel/linux/files/audit.cfg
new file mode 100644
index 00000000..a51f8655
--- /dev/null
+++ b/recipes-kernel/linux/files/audit.cfg
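Review bot: In `recipes-core/systemd/systemd_%.bbappend` the two `rm -f` lines now run unconditionally, so a build that lists `audit` in `DISTRO_FEATURES` also loses `systemd-journald-audit.socket`, while this same commit switches on `CONFIG_AUDIT` and `CONFIG_AUDITSYSCALL` in the kernel. Nothing in the visible hunks shows which userspace component is meant to collect the audit records, and as far as I know syscall auditing stays off until a userspace client or the `audit=1` boot parameter enables it, so the new kernel options may produce no usable audit trail. The comment "we don't use this feature (yet)" does not tell a maintainer where the records are expected to go. I would state that in the comment, e.g. `# journald audit socket removed on purpose: audit records are collected by <collector>, not journald`, where `<collector>` is a placeholder for whatever the image ships. `do_install:append()` starts and ends outside this hunk, so this is based only on the lines shown.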
@@ -0,0 +1,7 @@
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_SECURITY_NETWORK=y
+# AUDIT option might depend on APPARMOR option so enable it; but keep DAC as
+# default
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_DEFAULT_SECURITY_DAC=y
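Review bot: The fragment sets `CONFIG_SECURITY_NETWORK=y` and `CONFIG_SECURITY_APPARMOR=y` without `CONFIG_SECURITY=y`, which both depend on in mainline Kconfig. Unless the defconfig or another fragment already enables it (not visible here), the two options are dropped from the final .config without an error. The comment's reason is also a guess ("might depend"): in mainline it is AppArmor that selects `AUDIT`, not the reverse, so `CONFIG_AUDIT=y` and `CONFIG_AUDITSYSCALL=y` should be enough on their own, and building in an LSM that is never activated only adds kernel code. I would either drop the three security lines or add `CONFIG_SECURITY=y` and reword the comment to say what is intended, e.g. `# AppArmor is built in but not the default LSM; DAC stays the default`. On newer kernels the LSMs active at boot come from `CONFIG_LSM` or the `lsm=` parameter, which this fragment does not set, so the final .config is worth checking.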