Commit 439d68b5 authored by nikstur

nixos/audit: fix journald test

Makes the audit module responsible for setting up the audit subsystem of
the kernel. The auditd module is now only responsible for setting up the
daemon.

Enable the audit subsystem early via kernelParams.

Increase the default audit backlog limit so that it works out of the box
for a normal system.

Remove a superfluous and pointless test case.
parent 1311b9c4
+15 −1
@@ -53,7 +53,9 @@ in

      backlogLimit = lib.mkOption {
        type = lib.types.int;
        default = 64; # Apparently the kernel default
        # Significantly increase from the kernel default of 64 because a
        # normal systems generates way more logs.
        default = 1024;
        description = ''
          The maximum number of outstanding audit buffers allowed; exceeding this is
          considered a failure and handled in a manner specified by failureMode.
@@ -81,6 +83,18 @@ in
  };

  config = lib.mkIf (cfg.enable == "lock" || cfg.enable) {
    boot.kernelParams = [
      # A lot of audit events happen before the systemd service starts. Thus
      # enable it via the kernel commandline to have the audit subsystem ready
      # as soon as the kernel starts.
      "audit=1"
      # Also set the backlog limit because the kernel default is too small to
      # capture all of them before the service starts.
      "audit_backlog_limit=${toString cfg.backlogLimit}"
    ];

    environment.systemPackages = [ pkgs.audit ];

    systemd.services.audit-rules = {
      description = "Load Audit Rules";
      wantedBy = [ "sysinit.target" ];
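Review bot: The backlog limit is now interpolated straight onto the kernel command line in `"audit_backlog_limit=${toString cfg.backlogLimit}"`, but the option's declared type, `lib.types.int` (visible as context in the first hunk), still admits zero and negative values; as far as I can tell the kernel treats zero as "no limit", which quietly defeats the failureMode handling the option description promises, and a negative value yields a parameter the kernel will reject or misparse at boot. Tightening the declaration to `type = lib.types.ints.positive;` turns those values into an evaluation error instead of a boot-time surprise. A small wording fix for the new comment as well: `# normal system generates way more logs.`. The `systemd.services.audit-rules` attribute set opened on the last lines of the hunk continues outside it.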
+1 −3
@@ -202,11 +202,9 @@ in
      }
    ];

    # Starting auditd should also enable loading the audit rules..
    # Starting the userspace daemon should also enable audit in the kernel
    security.audit.enable = lib.mkDefault true;

    environment.systemPackages = [ pkgs.audit ];

    # setting this to anything other than /etc/audit/plugins.d will break, so we pin it here
    security.auditd.settings.plugin_dir = "/etc/audit/plugins.d";

+5 −2
@@ -16,6 +16,7 @@
          rules = [
            "-a always,exit -F exe=${lib.getExe pkgs.hello} -k nixos-test"
          ];
          backlogLimit = 512;
        };
        security.auditd = {
          enable = true;
@@ -34,7 +35,9 @@
    machine.wait_for_unit("auditd.service")

    with subtest("Audit subsystem gets enabled"):
      assert "enabled 1" in machine.succeed("auditctl -s")
      audit_status = machine.succeed("auditctl -s")
      t.assertIn("enabled 1", audit_status)
      t.assertIn("backlog_limit 512", audit_status)

    with subtest("unix socket plugin activated"):
      machine.succeed("stat /var/run/audispd_events")
@@ -45,7 +48,7 @@

    with subtest("Stopping audit-rules.service disables the audit subsystem"):
      machine.succeed("systemctl stop audit-rules.service")
      assert "enabled 0" in machine.succeed("auditctl -s")
      t.assertIn("enabled 0", machine.succeed("auditctl -s"))
  '';

}
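Review bot: The "Audit subsystem gets enabled" subtest in the second hunk verifies that the backlog limit was applied but not that it was sufficient, which is the stated motivation for moving `audit_backlog_limit` onto the kernel command line: events emitted before auditd starts should no longer be dropped. `auditctl -s` reports the kernel's dropped-event counter as `lost N`, so adding `t.assertIn("lost 0", audit_status)` next to the backlog assertion would turn the commit's goal into a regression check rather than leaving it implied. The final subtest's expectation that stopping audit-rules.service yields `enabled 0` presumably depends on that unit's stop action, which is defined in the module rather than in this test, so a one-line comment such as `# audit-rules.service is expected to run auditctl -e 0 on stop` would help readers who only see this file.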
+0 −11
@@ -12,16 +12,10 @@
  nodes.auditd = {
    security.auditd.enable = true;
    security.audit.enable = true;
    environment.systemPackages = [ pkgs.audit ];
    boot.kernel.sysctl."kernel.printk_ratelimit" = 0;
    boot.kernelParams = [ "audit_backlog_limit=8192" ];
  };
  nodes.journaldAudit = {
    services.journald.audit = true;
    security.audit.enable = true;
    environment.systemPackages = [ pkgs.audit ];
    boot.kernel.sysctl."kernel.printk_ratelimit" = 0;
    boot.kernelParams = [ "audit_backlog_limit=8192" ];
  };
  nodes.containerCheck = {
    containers.c1 = {
@@ -56,11 +50,6 @@
      journaldAudit.succeed("journalctl _TRANSPORT=audit --grep 'unit=systemd-journald'")
      # logs should NOT end up in audit log
      journaldAudit.fail("grep 'unit=systemd-journald' /var/log/audit/audit.log")
      # FIXME: If systemd fixes #15324 this test will start failing.
      # You can fix this text by removing the below line.
      # logs ideally should NOT end up in kmesg, but they do due to
      # https://github.com/systemd/systemd/issues/15324
      journaldAudit.succeed("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'")


    with subtest("container systemd-journald-audit not running"):