Loading nixos/modules/security/audit.nix +15 −1 Original line number Diff line number Diff line Loading @@ -53,7 +53,9 @@ in backlogLimit = lib.mkOption { type = lib.types.int; default = 64; # Apparently the kernel default # Significantly increase from the kernel default of 64 because a # normal systems generates way more logs. default = 1024; description = '' The maximum number of outstanding audit buffers allowed; exceeding this is considered a failure and handled in a manner specified by failureMode. Loading Loading @@ -81,6 +83,18 @@ in }; config = lib.mkIf (cfg.enable == "lock" || cfg.enable) { boot.kernelParams = [ # A lot of audit events happen before the systemd service starts. Thus # enable it via the kernel commandline to have the audit subsystem ready # as soon as the kernel starts. "audit=1" # Also set the backlog limit because the kernel default is too small to # capture all of them before the service starts. "audit_backlog_limit=${toString cfg.backlogLimit}" ]; environment.systemPackages = [ pkgs.audit ]; systemd.services.audit-rules = { description = "Load Audit Rules"; wantedBy = [ "sysinit.target" ]; Loading nixos/modules/security/auditd.nix +1 −3 Original line number Diff line number Diff line Loading @@ -202,11 +202,9 @@ in } ]; # Starting auditd should also enable loading the audit rules.. # Starting the userspace daemon should also enable audit in the kernel security.audit.enable = lib.mkDefault true; environment.systemPackages = [ pkgs.audit ]; # setting this to anything other than /etc/audit/plugins.d will break, so we pin it here security.auditd.settings.plugin_dir = "/etc/audit/plugins.d"; Loading nixos/tests/audit.nix +5 −2 Original line number Diff line number Diff line Loading @@ -16,6 +16,7 @@ rules = [ "-a always,exit -F exe=${lib.getExe pkgs.hello} -k nixos-test" ]; backlogLimit = 512; }; security.auditd = { enable = true; Loading 
@@ -34,7 +35,9 @@ machine.wait_for_unit("auditd.service") with subtest("Audit subsystem gets enabled"): assert "enabled 1" in machine.succeed("auditctl -s") audit_status = machine.succeed("auditctl -s") t.assertIn("enabled 1", audit_status) t.assertIn("backlog_limit 512", audit_status) with subtest("unix socket plugin activated"): machine.succeed("stat /var/run/audispd_events") Loading @@ -45,7 +48,7 @@ with subtest("Stopping audit-rules.service disables the audit subsystem"): machine.succeed("systemctl stop audit-rules.service") assert "enabled 0" in machine.succeed("auditctl -s") t.assertIn("enabled 0", machine.succeed("auditctl -s")) ''; } nixos/tests/systemd-journal.nix +0 −11 Original line number Diff line number Diff line Loading @@ -12,16 +12,10 @@ nodes.auditd = { security.auditd.enable = true; security.audit.enable = true; environment.systemPackages = [ pkgs.audit ]; boot.kernel.sysctl."kernel.printk_ratelimit" = 0; boot.kernelParams = [ "audit_backlog_limit=8192" ]; }; nodes.journaldAudit = { services.journald.audit = true; security.audit.enable = true; environment.systemPackages = [ pkgs.audit ]; boot.kernel.sysctl."kernel.printk_ratelimit" = 0; boot.kernelParams = [ "audit_backlog_limit=8192" ]; }; nodes.containerCheck = { containers.c1 = { Loading Loading @@ -56,11 +50,6 @@ journaldAudit.succeed("journalctl _TRANSPORT=audit --grep 'unit=systemd-journald'") # logs should NOT end up in audit log journaldAudit.fail("grep 'unit=systemd-journald' /var/log/audit/audit.log") # FIXME: If systemd fixes #15324 this test will start failing. # You can fix this text by removing the below line. # logs ideally should NOT end up in kmesg, but they do due to # https://github.com/systemd/systemd/issues/15324 journaldAudit.succeed("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'") with subtest("container systemd-journald-audit not running"): Loading Loading
nixos/modules/security/audit.nix +15 −1 Original line number Diff line number Diff line Loading @@ -53,7 +53,9 @@ in backlogLimit = lib.mkOption { type = lib.types.int; default = 64; # Apparently the kernel default # Significantly increase from the kernel default of 64 because a # normal systems generates way more logs. default = 1024; description = '' The maximum number of outstanding audit buffers allowed; exceeding this is considered a failure and handled in a manner specified by failureMode. Loading Loading @@ -81,6 +83,18 @@ in }; config = lib.mkIf (cfg.enable == "lock" || cfg.enable) { boot.kernelParams = [ # A lot of audit events happen before the systemd service starts. Thus # enable it via the kernel commandline to have the audit subsystem ready # as soon as the kernel starts. "audit=1" # Also set the backlog limit because the kernel default is too small to # capture all of them before the service starts. "audit_backlog_limit=${toString cfg.backlogLimit}" ]; environment.systemPackages = [ pkgs.audit ]; systemd.services.audit-rules = { description = "Load Audit Rules"; wantedBy = [ "sysinit.target" ]; Loading
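Review bot: The comment above `"audit=1"` gives only part of the reason for putting it on the kernel command line: as far as I know, current kernels allocate an audit context for a task only if auditing had ever been enabled when the task was forked, so without `audit=1` long-lived processes started before `audit-rules.service` (PID 1 among them) stay invisible to syscall rules even after `auditctl -e 1`. Suggested wording: `# Enable auditing from boot so every task (PID 1 included) gets an audit context and early-boot events are captured; enabling it later from audit-rules.service would leave processes forked before that point unauditable.` The option comment also has a grammar slip, `# normal system generates far more events than that.` The enclosing `config = lib.mkIf …` block continues outside the hunk.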
nixos/modules/security/auditd.nix +1 −3 Original line number Diff line number Diff line Loading @@ -202,11 +202,9 @@ in } ]; # Starting auditd should also enable loading the audit rules.. # Starting the userspace daemon should also enable audit in the kernel security.audit.enable = lib.mkDefault true; environment.systemPackages = [ pkgs.audit ]; # setting this to anything other than /etc/audit/plugins.d will break, so we pin it here security.auditd.settings.plugin_dir = "/etc/audit/plugins.d"; Loading
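Review bot: Dropping `environment.systemPackages = [ pkgs.audit ]` here makes the daemon's tooling depend on `security.audit.enable`, which this module sets only with `lib.mkDefault`; a configuration that enables auditd but explicitly sets `security.audit.enable = false` would, as far as the audit.nix hunk shows, lose `auditctl` from the system path while auditd still runs. Either keep the package listed here as well (a second listing is harmless) or document the coupling next to the mkDefault, e.g. `# audit.nix supplies pkgs.audit and the kernel parameters; running auditd with security.audit disabled is not a supported combination.`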
nixos/tests/audit.nix +5 −2 Original line number Diff line number Diff line Loading @@ -16,6 +16,7 @@ rules = [ "-a always,exit -F exe=${lib.getExe pkgs.hello} -k nixos-test" ]; backlogLimit = 512; }; security.auditd = { enable = true; Loading @@ -34,7 +35,9 @@ machine.wait_for_unit("auditd.service") with subtest("Audit subsystem gets enabled"): assert "enabled 1" in machine.succeed("auditctl -s") audit_status = machine.succeed("auditctl -s") t.assertIn("enabled 1", audit_status) t.assertIn("backlog_limit 512", audit_status) with subtest("unix socket plugin activated"): machine.succeed("stat /var/run/audispd_events") Loading @@ -45,7 +48,7 @@ with subtest("Stopping audit-rules.service disables the audit subsystem"): machine.succeed("systemctl stop audit-rules.service") assert "enabled 0" in machine.succeed("auditctl -s") t.assertIn("enabled 0", machine.succeed("auditctl -s")) ''; }
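Review bot: The new `backlog_limit 512` assertion runs after `auditd.service` is up, so it cannot tell whether the value came from the kernel command line or from an `auditctl -b` issued by the rules service; the behaviour this commit adds (limit and audit enabled before any service starts) is not pinned. Add a check on the command line itself, `t.assertIn("audit_backlog_limit=512", machine.succeed("cat /proc/cmdline"))`, and for the same reason `t.assertIn("audit=1", machine.succeed("cat /proc/cmdline"))`. A bare substring also matches `backlog_limit 5120`; anchoring on the line end, `t.assertIn("backlog_limit 512\n", audit_status)`, avoids that. The test script continues outside the hunks.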
nixos/tests/systemd-journal.nix +0 −11 Original line number Diff line number Diff line Loading @@ -12,16 +12,10 @@ nodes.auditd = { security.auditd.enable = true; security.audit.enable = true; environment.systemPackages = [ pkgs.audit ]; boot.kernel.sysctl."kernel.printk_ratelimit" = 0; boot.kernelParams = [ "audit_backlog_limit=8192" ]; }; nodes.journaldAudit = { services.journald.audit = true; security.audit.enable = true; environment.systemPackages = [ pkgs.audit ]; boot.kernel.sysctl."kernel.printk_ratelimit" = 0; boot.kernelParams = [ "audit_backlog_limit=8192" ]; }; nodes.containerCheck = { containers.c1 = { Loading Loading @@ -56,11 +50,6 @@ journaldAudit.succeed("journalctl _TRANSPORT=audit --grep 'unit=systemd-journald'") # logs should NOT end up in audit log journaldAudit.fail("grep 'unit=systemd-journald' /var/log/audit/audit.log") # FIXME: If systemd fixes #15324 this test will start failing. # You can fix this text by removing the below line. # logs ideally should NOT end up in kmesg, but they do due to # https://github.com/systemd/systemd/issues/15324 journaldAudit.succeed("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'") with subtest("container systemd-journald-audit not running"): Loading
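Review bot: The second hunk deletes the `journalctl _TRANSPORT=kernel` assertion together with its FIXME without replacing it, so the test no longer states anything about whether journald's own audit records reach kmsg. If the command-line change is what stops them, a `journaldAudit.fail("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'")` would pin that; if the check is simply unreliable now, a one-line comment saying so would keep the intent documented. In the first hunk both nodes drop `audit_backlog_limit=8192` and fall back to the new module default of 1024; since the test greps for specific records, a smaller backlog could make it flaky under load, which is worth confirming or, if not, pinning with `security.audit.backlogLimit = 8192;` on these nodes.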