Loading nixos/modules/system/boot/systemd/journald.nix +24 −0 Original line number Diff line number Diff line Loading @@ -2,6 +2,7 @@ config, lib, pkgs, utils, ... }: let Loading Loading @@ -78,6 +79,23 @@ in ''; }; services.journald.audit = lib.mkOption { default = null; type = lib.types.nullOr lib.types.bool; description = '' If enabled systemd-journald will turn on auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor disable it, leaving the previous state unchanged. NixOS defaults to leaving this unset as enabling audit without auditd running leads to spamming /dev/kmesg with random messages and if you enable auditd then auditd is responsible for turning auditing on. If you want to have audit logs in journald and do not mind audit logs also ending up in /dev/kmesg you can set this option to true. If you want to for some ununderstandable reason disable auditing if auditd enabled it then you can set this option to false. It is of NixOS' opinion that setting this to false is definitely the wrong thing to do - but it's an option. ''; }; services.journald.extraConfig = lib.mkOption { default = ""; type = lib.types.lines; Loading Loading @@ -116,6 +134,11 @@ in "syslog.socket" ]; systemd.sockets.systemd-journald-audit.wantedBy = [ "systemd-journald.service" "sockets.target" ]; environment.etc = { "systemd/journald.conf".text = '' [Journal] Loading @@ -129,6 +152,7 @@ in ${lib.optionalString (cfg.forwardToSyslog) '' ForwardToSyslog=yes ''} Audit=${utils.systemdUtils.lib.toOption cfg.audit} ${cfg.extraConfig} ''; }; Loading nixos/tests/systemd-journal.nix +39 −2 Original line number Diff line number Diff line Loading 
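Review bot: `systemd.sockets.systemd-journald-audit.wantedBy` in the third hunk is set unconditionally, so as soon as the kernel audit subsystem is active (for example via `security.auditd.enable`) audit records are copied into the system journal regardless of what `services.journald.audit` is set to, and as far as I can tell they are then readable by everyone with journal read access rather than only by root as with /var/log/audit/audit.log. That appears to be intended (the test relies on it), but the option description says nothing about it; I would add a sentence such as `Note that audit records received by journald are stored in the system journal and are visible to every user allowed to read it.` The description's `for some ununderstandable reason` also reads awkwardly — `for some reason` is enough. The last hunk relies on `toOption` rendering `null` as an empty `Audit=` line, which journald presumably treats as unset; if that is confirmed, a comment like `# null renders as an empty Audit= line, leaving the kernel audit state unchanged` next to it would save the next reader the lookup.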
@@ -7,12 +7,49 @@ import ./make-test-python.nix ( maintainers = [ lewo ]; }; nodes.machine = { }; nodes.machine = { environment.systemPackages = [ pkgs.audit ]; }; nodes.auditd = { security.auditd.enable = true; environment.systemPackages = [ pkgs.audit ]; }; nodes.journaldAudit = { services.journald.audit = true; environment.systemPackages = [ pkgs.audit ]; }; testScript = '' machine.wait_for_unit("multi-user.target") machine.succeed("journalctl --grep=systemd") with subtest("no audit messages"): machine.fail("journalctl _TRANSPORT=audit --grep 'unit=systemd-journald'") machine.fail("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'") with subtest("auditd enabled"): auditd.wait_for_unit("multi-user.target") # logs should end up in the journald auditd.succeed("journalctl _TRANSPORT=audit --grep 'unit=systemd-journald'") # logs should end up in the auditd audit log auditd.succeed("grep 'unit=systemd-journald' /var/log/audit/audit.log") # logs should not end up in kmesg machine.fail("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'") with subtest("journald audit"): journaldAudit.wait_for_unit("multi-user.target") # logs should end up in the journald journaldAudit.succeed("journalctl _TRANSPORT=audit --grep 'unit=systemd-journald'") # logs should NOT end up in audit log journaldAudit.fail("grep 'unit=systemd-journald' /var/log/audit/audit.log") # FIXME: If systemd fixes #15324 this test will start failing. # You can fix this text by removing the below line. # logs ideally should NOT end up in kmesg, but they do due to # https://github.com/systemd/systemd/issues/15324 journaldAudit.succeed("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'") ''; } ) Loading
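Review bot: In the `auditd enabled` subtest the kmesg assertion is run against the wrong node: `machine.fail("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'")` queries `machine`, which the preceding subtest already showed carries no audit messages at all, so the call can never fail and proves nothing about the auditd node. It should read `auditd.fail("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'")` so the test actually checks that auditd keeps audit records out of kmesg. The FIXME comment in the last subtest has a typo, `fix this text` should be `fix this test`. The whole script also depends on `journalctl --grep` exiting non-zero when nothing matches; if that is the contract being relied on, a one-line comment on the first `fail` call stating it would help readers unfamiliar with that behaviour.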
nixos/modules/system/boot/systemd/journald.nix +24 −0 Original line number Diff line number Diff line Loading @@ -2,6 +2,7 @@ config, lib, pkgs, utils, ... }: let Loading Loading @@ -78,6 +79,23 @@ in ''; }; services.journald.audit = lib.mkOption { default = null; type = lib.types.nullOr lib.types.bool; description = '' If enabled systemd-journald will turn on auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor disable it, leaving the previous state unchanged. NixOS defaults to leaving this unset as enabling audit without auditd running leads to spamming /dev/kmesg with random messages and if you enable auditd then auditd is responsible for turning auditing on. If you want to have audit logs in journald and do not mind audit logs also ending up in /dev/kmesg you can set this option to true. If you want to for some ununderstandable reason disable auditing if auditd enabled it then you can set this option to false. It is of NixOS' opinion that setting this to false is definitely the wrong thing to do - but it's an option. ''; }; services.journald.extraConfig = lib.mkOption { default = ""; type = lib.types.lines; Loading Loading @@ -116,6 +134,11 @@ in "syslog.socket" ]; systemd.sockets.systemd-journald-audit.wantedBy = [ "systemd-journald.service" "sockets.target" ]; environment.etc = { "systemd/journald.conf".text = '' [Journal] Loading @@ -129,6 +152,7 @@ in ${lib.optionalString (cfg.forwardToSyslog) '' ForwardToSyslog=yes ''} Audit=${utils.systemdUtils.lib.toOption cfg.audit} ${cfg.extraConfig} ''; }; Loading
nixos/tests/systemd-journal.nix +39 −2 Original line number Diff line number Diff line Loading @@ -7,12 +7,49 @@ import ./make-test-python.nix ( maintainers = [ lewo ]; }; nodes.machine = { }; nodes.machine = { environment.systemPackages = [ pkgs.audit ]; }; nodes.auditd = { security.auditd.enable = true; environment.systemPackages = [ pkgs.audit ]; }; nodes.journaldAudit = { services.journald.audit = true; environment.systemPackages = [ pkgs.audit ]; }; testScript = '' machine.wait_for_unit("multi-user.target") machine.succeed("journalctl --grep=systemd") with subtest("no audit messages"): machine.fail("journalctl _TRANSPORT=audit --grep 'unit=systemd-journald'") machine.fail("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'") with subtest("auditd enabled"): auditd.wait_for_unit("multi-user.target") # logs should end up in the journald auditd.succeed("journalctl _TRANSPORT=audit --grep 'unit=systemd-journald'") # logs should end up in the auditd audit log auditd.succeed("grep 'unit=systemd-journald' /var/log/audit/audit.log") # logs should not end up in kmesg machine.fail("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'") with subtest("journald audit"): journaldAudit.wait_for_unit("multi-user.target") # logs should end up in the journald journaldAudit.succeed("journalctl _TRANSPORT=audit --grep 'unit=systemd-journald'") # logs should NOT end up in audit log journaldAudit.fail("grep 'unit=systemd-journald' /var/log/audit/audit.log") # FIXME: If systemd fixes #15324 this test will start failing. # You can fix this text by removing the below line. # logs ideally should NOT end up in kmesg, but they do due to # https://github.com/systemd/systemd/issues/15324 journaldAudit.succeed("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'") ''; } )