Unverified Commit 950fb490 authored by nikstur's avatar nikstur Committed by GitHub

audit: 4.1.1-unstable-2025-08-01 -> 4.1.2, cleanup (#441506)

parents 2515f649 d4ebfe38
+4 −1
@@ -95,7 +95,10 @@ in

    environment.systemPackages = [ pkgs.audit ];

    systemd.services.audit-rules = {
    # upstream contains a audit-rules.service, which uses augenrules.
    # That script does not handle cleanup correctly and insists on loading from /etc/audit.
    # So, instead we have our own service for loading rules.
    systemd.services.audit-rules-nixos = {
      description = "Load Audit Rules";
      wantedBy = [ "sysinit.target" ];
      before = [
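Review bot: The rename at the `systemd.services.audit-rules-nixos = {` line silently retargets any existing user override of `systemd.services.audit-rules.*`: such settings now land on the upstream unit, which the module disables elsewhere in this commit, instead of on the rule loader. That is a user-visible change and deserves a release-notes entry naming the new unit and the fact that the upstream `audit-rules.service` is off by default. The explanatory comment would also read better as `# upstream contains an audit-rules.service, which uses augenrules.`. The enclosing attribute set starts and ends outside the hunk.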
+14 −32
@@ -229,7 +229,7 @@ in
        path = lib.getExe' pkgs.audit "audisp-af_unix";
        args = [
          "0640"
          "/var/run/audispd_events"
          "/run/audit/audispd_events"
          "string"
        ];
        format = "binary";
@@ -256,41 +256,23 @@ in
      };
    };

    systemd.services.auditd = {
      description = "Security Audit Logging Service";
      documentation = [ "man:auditd(8)" ];
      wantedBy = [ "sysinit.target" ];
      after = [
        "local-fs.target"
        "systemd-tmpfiles-setup.service"
      ];
      before = [
        "sysinit.target"
        "shutdown.target"
      ];
      conflicts = [ "shutdown.target" ];
    systemd.tmpfiles.packages = [ pkgs.audit.out ];
    systemd.packages = [ pkgs.audit.out ];

      unitConfig = {
        DefaultDependencies = false;
        RefuseManualStop = true;
        ConditionVirtualization = "!container";
        ConditionKernelCommandLine = [
          "!audit=0"
          "!audit=off"
        ];
      };
    # will try to look in /etc for rules to load, which we don't set up
    systemd.services.audit-rules.enable = lib.mkDefault false;

    systemd.services.auditd = {
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        LogsDirectory = "audit";
        ExecStart = "${pkgs.audit}/bin/auditd -l -n -s nochange";
        Restart = "on-failure";
        # Do not restart for intentional exits. See EXIT CODES section in auditd(8).
        RestartPreventExitStatus = "2 4 6";

        # Upstream hardening settings
        MemoryDenyWriteExecute = true;
        LockPersonality = true;
        RestrictRealtime = true;
        RuntimeDirectory = "audit";
        ExecStart = [
          # the upstream unit does not allow symlinks, so clear and rewrite the ExecStart
          ""
          "${lib.getExe' pkgs.audit "auditd"} -l -s nochange"
        ];
      };
    };
  };
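Review bot: Moving auditd to `wantedBy = [ "multi-user.target" ];` while audit-rules-nixos still loads rules at sysinit.target opens a window in which the kernel is generating audit records but no daemon is draining them; whether those records are queued or lost then depends on the configured backlog limit and failure flag, and nothing in the hunk records that this is intended. If it is, a comment on the `wantedBy` line such as `# auditd starts late; records emitted before it is up sit in the kernel backlog` would document it, otherwise keeping the old sysinit.target ordering seems safer. The ExecStart override also drops the `-n` flag the old unit passed, which is only correct if the upstream unit's `Type=` expects auditd to daemonize; that cannot be checked from this hunk. The old `ConditionVirtualization`, `ConditionKernelCommandLine`, `RefuseManualStop` and hardening settings are now presumed to come from the upstream unit file, which is not shown here.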
+9 −0
@@ -167,6 +167,15 @@ in
              '';
            };

            Audit.AudispSocketPath = lib.mkOption {
              type = lib.types.path;
              default = "/run/audit/audispd_events";
              description = ''
                Configure audit socket path. Used when
                `settings.ProcMonitorMethod` is set to `audit`.
              '';
            };

            Rules.Path = lib.mkOption {
              type = lib.types.path;
              default = "/var/lib/opensnitch/rules";
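Review bot: The default `/run/audit/audispd_events` at the `default =` line duplicates the path the audit module hard-codes in its af_unix plugin `args` in this same commit, so the two can drift apart without any evaluation error and opensnitch would then silently never see audit events. The description should name that coupling, e.g. by appending `Must match the socket path of the audisp af_unix plugin configured by the audit module.` to the existing text. The enclosing settings attribute set starts and ends outside the hunk.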
+4 −4
@@ -31,7 +31,7 @@
  };

  testScript = ''
    machine.wait_for_unit("audit-rules.service")
    machine.wait_for_unit("audit-rules-nixos.service")
    machine.wait_for_unit("auditd.service")

    with subtest("Audit subsystem gets enabled"):
@@ -40,14 +40,14 @@
      t.assertIn("backlog_limit 512", audit_status)

    with subtest("unix socket plugin activated"):
      machine.succeed("stat /var/run/audispd_events")
      machine.succeed("stat /run/audit/audispd_events")

    with subtest("Custom rule produces audit traces"):
      machine.succeed("hello")
      print(machine.succeed("ausearch -k nixos-test -sc exit_group"))

    with subtest("Stopping audit-rules.service disables the audit subsystem"):
      machine.succeed("systemctl stop audit-rules.service")
    with subtest("Stopping audit-rules-nixos.service disables the audit subsystem"):
      machine.succeed("systemctl stop audit-rules-nixos.service")
      t.assertIn("enabled 0", machine.succeed("auditctl -s"))
  '';

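Review bot: The test waits only for `audit-rules-nixos.service` and never checks that the upstream `audit-rules.service`, which the module now disables by default, is actually inactive, so a regression in which both rule loaders run would pass unnoticed. A check right after the `machine.wait_for_unit("audit-rules-nixos.service")` line such as `machine.fail("systemctl is-active audit-rules.service")` would pin that behaviour. The updated `stat /run/audit/audispd_events` assertion matches the new plugin socket path, which looks correct.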
+44 −17
@@ -7,41 +7,44 @@
  bashNonInteractive,
  buildPackages,
  linuxHeaders,
  python3,
  python3Packages,
  swig,
  pkgsCross,
  libcap_ng,
  installShellFiles,
  makeWrapper,
  gawk,
  gnugrep,
  coreutils,

  # Enabling python support while cross compiling would be possible, but the
  # configure script tries executing python to gather info instead of relying on
  # python3-config exclusively
  enablePython ? stdenv.hostPlatform == stdenv.buildPlatform,
  enablePython ? !stdenv.hostPlatform.isStatic,

  # passthru
  nix-update-script,
  testers,
  nixosTests,
  pkgsStatic ? { }, # CI has allowVariants = false, in which case pkgsMusl would not be passed. So, instead add a default here.
  pkgsMusl ? { },
}:
stdenv.mkDerivation (finalAttrs: {
  pname = "audit";
  version = "4.1.1-unstable-2025-08-01";
  version = "4.1.2-unstable-2025-09-06"; # fixes to non-static builds right after 4.1.2 release

  src = fetchFromGitHub {
    owner = "linux-audit";
    repo = "audit-userspace";
    rev = "bee5984843d0b38992a369825a87a65fb54b18fc"; # musl fixes, --disable-legacy-actions and --runstatedir support
    hash = "sha256-l3JHWEHz2xGrYxEvfCUD29W8xm5llUnXwX5hLymRG74=";
    rev = "cb13fe75ee2c36d5c525ed9de22aae10dbc8caf4";
    hash = "sha256-NX0TWA+LtcZgbM9aQfokWv2rGNAAb3ksGqAH8URAkYM=";
  };

  postPatch = ''
    substituteInPlace bindings/swig/src/auditswig.i \
      --replace-fail "/usr/include/linux/audit.h" \
                     "${linuxHeaders}/include/linux/audit.h"
  ''
  + lib.optionalString (enablePython && finalAttrs.finalPackage.doCheck) ''
    patchShebangs auparse/test/auparse_test.py
  '';

  # https://github.com/linux-audit/audit-userspace/issues/474
  # building databuf_test fails otherwise, as that uses hidden symbols only available in the static builds
  dontDisableStatic = true;

  outputs = [
    "bin"
    "lib"
@@ -59,9 +62,10 @@ stdenv.mkDerivation (finalAttrs: {
  nativeBuildInputs = [
    autoreconfHook
    installShellFiles
    makeWrapper
  ]
  ++ lib.optionals enablePython [
    python3
    python3Packages.python # for python3-config
    swig
  ];

@@ -87,7 +91,7 @@ stdenv.mkDerivation (finalAttrs: {
    # capability dropping, currently mostly for plugins as those get spawned as root
    # see auditd-plugins(5)
    "--with-libcap-ng=yes"
    (if enablePython then "--with-python" else "--without-python")
    (lib.withFeature enablePython "python3")
  ];

  __structuredAttrs = true;
@@ -98,16 +102,39 @@ stdenv.mkDerivation (finalAttrs: {
    bashNonInteractive
  ];

  nativeCheckInputs = lib.optionals enablePython [
    python3Packages.pythonImportsCheckHook
  ];

  pythonImportsCheck = [ "audit" ];

  doCheck = true;

  postInstall = ''
    installShellCompletion --bash init.d/audit.bash_completion
  '';

  postFixup = ''
    substituteInPlace $bin/bin/augenrules \
      --replace-fail "/sbin/auditctl" "$bin/bin/auditctl" \
      --replace-fail "/bin/ls" "ls"
    wrapProgram $bin/bin/augenrules \
      --prefix PATH : ${
        lib.makeBinPath [
          gawk
          gnugrep
          coreutils
        ]
      }
  '';

  enableParallelBuilding = true;

  passthru = {
    updateScript = nix-update-script { };
    tests = {
      musl = pkgsCross.musl64.audit;
      musl = pkgsMusl.audit or null;
      static = pkgsStatic.audit or null;
      pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
      audit = nixosTests.audit;
    };
@@ -116,7 +143,7 @@ stdenv.mkDerivation (finalAttrs: {
  meta = {
    homepage = "https://people.redhat.com/sgrubb/audit/";
    description = "Audit Library";
    changelog = "https://github.com/linux-audit/audit-userspace/releases/tag/v4.1.1";
    changelog = "https://github.com/linux-audit/audit-userspace/releases/tag/v4.1.2";
    license = lib.licenses.gpl2Plus;
    maintainers = with lib.maintainers; [ grimmauld ];
    pkgConfigModules = [
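Review bot: The comment above `enablePython ? !stdenv.hostPlatform.isStatic,` in the first hunk still explains a cross-compilation restriction, but the new default no longer looks at cross compilation at all, so it now describes a rule the code does not implement. Either restate it, e.g. `# Python bindings are skipped for static builds; cross builds rely on python3-config.`, or keep the old `hostPlatform == buildPlatform` guard if the configure script still executes python when cross compiling — which of the two holds cannot be told from this hunk. The new `rev` at `rev = "cb13fe75ee2c36d5c525ed9de22aae10dbc8caf4";` also lost the short justification the old pin carried; a one-line reason for pinning a post-release commit next to the rev would help the next updater, since the version comment is several lines away.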