pyrox.dev
nixos/audit: fix journald test (#432238)
+15
-1
nixos/modules/security/audit.nix
+15
-1
nixos/modules/security/audit.nix
···
53
53
54
54
backlogLimit = lib.mkOption {
55
55
type = lib.types.int;
56
-
default = 64; # Apparently the kernel default
56
+
# Significantly increase from the kernel default of 64 because a
57
+
# normal systems generates way more logs.
58
+
default = 1024;
57
59
description = ''
58
60
The maximum number of outstanding audit buffers allowed; exceeding this is
59
61
considered a failure and handled in a manner specified by failureMode.
···
81
83
};
82
84
83
85
config = lib.mkIf (cfg.enable == "lock" || cfg.enable) {
86
+
boot.kernelParams = [
87
+
# A lot of audit events happen before the systemd service starts. Thus
88
+
# enable it via the kernel commandline to have the audit subsystem ready
89
+
# as soon as the kernel starts.
90
+
"audit=1"
91
+
# Also set the backlog limit because the kernel default is too small to
92
+
# capture all of them before the service starts.
93
+
"audit_backlog_limit=${toString cfg.backlogLimit}"
94
+
];
95
+
96
+
environment.systemPackages = [ pkgs.audit ];
97
+
84
98
systemd.services.audit-rules = {
85
99
description = "Load Audit Rules";
86
100
wantedBy = [ "sysinit.target" ];
+1
-3
nixos/modules/security/auditd.nix
+1
-3
nixos/modules/security/auditd.nix
···
202
202
}
203
203
];
204
204
205
-
# Starting auditd should also enable loading the audit rules..
205
+
# Starting the userspace daemon should also enable audit in the kernel
206
206
security.audit.enable = lib.mkDefault true;
207
-
208
-
environment.systemPackages = [ pkgs.audit ];
209
207
210
208
# setting this to anything other than /etc/audit/plugins.d will break, so we pin it here
211
209
security.auditd.settings.plugin_dir = "/etc/audit/plugins.d";
+5
-2
nixos/tests/audit.nix
+5
-2
nixos/tests/audit.nix
···
16
16
rules = [
17
17
"-a always,exit -F exe=${lib.getExe pkgs.hello} -k nixos-test"
18
18
];
19
+
backlogLimit = 512;
19
20
};
20
21
security.auditd = {
21
22
enable = true;
···
34
35
machine.wait_for_unit("auditd.service")
35
36
36
37
with subtest("Audit subsystem gets enabled"):
37
-
assert "enabled 1" in machine.succeed("auditctl -s")
38
+
audit_status = machine.succeed("auditctl -s")
39
+
t.assertIn("enabled 1", audit_status)
40
+
t.assertIn("backlog_limit 512", audit_status)
38
41
39
42
with subtest("unix socket plugin activated"):
40
43
machine.succeed("stat /var/run/audispd_events")
···
45
48
46
49
with subtest("Stopping audit-rules.service disables the audit subsystem"):
47
50
machine.succeed("systemctl stop audit-rules.service")
48
-
assert "enabled 0" in machine.succeed("auditctl -s")
51
+
t.assertIn("enabled 0", machine.succeed("auditctl -s"))
49
52
'';
50
53
51
54
}
-11
nixos/tests/systemd-journal.nix
-11
nixos/tests/systemd-journal.nix
···
12
12
nodes.auditd = {
13
13
security.auditd.enable = true;
14
14
security.audit.enable = true;
15
-
environment.systemPackages = [ pkgs.audit ];
16
-
boot.kernel.sysctl."kernel.printk_ratelimit" = 0;
17
-
boot.kernelParams = [ "audit_backlog_limit=8192" ];
18
15
};
19
16
nodes.journaldAudit = {
20
17
services.journald.audit = true;
21
18
security.audit.enable = true;
22
-
environment.systemPackages = [ pkgs.audit ];
23
-
boot.kernel.sysctl."kernel.printk_ratelimit" = 0;
24
-
boot.kernelParams = [ "audit_backlog_limit=8192" ];
25
19
};
26
20
nodes.containerCheck = {
27
21
containers.c1 = {
···
56
50
journaldAudit.succeed("journalctl _TRANSPORT=audit --grep 'unit=systemd-journald'")
57
51
# logs should NOT end up in audit log
58
52
journaldAudit.fail("grep 'unit=systemd-journald' /var/log/audit/audit.log")
59
-
# FIXME: If systemd fixes #15324 this test will start failing.
60
-
# You can fix this text by removing the below line.
61
-
# logs ideally should NOT end up in kmesg, but they do due to
62
-
# https://github.com/systemd/systemd/issues/15324
63
-
journaldAudit.succeed("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'")
64
53
65
54
66
55
with subtest("container systemd-journald-audit not running"):