nixos/audit: fix journald test (#432238)

authored by nikstur and committed by GitHub 4dcfd5b6 ee783ddc

+21 -17
+15 -1
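--- a/nixos/modules/security/audit.nix
+++ b/nixos/modules/security/audit.nix
@@ -53,7 +53,9 @@
 
     backlogLimit = lib.mkOption {
       type = lib.types.int;
-      default = 64; # Apparently the kernel default
+      # Significantly increase from the kernel default of 64 because a
+      # normal systems generates way more logs.
+      default = 1024;
       description = ''
         The maximum number of outstanding audit buffers allowed; exceeding this is
         considered a failure and handled in a manner specified by failureMode.
@@ -81,6 +83,18 @@
   };
 
   config = lib.mkIf (cfg.enable == "lock" || cfg.enable) {
+    boot.kernelParams = [
+      # A lot of audit events happen before the systemd service starts. Thus
+      # enable it via the kernel commandline to have the audit subsystem ready
+      # as soon as the kernel starts.
+      "audit=1"
+      # Also set the backlog limit because the kernel default is too small to
+      # capture all of them before the service starts.
+      "audit_backlog_limit=${toString cfg.backlogLimit}"
+    ];
+
+    environment.systemPackages = [ pkgs.audit ];
+
     systemd.services.audit-rules = {
       description = "Load Audit Rules";
       wantedBy = [ "sysinit.target" ];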
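Review bot: The `backlogLimit` option description still describes only the runtime semantics and does not say the value is now also baked into the kernel command line as `audit_backlog_limit`, so a changed value takes full effect only after a reboot, and a configuration that overrides `boot.kernelParams` with `lib.mkForce` silently loses both `audit=1` and the limit. I would extend the description with `This value is also passed as the audit_backlog_limit kernel parameter so that events emitted before audit-rules.service starts are not dropped; changes therefore only fully apply after a reboot.` The new comment above the default should read `a normal system generates` rather than `a normal systems generates`. Note that when `cfg.enable == "lock"`, `audit=1` on its own does not lock the subsystem; presumably `audit-rules.service`, whose body lies outside this hunk, still issues the lock, which is worth a one-line comment next to `"audit=1"`.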
+1 -3
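--- a/nixos/modules/security/auditd.nix
+++ b/nixos/modules/security/auditd.nix
@@ -202,10 +202,8 @@
       }
     ];
 
-    # Starting auditd should also enable loading the audit rules..
+    # Starting the userspace daemon should also enable audit in the kernel
     security.audit.enable = lib.mkDefault true;
-
-    environment.systemPackages = [ pkgs.audit ];
 
     # setting this to anything other than /etc/audit/plugins.d will break, so we pin it here
     security.auditd.settings.plugin_dir = "/etc/audit/plugins.d";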
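Review bot: With `environment.systemPackages = [ pkgs.audit ]` dropped from this module and `security.audit.enable` only set through `lib.mkDefault`, a system that enables auditd but explicitly sets `security.audit.enable = false` would presumably no longer have `auditctl` on the PATH, since the package now appears to be installed only under the `security.audit` module's `config` guard. If that combination is meant to be unsupported, an `assertions` entry stating so would make the dependency explicit; otherwise keep an `environment.systemPackages = [ pkgs.audit ];` line here as well. The enclosing `config` attribute set starts outside this hunk.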
+5 -2
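--- a/nixos/tests/audit.nix
+++ b/nixos/tests/audit.nix
@@ -16,6 +16,7 @@
       rules = [
         "-a always,exit -F exe=${lib.getExe pkgs.hello} -k nixos-test"
       ];
+      backlogLimit = 512;
     };
     security.auditd = {
       enable = true;
@@ -34,7 +35,9 @@
     machine.wait_for_unit("auditd.service")
 
     with subtest("Audit subsystem gets enabled"):
-        assert "enabled 1" in machine.succeed("auditctl -s")
+        audit_status = machine.succeed("auditctl -s")
+        t.assertIn("enabled 1", audit_status)
+        t.assertIn("backlog_limit 512", audit_status)
 
     with subtest("unix socket plugin activated"):
         machine.succeed("stat /var/run/audispd_events")
@@ -45,7 +48,7 @@
 
     with subtest("Stopping audit-rules.service disables the audit subsystem"):
         machine.succeed("systemctl stop audit-rules.service")
-        assert "enabled 0" in machine.succeed("auditctl -s")
+        t.assertIn("enabled 0", machine.succeed("auditctl -s"))
   '';
 
 }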
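Review bot: The new `t.assertIn("backlog_limit 512", audit_status)` does not show that the limit was in force from early boot rather than applied later by `audit-rules.service`, which is the regression this commit is fixing, and as a substring match it would also accept `backlog_limit 5120`. I would add `t.assertIn("audit_backlog_limit=512", machine.succeed("cat /proc/cmdline"))` to pin the kernel-command-line path, and `t.assertIn("lost 0", audit_status)` to confirm no events were dropped before the service started, with the exact field name confirmed against the `auditctl -s` output on the test machine. Matching the full `backlog_limit 512` line instead of a substring would close the prefix gap.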
-11
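--- a/nixos/tests/systemd-journal.nix
+++ b/nixos/tests/systemd-journal.nix
@@ -12,16 +12,10 @@
   nodes.auditd = {
     security.auditd.enable = true;
     security.audit.enable = true;
-    environment.systemPackages = [ pkgs.audit ];
-    boot.kernel.sysctl."kernel.printk_ratelimit" = 0;
-    boot.kernelParams = [ "audit_backlog_limit=8192" ];
   };
   nodes.journaldAudit = {
     services.journald.audit = true;
     security.audit.enable = true;
-    environment.systemPackages = [ pkgs.audit ];
-    boot.kernel.sysctl."kernel.printk_ratelimit" = 0;
-    boot.kernelParams = [ "audit_backlog_limit=8192" ];
   };
   nodes.containerCheck = {
     containers.c1 = {
@@ -56,11 +50,6 @@
     journaldAudit.succeed("journalctl _TRANSPORT=audit --grep 'unit=systemd-journald'")
     # logs should NOT end up in audit log
     journaldAudit.fail("grep 'unit=systemd-journald' /var/log/audit/audit.log")
-    # FIXME: If systemd fixes #15324 this test will start failing.
-    # You can fix this text by removing the below line.
-    # logs ideally should NOT end up in kmesg, but they do due to
-    # https://github.com/systemd/systemd/issues/15324
-    journaldAudit.succeed("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'")
 
 
     with subtest("container systemd-journald-audit not running"):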