nixos/audit: fix journald test

Makes the audit module responsible for setting up the audit subsystem of the kernel. The auditd module is now only responsible for setting up the daemon. Enable the audit subsystem early via kernelParams. Increase the default audit backlog limit so that it works out of the box for a normal system. Remove a superfluous and pointless test case.
2025-08-09 14:06:46 +02:00 · 2025-08-09 14:06:46 +02:00 · 439d68b58d
commit 439d68b58d
parent 1311b9c49f
4 changed files with 21 additions and 17 deletions
--- a/nixos/modules/security/audit.nix
+++ b/nixos/modules/security/audit.nix
@ -53,7 +53,9 @@ in

      backlogLimit = lib.mkOption {
        type = lib.types.int;
-        default = 64; # Apparently the kernel default
+        # Significantly increase from the kernel default of 64 because a
+        # normal systems generates way more logs.
+        default = 1024;
        description = ''
          The maximum number of outstanding audit buffers allowed; exceeding this is
          considered a failure and handled in a manner specified by failureMode.
@ -81,6 +83,18 @@ in
  };

  config = lib.mkIf (cfg.enable == "lock" || cfg.enable) {
+    boot.kernelParams = [
+      # A lot of audit events happen before the systemd service starts. Thus
+      # enable it via the kernel commandline to have the audit subsystem ready
+      # as soon as the kernel starts.
+      "audit=1"
+      # Also set the backlog limit because the kernel default is too small to
+      # capture all of them before the service starts.
+      "audit_backlog_limit=${toString cfg.backlogLimit}"
+    ];
+
+    environment.systemPackages = [ pkgs.audit ];
+
    systemd.services.audit-rules = {
      description = "Load Audit Rules";
      wantedBy = [ "sysinit.target" ];
--- a/nixos/modules/security/auditd.nix
+++ b/nixos/modules/security/auditd.nix
@ -202,11 +202,9 @@ in
      }
    ];

-    # Starting auditd should also enable loading the audit rules..
+    # Starting the userspace daemon should also enable audit in the kernel
    security.audit.enable = lib.mkDefault true;

-    environment.systemPackages = [ pkgs.audit ];
-
    # setting this to anything other than /etc/audit/plugins.d will break, so we pin it here
    security.auditd.settings.plugin_dir = "/etc/audit/plugins.d";

--- a/nixos/tests/audit.nix
+++ b/nixos/tests/audit.nix
@ -16,6 +16,7 @@
          rules = [
            "-a always,exit -F exe=${lib.getExe pkgs.hello} -k nixos-test"
          ];
+          backlogLimit = 512;
        };
        security.auditd = {
          enable = true;
@ -34,7 +35,9 @@
    machine.wait_for_unit("auditd.service")

    with subtest("Audit subsystem gets enabled"):
-      assert "enabled 1" in machine.succeed("auditctl -s")
+      audit_status = machine.succeed("auditctl -s")
+      t.assertIn("enabled 1", audit_status)
+      t.assertIn("backlog_limit 512", audit_status)

    with subtest("unix socket plugin activated"):
      machine.succeed("stat /var/run/audispd_events")
@ -45,7 +48,7 @@

    with subtest("Stopping audit-rules.service disables the audit subsystem"):
      machine.succeed("systemctl stop audit-rules.service")
-      assert "enabled 0" in machine.succeed("auditctl -s")
+      t.assertIn("enabled 0", machine.succeed("auditctl -s"))
  '';

 }
--- a/nixos/tests/systemd-journal.nix
+++ b/nixos/tests/systemd-journal.nix
@ -12,16 +12,10 @@
  nodes.auditd = {
    security.auditd.enable = true;
    security.audit.enable = true;
-    environment.systemPackages = [ pkgs.audit ];
-    boot.kernel.sysctl."kernel.printk_ratelimit" = 0;
-    boot.kernelParams = [ "audit_backlog_limit=8192" ];
  };
  nodes.journaldAudit = {
    services.journald.audit = true;
    security.audit.enable = true;
-    environment.systemPackages = [ pkgs.audit ];
-    boot.kernel.sysctl."kernel.printk_ratelimit" = 0;
-    boot.kernelParams = [ "audit_backlog_limit=8192" ];
  };
  nodes.containerCheck = {
    containers.c1 = {
@ -56,11 +50,6 @@
      journaldAudit.succeed("journalctl _TRANSPORT=audit --grep 'unit=systemd-journald'")
      # logs should NOT end up in audit log
      journaldAudit.fail("grep 'unit=systemd-journald' /var/log/audit/audit.log")
-      # FIXME: If systemd fixes #15324 this test will start failing.
-      # You can fix this text by removing the below line.
-      # logs ideally should NOT end up in kmesg, but they do due to
-      # https://github.com/systemd/systemd/issues/15324
-      journaldAudit.succeed("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'")


    with subtest("container systemd-journald-audit not running"):