From 439d68b58d5c867d054fa472429106e51f13e35a Mon Sep 17 00:00:00 2001
From: nikstur
Date: Sat, 9 Aug 2025 14:06:46 +0200
Subject: [PATCH] nixos/audit: fix journald test

Makes the audit module responsible for setting up the audit subsystem of the kernel. The auditd module is now only responsible for setting up the daemon.

Enable the audit subsystem early via kernelParams.

Increase the default audit backlog limit so that it works out of the box for a normal system.

Remove a superfluous and pointless test case.
---
 nixos/modules/security/audit.nix | 16 +++++++++++++++-
 nixos/modules/security/auditd.nix | 4 +---
 nixos/tests/audit.nix | 7 +++++--
 nixos/tests/systemd-journal.nix | 11 -----------
 4 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/nixos/modules/security/audit.nix b/nixos/modules/security/audit.nix
index 4bcc6c62d1cb..f50c465fde5b 100644
--- a/nixos/modules/security/audit.nix
+++ b/nixos/modules/security/audit.nix
@@ -53,7 +53,9 @@ in
 backlogLimit = lib.mkOption {
 type = lib.types.int;
- default = 64; # Apparently the kernel default
+ # Significantly increase from the kernel default of 64 because a
+ # normal systems generates way more logs.
+ default = 1024;
 description = ''
 The maximum number of outstanding audit buffers allowed; exceeding this is considered a failure and handled in a manner specified by failureMode.
@@ -81,6 +83,18 @@ in
 };
 
 config = lib.mkIf (cfg.enable == "lock" || cfg.enable) {
+ boot.kernelParams = [
+ # A lot of audit events happen before the systemd service starts. Thus
+ # enable it via the kernel commandline to have the audit subsystem ready
+ # as soon as the kernel starts.
+ "audit=1"
+ # Also set the backlog limit because the kernel default is too small to
+ # capture all of them before the service starts.
+ "audit_backlog_limit=${toString cfg.backlogLimit}"
+ ];
+
+ environment.systemPackages = [ pkgs.audit ];
+
 systemd.services.audit-rules = {
 description = "Load Audit Rules";
 wantedBy = [ "sysinit.target" ];
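Review bot: The option description of `backlogLimit` is left unchanged by the hunk around `default = 1024;`, yet the same patch starts passing this value to the kernel as `audit_backlog_limit=` (second hunk of this file), so a reader of the option no longer learns where the value takes effect; the description's closing `'';` lies outside the hunk. I would append a sentence such as "The value is also passed on the kernel command line as `audit_backlog_limit=` so that records generated before userspace starts are not dropped; set it here rather than in `boot.kernelParams`." The new two-line comment also has a grammar slip; `# normal systems generates way more logs.` reads better as `# normal system generates far more records than that.` so the sentence started on the previous line ("because a") completes.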
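Review bot: `"audit_backlog_limit=${toString cfg.backlogLimit}"` is added to `boot.kernelParams` unconditionally, so any configuration that already sets this parameter itself — as nixos/tests/systemd-journal.nix did with `audit_backlog_limit=8192` until this very patch removed it — now ends up with two `audit_backlog_limit=` entries on the command line, and which one the kernel honours depends on the order in which the module system concatenates the list rather than on anything the user wrote. The same applies to `audit=1` against a user-supplied `audit=0`. I would either add an `assertions` entry that rejects other `audit=`/`audit_backlog_limit=` entries in `config.boot.kernelParams` when this module is enabled, or at least state in the `backlogLimit` description that the module owns this kernel parameter. Whether `audit-rules.service` later re-applies the limit with `auditctl -b` cannot be seen here; the service body continues outside the hunk.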
diff --git a/nixos/modules/security/auditd.nix b/nixos/modules/security/auditd.nix
index ff20cc2fbbf7..036ce9c01cae 100644
--- a/nixos/modules/security/auditd.nix
+++ b/nixos/modules/security/auditd.nix
@@ -202,11 +202,9 @@ in
 }
 ];
 
- # Starting auditd should also enable loading the audit rules..
+ # Starting the userspace daemon should also enable audit in the kernel
 security.audit.enable = lib.mkDefault true;
 
- environment.systemPackages = [ pkgs.audit ];
-
 # setting this to anything other than /etc/audit/plugins.d will break, so we pin it here
 security.auditd.settings.plugin_dir = "/etc/audit/plugins.d";
diff --git a/nixos/tests/audit.nix b/nixos/tests/audit.nix
index 7f1280060824..0d732442ef4b 100644
--- a/nixos/tests/audit.nix
+++ b/nixos/tests/audit.nix
@@ -16,6 +16,7 @@
 rules = [
 "-a always,exit -F exe=${lib.getExe pkgs.hello} -k nixos-test"
 ];
+ backlogLimit = 512;
 };
 security.auditd = {
 enable = true;
@@ -34,7 +35,9 @@
 machine.wait_for_unit("auditd.service")
 
 with subtest("Audit subsystem gets enabled"):
- assert "enabled 1" in machine.succeed("auditctl -s")
+ audit_status = machine.succeed("auditctl -s")
+ t.assertIn("enabled 1", audit_status)
+ t.assertIn("backlog_limit 512", audit_status)
 
 with subtest("unix socket plugin activated"):
 machine.succeed("stat /var/run/audispd_events")
@@ -45,7 +48,7 @@
 with subtest("Stopping audit-rules.service disables the audit subsystem"):
 machine.succeed("systemctl stop audit-rules.service")
- assert "enabled 0" in machine.succeed("auditctl -s")
+ t.assertIn("enabled 0", machine.succeed("auditctl -s"))
 '';
 }
diff --git a/nixos/tests/systemd-journal.nix b/nixos/tests/systemd-journal.nix
index 8589df339253..2c7309f163f8 100644
--- a/nixos/tests/systemd-journal.nix
+++ b/nixos/tests/systemd-journal.nix
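Review bot: The new `t.assertIn("backlog_limit 512", audit_status)` in the "Audit subsystem gets enabled" subtest reads `auditctl -s` only after `machine.wait_for_unit("auditd.service")`, so it cannot distinguish the early-boot path this patch introduces (the `audit_backlog_limit=` kernel parameter) from the limit being applied later by userspace; the assertion would also pass if the kernel parameter were silently dropped. Pinning the command line closes that gap: `cmdline = machine.succeed("cat /proc/cmdline")`, `t.assertIn("audit=1", cmdline)`, `t.assertIn("audit_backlog_limit=512", cmdline)`. As a minor point, the substring check `"backlog_limit 512"` also matches values such as `5120`; `"backlog_limit 512\n"` or a `re.search` anchored on the line end is stricter.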
@@ -12,16 +12,10 @@
 nodes.auditd = {
 security.auditd.enable = true;
 security.audit.enable = true;
- environment.systemPackages = [ pkgs.audit ];
- boot.kernel.sysctl."kernel.printk_ratelimit" = 0;
- boot.kernelParams = [ "audit_backlog_limit=8192" ];
 };
 nodes.journaldAudit = {
 services.journald.audit = true;
 security.audit.enable = true;
- environment.systemPackages = [ pkgs.audit ];
- boot.kernel.sysctl."kernel.printk_ratelimit" = 0;
- boot.kernelParams = [ "audit_backlog_limit=8192" ];
 };
 nodes.containerCheck = {
 containers.c1 = {
@@ -56,11 +50,6 @@
 journaldAudit.succeed("journalctl _TRANSPORT=audit --grep 'unit=systemd-journald'")
 # logs should NOT end up in audit log
 journaldAudit.fail("grep 'unit=systemd-journald' /var/log/audit/audit.log")
- # FIXME: If systemd fixes #15324 this test will start failing.
- # You can fix this text by removing the below line.
- # logs ideally should NOT end up in kmesg, but they do due to
- # https://github.com/systemd/systemd/issues/15324
- journaldAudit.succeed("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'")
 
 with subtest("container systemd-journald-audit not running"):