nixos/audit: fix journald test (#432238)

nixos/modules/security/audit.nix

@@ -53,7 +53,9 @@ in
 
       backlogLimit = lib.mkOption {
         type = lib.types.int;
-        default = 64; # Apparently the kernel default
+        # Significantly increase from the kernel default of 64 because a
+        # normal systems generates way more logs.
+        default = 1024;
         description = ''
           The maximum number of outstanding audit buffers allowed; exceeding this is
           considered a failure and handled in a manner specified by failureMode.
@@ -81,6 +83,18 @@ in
   };
 
   config = lib.mkIf (cfg.enable == "lock" || cfg.enable) {
+    boot.kernelParams = [
+      # A lot of audit events happen before the systemd service starts. Thus
+      # enable it via the kernel commandline to have the audit subsystem ready
+      # as soon as the kernel starts.
+      "audit=1"
+      # Also set the backlog limit because the kernel default is too small to
+      # capture all of them before the service starts.
+      "audit_backlog_limit=${toString cfg.backlogLimit}"
+    ];
+
+    environment.systemPackages = [ pkgs.audit ];
+
     systemd.services.audit-rules = {
       description = "Load Audit Rules";
       wantedBy = [ "sysinit.target" ];

nixos/modules/security/auditd.nix

@@ -202,11 +202,9 @@ in
       }
     ];
 
-    # Starting auditd should also enable loading the audit rules..
+    # Starting the userspace daemon should also enable audit in the kernel
     security.audit.enable = lib.mkDefault true;
 
-    environment.systemPackages = [ pkgs.audit ];
-
     # setting this to anything other than /etc/audit/plugins.d will break, so we pin it here
     security.auditd.settings.plugin_dir = "/etc/audit/plugins.d";
 

nixos/tests/audit.nix

@@ -16,6 +16,7 @@
           rules = [
             "-a always,exit -F exe=${lib.getExe pkgs.hello} -k nixos-test"
           ];
+          backlogLimit = 512;
         };
         security.auditd = {
           enable = true;
@@ -34,7 +35,9 @@
     machine.wait_for_unit("auditd.service")
 
     with subtest("Audit subsystem gets enabled"):
-      assert "enabled 1" in machine.succeed("auditctl -s")
+      audit_status = machine.succeed("auditctl -s")
+      t.assertIn("enabled 1", audit_status)
+      t.assertIn("backlog_limit 512", audit_status)
 
     with subtest("unix socket plugin activated"):
       machine.succeed("stat /var/run/audispd_events")
@@ -45,7 +48,7 @@
 
     with subtest("Stopping audit-rules.service disables the audit subsystem"):
       machine.succeed("systemctl stop audit-rules.service")
-      assert "enabled 0" in machine.succeed("auditctl -s")
+      t.assertIn("enabled 0", machine.succeed("auditctl -s"))
   '';
 
 }

nixos/tests/systemd-journal.nix

@@ -12,16 +12,10 @@
   nodes.auditd = {
     security.auditd.enable = true;
     security.audit.enable = true;
-    environment.systemPackages = [ pkgs.audit ];
-    boot.kernel.sysctl."kernel.printk_ratelimit" = 0;
-    boot.kernelParams = [ "audit_backlog_limit=8192" ];
   };
   nodes.journaldAudit = {
     services.journald.audit = true;
     security.audit.enable = true;
-    environment.systemPackages = [ pkgs.audit ];
-    boot.kernel.sysctl."kernel.printk_ratelimit" = 0;
-    boot.kernelParams = [ "audit_backlog_limit=8192" ];
   };
   nodes.containerCheck = {
     containers.c1 = {
@@ -56,11 +50,6 @@
       journaldAudit.succeed("journalctl _TRANSPORT=audit --grep 'unit=systemd-journald'")
       # logs should NOT end up in audit log
       journaldAudit.fail("grep 'unit=systemd-journald' /var/log/audit/audit.log")
-      # FIXME: If systemd fixes #15324 this test will start failing.
-      # You can fix this text by removing the below line.
-      # logs ideally should NOT end up in kmesg, but they do due to
-      # https://github.com/systemd/systemd/issues/15324
-      journaldAudit.succeed("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'")
 
 
     with subtest("container systemd-journald-audit not running"):