nixos/tests/audit: test plugins

2025-06-25 23:27:02 +02:00 · 2025-06-25 23:27:02 +02:00 · 916d8b65cf
commit 916d8b65cf
parent ee774bb624
1 changed files with 10 additions and 1 deletions
--- a/nixos/tests/audit.nix
+++ b/nixos/tests/audit.nix
@ -12,7 +12,13 @@
            "-a always,exit -F exe=${lib.getExe pkgs.hello} -k nixos-test"
          ];
        };
-        security.auditd.enable = true;
+        security.auditd = {
+          enable = true;
+          plugins.af_unix.active = true;
+          plugins.syslog.active = true;
+          # plugins.remote.active = true; # needs configuring a remote server for logging
+          # plugins.filter.active = true; # needs configuring allowlist/denylist
+        };

        environment.systemPackages = [ pkgs.hello ];
      };
@ -25,6 +31,9 @@
    with subtest("Audit subsystem gets enabled"):
      assert "enabled 1" in machine.succeed("auditctl -s")

+    with subtest("unix socket plugin activated"):
+      machine.succeed("stat /var/run/audispd_events")
+
    with subtest("Custom rule produces audit traces"):
      machine.succeed("hello")
      print(machine.succeed("ausearch -k nixos-test -sc exit_group"))