nixos/tests/audit: init

nixos/tests/all-tests.nix

@@ -226,6 +226,7 @@ in
   atticd = runTest ./atticd.nix;
   atuin = runTest ./atuin.nix;
   ax25 = runTest ./ax25.nix;
+  audit = runTest ./audit.nix;
   audiobookshelf = runTest ./audiobookshelf.nix;
   auth-mysql = runTest ./auth-mysql.nix;
   authelia = runTest ./authelia.nix;

nixos/tests/audit.nix

@@ -0,0 +1,37 @@
+{
+
+  name = "audit";
+
+  nodes = {
+    machine =
+      { lib, pkgs, ... }:
+      {
+        security.audit = {
+          enable = true;
+          rules = [
+            "-a always,exit -F exe=${lib.getExe pkgs.hello} -k nixos-test"
+          ];
+        };
+        security.auditd.enable = true;
+
+        environment.systemPackages = [ pkgs.hello ];
+      };
+  };
+
+  testScript = ''
+    machine.wait_for_unit("audit-rules.service")
+    machine.wait_for_unit("auditd.service")
+
+    with subtest("Audit subsystem gets enabled"):
+      assert "enabled 1" in machine.succeed("auditctl -s")
+
+    with subtest("Custom rule produces audit traces"):
+      machine.succeed("hello")
+      print(machine.succeed("ausearch -k nixos-test -sc exit_group"))
+
+    with subtest("Stopping audit-rules.service disables the audit subsystem"):
+      machine.succeed("systemctl stop audit-rules.service")
+      assert "enabled 0" in machine.succeed("auditctl -s")
+  '';
+
+}

pkgs/by-name/au/audit/package.nix

@@ -17,6 +17,7 @@
   enablePython ? stdenv.hostPlatform == stdenv.buildPlatform,
   nix-update-script,
   testers,
+  nixosTests,
 }:
 stdenv.mkDerivation (finalAttrs: {
   pname = "audit";
@@ -90,6 +91,7 @@ stdenv.mkDerivation (finalAttrs: {
     tests = {
       musl = pkgsCross.musl64.audit;
       pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
+      audit = nixosTests.audit;
     };
   };