archives/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2026-03-08 01:24:09 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

nixos/audit{,d}: add package option (#476568)

Browse source
This commit is contained in:
nikstur 2026-01-09 16:20:09 +00:00 committed by GitHub
commit 0be153a94e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 20 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

10
nixos/modules/security/audit.nix
View file

@ -41,6 +41,8 @@ in
'';
};
package = lib.mkPackageOption pkgs "audit" { };
failureMode = lib.mkOption {
type = lib.types.enum [
"silent"
@ -93,7 +95,7 @@ in
"audit_backlog_limit=${toString cfg.backlogLimit}"
];
environment.systemPackages = [ pkgs.audit ];
environment.systemPackages = [ cfg.package ];
# upstream contains a audit-rules.service, which uses augenrules.
# That script does not handle cleanup correctly and insists on loading from /etc/audit.
@ -119,12 +121,12 @@ in
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${lib.getExe' pkgs.audit "auditctl"} -R ${rules}/audit.rules";
ExecStart = "${lib.getExe' cfg.package "auditctl"} -R ${rules}/audit.rules";
ExecStopPost = [
# Disable auditing
"${lib.getExe' pkgs.audit "auditctl"} -e 0"
"${lib.getExe' cfg.package "auditctl"} -e 0"
# Delete all rules
"${lib.getExe' pkgs.audit "auditctl"} -D"
"${lib.getExe' cfg.package "auditctl"} -D"
];
};
};

26
nixos/modules/security/auditd.nix
View file

@ -101,6 +101,8 @@ in
options.security.auditd = {
enable = lib.mkEnableOption "the Linux Audit daemon";
package = lib.mkPackageOption pkgs "auditd" { default = "audit"; };
settings = lib.mkOption {
type = lib.types.submodule {
freeformType = lib.types.attrsOf settingsType;
@ -146,7 +148,7 @@ in
defaultText = lib.literalExpression ''
{
af_unix = {
path = lib.getExe' pkgs.audit "audisp-af_unix";
path = lib.getExe' config.security.auditd.package "audisp-af_unix";
args = [
"0640"
"/var/run/audispd_events"
@ -155,15 +157,15 @@ in
format = "binary";
};
remote = {
path = lib.getExe' pkgs.audit "audisp-remote";
path = lib.getExe' config.security.auditd.package "audisp-remote";
settings = { };
};
filter = {
path = lib.getExe' pkgs.audit "audisp-filter";
path = lib.getExe' config.security.auditd.package "audisp-filter";
args = [
"allowlist"
"/etc/audit/audisp-filter.conf"
(lib.getExe' pkgs.audit "audisp-syslog")
(lib.getExe' config.security.auditd.package "audisp-syslog")
"LOG_USER"
"LOG_INFO"
"interpret"
@ -171,7 +173,7 @@ in
settings = { };
};
syslog = {
path = lib.getExe' pkgs.audit "audisp-syslog";
path = lib.getExe' config.security.auditd.package "audisp-syslog";
args = [ "LOG_INFO" ];
};
}
@ -226,7 +228,7 @@ in
security.auditd.plugins = {
af_unix = {
path = lib.getExe' pkgs.audit "audisp-af_unix";
path = lib.getExe' cfg.package "audisp-af_unix";
args = [
"0640"
"/run/audit/audispd_events"
@ -235,15 +237,15 @@ in
format = "binary";
};
remote = {
path = lib.getExe' pkgs.audit "audisp-remote";
path = lib.getExe' cfg.package "audisp-remote";
settings = { };
};
filter = {
path = lib.getExe' pkgs.audit "audisp-filter";
path = lib.getExe' cfg.package "audisp-filter";
args = [
"allowlist"
"/etc/audit/audisp-filter.conf"
(lib.getExe' pkgs.audit "audisp-syslog")
(lib.getExe' cfg.package "audisp-syslog")
"LOG_USER"
"LOG_INFO"
"interpret"
@ -251,12 +253,12 @@ in
settings = { };
};
syslog = {
path = lib.getExe' pkgs.audit "audisp-syslog";
path = lib.getExe' cfg.package "audisp-syslog";
args = [ "LOG_INFO" ];
};
};
systemd.packages = [ pkgs.audit.out ];
systemd.packages = [ cfg.package.out ];
systemd.services.auditd = {
wantedBy = [ "multi-user.target" ];
@ -271,7 +273,7 @@ in
ExecStart = [
# the upstream unit does not allow symlinks, so clear and rewrite the ExecStart
""
"${lib.getExe' pkgs.audit "auditd"} -l -s nochange"
"${lib.getExe' cfg.package "auditd"} -l -s nochange"
];
};
};