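# NixOS test for the Linux audit framework: enables the kernel audit
# subsystem with one custom rule, starts auditd with two plugins, and
# then checks from the test driver that the rule is loaded, the socket
# plugin is active, the rule actually produces records, and that
# stopping audit-rules.service turns the subsystem off again.
{ lib, ... }:
{

  name = "audit";

  meta = {
    maintainers = with lib.maintainers; [ grimmauld ];
  };

  nodes = {
    machine =
      { lib, pkgs, ... }:
      {
        security.audit = {
          enable = true;
          # Match syscalls made by the `hello` executable and tag the
          # resulting records with the key `nixos-test`, which is what the
          # test script searches for with `ausearch -k`.  No `-S` filter is
          # given, so the rule is not restricted to particular syscalls.
          rules = [
            "-a always,exit -F exe=${lib.getExe pkgs.hello} -k nixos-test"
          ];
          # An explicit value so the test script can check via
          # `auditctl -s` that the configured limit was applied.
          backlogLimit = 512;
        };
        security.auditd = {
          enable = true;
          plugins.af_unix.active = true;
          plugins.syslog.active = true;
          # plugins.remote.active = true; # needs configuring a remote server for logging
          # plugins.filter.active = true; # needs configuring allowlist/denylist
        };

        # `hello` must be on PATH so the test script can run it and
        # trigger the rule above.
        environment.systemPackages = [ pkgs.hello ];
      };
  };

  testScript = ''
    # Both units must be up before any assertion: the rules are loaded by
    # audit-rules.service and auditd.service consumes the kernel queue.
    machine.wait_for_unit("audit-rules.service")
    machine.wait_for_unit("auditd.service")

    with subtest("Audit subsystem gets enabled"):
        audit_status = machine.succeed("auditctl -s")
        t.assertIn("enabled 1", audit_status)
        # Confirms that security.audit.backlogLimit reached the kernel.
        t.assertIn("backlog_limit 512", audit_status)

    with subtest("unix socket plugin activated"):
        # Socket created by the af_unix plugin enabled above; its mere
        # existence is what is being checked here.
        machine.succeed("stat /var/run/audispd_events")

    with subtest("Custom rule produces audit traces"):
        machine.succeed("hello")
        # `succeed` already fails if ausearch exits non-zero (no match),
        # but assert on the record content as well so that a matching
        # event without the expected key cannot pass silently.
        trace = machine.succeed("ausearch -k nixos-test -sc exit_group")
        print(trace)
        t.assertIn('key="nixos-test"', trace)

    with subtest("Stopping audit-rules.service disables the audit subsystem"):
        machine.succeed("systemctl stop audit-rules.service")
        t.assertIn("enabled 0", machine.succeed("auditctl -s"))
  '';

}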