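# NixOS test checking where audit records that mention systemd-journald end up.
# testScript drives four nodes:
#   machine        - audit userspace tools installed, no audit option set in this file
#   auditd         - security.auditd and security.audit enabled
#   journaldAudit  - services.journald.audit and security.audit enabled, no auditd
#   containerCheck - host with one auto-started container (c1) using an empty config
{ pkgs, ... }:

{
  name = "systemd-journal";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ lewo ];
  };

  # Baseline node: only the audit package is added.
  # NOTE(review): presumably relies on the module defaults leaving auditing off - confirm.
  nodes.machine = {
    environment.systemPackages = [ pkgs.audit ];
  };
  # Audit subsystem plus the auditd daemon.
  nodes.auditd = {
    security.auditd.enable = true;
    security.audit.enable = true;
  };
  # Audit subsystem with journald collecting the records, no auditd.
  nodes.journaldAudit = {
    services.journald.audit = true;
    security.audit.enable = true;
  };
  # Host for the container check at the end of testScript.
  nodes.containerCheck = {
    containers.c1 = {
      autoStart = true;
      config = { };
    };
  };

  testScript = ''
    machine.wait_for_unit("multi-user.target")
    # sanity check: the journal is readable and contains systemd entries
    machine.succeed("journalctl --grep=systemd")

    with subtest("no audit messages"):
        # no matching record may appear under the audit or the kernel transport
        machine.fail("journalctl _TRANSPORT=audit --grep 'unit=systemd-journald'")
        machine.fail("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'")

    with subtest("auditd enabled"):
        auditd.wait_for_unit("multi-user.target")

        # records should end up in the journal
        auditd.succeed("journalctl _TRANSPORT=audit --grep 'unit=systemd-journald'")
        # records should end up in the auditd audit log
        auditd.succeed("grep 'unit=systemd-journald' /var/log/audit/audit.log")
        # records should not end up in kmsg
        auditd.fail("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'")

    with subtest("journald audit"):
        journaldAudit.wait_for_unit("multi-user.target")

        # records should end up in the journal
        journaldAudit.succeed("journalctl _TRANSPORT=audit --grep 'unit=systemd-journald'")
        # records should NOT end up in the audit log; grep also exits non-zero when
        # the file is absent, so this passes whether or not audit.log exists here
        journaldAudit.fail("grep 'unit=systemd-journald' /var/log/audit/audit.log")

    with subtest("container systemd-journald-audit not running"):
        containerCheck.wait_for_unit("multi-user.target")
        containerCheck.wait_until_succeeds("systemctl -M c1 is-active default.target")

        # systemd-journald-audit.socket should exist but not run due to the upstream unit's `Condition*` settings
        # execute() rather than succeed(): a non-zero exit status is the expected result
        (status, output) = containerCheck.execute("systemctl -M c1 is-active systemd-journald-audit.socket")
        containerCheck.log(output)
        assert status == 3 and output == "inactive\n", f"systemd-journald-audit.socket should exist in a container but remain inactive, was {output}"
  '';
}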