author | Tuomas Tynkkynen <tuomas@tuxera.com> | 2016-08-28 18:57:36 +0300 |
committer | Tuomas Tynkkynen <tuomas@tuxera.com> | 2016-08-31 23:15:32 +0300 |
commit | 5eff0b990cb2f2a9492b31f825679608d5f09d19 (patch) | |
tree | 48f41395f904742a8708b861eb2659097bbab1be | |
parent | 20ab753e359e70a940f4b95829073d654ca97f10 (diff) | |
audit service: Explicitly call auditctl to disable everything
Otherwise, journald might be starting auditing. Some reading: - https://fedorahosted.org/fesco/ticket/1311 - https://github.com/systemd/systemd/issues/959 - https://github.com/openSUSE/systemd/commit/64f83d3087402c6f8730c1bc4b8fac59b84d4666
-rw-r--r-- | nixos/modules/security/audit.nix | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/nixos/modules/security/audit.nix b/nixos/modules/security/audit.nix
index f223f52ec487..8d70811b01c7 100644
--- a/nixos/modules/security/audit.nix
+++ b/nixos/modules/security/audit.nix
@@ -4,6 +4,7 @@ with lib;
 
 let
   cfg = config.security.audit;
+  enabled = cfg.enable == "lock" || cfg.enable;
 
   failureModes = {
     silent = 0;
@@ -11,6 +12,13 @@ let
     panic = 2;
   };
 
+  disableScript = pkgs.writeScript "audit-disable" ''
+    #!${pkgs.stdenv.shell} -eu
+    # Explicitly disable everything, as otherwise journald might start it.
+    auditctl -D
+    auditctl -e 0 -a task,never
+  '';
+
   # TODO: it seems like people like their rules to be somewhat secret, yet they will not be if
   # put in the store like this. At the same time, it doesn't feel like a huge deal and working
   # around that is a pain so I'm leaving it like this for now.
@@ -91,7 +99,7 @@ in {
     };
   };
 
-  config = mkIf (cfg.enable == "lock" || cfg.enable) {
+  config = {
     systemd.services.audit = {
       description = "Kernel Auditing";
       wantedBy = [ "basic.target" ];
@@ -103,8 +111,8 @@ in {
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = true;
-        ExecStart = "@${startScript} audit-start";
-        ExecStop = "@${stopScript} audit-stop";
+        ExecStart = "@${if enabled then startScript else disableScript} audit-start";
+        ExecStop = "@${stopScript} audit-stop";
       };
     };
   };
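Review bot: In the disableScript hunk, `auditctl` is invoked by bare name under `#!${pkgs.stdenv.shell} -eu`, so it resolves through whatever PATH the unit provides; the hunk does not show whether the service sets `path = [ pkgs.audit ]` or how startScript and stopScript (both outside the diff) locate the binary. Because the `config = {` hunk makes this script run on every boot of every host that imports the module, a binary that is not on PATH turns into a failed audit.service under `-e` rather than a silently skipped step. Referencing the store path directly, `${pkgs.audit}/bin/auditctl -D` and `${pkgs.audit}/bin/auditctl -e 0 -a task,never`, removes the PATH dependence for a privileged oneshot; if startScript already does this, matching it keeps the two scripts consistent.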
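Review bot: Dropping the `mkIf` in the `config = {` hunk makes audit.service and its auditctl calls unconditional, which is a user-visible change for `security.audit.enable = false`: kernel audit rules are now flushed and auditing actively switched off at boot instead of being left in whatever state the kernel or journald put it. The description of the `security.audit.enable` option (outside this diff) should state that, e.g. `When false, auditing is explicitly disabled at boot (all rules flushed, audit turned off) so that journald cannot enable it.` On a kernel built without audit support, or in a container where the unit presumably lacks the privilege to change audit state, the script's `-e` flag would make the first failing auditctl call fail the unit on every boot where previously no unit existed; worth confirming that is acceptable, or letting the disable path tolerate that case.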