From 5eff0b990cb2f2a9492b31f825679608d5f09d19 Mon Sep 17 00:00:00 2001
From: Tuomas Tynkkynen
Date: Sun, 28 Aug 2016 18:57:36 +0300
Subject: audit service: Explicitly call auditctl to disable everything

Otherwise, journald might be starting auditing.

Some reading:
- https://fedorahosted.org/fesco/ticket/1311
- https://github.com/systemd/systemd/issues/959
- https://github.com/openSUSE/systemd/commit/64f83d3087402c6f8730c1bc4b8fac59b84d4666
---
 nixos/modules/security/audit.nix | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/nixos/modules/security/audit.nix b/nixos/modules/security/audit.nix
index f223f52ec487..8d70811b01c7 100644
--- a/nixos/modules/security/audit.nix
+++ b/nixos/modules/security/audit.nix
@@ -4,6 +4,7 @@ with lib;
 
 let
   cfg = config.security.audit;
+  enabled = cfg.enable == "lock" || cfg.enable;
 
   failureModes = {
     silent = 0;
@@ -11,6 +12,13 @@ let
     panic = 2;
   };
 
+  disableScript = pkgs.writeScript "audit-disable" ''
+    #!${pkgs.stdenv.shell} -eu
+    # Explicitly disable everything, as otherwise journald might start it.
+    auditctl -D
+    auditctl -e 0 -a task,never
+  '';
+
   # TODO: it seems like people like their rules to be somewhat secret, yet they will not be if
   # put in the store like this. At the same time, it doesn't feel like a huge deal and working
   # around that is a pain so I'm leaving it like this for now.
@@ -91,7 +99,7 @@ in {
     };
   };
 
-  config = mkIf (cfg.enable == "lock" || cfg.enable) {
+  config = {
     systemd.services.audit = {
       description = "Kernel Auditing";
       wantedBy = [ "basic.target" ];
@@ -103,8 +111,8 @@ in {
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = true;
-        ExecStart = "@${startScript} audit-start";
-        ExecStop = "@${stopScript} audit-stop";
+        ExecStart = "@${if enabled then startScript else disableScript} audit-start";
+        ExecStop = "@${stopScript} audit-stop";
       };
     };
   };
-- 
cgit 1.4.1
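Review bot: `disableScript` aborts on its first `auditctl` call, and with `-eu` leaves the unit in a failed state, whenever the running kernel's audit configuration was already locked with `auditctl -e 2` earlier in the same boot, because a locked kernel refuses both `auditctl -D` and `auditctl -e 0`; that is exactly what happens when a host that previously had `security.audit.enable = "lock"` is switched to `enable = false` without rebooting. If that outcome is intended (the lock is immutable until reboot by design), say so inside the script so the failed unit is not mistaken for a bug, e.g. `# If the audit config was locked (-e 2) earlier this boot the kernel refuses these calls; the unit then fails and a reboot is needed.` The script relies on `auditctl` being on PATH, which presumably comes from the service's `path` setting outside this hunk, as the existing startScript appears to do already.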
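Review bot: Dropping the `mkIf` means `security.audit.enable = false` now installs and starts the audit unit and actively turns kernel auditing off at boot instead of leaving it alone, but nothing in the change updates the `enable` option's description (defined outside this hunk) to say so. Suggest adding to that description a sentence along the lines of `When false, the audit service still runs and explicitly disables kernel auditing (auditctl -e 0) so that journald cannot enable it on its own.` If the `config` attribute set holds anything besides `systemd.services.audit` further down, that also becomes unconditional with this change and is worth checking.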
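Review bot: The `@` argv[0] override still reads `audit-start` when `disableScript` is selected, so the disabling run shows up in `ps` output and in log or audit records under a name that says the opposite of what it does. The name can follow the same condition, e.g. `ExecStart = "@${if enabled then startScript else disableScript} ${if enabled then "audit-start" else "audit-disable"}";`. ExecStop also still runs `stopScript` after a disable-only run; whether that is harmless depends on `stopScript`, which is outside the hunk, so a short comment on the ExecStop line stating that it is intentional would help.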