audit service: Explicitly call auditctl to disable everything

Otherwise, journald might be starting auditing. Some reading: - https://fedorahosted.org/fesco/ticket/1311 - https://github.com/systemd/systemd/issues/959 - 64f83d3087
2024-11-15 03:15:56 +03:00 · 2016-08-28 18:57:36 +03:00 · 2016-08-28 18:57:36 +03:00 · 5eff0b990c
commit 5eff0b990c
parent 20ab753e35
1 changed files with 11 additions and 3 deletions
--- a/nixos/modules/security/audit.nix
+++ b/nixos/modules/security/audit.nix
@ -4,6 +4,7 @@ with lib;

 let
  cfg = config.security.audit;
+  enabled = cfg.enable == "lock" || cfg.enable;

  failureModes = {
    silent = 0;
@ -11,6 +12,13 @@ let
    panic  = 2;
  };

+  disableScript = pkgs.writeScript "audit-disable" ''
+    #!${pkgs.stdenv.shell} -eu
+    # Explicitly disable everything, as otherwise journald might start it.
+    auditctl -D
+    auditctl -e 0 -a task,never
+  '';
+
  # TODO: it seems like people like their rules to be somewhat secret, yet they will not be if
  # put in the store like this. At the same time, it doesn't feel like a huge deal and working
  # around that is a pain so I'm leaving it like this for now.
@ -91,7 +99,7 @@ in {
    };
  };

-  config = mkIf (cfg.enable == "lock" || cfg.enable) {
+  config = {
    systemd.services.audit = {
      description = "Kernel Auditing";
      wantedBy = [ "basic.target" ];
@ -103,7 +111,7 @@ in {
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
-        ExecStart = "@${startScript} audit-start";
+        ExecStart = "@${if enabled then startScript else disableScript} audit-start";
        ExecStop  = "@${stopScript} audit-stop";
      };
    };