audit service: Explicitly call auditctl to disable everything
Otherwise, journald might start auditing on its own.
Some reading:
- https://fedorahosted.org/fesco/ticket/1311
- https://github.com/systemd/systemd/issues/959
- 64f83d3087
This commit is contained in:
parent
20ab753e35
commit
5eff0b990c
1 changed files with 11 additions and 3 deletions
@ -4,6 +4,7 @@ with lib;
let
cfg = config.security.audit;
enabled = cfg.enable == "lock" || cfg.enable;
failureModes = {
silent = 0;
@ -11,6 +12,13 @@ let
panic = 2;
};
disableScript = pkgs.writeScript "audit-disable" ''
#!${pkgs.stdenv.shell} -eu
# Explicitly disable everything, as otherwise journald might start it.
auditctl -D
auditctl -e 0 -a task,never
'';
# TODO: it seems like people like their rules to be somewhat secret, yet they will not be if
# put in the store like this. At the same time, it doesn't feel like a huge deal and working
# around that is a pain so I'm leaving it like this for now.
@ -91,7 +99,7 @@ in {
};
};
config = mkIf (cfg.enable == "lock" || cfg.enable) {
config = {
systemd.services.audit = {
description = "Kernel Auditing";
wantedBy = [ "basic.target" ];
@ -103,8 +111,8 @@ in {
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "@${startScript} audit-start";
ExecStop = "@${stopScript} audit-stop";
ExecStart = "@${if enabled then startScript else disableScript} audit-start";
ExecStop = "@${stopScript} audit-stop";
};
};
};
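Review bot: The new `disableScript` in the second hunk runs under `-eu`, and since the third hunk replaces the `mkIf` guard with an unconditional `config = {`, the `audit` unit is now wanted by `basic.target` on every host; any non-zero exit from `auditctl` there — a kernel built without audit support, or a `nixos-rebuild switch` from `enable = "lock"` to `enable = false` while the running kernel's audit configuration is still locked — presumably becomes a failed unit on systems that never opted into auditing, so confirm that is the intended failure mode or guard the calls. The script's comment should also say what the second command does, e.g. `# -e 0 disables auditing; -a task,never stops newly created tasks from being audited.`, since the current one only explains why the script exists. As a point of style, the fourth hunk passes the argv[0] `audit-start` to `disableScript` as well, which is misleading in logs; a name such as `audit-disable` for that branch would be clearer. The `stopScript` referenced by `ExecStop` and the rest of the `systemd.services.audit` definition are outside these hunks, so I cannot see whether the stop path makes the same assumptions.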