audit service: Explicitly call auditctl to disable everything

Otherwise, journald might start auditing on its own.
Some reading:
    - https://fedorahosted.org/fesco/ticket/1311
    - https://github.com/systemd/systemd/issues/959
    - 64f83d3087
Tuomas Tynkkynen 2016-08-28 18:57:36 +03:00
parent 20ab753e35
commit 5eff0b990c


@ -4,6 +4,7 @@ with lib;
let
cfg = config.security.audit;
enabled = cfg.enable == "lock" || cfg.enable;
failureModes = {
silent = 0;
@ -11,6 +12,13 @@ let
panic = 2;
};
disableScript = pkgs.writeScript "audit-disable" ''
#!${pkgs.stdenv.shell} -eu
# Explicitly disable everything, as otherwise journald might start it.
auditctl -D
auditctl -e 0 -a task,never
'';
# TODO: it seems like people like their rules to be somewhat secret, yet they will not be if
# put in the store like this. At the same time, it doesn't feel like a huge deal and working
# around that is a pain so I'm leaving it like this for now.
@ -91,7 +99,7 @@ in {
};
};
config = mkIf (cfg.enable == "lock" || cfg.enable) {
config = {
systemd.services.audit = {
description = "Kernel Auditing";
wantedBy = [ "basic.target" ];
@ -103,7 +111,7 @@ in {
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "@${startScript} audit-start";
ExecStart = "@${if enabled then startScript else disableScript} audit-start";
ExecStop = "@${stopScript} audit-stop";
};
};
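Review bot: Dropping the `mkIf` on the `config =` line (hunk 3) makes the audit unit run on every system, and because the disable script's shebang sets `-eu`, an `auditctl` failure — plausibly a kernel built without audit support or a container lacking CAP_AUDIT_CONTROL — now fails the oneshot unit at boot where previously no unit existed; hunk 4 carries the same unconditional wiring. Consider tolerating that case in the disable path, e.g. `auditctl -D || { echo "auditctl unavailable, skipping audit disable" >&2; exit 0; }` before the `-e 0` line, or gating `config` on a kernel-audit check. The comment at `# Explicitly disable everything` could also record that `-e 0` leaves auditing switchable, so a later journald restart (the linked issue) can re-enable it, whereas `-e 2` would hold until reboot but is a one-way switch that the enable/lock path would then have to avoid. For readability of process listings and logs, the `ExecStart` line could pass `audit-disable` as argv[0] when `disableScript` is selected rather than the fixed `audit-start`.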