Improve security.audit{,d}

[nikstur]

The audit module behaved very weirdly. Instead of being guarded behind an mkIf it would start a "disable" script if the service wasn't enabled. This would thus always pull in the service making pkgs.audit (the bin output) a mandatory part of every NixOS system closure (the lib output has always been because of systemd).
@arianvp also reported that this sometimes led to race conditions with journald which also tries to communicate with the audit subsystem. This PR fixes this behaviour and along the way gets rid of unnecessary (mandatory) bash script.

The audit and auditd module are aligned with upstream and some weird options are removed. For example ConditionSecurity = [ "audit" ]; which doesn't make sense to set because audit-rules is supposed to enable the subsystem in the first place. The only reason this has ever worked in the past is because of some unfortunate misbehaviour of journald (which would enable the audit subsystem itself).

To summarize: security.audit is now responsible for loading the audit rules and enabling the audit subsystem. security.auditd is only responsible for starting auditd.

Closes #11864

This isssue can now be closed from my perspective. Shipping default rules might be possible but can be tracked separately.

Things done

• Built on platform:
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• Tested, as applicable:
  • NixOS tests in nixos/tests.
  • Package tests at passthru.tests.
  • Tests in lib/tests or pkgs/test for functions and "core" functionality.
• Ran nixpkgs-review on this PR. See nixpkgs-review usage.
• Tested basic functionality of all binary files, usually in ./result/bin/.
• Nixpkgs Release Notes
  • Package update: when the change is major or breaking.
• NixOS Release Notes
  • Module addition: when adding a new NixOS module.
  • Module update: when the change is significant.
• Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

---

Add a 👍 reaction to pull requests you find important.

[LordGrimmauld]

fyi: i do have some changes to the auditd module in #420043. That said, those changes are not directly touching the service, so while a merge conflict will happen, the changes themselves seem orthogonal.

[LordGrimmauld]

Also: Audit is already part of every nixos closure, simply from being a dependency of systemd. These module changes don't actually change that fact. Its good to try and do some cleanup, but some of the motivation seems invalid to me.

[nikstur]

Also: Audit is already part of every nixos closure, simply from being a dependency of systemd. These module changes don't actually change that fact. Its good to try and do some cleanup, but some of the motivation seems invalid to me.

The lib output is but not the bin output. These modules pull in the bin output.

[LordGrimmauld]

I have now picked this onto my auditd testsuite branch at https://github.com/LordGrimmauld/nixpkgs/commits/audit-testing-full/ and will be building the nixos test. Compiling the packages will take a bit, but the upstream testsuite is quite exhaustive. I just recently adopted audit and am still in the process of cleaning it all up. Your help is appreciated, but this also means a lot of my changes are not yet merged (like #420043 and #429438) or even submitted for review (such as the audit-testsuite things in my branch).

[LordGrimmauld]

So uh, something is very wrong.
audit-test.log

The relevant errors (as far as i can see):

vm-test-run-auditd> machine # [    3.917831] auditd[389]: Unable to set pidfile (No such file or directory)
vm-test-run-auditd> machine # [    3.940292] audisp-af_unix[398]: Couldn't open /var/run (No such file or directory)
vm-test-run-auditd> machine # [    3.948696] auditd[389]: plugin /nix/store/iv9g3v9fih8f02m3hiys1alw9jk9llva-audit-4.1.0-bin/bin/audisp-af_unix terminated unexpectedly
...
vm-test-run-auditd> machine # [    4.369361] auditd[389]: plugin /nix/store/iv9g3v9fih8f02m3hiys1alw9jk9llva-audit-4.1.0-bin/bin/audisp-af_unix terminated unexpectedly
vm-test-run-auditd> machine # [    4.371648] auditd[389]: plugin /nix/store/iv9g3v9fih8f02m3hiys1alw9jk9llva-audit-4.1.0-bin/bin/audisp-af_unix has exceeded max_restarts

So it seems auditd starts too early, and this is indeed a regression. Please fix.

[nikstur]

I just recently adopted audit

Very cool! Glad that someone is taking care of it.

I mostly care about being able to disable this to not rely on bash (i.e. this commit: 19d79d2b918969c4832276a5969464e01fb2e105) as part of the Bashless Activation initiative.

Although I think all the changes make a lot of sense and are easy wins, I'd be willing to reduce the scope of this PR to only 19d79d2b918969c4832276a5969464e01fb2e105 if that helps you.

[LordGrimmauld]

Thanks! With the most recent push to https://github.com/LordGrimmauld/nixpkgs/commits/audit-testing-full/, the testsuite now passes. And fair enough, you couldn't have known about the additional testsuite work i was doing.

The test suite complains about vm-test-run-auditd> machine # [ 36.458156] auditd[541]: Error receiving audit netlink packet (No buffer space available), but i'll have to cross-reference that with the old behavior. And seeing as the testsuite passes, that might well be an expected fail.

I'll take a look at the overall nix changes, now that the CI and unofficial tests pass.

[LordGrimmauld]

Couple thoughts, mostly nits and a request for more testing. Overall looks good though, and the cleanup is long overdue! The last PR touching audit module significantly was back in 2016...

[LordGrimmauld]

Although I think all the changes make a lot of sense and are easy wins, I'd be willing to reduce the scope of this PR to only 19d79d2 if that helps you.

Please don't, your changes are good! This is for the better, just needs some care to not unknowingly break things, now that someone (me) actually cares.

[LordGrimmauld]

I am almost happy with this, this is definitely moving in the right direction!

[LordGrimmauld]

Thank you for this work, no complaints from me left

[nikstur]

Thank you for this work, no complaints from me left

Thank you for the review. Learned a little more about audit on the way!

[arianvp]

One more thing that we didn't do in this PR due to mass rebuild but we do require to solve more race conditions :

We should move the service to use Type=forking. This requires a patch to the audit package as currently it's trying to create its PIDFile in $out/var/run/audit.pid which obviously doesn't work.

Reason why we need Type=forking is that audit uses fork() to notify when the daemon is ready for traffic. And things that order After=auditd.service will only get started once auditd is ready to process things. with Type=simple things with After=auditd.service will start too soon.

Otherwise things like https://github.com/systemd/systemd/blob/922885e0a5b729a3faaba35676b37013f323d309/units/systemd-update-utmp.service.in#L16 are racey.

[LordGrimmauld]

I imagine that too would fall under respecting $RUNTIME_DIRECTORY, also see linux-audit/audit-userspace#490

[nikstur]

We should probably set --runstatedir=/run in the configureFlags of the audit package. This is what archlinux does:
https://gitlab.archlinux.org/archlinux/packaging/packages/audit/-/blob/main/PKGBUILD?ref_type=heads#L73

[LordGrimmauld]

I don't see how that'd fix all the hardcoded /var/run paths though

[arianvp]

This might need a release note? Not sure. I am a little bit out of the loop what the kernel param does. I assume it causes the audit subsystem to start before userspace even starts up. Does it buffer the events?

[arianvp]

from the auditd docs they do say:

A boot param of audit=1 should be added to ensure that all processes that run before the audit daemon starts is marked as auditable by the kernel. Not doing that will make a few processes impossible to properly audit.

[LordGrimmauld]

i'll try to look into this soon. Ideally there'd be a VM test to actually test this stuff and get immediate results. My approach to looking into this will be trying to break it (i.e. try to audit pid 1), and if that breaks see whether adding that kernel parameter fixes it.

[nikstur]

We should just add the kernelParam back. But to the audit module and not the auditd module!.

[LordGrimmauld]

huh? No that makes little sense. auditd is there for the userspace auditing, our audit module is only there for rules. And you can enable audit(d) without adding any rules.

[LordGrimmauld]

iirc you can attach audit to existing processes using auditctl later, but only if those processes were started either after auditd or with the kernel flag. Which would mean that is entirely independent of our rule-loading module.
I might be mistaken, i have some reading to do to get this right.

[nikstur]

our audit module is only there for rules. And you can enable audit(d) without adding any rules.

No, our audit module enables the audit subsystem in the kernel right now (via the -e rule). This is what our test shows. Enabling just the audit daemon does not enable the audit subsystem (because of the -s nochange, see https://man.archlinux.org/man/auditd.8.en#s=).

IMO the audit module is there to (a) enable the audit subsystem and (b) load the rules. You can then use whatever audit daemon you like (go-audit, auditd, etc.). That's why I also think this module should set the kernelParam.

The auditd module needs the audit module (to enable the audit subsystem) to receive any audit logs from the kernel.

We shouldn't couple enabling the audit subsystem direclty to the daemon used.

[nikstur]

Anyways, let's finish this discussion here and take it elsewhere.

[LordGrimmauld]

Update: since linux-audit/audit-userspace@4ade146, upstream now officially tries to respect --runstatedir, so we should probably start using that. We could fetch that patch, or just wait ~a month for the next patch release

[arianvp]

Great stuff!