
audit: Centralize ordering and systemd service override#1635

Merged
brianmcgillion merged 1 commit into tiiuae:main from everton-dematos:pr_audit_fixes
Dec 15, 2025

Conversation

@everton-dematos
Contributor

This PR addresses two separate issues:

  1. The standard NixOS auditd module generates an audit.rules file that includes flags to set the backlog limit (-b 8192) and failure mode (-f). We are already defining those parameters inside security.audit. In some environments, auditctl lacks the permissions to set these kernel parameters at runtime, causing failures. The -D was kept to clear any pre-existing rules. In summary, the kernel parameters were defined redundantly.

  2. Resetting the service dependencies makes it run later, like a normal service, resolving a race condition problem. Previously, it was added only to zathura-vm to solve this issue. However, we could see the same issue in ghaf-host when some specific audit rules were applied. That is why it was decided to centralize the ordering for all the VMs.

Description of Changes

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

https://jira.tii.ae/browse/SSRCSP-7625

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. Set audit.enable to true: https://github.com/everton-dematos/ghaf/blob/pr_audit_fixes/modules/reference/profiles/mvp-user-trial.nix#L112
  2. Verify that the auditd and audit-rules-nixos services are active/enabled (any VM, especially ghaf-host, chrome-vm, and zathura-vm, which were presenting issues):
    2.1 systemctl status audit-rules-nixos.service
    2.2 systemctl status auditd.service
  3. In case you want to test this specific issue: https://jira.tii.ae/browse/SSRCSP-7625. Then, please enable OSPP rules by setting enableOspp to true - https://github.com/everton-dematos/ghaf/blob/pr_audit_fixes/modules/common/security/audit/default.nix#L52

This override addresses two separate issues:

1. The standard NixOS auditd module generates an audit.rules file that includes flags to set the backlog limit (`-b 8192`) and failure mode (`-f`). In some environments `auditctl` lacks the permissions to set these kernel parameters at runtime, causing failures. The `-D` was kept to clear any pre-existing rules. In summary, the kernel parameters were defined redundantly.

2. Resetting the service dependencies makes it run later, like a normal service, resolving a race condition problem.

Signed-off-by: Everton de Matos <everton.dematos@tii.ae>
Collaborator

@brianmcgillion brianmcgillion left a comment


nice

@brianmcgillion brianmcgillion added the Needs Testing CI Team to pre-verify label Dec 12, 2025
@Gaya-03 Gaya-03 added Tested on System76 and removed Needs Testing CI Team to pre-verify labels Dec 15, 2025
@brianmcgillion brianmcgillion merged commit d4b188e into tiiuae:main Dec 15, 2025
32 checks passed
@everton-dematos everton-dematos deleted the pr_audit_fixes branch January 23, 2026 07:13