nixos/tests/audit-testsuite: init

2026-06-05 21:03:40 +00:00 · 2025-11-27 10:51:42 +01:00
parent bff2752ec7
commit bb62fa7c88
3 changed files with 47 additions and 1 deletions
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -253,6 +253,7 @@ in
  atuin = runTest ./atuin.nix;
  audiobookshelf = runTest ./audiobookshelf.nix;
  audit = runTest ./audit.nix;
+  audit-testsuite = runTest ./audit-testsuite.nix;
  auth-mysql = runTest ./auth-mysql.nix;
  authelia = runTest ./authelia.nix;
  auto-cpufreq = runTest ./auto-cpufreq.nix;
--- a/nixos/tests/audit-testsuite.nix
+++ b/nixos/tests/audit-testsuite.nix
@@ -0,0 +1,45 @@
+{ lib, ... }:
+{
+  # https://github.com/linux-audit/audit-testsuite
+  # This test is meant to *only* run the audit regression testsuite.
+  # The test mutates the audit rules on the system it runs on, and can not run in the nix build sandbox.
+  # Thus a dedicated VM test makes sense.
+
+  name = "audit-testsuite";
+
+  meta = {
+    maintainers = with lib.maintainers; [ grimmauld ];
+  };
+
+  nodes.machine =
+    { pkgs, ... }:
+    {
+      # https://github.com/linux-audit/audit-testsuite/blob/5a10451642ac1ba2fa4b31c06a21cf9aa2d38b66/tests/amcast_joinpart/test#L86
+      # tests use LC_TIME=en_DK.utf8 to force ISO 8601 date format
+      i18n.extraLocales = [ "en_DK.UTF-8/UTF-8" ];
+
+      security.polkit.enable = true; # needed for run0
+
+      security.audit.backlogLimit = 8192;
+
+      security.auditd = {
+        enable = true;
+        plugins.af_unix.active = true;
+        settings = {
+          num_logs = 4;
+          disk_full_action = "rotate";
+        };
+      };
+
+      environment.systemPackages = [ pkgs.audit.testsuite.runner ];
+    };
+
+  testScript = ''
+    start_all()
+    machine.wait_for_unit("auditd.service")
+    machine.wait_for_unit("network.target") # netfilter test requires network to be up
+
+    # we need a valid session to which we can send commands, so we use run0
+    machine.succeed("run0 --pty audit-testsuite-runner")
+  '';
+}
--- a/pkgs/by-name/au/audit/package.nix
+++ b/pkgs/by-name/au/audit/package.nix
@@ -157,7 +157,7 @@ stdenv.mkDerivation (finalAttrs: {
      musl = pkgsMusl.audit or null;
      static = pkgsStatic.audit or null;
      pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
-      audit = nixosTests.audit;
+      inherit (nixosTests) audit audit-testsuite;
      # Broken on a hardened kernel
      package = finalAttrs.finalPackage.overrideAttrs (previousAttrs: {
        pname = previousAttrs.pname + "-test";