From bb62fa7c88576cf3407820b4841db874a815907d Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Thu, 27 Nov 2025 10:51:42 +0100
Subject: [PATCH] nixos/tests/audit-testsuite: init

---
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/audit-testsuite.nix | 45 +++++++++++++++++++++++++++++++
 pkgs/by-name/au/audit/package.nix | 2 +-
 3 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 nixos/tests/audit-testsuite.nix

diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 7892274095aa..5aabe8634c1c 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -253,6 +253,7 @@ in
 atuin = runTest ./atuin.nix;
 audiobookshelf = runTest ./audiobookshelf.nix;
 audit = runTest ./audit.nix;
+ audit-testsuite = runTest ./audit-testsuite.nix;
 auth-mysql = runTest ./auth-mysql.nix;
 authelia = runTest ./authelia.nix;
 auto-cpufreq = runTest ./auto-cpufreq.nix;
diff --git a/nixos/tests/audit-testsuite.nix b/nixos/tests/audit-testsuite.nix
new file mode 100644
index 000000000000..7c45de00544f
--- /dev/null
+++ b/nixos/tests/audit-testsuite.nix
@@ -0,0 +1,45 @@
+{ lib, ... }:
+{
+ # https://github.com/linux-audit/audit-testsuite
+ # This test is meant to *only* run the audit regression testsuite.
+ # The test mutates the audit rules on the system it runs on, and can not run in the nix build sandbox.
+ # Thus a dedicated VM test makes sense.
+
+ name = "audit-testsuite";
+
+ meta = {
+ maintainers = with lib.maintainers; [ grimmauld ];
+ };
+
+ nodes.machine =
+ { pkgs, ... }:
+ {
+ # https://github.com/linux-audit/audit-testsuite/blob/5a10451642ac1ba2fa4b31c06a21cf9aa2d38b66/tests/amcast_joinpart/test#L86
+ # tests use LC_TIME=en_DK.utf8 to force ISO 8601 date format
+ i18n.extraLocales = [ "en_DK.UTF-8/UTF-8" ];
+
+ security.polkit.enable = true; # needed for run0
+
+ security.audit.backlogLimit = 8192;
+
+ security.auditd = {
+ enable = true;
+ plugins.af_unix.active = true;
+ settings = {
+ num_logs = 4;
+ disk_full_action = "rotate";
+ };
+ };
+
+ environment.systemPackages = [ pkgs.audit.testsuite.runner ];
+ };
+
+ testScript = ''
+ start_all()
+ machine.wait_for_unit("auditd.service")
+ machine.wait_for_unit("network.target") # netfilter test requires network to be up
+
+ # we need a valid session to which we can send commands, so we use run0
+ machine.succeed("run0 --pty audit-testsuite-runner")
+ '';
+}
diff --git a/pkgs/by-name/au/audit/package.nix b/pkgs/by-name/au/audit/package.nix
index e9109b4bf04a..49e6849c2a2d 100644
--- a/pkgs/by-name/au/audit/package.nix
+++ b/pkgs/by-name/au/audit/package.nix
@@ -157,7 +157,7 @@ stdenv.mkDerivation (finalAttrs: {
 musl = pkgsMusl.audit or null;
 static = pkgsStatic.audit or null;
 pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
- audit = nixosTests.audit;
+ inherit (nixosTests) audit audit-testsuite;
 # Broken on a hardened kernel
 package = finalAttrs.finalPackage.overrideAttrs (previousAttrs: {
 pname = previousAttrs.pname + "-test";
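Review bot: The auditd tuning in nodes.machine — `security.audit.backlogLimit = 8192;`, `num_logs = 4;` and `disk_full_action = "rotate";` — carries no rationale, unlike the locale and polkit lines beside it, so a later reader cannot tell which upstream test case depends on which value; a comment per setting such as `# NOTE(review): name the testsuite case that needs this backlog / log rotation and link it like the locale comment above` would keep the file self-explaining. The testScript's only assertion is the exit status of `run0 --pty audit-testsuite-runner`; whether the runner exits non-zero when an individual test case fails is not visible in this patch, so it is worth confirming that a failing suite actually fails the VM test rather than only leaving a message in the log. `pkgs.audit.testsuite.runner` is referenced but not introduced by this patch, so it presumably already exists in package.nix — confirm, since the package.nix hunk here only touches passthru tests. Minor wording in the header comment: `can not run` → `cannot run`.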