When security.audit.enable = false is used, audit still outputs messages to the journal and dmesg.
Journal:
Jun 29 09:04:34 myhost audit[1683]: SECCOMP auid=1000 uid=1000 gid=1000 ses=1 pid=1683 comm="chromium" exe="/nix/store/bc7wghsaam5synw1s74m8aqw2y9lb9j6-chromium-51.0.2704.63/libexec/chromium/chromium" sig=0 arch=
Jun 29 09:04:34 myhost audit[1685]: SECCOMP auid=1000 uid=1000 gid=1000 ses=1 pid=1685 comm="chromium" exe="/nix/store/bc7wghsaam5synw1s74m8aqw2y9lb9j6-chromium-51.0.2704.63/libexec/chromium/chromium" sig=0 arch=
Dmesg:
[ 732.472688] audit: type=1326 audit(1467184112.529:264): auid=1000 uid=1000 gid=1000 ses=1 pid=1736 comm="chromium" exe="/nix/store/bc7wghsaam5synw1s74m8aqw2y9lb9j6-chromium-51.0.2704.63/libexec/chromium/chromium" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7f6d5bc87684 code=0x50000
[ 769.465493] audit: type=1326 audit(1467184149.523:265): auid=1000 uid=1000 gid=1000 ses=1 pid=1739 comm="chromium" exe="/nix/store/bc7wghsaam5synw1s74m8aqw2y9lb9j6-chromium-51.0.2704.63/libexec/chromium/chromium" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7f6d5bc87684 code=0x50000
[ 769.465669] audit: type=1326 audit(1467184149.523:266): auid=1000 uid=1000 gid=1000 ses=1 pid=1740 comm="chromium" exe="/nix/store/bc7wghsaam5synw1s74m8aqw2y9lb9j6-chromium-51.0.2704.63/libexec/chromium/chromium" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7f6d5bc87684 code=0x50000
Option is disabled:
$ nixos-option security.audit.enable
Value:
false
Daemon is not running:
$ sudo systemctl status auditd.service
● auditd.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)
No audit daemon process is running, only the kernel process:
$ ps aux | grep audit
root 503 0.0 0.0 0 0 ? S 08:56 0:00 [kauditd]
me 1767 0.0 0.0 117036 2220 pts/2 S+ 09:12 0:00 grep --color=always audit
I encountered #13710 and tried to disable audit so that I wouldn't get all the messages chromium outputs. That's how I found this problem.
It seems audit is being worked on right now in #11864.
security.audit.enable = false;
to your /etc/nixos/configuration.nix
sudo nixos-rebuild switch
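To see what the SECCOMP records in the dmesg excerpt above actually report, here is an added example (not part of the original issue or of NixOS) that parses kernel audit lines of type=1326 and decodes the arch, syscall and seccomp action. The lookup tables are deliberately partial, and the sample lines are constructed from the excerpt with the exe path replaced by a placeholder.

```python
import re
from collections import Counter

AUDIT_SECCOMP = 1326                      # linux/audit.h
ARCHES = {0xC000003E: "x86_64"}           # AUDIT_ARCH_X86_64
SYSCALLS = {("x86_64", 273): "set_robust_list"}  # partial table, by design
ACTIONS = {0x00000000: "KILL", 0x00030000: "TRAP", 0x00050000: "ERRNO",
           0x7FF00000: "TRACE", 0x7FFF0000: "ALLOW"}  # linux/seccomp.h (partial)

LINE = re.compile(r"audit: type=(\d+) audit\(\d+\.\d+:(\d+)\): (.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_seccomp(line):
    """Decode one kernel SECCOMP audit line; None if not one or truncated."""
    m = LINE.search(line)
    if not m or int(m.group(1)) != AUDIT_SECCOMP:
        return None
    f = {k: v.strip('"') for k, v in FIELD.findall(m.group(3))}
    try:
        arch_id, nr, code = int(f["arch"], 16), int(f["syscall"]), int(f["code"], 16)
        pid, comm = int(f["pid"]), f["comm"]
    except (KeyError, ValueError):
        return None  # e.g. a line cut off after "arch="
    arch = ARCHES.get(arch_id, hex(arch_id))
    return {
        "serial": int(m.group(2)), "pid": pid, "comm": comm, "arch": arch,
        "syscall": SYSCALLS.get((arch, nr), str(nr)),
        "action": ACTIONS.get(code & 0xFFFF0000, hex(code & 0xFFFF0000)),
        "data": code & 0xFFFF,  # errno value when action is ERRNO
    }

def summarize(lines):
    """Count SECCOMP events per (comm, syscall, action)."""
    events = filter(None, map(parse_seccomp, lines))
    return Counter((e["comm"], e["syscall"], e["action"]) for e in events)

# Constructed sample: two lines modelled on the report, one truncated, one other type.
SAMPLE = [
    '[ 732.472688] audit: type=1326 audit(1467184112.529:264): auid=1000 uid=1000 gid=1000 ses=1 pid=1736 comm="chromium" exe="/path/to/chromium" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7f6d5bc87684 code=0x50000',
    '[ 769.465493] audit: type=1326 audit(1467184149.523:265): auid=1000 uid=1000 gid=1000 ses=1 pid=1739 comm="chromium" exe="/path/to/chromium" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7f6d5bc87684 code=0x50000',
    '[ 800.000000] audit: type=1326 audit(1467184180.000:267): auid=1000 uid=1000 pid=1741 comm="chromium" exe="/path/to/chromium" sig=0 arch=',
    '[ 801.000000] audit: type=1300 audit(1467184181.000:268): arch=c000003e syscall=2 pid=1 comm="example"',
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, *key)
```

On a live system the same functions can be fed the output of `dmesg` line by line.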
That is probably journald enabling it: https://github.com/systemd/systemd/issues/959. I suppose we should add an audit=0 kernel boot parameter if security.audit.enable = false is set.
BTW, it'd probably be useful to consider disabling audit by default, as I'm not sure if it does anything useful by default, except printing those stupid messages. Also especially so if the performance impact as described in https://fedorahosted.org/fesco/ticket/1311 occurs in our default configuration...
Until this is fixed the following lines will completely disable auditing:
security.audit.enable = false;
boot.kernelParams = [ "audit=0" ];
Audit is now off by default https://github.com/NixOS/nixpkgs/pull/17916