Makes the audit module responsible for setting up the audit subsystem of
the kernel. The auditd module is now only responsible for setting up the
daemon.
Enable the audit subsystem early via kernelParams.
Increase the default audit backlog limit so that it works out of the box
for a normal system.
Remove a superfluous and pointless test case.
these changes were generated with nixq 0.0.2, by running
nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix
nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix
two mentions of the mdDoc function remain in nixos/, both of which
are inside of comments.
Since lib.mdDoc is already defined as just id, this commit is a no-op as
far as Nix (and the built manual) is concerned.
Would otherwise fail with
```
error: A definition for option `systemd.services.auditd.conflicts."[definition 1-entry 1]"' is not of type `string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)'. Definition values:
- In `/nix/store/x2khl2yx0vz2i357x7mz5xm1kagql8ag-source/nixos/modules/security/auditd.nix': "shutdown.target "
```
conversions were done using https://github.com/pennae/nix-doc-munge
using (probably) rev f34e145 running
nix-doc-munge nixos/**/*.nix
nix-doc-munge --import nixos/**/*.nix
the tool ensures that only changes that could affect the generated
manual *but don't* are committed, other changes require manual review
and are discarded.
auditd creates an ordering cycle by adding wantedBy = [ "basic.target" ],
because of this the job job systemd-update-utmp.service/start is deleted.
Adding unitConfig.DefaultDependencies = false; to the auditd service unbreaks the cycle.
See also #11864
#11864 Support Linux audit subsystem
Add the auditd.service as NixOS module to be able to
generate profiles from /var/log/audit/audit.log
with apparmor-utils.
auditd needs the folder /var/log/audit to be present on start
so this is generated in ExecPreStart.
auditd starts with -s nochange so that effective audit processing
is managed by the audit.service.
