feat(handlers): audit_rule_set loads rules via AUDIT netlink (Phase 5, PR 1/2)

go.mod

@@ -4,6 +4,7 @@ go 1.26.4
 
 require (
 	github.com/coreos/go-systemd/v22 v22.7.0
+	github.com/elastic/go-libaudit/v2 v2.6.2
 	github.com/godbus/dbus/v5 v5.2.2
 	github.com/google/uuid v1.6.0
 	github.com/johnfercher/maroto/v2 v2.4.0
@@ -20,11 +21,13 @@ require (
 	github.com/boombuler/barcode v1.1.0 // indirect
 	github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/elastic/go-licenser v0.4.1 // indirect
 	github.com/f-amaral/go-async v0.3.0 // indirect
 	github.com/hhrutter/lzw v1.0.0 // indirect
 	github.com/hhrutter/pkcs7 v0.2.0 // indirect
 	github.com/hhrutter/tiff v1.0.2 // indirect
 	github.com/johnfercher/go-tree v1.1.0 // indirect
+	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.21 // indirect
 	github.com/ncruces/go-strftime v1.0.0 // indirect

go.sum

@@ -12,6 +12,10 @@ github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxK
 github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/elastic/go-libaudit/v2 v2.6.2 h1:1PM6wVBTJHJQYsKl8jfA9/Aw9pFty5uUezPiUfKtOI4=
+github.com/elastic/go-libaudit/v2 v2.6.2/go.mod h1:8205nkf2oSrXFlO4H5j8/cyVMoSF3Y7jt+FjgS4ubQU=
+github.com/elastic/go-licenser v0.4.1 h1:1xDURsc8pL5zYT9R29425J3vkHdt4RT5TNEMeRN48x4=
+github.com/elastic/go-licenser v0.4.1/go.mod h1:V56wHMpmdURfibNBggaSBfqgPxyT1Tldns1i87iTEvU=
 github.com/f-amaral/go-async v0.3.0 h1:h4kLsX7aKfdWaHvV0lf+/EE3OIeCzyeDYJDb/vDZUyg=
 github.com/f-amaral/go-async v0.3.0/go.mod h1:Hz5Qr6DAWpbTTUjytnrg1WIsDgS7NtOei5y8SipYS7U=
 github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ=
@@ -35,6 +39,8 @@ github.com/johnfercher/go-tree v1.1.0/go.mod h1:DUO6QkXIFh1K7jeGBIkLCZaeUgnkdQAs
 github.com/johnfercher/maroto/v2 v2.4.0 h1:Nc/jA2RCZvNZESrQj41HJOgtkwmerSHd5FUbP4dRrIE=
 github.com/johnfercher/maroto/v2 v2.4.0/go.mod h1:Nnxa3g4f+vzdx/u/dUgx/52HnrCOCt5QBPSdeSlkFZQ=
 github.com/jung-kurt/gofpdf v1.0.0/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
+github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
+github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.21 h1:jJKAZiQH+2mIinzCJIaIG9Be1+0NR+5sz/lYEEjdM8w=
@@ -63,25 +69,52 @@ github.com/stretchr/objx v0.5.3/go.mod h1:rDQraq+vQZU7Fde9LOZLr8Tax6zZvy4kuNKF+Q
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
 golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
 golang.org/x/image v0.0.0-20190910094157-69e4b8554b2a/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/image v0.37.0 h1:ZiRjArKI8GwxZOoEtUfhrBtaCN+4b/7709dlT6SSnQA=
 golang.org/x/image v0.37.0/go.mod h1:/3f6vaXC+6CEanU4KJxbcUZyEePbyKbaLoDOe4ehFYY=
+golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
 golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
 golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.44.0 h1:0rLvDRCtNj0gZkyIXhCyOb2OAzEhLVqc4B+hrsBhrmc=
 golang.org/x/term v0.44.0/go.mod h1:7ze4MdzUzLXpSAoFP1H0bOI9aXDqveSvatT5vKcFh2Y=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
 golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
 golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
 golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=

internal/agent/auditnl/audit.go

@@ -0,0 +1,85 @@
+// Package auditnl holds the agent-side AUDIT_NETLINK primitives: the
+// audit_rule_set handler uses them to load/unload audit rules via the
+// kernel's netlink interface (the auditctl mechanism) instead of shelling
+// out to augenrules, and the engine uses EmitPhaseEvent to write
+// transaction-phase records into auditd. Netlink AUDIT requires
+// CAP_AUDIT_CONTROL (root); when the socket cannot be opened the
+// primitives return ErrAuditUnavailable so callers fall back to the shell
+// path — mirroring systemd.ErrHelperNotFound.
+package auditnl
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	libaudit "github.com/elastic/go-libaudit/v2"
+	"github.com/elastic/go-libaudit/v2/rule"
+	"github.com/elastic/go-libaudit/v2/rule/flags"
+)
+
+// ErrAuditUnavailable is returned when the AUDIT netlink socket cannot be
+// opened (no privilege, or audit not compiled in). A handler treats it as
+// the signal to fall back to its shell path, exactly as the systemd
+// handlers treat systemd.ErrHelperNotFound.
+var ErrAuditUnavailable = errors.New("auditnl: audit netlink unavailable")
+
+// AuditClient is the subset of the go-libaudit client the handler uses,
+// defined as an interface so tests can inject an in-memory fake without a
+// real netlink socket. *libaudit.AuditClient satisfies it.
+type AuditClient interface {
+	// AddRule loads a rule (in kernel wire format) into the kernel.
+	AddRule(rule []byte) error
+	// DeleteRule unloads a rule (in kernel wire format) from the kernel.
+	DeleteRule(rule []byte) error
+	// GetRules returns the currently-loaded rules in kernel wire format.
+	GetRules() ([][]byte, error)
+	// Close releases the netlink socket.
+	Close() error
+}
+
+var _ AuditClient = (*libaudit.AuditClient)(nil)
+
+// Open opens a real AUDIT netlink client. A failure to open (the common
+// non-root / no-audit case) is wrapped as ErrAuditUnavailable so callers
+// can branch to their shell fallback.
+func Open() (AuditClient, error) {
+	c, err := libaudit.NewAuditClient(nil)
+	if err != nil {
+		return nil, fmt.Errorf("%w: %v", ErrAuditUnavailable, err)
+	}
+	return c, nil
+}
+
+// BuildRule parses one auditctl-syntax rule line (e.g.
+// "-w /etc/passwd -p wa -k identity" or
+// "-a always,exit -F arch=b64 -S execve -k exec") and returns its kernel
+// wire format, suitable for AddRule/DeleteRule and for byte-equality
+// comparison against GetRules output. The go-libaudit parser is the same
+// grammar auditctl implements, so we do not reimplement it.
+func BuildRule(line string) ([]byte, error) {
+	r, err := flags.Parse(line)
+	if err != nil {
+		return nil, fmt.Errorf("auditnl: parse %q: %w", line, err)
+	}
+	wire, err := rule.Build(r)
+	if err != nil {
+		return nil, fmt.Errorf("auditnl: build %q: %w", line, err)
+	}
+	return []byte(wire), nil
+}
+
+// RuleLines splits a rule-set body into the individual audit-rule lines
+// to load, dropping blank lines and comments (and the Kensa header). Each
+// returned line is fed to BuildRule.
+func RuleLines(body string) []string {
+	var out []string
+	for _, raw := range strings.Split(body, "\n") {
+		line := strings.TrimSpace(raw)
+		if line == "" || strings.HasPrefix(line, "#") {
+			continue
+		}
+		out = append(out, line)
+	}
+	return out
+}

internal/agent/auditnl/audit_test.go

@@ -0,0 +1,52 @@
+package auditnl_test
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/Hanalyx/kensa/internal/agent/auditnl"
+)
+
+// BuildRule parses both watch and syscall auditctl syntax into non-empty
+// wire format, and rejects a malformed line.
+//
+// @spec auditnl-rule-set
+// @ac AC-01
+func TestBuildRule(t *testing.T) {
+	t.Run("auditnl-rule-set/AC-01", func(t *testing.T) {})
+	for _, line := range []string{
+		"-w /etc/passwd -p wa -k identity",
+		"-a always,exit -F arch=b64 -S execve -k exec",
+	} {
+		wire, err := auditnl.BuildRule(line)
+		if err != nil {
+			t.Errorf("BuildRule(%q): %v", line, err)
+		}
+		if len(wire) == 0 {
+			t.Errorf("BuildRule(%q): empty wire", line)
+		}
+	}
+	// Deterministic: same line → same wire (the equality basis for capture).
+	a, _ := auditnl.BuildRule("-w /etc/passwd -p wa -k identity")
+	b, _ := auditnl.BuildRule("-w /etc/passwd -p wa -k identity")
+	if !reflect.DeepEqual(a, b) {
+		t.Error("BuildRule is not deterministic")
+	}
+	if _, err := auditnl.BuildRule("this is not an audit rule"); err == nil {
+		t.Error("BuildRule should reject a malformed line")
+	}
+}
+
+// RuleLines drops blanks, comments, and whitespace.
+//
+// @spec auditnl-rule-set
+// @ac AC-01
+func TestRuleLines(t *testing.T) {
+	t.Run("auditnl-rule-set/AC-01", func(t *testing.T) {})
+	body := "# Managed by Kensa.\n\n  -w /etc/passwd -p wa -k identity  \n# comment\n-w /etc/group -p wa -k identity\n"
+	got := auditnl.RuleLines(body)
+	want := []string{"-w /etc/passwd -p wa -k identity", "-w /etc/group -p wa -k identity"}
+	if !reflect.DeepEqual(got, want) {
+		t.Errorf("RuleLines = %v, want %v", got, want)
+	}
+}

internal/agent/auditnl/fake.go

@@ -0,0 +1,73 @@
+package auditnl
+
+import (
+	"encoding/hex"
+
+	"github.com/Hanalyx/kensa/internal/agent/kernelio"
+)
+
+// FakeAuditTransport is an in-memory test double implementing
+// AuditTransport. It embeds kernelio.FakeSysctlTransport for the file +
+// api.Transport surface and adds an in-memory kernel rule list, so a test
+// can exercise a full audit Apply → Capture → Rollback round trip without
+// a real netlink socket. Lives in the production package (a normal file)
+// so the audit_rule_set handler tests can share it, mirroring
+// servicedbus.FakeTransport / kernelio.FakeSysctlTransport.
+type FakeAuditTransport struct {
+	*kernelio.FakeSysctlTransport
+	// Loaded is the in-memory kernel rule list, keyed by hex(wire).
+	Loaded map[string][]byte
+	// OpenErr, when set, is returned by AuditClient() — set it to
+	// ErrAuditUnavailable to exercise the shell fallback.
+	OpenErr error
+}
+
+// NewFakeAudit returns a FakeAuditTransport with initialized state.
+func NewFakeAudit() *FakeAuditTransport {
+	return &FakeAuditTransport{
+		FakeSysctlTransport: kernelio.NewFakeSysctl(),
+		Loaded:              map[string][]byte{},
+	}
+}
+
+// AuditClient returns an in-memory client over the fake's rule list, or
+// OpenErr when set.
+func (f *FakeAuditTransport) AuditClient() (AuditClient, error) {
+	if f.OpenErr != nil {
+		return nil, f.OpenErr
+	}
+	return &fakeAuditClient{t: f}, nil
+}
+
+// LoadedLines is a test helper returning the count of loaded rules.
+func (f *FakeAuditTransport) LoadedCount() int { return len(f.Loaded) }
+
+type fakeAuditClient struct{ t *FakeAuditTransport }
+
+func key(wire []byte) string { return hex.EncodeToString(wire) }
+
+func (c *fakeAuditClient) AddRule(wire []byte) error {
+	c.t.Loaded[key(wire)] = append([]byte(nil), wire...)
+	return nil
+}
+
+func (c *fakeAuditClient) DeleteRule(wire []byte) error {
+	delete(c.t.Loaded, key(wire))
+	return nil
+}
+
+func (c *fakeAuditClient) GetRules() ([][]byte, error) {
+	out := make([][]byte, 0, len(c.t.Loaded))
+	for _, w := range c.t.Loaded {
+		out = append(out, w)
+	}
+	return out, nil
+}
+
+func (c *fakeAuditClient) Close() error { return nil }
+
+// Compile-time assertions.
+var (
+	_ AuditTransport = (*FakeAuditTransport)(nil)
+	_ AuditClient    = (*fakeAuditClient)(nil)
+)

internal/agent/auditnl/transport.go

@@ -0,0 +1,16 @@
+package auditnl
+
+import "github.com/Hanalyx/kensa/internal/agent/kernelio"
+
+// AuditTransport is the capability a transport implements when it can
+// manage audit rules via AUDIT netlink: the FileTransport ops for the
+// /etc/audit/rules.d drop-in persistence, plus AuditClient() to open a
+// netlink client for the runtime rule load/unload. The audit_rule_set
+// handler asserts it; AuditClient() returning ErrAuditUnavailable (or the
+// assertion failing) sends the handler to its augenrules shell path.
+type AuditTransport interface {
+	kernelio.FileTransport
+	// AuditClient opens a netlink client; the caller closes it. Returns a
+	// wrapped ErrAuditUnavailable when the socket cannot be opened.
+	AuditClient() (AuditClient, error)
+}

internal/agent/transport/local/local.go

@@ -29,6 +29,7 @@ import (
 	"time"
 
 	"github.com/Hanalyx/kensa/api"
+	"github.com/Hanalyx/kensa/internal/agent/auditnl"
 	"github.com/Hanalyx/kensa/internal/agent/fsatomic"
 	"github.com/Hanalyx/kensa/internal/agent/kernelio"
 	"github.com/Hanalyx/kensa/internal/agent/systemd"
@@ -309,11 +310,20 @@ func (t *Transport) DeleteModule(name string) error {
 	return kernelio.DeleteModule(name)
 }
 
+// AuditClient opens an AUDIT netlink client. Satisfies
+// auditnl.AuditTransport for the audit_rule_set handler's runtime rule
+// load/unload. A non-root / no-audit host gets a wrapped
+// auditnl.ErrAuditUnavailable, sending the handler to its shell path.
+func (t *Transport) AuditClient() (auditnl.AuditClient, error) {
+	return auditnl.Open()
+}
+
 // Compile-time interface check.
 var (
 	_ api.Transport            = (*Transport)(nil)
 	_ fsatomic.Transport       = (*Transport)(nil)
 	_ systemd.Transport        = (*Transport)(nil)
 	_ kernelio.SysctlTransport = (*Transport)(nil)
 	_ kernelio.ModuleTransport = (*Transport)(nil)
+	_ auditnl.AuditTransport   = (*Transport)(nil)
 )