systemd services support setting a runtime directory via RuntimeDirectory, see systemd.exec(5). For this, it expects services to respect the $RUNTIME_DIRECTORY environment variable.

Currently, auditd hardcodes /var/run in various places, e.g.:

This is fine if /var/run actually exists. On some systems (typically modern systemd systems), such as NixOS, /run is the actual runtime directory. /var/run -> /run is typically a symlink created by systemd-tmpfiles. This is fine as long as auditd starts after the systemd-tmpfiles-setup.service service. However, omitting this After= will result in various things failing. I discovered this while reviewing a cleanup PR to our audit setup (NixOS/nixpkgs#429553 (comment)). Such a dependency in the service is also not great, as it restricts how early in the boot process audit can start logging things.

Further, auditd polluting the global /run with files is not ideal. I'd prefer auditd using $RUNTIME_DIRECTORY/auditd/<...> for its various files. And while some of the audit files such as the audispd_events socket can be trivially moved using the config file, things like the pid file can not.

I understand this is a somewhat big change to request. I also understand $RUNTIME_DIRECTORY might not be set, especially on non-systemd setups, in which case it is probably fair to assume /var/run as a default.