From c3dda54f90ea7c0fd285695be7a7a09187233539 Mon Sep 17 00:00:00 2001
From: ItsDrike
Date: Mon, 15 Apr 2024 22:47:54 +0200
Subject: [PATCH] Add auditd

---
 hosts/herugrim/default.nix | 7 ++++
 options/default.nix | 1 +
 options/security/auditd.nix | 61 ++++++++++++++++++++++++++++++
 options/security/default.nix | 5 +++
 system/shared/security/auditd.nix | 52 +++++++++++++++++++++++++
 system/shared/security/default.nix | 1 +
 6 files changed, 127 insertions(+)
 create mode 100644 options/security/auditd.nix
 create mode 100644 options/security/default.nix
 create mode 100644 system/shared/security/auditd.nix

diff --git a/hosts/herugrim/default.nix b/hosts/herugrim/default.nix
index ecffaed..7000dfb 100644
--- a/hosts/herugrim/default.nix
+++ b/hosts/herugrim/default.nix
@@ -59,6 +59,13 @@
       hasTPM = true;
     };
 
+    security = {
+      auditd = {
+        enable = true;
+        autoPrune.enable = true;
+      };
+    };
+
     workstation = {
       printing.enable = true;
     };
diff --git a/options/default.nix b/options/default.nix
index 5385c36..3853e45 100644
--- a/options/default.nix
+++ b/options/default.nix
@@ -4,5 +4,6 @@ _: {
     ./home
     ./system
     ./workstation
+    ./security
   ];
 }
diff --git a/options/security/auditd.nix b/options/security/auditd.nix
new file mode 100644
index 0000000..fccb222
--- /dev/null
+++ b/options/security/auditd.nix
@@ -0,0 +1,61 @@
+{ lib, config, ... }: with lib; let
+  inherit (lib) mkEnableOption mkOption literalExpression types;
+in
+{
+  options.myOptions.security.auditd = {
+    enable = mkEnableOption "the audit daemon.";
+    autoPrune = {
+      enable = mkEnableOption ''
+        automatic pruning of audit logs.
+
+        Enabling this is HEAVILY recommended, as audit logs
+        can grow very large very quickly.
+      '';
+
+      size = mkOption {
+        type = types.int;
+        default = 524288000; # roughly 500MB
+        description = ''
+          The maximum size of the audit log in bytes.
+
+          The default is 500MB.
+        '';
+      };
+
+      schedule = mkOption {
+        type = types.str;
+        default = "daily";
+        example = "weekly";
+        description = "How often cleaning is triggered. Passed to systemd.time";
+      };
+    };
+
+    extraFiles = mkOption {
+      default = [];
+      type = types.listOf types.path;
+      example = literalExpression ''["/etc/nix/id_rsa"]'';
+      description = ''
+        Additional files in root to link to persistent storage.
+      '';
+    };
+
+    extraDirectories = mkOption {
+      default = [];
+      type = types.listOf types.path;
+      example = literalExpression ''["/etc/nix/id_rsa"]'';
+      description = ''
+        Additional directories in root to link to persistent storage.
+      '';
+    };
+
+    persistentMountPoint = mkOption {
+      default = "/persist";
+      description = ''
+        Path to a persistent directory (usually a mount point to a
+        standalone partition / subvolume), which will hold the persistent
+        system state files.
+      '';
+    };
+  };
+}
+
diff --git a/options/security/default.nix b/options/security/default.nix
new file mode 100644
index 0000000..015276a
--- /dev/null
+++ b/options/security/default.nix
@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./auditd.nix
+  ];
+}
diff --git a/system/shared/security/auditd.nix b/system/shared/security/auditd.nix
new file mode 100644
index 0000000..eaa4780
--- /dev/null
+++ b/system/shared/security/auditd.nix
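Review bot: `extraFiles`, `extraDirectories` and `persistentMountPoint` look carried over from a persistence module — the example is `/etc/nix/id_rsa`, the descriptions talk about linking to persistent storage, and `persistentMountPoint` declares no `type` — and nothing in this commit reads them (the implementation in `system/shared/security/auditd.nix` only uses `enable`, `autoPrune.enable`, `autoPrune.schedule` and `autoPrune.size`), so they should be dropped rather than shipped as dead, mis-documented options. `size` would be safer as `type = types.ints.positive;`, since a zero or negative bound makes the prune service clear the log on every run once it is non-empty, and the `schedule` description should say what the value is, e.g. `description = "How often cleaning is triggered; a systemd.time(7) OnCalendar expression.";`. `mkEnableOption` already appends a period to "Whether to enable …", so `"the audit daemon."` renders with a double period, and the multi-paragraph string passed for `autoPrune.enable` ends up embedded in that sentence; keep the name to a short noun phrase and move the warning into a `description`. `with lib;` is redundant next to the explicit `inherit (lib) …` and can go.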
@@ -0,0 +1,52 @@
+{ config, lib, ... }: let
+  inherit (lib) mkIf;
+
+  cfg = config.myOptions.security.auditd;
+in {
+  config = mkIf cfg.enable {
+    security = {
+      auditd.enable = true;
+      audit = {
+        enable = true;
+        # maximum number of outstanding audit buffers allowed
+        # exceeding this is considered a failure and handled in
+        # a manner specified by failureMode
+        backlogLimit = 8192;
+        # how to handle critical errors in the auditing system
+        failureMode = "printk"; # "silent" | "printk" | "panic"
+        rules = [
+          "-a exit,always -F arch=b64 -S execve"
+        ];
+      };
+    };
+
+    systemd = mkIf cfg.autoPrune.enable {
+      # Systemd timer to clean /var/log/audit.log on configured schedule
+      timers."clean-audit-log" = {
+        description = "Periodically clean audit log";
+        wantedBy = ["timers.target"];
+        timerConfig = {
+          OnCalendar = cfg.autoPrune.schedule;
+          Persistent = true;
+        };
+      };
+
+      # clean audit log if it's larger than the configured size
+      services."clean-audit-log" = {
+        script = ''
+          set -eu
+          if [[ $(stat -c "%s" /var/log/audit/audit.log) -gt ${cfg.autoPrune.size} ]]; then
+            echo "Clearing Audit Log";
+            rm -rvf /var/log/audit/audit.log;
+            echo "Done!"
+          fi
+        '';
+
+        serviceConfig = {
+          Type = "oneshot";
+          User = "root";
+        };
+      };
+    };
+  };
+}
diff --git a/system/shared/security/default.nix b/system/shared/security/default.nix
index df16fb6..c7c2b61 100644
--- a/system/shared/security/default.nix
+++ b/system/shared/security/default.nix
@@ -1,5 +1,6 @@
 {
   imports = [
     ./apparmor.nix
+    ./auditd.nix
   ];
 }
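Review bot: `${cfg.autoPrune.size}` inside the `script` string interpolates a `types.int`, which Nix rejects ("cannot coerce an integer to a string"), so the module stops evaluating as soon as `autoPrune.enable` is set (as `hosts/herugrim` does in this commit); it needs `${toString cfg.autoPrune.size}`. The pruning itself is also unsafe: `rm` unlinks a file auditd keeps open, so no space is reclaimed and every record written until the daemon restarts lands in the orphaned inode, and `set -eu` plus `stat` aborts the unit whenever the file is absent. Truncating in place avoids both problems because auditd opens its log with O_APPEND (confirm against the audit version in use), but from a forensic standpoint discarding the trail is the wrong default — auditd's own `max_log_file` / `max_log_file_action = ROTATE` / `num_logs` in `/etc/audit/auditd.conf` (shipped via `environment.etc`, since `security.auditd` exposes no settings option that I can see) bounds disk use without losing history. The rewrite below keeps the discard semantics of the original but fixes the evaluation error and the two runtime issues.
```nix
      # clean audit log if it's larger than the configured size
      services."clean-audit-log" = {
        script = ''
          set -eu
          log=/var/log/audit/audit.log
          # Nothing to do until auditd has created the file.
          [[ -f "$log" ]] || exit 0
          if [[ $(stat -c "%s" "$log") -gt ${toString cfg.autoPrune.size} ]]; then
            echo "Clearing Audit Log"
            # Truncate rather than unlink: auditd keeps the file open, so an
            # unlinked log frees no space and silently swallows new records.
            # Safe only because auditd writes with O_APPEND -- verify.
            truncate -s 0 "$log"
            echo "Done!"
          fi
        '';
        # … unchanged: serviceConfig …
```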