mirror of
https://github.com/ItsDrike/nixdots
synced 2024-12-25 19:24:34 +00:00
Add auditd
This commit is contained in:
parent
4ea6be120d
commit
c3dda54f90
|
@ -59,6 +59,13 @@
|
|||
hasTPM = true;
|
||||
};
|
||||
|
||||
security = {
|
||||
auditd = {
|
||||
enable = true;
|
||||
autoPrune.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
workstation = {
|
||||
printing.enable = true;
|
||||
};
|
||||
|
|
|
@ -4,5 +4,6 @@ _: {
|
|||
./home
|
||||
./system
|
||||
./workstation
|
||||
./security
|
||||
];
|
||||
}
|
||||
|
|
61
options/security/auditd.nix
Normal file
61
options/security/auditd.nix
Normal file
|
@ -0,0 +1,61 @@
|
|||
{ lib, config, ... }: with lib; let
|
||||
inherit (lib) mkEnableOption mkOption literalExpression types;
|
||||
in
|
||||
{
|
||||
options.myOptions.security.auditd = {
|
||||
enable = mkEnableOption "the audit daemon.";
|
||||
autoPrune = {
|
||||
enable = mkEnableOption ''
|
||||
automatic pruning of audit logs.
|
||||
|
||||
Enabling this is HEAVILY recommended, as audit logs
|
||||
can grow very large very quickly.
|
||||
'';
|
||||
|
||||
size = mkOption {
|
||||
type = types.int;
|
||||
default = 524288000; # roughly 500MB
|
||||
description = ''
|
||||
The maximum size of the audit log in bytes.
|
||||
|
||||
The default is 500MB.
|
||||
'';
|
||||
};
|
||||
|
||||
schedule = mkOption {
|
||||
type = types.str;
|
||||
default = "daily";
|
||||
example = "weekly";
|
||||
description = "How often cleaning is triggered. Passed to systemd.time";
|
||||
};
|
||||
};
|
||||
|
||||
extraFiles = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.path;
|
||||
example = literalExpression ''["/etc/nix/id_rsa"]'';
|
||||
description = ''
|
||||
Additional files in root to link to persistent storage.
|
||||
'';
|
||||
};
|
||||
|
||||
extraDirectories = mkOption {
|
||||
default = [];
|
||||
type = types.listOf types.path;
|
||||
example = literalExpression ''["/etc/nix/id_rsa"]'';
|
||||
description = ''
|
||||
Additional directories in root to link to persistent storage.
|
||||
'';
|
||||
};
|
||||
|
||||
persistentMountPoint = mkOption {
|
||||
default = "/persist";
|
||||
description = ''
|
||||
Path to a persistent directory (usually a mount point to a
|
||||
standalone partition / subvolume), which will hold the persistent
|
||||
system state files.
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
5
options/security/default.nix
Normal file
5
options/security/default.nix
Normal file
|
@ -0,0 +1,5 @@
|
|||
{
|
||||
imports = [
|
||||
./auditd.nix
|
||||
];
|
||||
}
|
52
system/shared/security/auditd.nix
Normal file
52
system/shared/security/auditd.nix
Normal file
|
@ -0,0 +1,52 @@
|
|||
{ config, lib, ... }: let
|
||||
inherit (lib) mkIf;
|
||||
|
||||
cfg = config.myOptions.security.auditd;
|
||||
in {
|
||||
config = mkIf cfg.enable {
|
||||
security = {
|
||||
auditd.enable = true;
|
||||
audit = {
|
||||
enable = true;
|
||||
# maximum number of outstanding audit buffers allowed
|
||||
# exceeding this is considered a failure and handled in
|
||||
# a manner specified by failureMode
|
||||
backlogLimit = 8192;
|
||||
# how to handle critical errors in the auditing system
|
||||
failureMode = "printk"; # "silent" | "printk" | "panic"
|
||||
rules = [
|
||||
"-a exit,always -F arch=b64 -S execve"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
systemd = mkIf cfg.autoPrune.enable {
|
||||
# Systemd timer to clean /var/log/audit.log on configured schedule
|
||||
timers."clean-audit-log" = {
|
||||
description = "Periodically clean audit log";
|
||||
wantedBy = ["timers.target"];
|
||||
timerConfig = {
|
||||
OnCalendar = cfg.autoPrune.schedule;
|
||||
Persistent = true;
|
||||
};
|
||||
};
|
||||
|
||||
# clean audit log if it's larger than the configured size
|
||||
services."clean-audit-log" = {
|
||||
script = ''
|
||||
set -eu
|
||||
if [[ $(stat -c "%s" /var/log/audit/audit.log) -gt ${cfg.autoPrune.size} ]]; then
|
||||
echo "Clearing Audit Log";
|
||||
rm -rvf /var/log/audit/audit.log;
|
||||
echo "Done!"
|
||||
fi
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "root";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,5 +1,6 @@
|
|||
{
|
||||
imports = [
|
||||
./apparmor.nix
|
||||
./auditd.nix
|
||||
];
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue