Add auditd

This commit is contained in:
ItsDrike 2024-04-15 22:47:54 +02:00
parent 4ea6be120d
commit c3dda54f90
Signed by: ItsDrike
GPG key ID: FA2745890B7048C0
6 changed files with 127 additions and 0 deletions

View file

@ -59,6 +59,13 @@
hasTPM = true;
};
security = {
auditd = {
enable = true;
autoPrune.enable = true;
};
};
workstation = {
printing.enable = true;
};

View file

@ -4,5 +4,6 @@ _: {
./home
./system
./workstation
./security
];
}

View file

@ -0,0 +1,61 @@
{ lib, config, ... }: with lib; let
inherit (lib) mkEnableOption mkOption literalExpression types;
in
{
options.myOptions.security.auditd = {
enable = mkEnableOption "the audit daemon.";
autoPrune = {
enable = mkEnableOption ''
automatic pruning of audit logs.
Enabling this is HEAVILY recommended, as audit logs
can grow very large very quickly.
'';
size = mkOption {
type = types.int;
default = 524288000; # roughly 500MB
description = ''
The maximum size of the audit log in bytes.
The default is 500MB.
'';
};
schedule = mkOption {
type = types.str;
default = "daily";
example = "weekly";
description = "How often cleaning is triggered. Passed to systemd.time";
};
};
extraFiles = mkOption {
default = [];
type = types.listOf types.path;
example = literalExpression ''["/etc/nix/id_rsa"]'';
description = ''
Additional files in root to link to persistent storage.
'';
};
extraDirectories = mkOption {
default = [];
type = types.listOf types.path;
example = literalExpression ''["/etc/nix/id_rsa"]'';
description = ''
Additional directories in root to link to persistent storage.
'';
};
persistentMountPoint = mkOption {
default = "/persist";
description = ''
Path to a persistent directory (usually a mount point to a
standalone partition / subvolume), which will hold the persistent
system state files.
'';
};
};
}

View file

@ -0,0 +1,5 @@
{
imports = [
./auditd.nix
];
}

View file

@ -0,0 +1,52 @@
{ config, lib, ... }: let
inherit (lib) mkIf;
cfg = config.myOptions.security.auditd;
in {
config = mkIf cfg.enable {
security = {
auditd.enable = true;
audit = {
enable = true;
# maximum number of outstanding audit buffers allowed
# exceeding this is considered a failure and handled in
# a manner specified by failureMode
backlogLimit = 8192;
# how to handle critical errors in the auditing system
failureMode = "printk"; # "silent" | "printk" | "panic"
rules = [
"-a exit,always -F arch=b64 -S execve"
];
};
};
systemd = mkIf cfg.autoPrune.enable {
# Systemd timer to clean /var/log/audit.log on configured schedule
timers."clean-audit-log" = {
description = "Periodically clean audit log";
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = cfg.autoPrune.schedule;
Persistent = true;
};
};
# clean audit log if it's larger than the configured size
services."clean-audit-log" = {
script = ''
set -eu
if [[ $(stat -c "%s" /var/log/audit/audit.log) -gt ${cfg.autoPrune.size} ]]; then
echo "Clearing Audit Log";
rm -rvf /var/log/audit/audit.log;
echo "Done!"
fi
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
};
};
}

View file

@ -1,5 +1,6 @@
{
imports = [
./apparmor.nix
./auditd.nix
];
}