From 0729404d27ac299ae47867ff92ab694c1dca15f8 Mon Sep 17 00:00:00 2001
From: Antoine Viallon
Date: Fri, 8 Mar 2024 23:28:04 +0100
Subject: [PATCH] [Hardening] add many more sane audit rules
---
security/hardening.nix | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/security/hardening.nix b/security/hardening.nix
index fba0b5b..a19d8fc 100644
--- a/security/hardening.nix
+++ b/security/hardening.nix
@@ -113,9 +113,21 @@ in
 path = [ pkgs.audit ];
 };
- security.audit.rules = concatLists [
- (optional cfg.expensive "-a exit,always -F arch=b64 -S execve")
- ];
+ security.audit.rules = []
+ ++ [
+ "-A exclude,always -F msgtype=SERVICE_START"
+ "-A exclude,always -F msgtype=SERVICE_STOP"
+ "-A exclude,always -F msgtype=BPF"
+ "-w /etc/apparmor/ -p wa -k apparmor_changes"
+ "-w /etc/apparmor.d/ -p wa -k apparmor_changes"
+
+ "-a exit,always -F arch=b64 -S init_module -S finit_module -k module_insertion"
+ "-a exit,always -F arch=b32 -S init_module -S finit_module -k module_insertion"
+ "-a exit,always -F arch=b64 -C auid!=euid -F euid=0 -S execve -k privesc_execve"
+ "-a exit,always -F arch=b32 -C auid!=euid -F euid=0 -S execve -k privesc_execve"
+ ]
+ ++ optional cfg.expensive "-a exit,always -F arch=b64 -S execve -k execve_calls"
+ ;
 environment.systemPackages = with pkgs; [
 sbctl # Secure Boot keys generation
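Review bot: The new execve rules (the two `privesc_execve` lines and the `execve_calls` rule under cfg.expensive) match only `-S execve`, so a process started through the `execveat` syscall is never recorded, and the `module_insertion` rules audit `init_module`/`finit_module` but not `delete_module`, so module unloading leaves no trace; I would extend each rule, e.g. `"-a exit,always -F arch=b64 -C auid!=euid -F euid=0 -S execve -S execveat -k privesc_execve"` and `"-a exit,always -F arch=b64 -S init_module -S finit_module -S delete_module -k module_insertion"`, with the b32 siblings changed the same way. The `cfg.expensive` rule also covers only `arch=b64`, unlike the other pairs, so 32-bit execve calls go unlogged there if that asymmetry is not intended. The `-A exclude,always -F msgtype=BPF` line silences every BPF program-load record, which is a real loss of visibility for detecting kernel-level tampering, so a comment stating the reason would help the next reader, e.g. `# BPF records excluded for volume; drop this line if BPF loads must be audited`. The enclosing Nix attribute set starts before this hunk.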