[Hardening] add many more sane audit rules

This commit is contained in:
Antoine Viallon 2024-03-08 23:28:04 +01:00
parent 06398f02a6
commit 0729404d27
Signed by: aviallon
GPG key ID: 186FC35EDEB25716


@ -113,9 +113,21 @@ in
path = [ pkgs.audit ];
};
security.audit.rules = concatLists [
(optional cfg.expensive "-a exit,always -F arch=b64 -S execve")
];
security.audit.rules = []
++ [
"-A exclude,always -F msgtype=SERVICE_START"
"-A exclude,always -F msgtype=SERVICE_STOP"
"-A exclude,always -F msgtype=BPF"
"-w /etc/apparmor/ -p wa -k apparmor_changes"
"-w /etc/apparmor.d/ -p wa -k apparmor_changes"
"-a exit,always -F arch=b64 -S init_module -S finit_module -k module_insertion"
"-a exit,always -F arch=b32 -S init_module -S finit_module -k module_insertion"
"-a exit,always -F arch=b64 -C auid!=euid -F euid=0 -S execve -k privesc_execve"
"-a exit,always -F arch=b32 -C auid!=euid -F euid=0 -S execve -k privesc_execve"
]
++ optional cfg.expensive "-a exit,always -F arch=b64 -S execve -k execve_calls"
;
environment.systemPackages = with pkgs; [
sbctl # Secure Boot keys generation
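Review bot: The privesc_execve rules `-a exit,always -F arch=b64 -C auid!=euid -F euid=0 -S execve -k privesc_execve` and its b32 twin match every execve where the login uid differs from an effective uid of 0, which also covers root services started outside any login session (auid unset) and any ordinary user invoking a setuid-root binary, so this key is likely to be high-volume rather than a privilege-escalation signal; adding `-F auid>=1000 -F auid!=unset` to both lines narrows it to real users whose effective uid became root. The `-A exclude,always -F msgtype=BPF` line suppresses all BPF program load/unload records, presumably for noise reduction, but it removes visibility into eBPF-based tampering and deserves a comment such as `# BPF records excluded for volume; drop this line if eBPF abuse detection is wanted`. The module_insertion rules only watch init_module and finit_module; adding `-S delete_module` to both arch lines would also record module unloads. The enclosing module attribute set starts and ends outside the hunk.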