[Hardening] use systemd-journald for audit logs

Antoine Viallon 2024-03-08 23:26:32 +01:00
parent 87ab357291
commit 07893642d7
Signed by: aviallon
GPG key ID: 186FC35EDEB25716


@ -97,6 +97,18 @@ in
# Can really badly affect performance in some occasions.
security.audit.enable = mkDefault true;
security.auditd.enable = mkQuasiForce false;
systemd.services.systemd-journald = let
rules = pkgs.writeText "audit.rules" (concatStringsSep "\n" config.security.audit.rules);
in mkIf config.security.audit.enable {
serviceConfig = {
#ExecStartPre = "-${pkgs.audit}/bin/augenrules --load";
ExecStartPre = ''-${pkgs.audit}/bin/auditctl -R ${rules} -e 1 -f 1 -r 1000 -b 64'';
Sockets = [ "systemd-journald-audit.socket" ];
};
aliases = [ "auditd.service" ];
path = [ pkgs.audit ];
};
security.audit.rules = concatLists [
(optional cfg.expensive "-a exit,always -F arch=b64 -S execve")