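{ lib, config, ... }:
let
  inherit (lib.modules) mkIf;
  inherit (lib.options) mkOption mkEnableOption;
  inherit (lib.types) int str;

  cfg = config.garden.system.security.auditd;
in
{
  options.garden.system.security.auditd = {
    enable = mkEnableOption "Enable the audit daemon";

    autoPrune = {
      # NOTE: this defaults to `cfg.enable`, so merely turning auditd on also
      # opts into periodic *destruction* of the audit trail. Set it to false
      # (or ship the log off-host first) wherever the audit log is needed as
      # forensic evidence.
      enable = mkEnableOption "Enable auto-pruning of audit logs" // {
        default = cfg.enable;
      };

      size = mkOption {
        type = int;
        default = 524288000; # ~500 megabytes
        description = "The maximum size of the audit log in bytes; once exceeded, the log is emptied (not rotated) at the next timer run";
      };

      dates = mkOption {
        type = str;
        default = "daily";
        example = "weekly";
        description = "How often the audit log should be pruned (a systemd OnCalendar expression)";
      };
    };
  };

  config = mkIf cfg.enable {
    security = {
      auditd.enable = true;

      audit = {
        enable = true;
        backlogLimit = 8192;
        # on audit failure (e.g. backlog overflow) report via the kernel log
        # instead of panicking; events can still be dropped under pressure.
        failureMode = "printk";
        # record every execve (successful or not) on the 64-bit syscall ABI.
        # `-F arch=b64` matches only that ABI, so on x86_64 an execve made
        # through the 32-bit compat ABI is not recorded -- add a matching
        # `arch=b32` rule if 32-bit binaries are a concern on the target.
        rules = [ "-a exit,always -F arch=b64 -S execve" ];
      };
    };

    # the audit log can grow quite large, so we _can_ automatically empty it
    systemd = mkIf cfg.autoPrune.enable {
      timers."clean-audit-log" = {
        description = "Periodically clean audit log";
        wantedBy = [ "timers.target" ];
        timerConfig = {
          OnCalendar = cfg.autoPrune.dates;
          Persistent = true;
        };
      };

      services."clean-audit-log" = {
        script = ''
          set -eu
          log=/var/log/audit/audit.log
          # nothing to do if auditd has not created the file yet; without this
          # guard `stat` fails under `set -e` and the oneshot unit is marked failed.
          if [[ ! -f "$log" ]]; then
            exit 0
          fi
          if [[ $(stat -c "%s" "$log") -gt ${toString cfg.autoPrune.size} ]]; then
            echo "Clearing Audit Log"
            # truncate in place rather than unlinking: auditd keeps its write
            # descriptor open, so an unlinked file is neither freed nor
            # replaced -- new events keep landing in the orphaned inode until
            # the daemon reopens the log. Truncation frees the space now and
            # keeps the file's owner/mode intact (subsequent writes land at
            # the new end assuming auditd opened the log in append mode).
            : > "$log"
            echo "Done!"
          fi
        '';

        serviceConfig = {
          Type = "oneshot";
          User = "root";
        };
      };
    };
  };
}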