nixos/auditd: init at 2.7.6 (#27261)

#11864 Support Linux audit subsystem
Add the auditd.service as NixOS module to be able to
generate profiles from /var/log/audit/audit.log
with apparmor-utils.

auditd needs the folder /var/log/audit to be present on start
so it is created in ExecStartPre.

auditd starts with -s nochange so that effective audit processing
is managed by the audit.service.

authored by Christian Albrecht and committed by Jörg Thalheim ebaff599 466e7e23

+27
+1
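--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -116,6 +116,7 @@
   ./security/apparmor.nix
   ./security/apparmor-suid.nix
   ./security/audit.nix
+  ./security/auditd.nix
   ./security/ca.nix
   ./security/chromium-suid-sandbox.nix
   ./security/dhparams.nix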
+26
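--- /dev/null
+++ b/nixos/modules/security/auditd.nix
@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  options.security.auditd.enable = mkEnableOption "the Linux Audit daemon";
+
+  config = mkIf config.security.auditd.enable {
+    systemd.services.auditd = {
+      description = "Linux Audit daemon";
+      wantedBy = [ "basic.target" ];
+
+      unitConfig = {
+        ConditionVirtualization = "!container";
+        ConditionSecurity = [ "audit" ];
+      };
+
+      path = [ pkgs.audit ];
+
+      serviceConfig = {
+        ExecStartPre="${pkgs.coreutils}/bin/mkdir -p /var/log/audit";
+        ExecStart = "${pkgs.audit}/bin/auditd -l -n -s nochange";
+      };
+    };
+  };
+}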
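Review bot: The ExecStartPre `mkdir -p /var/log/audit` creates the audit log directory with the default umask, which is normally world-readable (0755), while the audit trail it will hold records syscalls, logins and command lines for every user and should only be readable by root. Set the mode at creation time, e.g. `ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p -m 0700 /var/log/audit";`, and note that `-m` does not tighten an existing directory, so a pre-existing open directory would keep its mode; a `systemd.tmpfiles.rules` entry with an explicit `0700 root root` would cover that case as well. The `ExecStartPre=` assignment also lacks the spaces around `=` that every other attribute in the module uses. It would help readers to document the `-s nochange` choice inline, e.g. `# -s nochange: leave the audit enable flag to security.audit (audit.nix), which owns the rule set`.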