add more audit rules
parent
9d026e0750
commit
3582ba6419
|
@ -27,11 +27,27 @@ in
|
||||||
security.audit.enable = true;
|
security.audit.enable = true;
|
||||||
security.audit.rules = [
|
security.audit.rules = [
|
||||||
"-w /root -p war -k root"
|
"-w /root -p war -k root"
|
||||||
"-w /etc/nixos -p w -k nixos_config"
|
"-w /root/.ssh -p wa -k rootkey"
|
||||||
"-w /etc/selfprivacy.nix -p w -k selfprivacy_folder"
|
"-w /etc/nixos -p w -k nixosconfig"
|
||||||
"-w /sbin/insmod -p x -k module_insertion"
|
"-w /etc/selfprivacy.nix -p w -k selfprivacyfolder"
|
||||||
"-w /etc/passwd -p rwxa -k passwd_changes"
|
|
||||||
"-a exit,always -F arch=b64 -S execve"
|
"-a exit,always -F arch=b64 -S execve"
|
||||||
|
"-a always,exit -F arch=b64 -S kexec_load -k KEXEC"
|
||||||
|
"-a always,exit -F arch=b64 -S mknod -S mknodat -k specialfiles"
|
||||||
|
"-a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount"
|
||||||
|
"-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap"
|
||||||
|
"-a always,exit -F arch=b64 -F uid!=ntp -S adjtimex -S settimeofday -S clock_settime -k time"
|
||||||
|
"-w /etc/group -p wa -k etcgroup"
|
||||||
|
"-w /etc/passwd -p wa -k etcpasswd"
|
||||||
|
"-w /etc/shadow -k etcpasswd"
|
||||||
|
"-w /etc/sudoers -p wa -k actions"
|
||||||
|
"-a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications"
|
||||||
|
"-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess"
|
||||||
|
"-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileaccess"
|
||||||
|
"-a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileaccess"
|
||||||
|
"-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileaccess"
|
||||||
|
"-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileaccess"
|
||||||
|
"-a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileaccess"
|
||||||
|
|
||||||
];
|
];
|
||||||
services.cadvisor = {
|
services.cadvisor = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -66,6 +82,19 @@ in
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
services.logrotate = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
"/var/log/audit/audit.log" = {
|
||||||
|
rotate = 7;
|
||||||
|
compress = true;
|
||||||
|
missingok = true;
|
||||||
|
notifempty = true;
|
||||||
|
sharedscripts = true;
|
||||||
|
postrotate = "systemctl kill -s USR1 auditd.service";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
systemd = {
|
systemd = {
|
||||||
services = {
|
services = {
|
||||||
prometheus.serviceConfig.Slice = "monitoring.slice";
|
prometheus.serviceConfig.Slice = "monitoring.slice";
|
||||||
|
|
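Review bot: The six `unauthedfileaccess` rules in the first hunk hook only `-S open`, so failed opens made through `openat` (which current libc wrappers normally use) would not be recorded, and `-F success=0` also matches harmless failures such as missing files, which buries real permission denials. Consider one rule per directory and errno, e.g. `"-a always,exit -F arch=b64 -S open -S openat -F dir=/etc -F exit=-EACCES -k unauthedfileaccess"` plus the same with `-F exit=-EPERM`. The commit also removes the `/sbin/insmod` watch without a replacement, so kernel module loading is no longer audited; `"-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k modules"` would cover it independently of the binary path. All new syscall rules filter on `arch=b64` only, so the same calls made through the 32-bit ABI are presumably not matched unless `arch=b32` counterparts are added. In the second hunk, `postrotate` signals `auditd.service` while only `security.audit.enable` is visible here; confirm that auditd is actually enabled, and that its own rotation (`max_log_file_action`, which USR1 triggers) does not rotate the file a second time after logrotate has.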