add more audit rules

This commit is contained in:
Inex Code 2024-07-30 07:53:58 +03:00
parent 9d026e0750
commit 3582ba6419


@ -27,11 +27,27 @@ in
security.audit.enable = true; security.audit.enable = true;
security.audit.rules = [ security.audit.rules = [
"-w /root -p war -k root" "-w /root -p war -k root"
"-w /etc/nixos -p w -k nixos_config" "-w /root/.ssh -p wa -k rootkey"
"-w /etc/selfprivacy.nix -p w -k selfprivacy_folder" "-w /etc/nixos -p w -k nixosconfig"
"-w /sbin/insmod -p x -k module_insertion" "-w /etc/selfprivacy.nix -p w -k selfprivacyfolder"
"-w /etc/passwd -p rwxa -k passwd_changes"
"-a exit,always -F arch=b64 -S execve" "-a exit,always -F arch=b64 -S execve"
"-a always,exit -F arch=b64 -S kexec_load -k KEXEC"
"-a always,exit -F arch=b64 -S mknod -S mknodat -k specialfiles"
"-a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount"
"-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap"
"-a always,exit -F arch=b64 -F uid!=ntp -S adjtimex -S settimeofday -S clock_settime -k time"
"-w /etc/group -p wa -k etcgroup"
"-w /etc/passwd -p wa -k etcpasswd"
"-w /etc/shadow -k etcpasswd"
"-w /etc/sudoers -p wa -k actions"
"-a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications"
"-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileaccess"
]; ];
services.cadvisor = { services.cadvisor = {
enable = true; enable = true;
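Review bot: The six `unauthedfileaccess` rules at the end of the new list only match the `open` syscall, but modern glibc implements open() through `openat` (and newer code may use `openat2`), so on x86_64 most failed opens under the listed directories will never be recorded. Each of them should name the related syscalls, e.g. `"-a always,exit -F arch=b64 -S open -S openat -S openat2 -F dir=/etc -F success=0 -k unauthedfileaccess"`, and because every `-a` rule here is `arch=b64` only, 32-bit syscalls on a multilib kernel are not audited at all unless a matching `-F arch=b32` rule is added. The execve rule carried over from the old version is still the only `-a` rule without a `-k` key, so its events cannot be selected with `ausearch -k`. Dropping the `/sbin/insmod` watch also leaves kernel-module loading unaudited unless a rule covering `init_module`, `finit_module` and `delete_module` replaces it. Finally, `-F uid!=ntp` makes rule loading depend on an `ntp` user existing on the host; if time synchronisation runs under another account name, confirm that user exists or auditctl will reject the rule.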
@ -66,6 +82,19 @@ in
} }
]; ];
}; };
services.logrotate = {
enable = true;
settings = {
"/var/log/audit/audit.log" = {
rotate = 7;
compress = true;
missingok = true;
notifempty = true;
sharedscripts = true;
postrotate = "systemctl kill -s USR1 auditd.service";
};
};
};
systemd = { systemd = {
services = { services = {
prometheus.serviceConfig.Slice = "monitoring.slice"; prometheus.serviceConfig.Slice = "monitoring.slice";
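Review bot: The `postrotate` step signals auditd with USR1 so it reopens its log, but `compress` without `delaycompress` lets logrotate gzip the freshly rotated `audit.log.1` before auditd has necessarily finished switching files, which risks a truncated archive; add `delaycompress = true;` beside `compress = true;`. No rotation trigger (`frequency` or `size`) is set in this entry, so it inherits the logrotate default, and `rotate = 7` then means seven of whatever that interval is — stating it explicitly documents the audit-log retention this configuration is meant to guarantee. It is also worth confirming that auditd's own `max_log_file_action` is not set to `rotate`, otherwise two mechanisms will rotate the same file under conflicting names. The surrounding configuration set (`systemd = { services = {` at the end of the hunk) continues outside the hunk.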