SelfPrivacy/selfprivacy-nixos-config
1
0
Fork 0
mirror of https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git synced 2024-11-27 05:11:30 +00:00
Code Issues Projects Releases Wiki Activity

update

Browse source
This commit is contained in:
Inex Code 2024-07-30 15:22:57 +03:00
parent a3b514b391
commit fca4b2d3ee
2 changed files with 4 additions and 45 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
flake.lock
View file

@ -28,11 +28,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1722312464, "lastModified": 1722342143,
"narHash": "sha256-+nbgcYTYNuIzIheQyRbxHK2hGy0xP8hyc6dDpjpD3Rc=", "narHash": "sha256-n8L2sBYCm0M7/Murq4hhPLoefRo9lbAQKaflGy8Mk7o=",
"ref": "add_monitoring_prometheus", "ref": "add_monitoring_prometheus",
"rev": "bd2fae2e6d014384cd216dda3f9365ec94b8298e", "rev": "806c3052ff08d85f737191946a43a79aa0f626cb",
"revCount": 1472, "revCount": 1473,
"type": "git", "type": "git",
"url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git" "url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
}, },

41
sp-modules/monitoring/module.nix
View file

@ -23,34 +23,6 @@ in
]; ];
}; };
}; };
security.auditd.enable = true;
security.audit.enable = true;
security.audit.rules = [
"-w /root -p war -k root"
"-w /root/.ssh -p wa -k rootkey"
"-w /etc/nixos -p w -k nixosconfig"
"-w /etc/selfprivacy.nix -p w -k selfprivacyfolder"
"-a always,exclude -F msgtype=CWD"
"-a always,exclude -F msgtype=PATH"
# "-a exit,always -F arch=b64 -S execve"
"-a always,exit -F arch=b64 -S kexec_load -k KEXEC"
"-a always,exit -F arch=b64 -S mknod -S mknodat -k specialfiles"
"-a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount"
"-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap"
"-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time"
"-w /etc/group -p wa -k etcgroup"
"-w /etc/passwd -p wa -k etcpasswd"
"-w /etc/shadow -k etcpasswd"
"-w /etc/sudoers -p wa -k actions"
"-a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications"
"-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileaccess"
"-a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileaccess"
];
services.cadvisor = { services.cadvisor = {
enable = true; enable = true;
port = 9003; port = 9003;
@ -84,19 +56,6 @@ in
} }
]; ];
}; };
services.logrotate = {
enable = true;
settings = {
"/var/log/audit/audit.log" = {
rotate = 7;
compress = true;
missingok = true;
notifempty = true;
sharedscripts = true;
postrotate = "systemctl kill -s USR1 auditd.service";
};
};
};
systemd = { systemd = {
services = { services = {
prometheus.serviceConfig.Slice = "monitoring.slice"; prometheus.serviceConfig.Slice = "monitoring.slice";