mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git
synced 2024-11-30 06:21:28 +00:00
update
This commit is contained in:
parent
a3b514b391
commit
fca4b2d3ee
|
@ -28,11 +28,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1722312464,
|
||||
"narHash": "sha256-+nbgcYTYNuIzIheQyRbxHK2hGy0xP8hyc6dDpjpD3Rc=",
|
||||
"lastModified": 1722342143,
|
||||
"narHash": "sha256-n8L2sBYCm0M7/Murq4hhPLoefRo9lbAQKaflGy8Mk7o=",
|
||||
"ref": "add_monitoring_prometheus",
|
||||
"rev": "bd2fae2e6d014384cd216dda3f9365ec94b8298e",
|
||||
"revCount": 1472,
|
||||
"rev": "806c3052ff08d85f737191946a43a79aa0f626cb",
|
||||
"revCount": 1473,
|
||||
"type": "git",
|
||||
"url": "https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git"
|
||||
},
|
||||
|
|
|
@ -23,34 +23,6 @@ in
|
|||
];
|
||||
};
|
||||
};
|
||||
security.auditd.enable = true;
|
||||
security.audit.enable = true;
|
||||
security.audit.rules = [
|
||||
"-w /root -p war -k root"
|
||||
"-w /root/.ssh -p wa -k rootkey"
|
||||
"-w /etc/nixos -p w -k nixosconfig"
|
||||
"-w /etc/selfprivacy.nix -p w -k selfprivacyfolder"
|
||||
"-a always,exclude -F msgtype=CWD"
|
||||
"-a always,exclude -F msgtype=PATH"
|
||||
# "-a exit,always -F arch=b64 -S execve"
|
||||
"-a always,exit -F arch=b64 -S kexec_load -k KEXEC"
|
||||
"-a always,exit -F arch=b64 -S mknod -S mknodat -k specialfiles"
|
||||
"-a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount"
|
||||
"-a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap"
|
||||
"-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time"
|
||||
"-w /etc/group -p wa -k etcgroup"
|
||||
"-w /etc/passwd -p wa -k etcpasswd"
|
||||
"-w /etc/shadow -k etcpasswd"
|
||||
"-w /etc/sudoers -p wa -k actions"
|
||||
"-a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications"
|
||||
"-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess"
|
||||
"-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileaccess"
|
||||
"-a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileaccess"
|
||||
"-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileaccess"
|
||||
"-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileaccess"
|
||||
"-a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileaccess"
|
||||
|
||||
];
|
||||
services.cadvisor = {
|
||||
enable = true;
|
||||
port = 9003;
|
||||
|
@ -84,19 +56,6 @@ in
|
|||
}
|
||||
];
|
||||
};
|
||||
services.logrotate = {
|
||||
enable = true;
|
||||
settings = {
|
||||
"/var/log/audit/audit.log" = {
|
||||
rotate = 7;
|
||||
compress = true;
|
||||
missingok = true;
|
||||
notifempty = true;
|
||||
sharedscripts = true;
|
||||
postrotate = "systemctl kill -s USR1 auditd.service";
|
||||
};
|
||||
};
|
||||
};
|
||||
systemd = {
|
||||
services = {
|
||||
prometheus.serviceConfig.Slice = "monitoring.slice";
|
||||
|
|
Loading…
Reference in a new issue