nixos/auditd: init at 2.7.6 (#27261)
#11864 Support Linux audit subsystem Add the auditd.service as NixOS module to be able to generate profiles from /var/log/audit/audit.log with apparmor-utils. auditd needs the folder /var/log/audit to be present on start so this is generated in ExecPreStart. auditd starts with -s nochange so that effective audit processing is managed by the audit.service.
This commit is contained in:
parent
466e7e23c6
commit
ebaff599ba
@ -116,6 +116,7 @@
|
||||
./security/apparmor.nix
|
||||
./security/apparmor-suid.nix
|
||||
./security/audit.nix
|
||||
./security/auditd.nix
|
||||
./security/ca.nix
|
||||
./security/chromium-suid-sandbox.nix
|
||||
./security/dhparams.nix
|
||||
|
26
nixos/modules/security/auditd.nix
Normal file
26
nixos/modules/security/auditd.nix
Normal file
@ -0,0 +1,26 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
{
|
||||
options.security.auditd.enable = mkEnableOption "the Linux Audit daemon";
|
||||
|
||||
config = mkIf config.security.auditd.enable {
|
||||
systemd.services.auditd = {
|
||||
description = "Linux Audit daemon";
|
||||
wantedBy = [ "basic.target" ];
|
||||
|
||||
unitConfig = {
|
||||
ConditionVirtualization = "!container";
|
||||
ConditionSecurity = [ "audit" ];
|
||||
};
|
||||
|
||||
path = [ pkgs.audit ];
|
||||
|
||||
serviceConfig = {
|
||||
ExecStartPre="${pkgs.coreutils}/bin/mkdir -p /var/log/audit";
|
||||
ExecStart = "${pkgs.audit}/bin/auditd -l -n -s nochange";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
Loading…
Reference in New Issue
Block a user