nixos/auditd: init at 2.7.6 (#27261)

#11864 Support Linux audit subsystem Add the auditd.service as NixOS module to be able to generate profiles from /var/log/audit/audit.log with apparmor-utils. auditd needs the folder /var/log/audit to be present on start so this is generated in ExecPreStart. auditd starts with -s nochange so that effective audit processing is managed by the audit.service.
7 years ago · ebaff599ba
parent 466e7e23c6
commit ebaff599ba
2 changed files with 27 additions and 0 deletions
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -116,6 +116,7 @@
  ./security/apparmor.nix
  ./security/apparmor-suid.nix
  ./security/audit.nix
+  ./security/auditd.nix
  ./security/ca.nix
  ./security/chromium-suid-sandbox.nix
  ./security/dhparams.nix
--- a/nixos/modules/security/auditd.nix
+++ b/nixos/modules/security/auditd.nix
@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  options.security.auditd.enable = mkEnableOption "the Linux Audit daemon";
+
+  config = mkIf config.security.auditd.enable {
+    systemd.services.auditd = {
+      description = "Linux Audit daemon";
+      wantedBy = [ "basic.target" ];
+
+      unitConfig = {
+        ConditionVirtualization = "!container";
+        ConditionSecurity = [ "audit" ];
+      };
+
+      path = [ pkgs.audit ];
+
+      serviceConfig = {
+        ExecStartPre="${pkgs.coreutils}/bin/mkdir -p /var/log/audit";
+        ExecStart = "${pkgs.audit}/bin/auditd -l -n -s nochange";
+      };
+    };
+  };
+}