feat(hosts/luna): add basic auditd setup

hosts/luna/modules/monitoring/auditd.nix

@@ -0,0 +1,36 @@
+{ persist-dir, ... }: {
+  security = {
+    audit.enable = true;
+    auditd.enable = true;
+  };
+  security.audit.rules = [
+    # Program Executions
+    "-a exit,always -F arch=b64 -S execve -F key=progexec"
+
+    # Home path access/modification
+    "-a always,exit -F arch=b64 -F dir=/home -F perm=war -F key=homeaccess"
+
+    # Kexec usage
+    "-a always,exit -F arch=b64 -S kexec_load -F key=KEXEC"
+
+    # Root directory access/modification
+    "-a always,exit -F arch=b64 -F dir=/root -F key=roothomeaccess -F perm=war"
+
+    # Failed Modifications of critcal paths
+    "-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -F key=unauthedfileaccess"
+    "-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -F key=unauthedfileaccess"
+    "-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -F key=unauthedfileaccess"
+    "-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -F key=unauthedfileaccess"
+    "-a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -F key=unauthedfileaccess"
+    "-a always,exit -F arch=b64 -S open -F dir=/opt -F success=0 -F key=unauthedfileaccess"
+    "-a always,exit -F arch=b64 -S open -F dir=/boot -F success=0 -F key=unauthedfileaccess"
+    "-a always,exit -F arch=b64 -S open -F dir=/nix -F success=0 -F key=unauthedfileaccess"
+    "-a always,exit -F arch=b64 -S open -F dir=${persist-dir} -F success=0 -F key=unauthedfileaccess"
+
+    # File deletion events by users
+    "-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -F key=delete"
+
+    # Root command executions
+    "-a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -F key=rootcmd"
+  ];
+}