From 0912b6357ea8e0f697959e99a8e75fae4c9cebc2 Mon Sep 17 00:00:00 2001
From: Price Hiller
Date: Thu, 14 Mar 2024 00:45:34 -0500
Subject: [PATCH] feat(hosts/luna): add basic `auditd` setup

---
 hosts/luna/modules/monitoring/auditd.nix | 36 ++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 hosts/luna/modules/monitoring/auditd.nix

diff --git a/hosts/luna/modules/monitoring/auditd.nix b/hosts/luna/modules/monitoring/auditd.nix
new file mode 100644
index 0000000..3a2bab4
--- /dev/null
+++ b/hosts/luna/modules/monitoring/auditd.nix
@@ -0,0 +1,36 @@
+{ persist-dir, ... }: {
+ security = {
+ audit.enable = true;
+ auditd.enable = true;
+ };
+ security.audit.rules = [
+ # Program Executions
+ "-a exit,always -F arch=b64 -S execve -F key=progexec"
+
+ # Home path access/modification
+ "-a always,exit -F arch=b64 -F dir=/home -F perm=war -F key=homeaccess"
+
+ # Kexec usage
+ "-a always,exit -F arch=b64 -S kexec_load -F key=KEXEC"
+
+ # Root directory access/modification
+ "-a always,exit -F arch=b64 -F dir=/root -F key=roothomeaccess -F perm=war"
+
+ # Failed Modifications of critcal paths
+ "-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -F key=unauthedfileaccess"
+ "-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -F key=unauthedfileaccess"
+ "-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -F key=unauthedfileaccess"
+ "-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -F key=unauthedfileaccess"
+ "-a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -F key=unauthedfileaccess"
+ "-a always,exit -F arch=b64 -S open -F dir=/opt -F success=0 -F key=unauthedfileaccess"
+ "-a always,exit -F arch=b64 -S open -F dir=/boot -F success=0 -F key=unauthedfileaccess"
+ "-a always,exit -F arch=b64 -S open -F dir=/nix -F success=0 -F key=unauthedfileaccess"
+ "-a always,exit -F arch=b64 -S open -F dir=${persist-dir} -F success=0 -F key=unauthedfileaccess"
+
+ # File deletion events by users
+ "-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -F key=delete"
+
+ # Root command executions
+ "-a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -F key=rootcmd"
+ ];
+}
\ No newline at end of file
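Review bot: The nine `-S open -F success=0` rules under "Failed Modifications of critcal paths" only match the legacy `open` syscall, but glibc on x86_64 implements `open()`/`fopen()` via `openat` (and newer kernels offer `openat2`), so almost every failed access to /etc, /boot, /nix and ${persist-dir} will go unlogged; each line needs `-S open -S openat -S openat2 -S creat -S truncate -S ftruncate`, and the kexec rule should add `-S kexec_file_load`, which is the path modern kexec tooling takes. Every rule is also pinned to `-F arch=b64`, so a process that invokes the 32-bit syscall ABI bypasses all of them if the kernel has IA32 emulation enabled (the NixOS default kernel presumably does — worth confirming); the syscall rules should be duplicated for `-F arch=b32` or the compat ABI disabled. Since `rootcmd` exists to watch root, consider closing the list with `-e 2` so a root attacker cannot simply `auditctl -D` the ruleset — note that this also locks the rules until reboot, which affects `nixos-rebuild switch`, and I have not confirmed whether the NixOS audit module offers a dedicated option for it. The `${persist-dir}` interpolation would break the rule string if that path ever contained whitespace; presumably it does not.
```nix
    # Kexec usage (kexec_file_load is what modern kexec tooling uses)
    "-a always,exit -F arch=b64 -S kexec_load -S kexec_file_load -F key=KEXEC"

    # Failed modifications of critical paths: match the syscalls glibc actually
    # issues for open()/fopen()/creat(), on both syscall ABIs, not just legacy open
    "-a always,exit -F arch=b64 -S open -S openat -S openat2 -S creat -S truncate -S ftruncate -F dir=/etc -F success=0 -F key=unauthedfileaccess"
    "-a always,exit -F arch=b32 -S open -S openat -S openat2 -S creat -S truncate -S ftruncate -F dir=/etc -F success=0 -F key=unauthedfileaccess"
    # … unchanged: same pair repeated for /bin /var /home /srv /opt /boot /nix ${persist-dir} …
```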