diff --git a/hosts/luna/modules/monitoring/auditd.nix b/hosts/luna/modules/monitoring/auditd.nix index 0bc41e8..eb254dd 100644 --- a/hosts/luna/modules/monitoring/auditd.nix +++ b/hosts/luna/modules/monitoring/auditd.nix @@ -1,8 +1,119 @@ -{ persist-dir, ... }: { +{ persist-dir, pkgs, config, ... }: +let laurel-user = "_laurel"; +in { security = { audit.enable = true; + wrappers.laurel = { + source = "${pkgs.laurel}/bin/laurel"; + owner = "root"; + group = "${laurel-user}"; + permissions = "u=rwx,g=rx,o="; + }; auditd.enable = true; }; + users.groups."${laurel-user}" = { }; + users.users."${laurel-user}" = { + isSystemUser = true; + createHome = true; + group = "${laurel-user}"; + home = "/var/log/laurel"; + }; + environment.etc = { + "laurel/config.toml" = { + user = "${laurel-user}"; + text = '' + # Write log files relative to this directory + directory = "${config.users.users."${laurel-user}".home}" + # Drop privileges from root to this user + user = "${laurel-user}" + # The periodical time window in seconds for status information to be printed to Syslog. + # Status report includes the running version, config and parsing stats. + # Default is 0 --> no status reports. + statusreport-period = 0 + # By default, audit events are read from stdin ("stdin"). Alternatively, they + # can be consumed from an existing UNIX domain socket ("unix:/path/to/socket") + input = "stdin" + + # A string that is written to the log on startup and + # whenever Laurel writes a status report. + # marker = "correct-horse-battery-staple" + + [auditlog] + # Base file name for the JSONL-based log file. Set to "-" to log to stdout. In this case + # other log file related settings will be ignored. + file = "audit.log" + # Rotate when log file reaches this size (in bytes) + size = 5000000 + # When rotating, keep this number of generations around + generations = 10 + # Grant read permissions on the log files to these users, using + [transform] + + # "array" (the default) causes EXECVE a0, a1, a2 … arguments to be + # output as a list of strings, "ARGV". This is the default, it allows + # analysts to reliably reproduce what was executed. + # + # "string" causes arguments to be concatenated into a single string, + # separated by space characters, "ARGV_STR". This form allows for + # easier grepping, but it is impossible to tell if space characters in + # the resulting string are a separator or were part of an individual + # argument in the original command line. + + execve-argv = [ "array" ] + + # execve-argv = [ "array", "string" ] + + # Trim excessively long EXECVE.ARGV and EXECVE.ARGV_STR entries. + # Excess is cut from the middle of the argument list and a marker + # indicating how many arguments / bytes have been cut is inserted. + + # execve-argv-limit-bytes = 10000 + + [translate] + + # Perform translations of numeric values that can also be done by + # auditd if configured with log_format=ENRICHED. + + # arch, syscall, sockaddr structures + universal = false + # UID, GID values + user-db = false + # Drop raw (numeric) syscall, arch, UID, GID values if they are translated + drop-raw = false + + [enrich] + + # Add context (event-id, comm, exe, ppid) for *pid entries + pid = true + + # List of environment variables to log for every EXECVE event + execve-env = [ "LD_PRELOAD", "LD_LIBRARY_PATH" ] + + # Add container context to SYSCALL-based events + container = true + + # Add script context to SYSCALL execve events + script = true + + # Add groups that the user (uid) is a member of. Default: true + user-groups = true + + [label-process] + + [filter] + filter-null-keys = false + filter-action = "drop" + ''; + }; + "audit/plugins.d/laurel.conf".text = '' + active = yes + direction = out + type = always + path = ${config.security.wrapperDir}/laurel + format = string + args = --config /etc/laurel/config.toml + ''; + }; security.audit.rules = [ # Program Executions "-a exit,always -F arch=b64 -S execve -F key=progexec" @@ -33,4 +144,4 @@ # Root command executions "-a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -F key=rootcmd" ]; -} +} \ No newline at end of file