feat(hosts/luna): install laurel as an auditd plugin

hosts/luna/modules/monitoring/auditd.nix

@@ -1,8 +1,119 @@
-{ persist-dir, ... }: {
+{ persist-dir, pkgs, config, ... }:
+let laurel-user = "_laurel";
+in {
   security = {
     audit.enable = true;
+    wrappers.laurel = {
+      source = "${pkgs.laurel}/bin/laurel";
+      owner = "root";
+      group = "${laurel-user}";
+      permissions = "u=rwx,g=rx,o=";
+    };
     auditd.enable = true;
   };
+  users.groups."${laurel-user}" = { };
+  users.users."${laurel-user}" = {
+    isSystemUser = true;
+    createHome = true;
+    group = "${laurel-user}";
+    home = "/var/log/laurel";
+  };
+  environment.etc = {
+    "laurel/config.toml" = {
+      user = "${laurel-user}";
+      text = ''
+        # Write log files relative to this directory
+        directory = "${config.users.users."${laurel-user}".home}"
+        # Drop privileges from root to this user
+        user = "${laurel-user}"
+        # The periodical time window in seconds for status information to be printed to Syslog.
+        # Status report includes the running version, config and parsing stats.
+        # Default is 0 --> no status reports.
+        statusreport-period = 0
+        # By default, audit events are read from stdin ("stdin"). Alternatively, they
+        # can be consumed from an existing UNIX domain socket ("unix:/path/to/socket")
+        input = "stdin"
+
+        # A string that is written to the log on startup and
+        # whenever Laurel writes a status report.
+        # marker = "correct-horse-battery-staple"
+
+        [auditlog]
+        # Base file name for the JSONL-based log file. Set to "-" to log to stdout. In this case
+        # other log file related settings will be ignored.
+        file = "audit.log"
+        # Rotate when log file reaches this size (in bytes)
+        size = 5000000
+        # When rotating, keep this number of generations around
+        generations = 10
+        # Grant read permissions on the log files to these users, using
+        [transform]
+
+        # "array" (the default) causes EXECVE a0, a1, a2 … arguments to be
+        # output as a list of strings, "ARGV". This is the default, it allows
+        # analysts to reliably reproduce what was executed.
+        #
+        # "string" causes arguments to be concatenated into a single string,
+        # separated by space characters, "ARGV_STR". This form allows for
+        # easier grepping, but it is impossible to tell if space characters in
+        # the resulting string are a separator or were part of an individual
+        # argument in the original command line.
+
+        execve-argv = [ "array" ]
+
+        # execve-argv = [ "array", "string" ]
+
+        # Trim excessively long EXECVE.ARGV and EXECVE.ARGV_STR entries.
+        # Excess is cut from the middle of the argument list and a marker
+        # indicating how many arguments / bytes have been cut is inserted.
+
+        # execve-argv-limit-bytes = 10000
+
+        [translate]
+
+        # Perform translations of numeric values that can also be done by
+        # auditd if configured with log_format=ENRICHED.
+
+        # arch, syscall, sockaddr structures
+        universal = false
+        # UID, GID values
+        user-db = false
+        # Drop raw (numeric) syscall, arch, UID, GID values if they are translated
+        drop-raw = false
+
+        [enrich]
+
+        # Add context (event-id, comm, exe, ppid) for *pid entries
+        pid = true
+
+        # List of environment variables to log for every EXECVE event
+        execve-env = [ "LD_PRELOAD", "LD_LIBRARY_PATH" ]
+
+        # Add container context to SYSCALL-based events
+        container = true
+
+        # Add script context to SYSCALL execve events
+        script = true
+
+        # Add groups that the user (uid) is a member of. Default: true
+        user-groups = true
+
+        [label-process]
+
+        [filter]
+        filter-null-keys = false
+        filter-action = "drop"
+      '';
+    };
+    "audit/plugins.d/laurel.conf".text = ''
+      active = yes
+      direction = out
+      type = always
+      path = ${config.security.wrapperDir}/laurel
+      format = string
+      args = --config /etc/laurel/config.toml
+    '';
+  };
   security.audit.rules = [
     # Program Executions
     "-a exit,always -F arch=b64 -S execve -F key=progexec"
@@ -33,4 +144,4 @@
     # Root command executions
     "-a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -F key=rootcmd"
   ];
-}
+}