hosts/luna/modules/monitoring/auditd.nix

@@ -1,119 +1,8 @@
-{ persist-dir, pkgs, config, ... }:
+{ persist-dir, ... }: {
-let laurel-user = "_laurel";
-in {
   security = {
     audit.enable = true;
-    wrappers.laurel = {
-      source = "${pkgs.laurel}/bin/laurel";
-      owner = "root";
-      group = "${laurel-user}";
-      permissions = "u=rwx,g=rx,o=";
-    };
     auditd.enable = true;
   };
-  users.groups."${laurel-user}" = { };
-  users.users."${laurel-user}" = {
-    isSystemUser = true;
-    createHome = true;
-    group = "${laurel-user}";
-    home = "/var/log/laurel";
-  };
-  environment.etc = {
-    "laurel/config.toml" = {
-      user = "${laurel-user}";
-      text = ''
-        # Write log files relative to this directory
-        directory = "${config.users.users."${laurel-user}".home}"
-        # Drop privileges from root to this user
-        user = "${laurel-user}"
-        # The periodical time window in seconds for status information to be printed to Syslog.
-        # Status report includes the running version, config and parsing stats.
-        # Default is 0 --> no status reports.
-        statusreport-period = 0
-        # By default, audit events are read from stdin ("stdin"). Alternatively, they
-        # can be consumed from an existing UNIX domain socket ("unix:/path/to/socket")
-        input = "stdin"
-
-        # A string that is written to the log on startup and
-        # whenever Laurel writes a status report.
-        # marker = "correct-horse-battery-staple"
-
-        [auditlog]
-        # Base file name for the JSONL-based log file. Set to "-" to log to stdout. In this case
-        # other log file related settings will be ignored.
-        file = "audit.log"
-        # Rotate when log file reaches this size (in bytes)
-        size = 5000000
-        # When rotating, keep this number of generations around
-        generations = 10
-        # Grant read permissions on the log files to these users, using
-        [transform]
-
-        # "array" (the default) causes EXECVE a0, a1, a2 … arguments to be
-        # output as a list of strings, "ARGV". This is the default, it allows
-        # analysts to reliably reproduce what was executed.
-        #
-        # "string" causes arguments to be concatenated into a single string,
-        # separated by space characters, "ARGV_STR". This form allows for
-        # easier grepping, but it is impossible to tell if space characters in
-        # the resulting string are a separator or were part of an individual
-        # argument in the original command line.
-
-        execve-argv = [ "array" ]
-
-        # execve-argv = [ "array", "string" ]
-
-        # Trim excessively long EXECVE.ARGV and EXECVE.ARGV_STR entries.
-        # Excess is cut from the middle of the argument list and a marker
-        # indicating how many arguments / bytes have been cut is inserted.
-
-        # execve-argv-limit-bytes = 10000
-
-        [translate]
-
-        # Perform translations of numeric values that can also be done by
-        # auditd if configured with log_format=ENRICHED.
-
-        # arch, syscall, sockaddr structures
-        universal = false
-        # UID, GID values
-        user-db = false
-        # Drop raw (numeric) syscall, arch, UID, GID values if they are translated
-        drop-raw = false
-
-        [enrich]
-
-        # Add context (event-id, comm, exe, ppid) for *pid entries
-        pid = true
-
-        # List of environment variables to log for every EXECVE event
-        execve-env = [ "LD_PRELOAD", "LD_LIBRARY_PATH" ]
-
-        # Add container context to SYSCALL-based events
-        container = true
-
-        # Add script context to SYSCALL execve events
-        script = true
-
-        # Add groups that the user (uid) is a member of. Default: true
-        user-groups = true
-
-        [label-process]
-
-        [filter]
-        filter-null-keys = false
-        filter-action = "drop"
-      '';
-    };
-    "audit/plugins.d/laurel.conf".text = ''
-      active = yes
-      direction = out
-      type = always
-      path = ${config.security.wrapperDir}/laurel
-      format = string
-      args = --config /etc/laurel/config.toml
-    '';
-  };
   security.audit.rules = [
     # Program Executions
     "-a exit,always -F arch=b64 -S execve -F key=progexec"
@@ -144,4 +33,4 @@ in {
     # Root command executions
     "-a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -F key=rootcmd"
   ];
-}
+}

hosts/luna/modules/users.nix

@@ -1,6 +1,5 @@
 { pkgs, config, ... }: {
   security.sudo.wheelNeedsPassword = false;
-  users.mutableUsers = false;
   users.users = {
     root.hashedPasswordFile = config.age.secrets.users-root-pw.path;
     price = {
@@ -20,4 +19,4 @@
       files = [ ".bash_history" ];
     };
   };
-}
+}