From 84a40a7bf0d41624cf9692475d102235dfa7e411 Mon Sep 17 00:00:00 2001
From: Price Hiller
Date: Thu, 2 Jan 2025 11:49:32 -0600
Subject: [PATCH] refactor(hosts/orion): disable auditd

---
 hosts/orion/modules/security.nix | 33 --------------------------------
 1 file changed, 33 deletions(-)

diff --git a/hosts/orion/modules/security.nix b/hosts/orion/modules/security.nix
index 197a54f4..ff629a98 100644
--- a/hosts/orion/modules/security.nix
+++ b/hosts/orion/modules/security.nix
@@ -5,39 +5,6 @@
 enable = true;
 };
 sudo.execWheelOnly = true;
- auditd.enable = true;
- audit = {
- enable = true;
- rules = [
- # Program Executions
- "-a exit,always -F arch=b64 -S execve -F key=progexec"
-
- # Home path access/modification
- "-a always,exit -F arch=b64 -F dir=/home -F perm=war -F key=homeaccess"
-
- # Kexec usage
- "-a always,exit -F arch=b64 -S kexec_load -F key=KEXEC"
-
- # Root directory access/modification
- "-a always,exit -F arch=b64 -F dir=/root -F key=roothomeaccess -F perm=war"
-
- # Failed Modifications of critcal paths
- "-a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -F key=unauthedfileaccess"
- "-a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -F key=unauthedfileaccess"
- "-a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -F key=unauthedfileaccess"
- "-a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -F key=unauthedfileaccess"
- "-a always,exit -F arch=b64 -S open -F dir=/srv -F success=0 -F key=unauthedfileaccess"
- "-a always,exit -F arch=b64 -S open -F dir=/boot -F success=0 -F key=unauthedfileaccess"
- "-a always,exit -F arch=b64 -S open -F dir=/nix -F success=0 -F key=unauthedfileaccess"
- "-a always,exit -F arch=b64 -S open -F dir=/persist -F success=0 -F key=unauthedfileaccess"
-
- # File deletion events by users
- "-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=-1 -F key=delete"
-
- # Root command executions
- "-a always,exit -F arch=b64 -F euid=0 -F auid>=1000 -F auid!=-1 -S execve -F key=rootcmd"
- ];
- };
 };
 boot.kernel.sysctl = {
 "net.ipv4.conf.all.log_martions" = true;