author | Christian Albrecht <christian.albrecht@mayflower.de> | 2017-07-09 18:59:09 +0200 |
---|---|---|
committer | Jörg Thalheim <Mic92@users.noreply.github.com> | 2017-07-09 17:59:09 +0100 |
commit | ebaff599ba0e76ab3c505c4039df979d3799a17c (patch) | |
tree | ed0e1cc446c17eacea4e85cecfaabb5dc02f7f6d | |
parent | 466e7e23c6f71ebed7050802d377102002fc2a0d (diff) | |
nixos/auditd: init at 2.7.6 (#27261)
#11864 Support Linux audit subsystem. Add the auditd.service as a NixOS module to be able to generate profiles from /var/log/audit/audit.log with apparmor-utils. auditd needs the folder /var/log/audit to be present on start, so this is created in ExecStartPre. auditd starts with -s nochange so that effective audit processing is managed by the audit.service.
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/security/auditd.nix | 26 |
2 files changed, 27 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index a2add1b3e43..3aeb1225ae5 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -116,6 +116,7 @@
   ./security/apparmor.nix
   ./security/apparmor-suid.nix
   ./security/audit.nix
+  ./security/auditd.nix
   ./security/ca.nix
   ./security/chromium-suid-sandbox.nix
   ./security/dhparams.nix
diff --git a/nixos/modules/security/auditd.nix b/nixos/modules/security/auditd.nix
new file mode 100644
index 00000000000..319dce9a6c5
--- /dev/null
+++ b/nixos/modules/security/auditd.nix
@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  options.security.auditd.enable = mkEnableOption "the Linux Audit daemon";
+
+  config = mkIf config.security.auditd.enable {
+    systemd.services.auditd = {
+      description = "Linux Audit daemon";
+      wantedBy = [ "basic.target" ];
+
+      unitConfig = {
+        ConditionVirtualization = "!container";
+        ConditionSecurity = [ "audit" ];
+      };
+
+      path = [ pkgs.audit ];
+
+      serviceConfig = {
+        ExecStartPre="${pkgs.coreutils}/bin/mkdir -p /var/log/audit";
+        ExecStart = "${pkgs.audit}/bin/auditd -l -n -s nochange";
+      };
+    };
+  };
+}
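Review bot: The `ExecStartPre` line in auditd.nix creates /var/log/audit with whatever mode the service's default umask yields, which is presumably 0755, so the directory holding the audit trail ends up listable by every local user even though auditd itself restricts the log files it writes. Passing an explicit mode keeps the directory private to root on the first boot that creates it: `ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p -m 0700 /var/log/audit";`. The same line is also the only assignment in the file without spaces around `=`, which the change above would fix in passing. The `path = [ pkgs.audit ];` entry appears redundant since both Exec* lines already use absolute store paths, though it is harmless.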