nixos/auditd: init at 2.7.6 (#27261)

#11864 Support Linux audit subsystem
Add the auditd.service as NixOS module to be able to
generate profiles from /var/log/audit/audit.log
with apparmor-utils.

auditd needs the folder /var/log/audit to be present on start
so this is generated in ExecPreStart.

auditd starts with -s nochange so that effective audit processing
is managed by the audit.service.

2 files changed, 27 insertions, 0 deletions

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index a2add1b3e43..3aeb1225ae5 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -116,6 +116,7 @@
   ./security/apparmor.nix
   ./security/apparmor-suid.nix
   ./security/audit.nix
+  ./security/auditd.nix
   ./security/ca.nix
   ./security/chromium-suid-sandbox.nix
   ./security/dhparams.nix
diff --git a/nixos/modules/security/auditd.nix b/nixos/modules/security/auditd.nix
new file mode 100644
index 00000000000..319dce9a6c5
--- /dev/null
+++ b/nixos/modules/security/auditd.nix
@@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  options.security.auditd.enable = mkEnableOption "the Linux Audit daemon";
+
+  config = mkIf config.security.auditd.enable {
+    systemd.services.auditd = {
+      description = "Linux Audit daemon";
+      wantedBy = [ "basic.target" ];
+
+      unitConfig = {
+        ConditionVirtualization = "!container";
+        ConditionSecurity = [ "audit" ];
+      };
+
+      path = [ pkgs.audit ];
+
+      serviceConfig = {
+        ExecStartPre="${pkgs.coreutils}/bin/mkdir -p /var/log/audit";
+        ExecStart = "${pkgs.audit}/bin/auditd -l -n -s nochange";
+      };
+    };
+  };
+}