authorMaciej Krüger <mkg20001@gmail.com>2021-10-19 15:28:51 +0200
committerGitHub <noreply@github.com>2021-10-19 15:28:51 +0200
commitb33ac6e5c077c83f3e28eaa1254442a6e28d8008 (patch)
tree82d727792029d09dd7ceebf43d6bbca58ef9d0ff /nixos/modules/security/pam.nix
parent8bf6698ad02a955b2f156275567f23a2b77b2ae5 (diff)
parentf3d00b3a94bbbe89890bb75bb099c52988300fcb (diff)
Merge pull request #137646 from mkg20001/pam-audit
Diffstat (limited to 'nixos/modules/security/pam.nix')
-rw-r--r--nixos/modules/security/pam.nix46
1 files changed, 46 insertions, 0 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 4c18fa8cc67..e12c52e3d34 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -197,6 +197,46 @@ let
         '';
       };
 
+      ttyAudit = {
+        enable = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            Enable or disable TTY auditing for specified users
+          '';
+        };
+
+        enablePattern = mkOption {
+          type = types.nullOr types.str;
+          default = null;
+          description = ''
+            For each user matching one of comma-separated
+            glob patterns, enable TTY auditing
+          '';
+        };
+
+        disablePattern = mkOption {
+          type = types.nullOr types.str;
+          default = null;
+          description = ''
+            For each user matching one of comma-separated
+            glob patterns, disable TTY auditing
+          '';
+        };
+
+        openOnly = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            Set the TTY audit flag when opening the session,
+            but do not restore it when closing the session.
+            Using this option is necessary for some services
+            that don't fork() to run the authenticated session,
+            such as sudo.
+          '';
+        };
+      };
+
       forwardXAuth = mkOption {
         default = false;
         type = types.bool;
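Review bot: `enablePattern` and `disablePattern` are declared as plain `types.nullOr types.str`, yet the second hunk interpolates the value unquoted into a pam.d rule where arguments are whitespace-separated, so a pattern containing a space or newline would silently split into separate tokens; consider `type = types.nullOr (types.strMatching "[^[:space:]]+");` (or an assertion with the same intent) and say in the descriptions that the value is passed verbatim as pam_tty_audit's `enable=`/`disable=` argument. The descriptions of `enable`, `enablePattern` and `disablePattern` also lack the terminating period that `openOnly`'s has; ending each with one keeps the generated option manual consistent. The enclosing attribute set continues outside the hunk.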
@@ -482,6 +522,12 @@ let
               "session ${
                 if config.boot.isContainer then "optional" else "required"
               } pam_loginuid.so"}
+          ${optionalString cfg.ttyAudit.enable
+              "session required ${pkgs.pam}/lib/security/pam_tty_audit.so
+                open_only=${toString cfg.ttyAudit.openOnly}
+                ${optionalString (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"}
+                ${optionalString (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"}
+              "}
           ${optionalString cfg.makeHomeDir
               "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0022"}
           ${optionalString cfg.updateWtmp
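Review bot: `open_only=${toString cfg.ttyAudit.openOnly}` on the added line does not yield an argument pam_tty_audit.so understands: the option's own description in the first hunk presents `open_only` as a bare flag, and Nix's `toString` on a bool gives `"1"` or `""`, so the module would always receive `open_only=1` or `open_only=`, which it is likely to reject as an unknown option and fail the session for every login once `ttyAudit.enable` is set. The newlines inside the nested `"…"` string are also copied into the generated pam.d file, so `open_only=…`, `enable=…` and `disable=…` end up on lines of their own instead of as arguments of the `session` rule; pam.d entries are one rule per line unless continued with a backslash. Both are addressed by emitting a single line and rendering `openOnly` as the flag only when true, as below. The surrounding string and the enclosing `let` start and end outside the hunk.
```nix
${optionalString cfg.ttyAudit.enable
    "session required ${pkgs.pam}/lib/security/pam_tty_audit.so ${concatStringsSep " " (
      optional cfg.ttyAudit.openOnly "open_only"
      ++ optional (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"
      ++ optional (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"
    )}"}
# … unchanged: pam_mkhomedir / updateWtmp rules that follow …
```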