diff --git a/common/ssh-audit.nix b/common/ssh-audit.nix
new file mode 100644
index 0000000..6697a05
--- /dev/null
+++ b/common/ssh-audit.nix
@@ -0,0 +1,21 @@
+# SSH session command auditing
+#
+# Logs all commands executed by users who logged in interactively (SSH).
+# System services and nix builds are excluded via auid filter.
+#
+# Logs are sent to journald and forwarded to Loki via promtail.
+# Query with: {host=""} |= "EXECVE"
+{
+ # Enable Linux audit subsystem
+ security.audit.enable = true;
+ security.auditd.enable = true;
+ # Log execve syscalls only from interactive login sessions
+ # auid!=4294967295 means "audit login uid is set" (excludes system services, nix builds)
+ security.audit.rules = [
+ "-a exit,always -F arch=b64 -S execve -F auid!=4294967295"
+ ];
+ # Forward audit logs to journald (so promtail ships them to Loki)
+ services.journald.audit = true;
+}
diff --git a/hosts/testvm01/configuration.nix b/hosts/testvm01/configuration.nix
index 572084b..ee93d4a 100644
--- a/hosts/testvm01/configuration.nix
+++ b/hosts/testvm01/configuration.nix
@@ -11,6 +11,7 @@
 ../../system
 ../../common/vm
+ ../../common/ssh-audit.nix
 ];
 # Host metadata (adjust as needed)
diff --git a/hosts/testvm02/configuration.nix b/hosts/testvm02/configuration.nix
index 323b818..5e6f11b 100644
--- a/hosts/testvm02/configuration.nix
+++ b/hosts/testvm02/configuration.nix
@@ -11,6 +11,7 @@
 ../../system
 ../../common/vm
+ ../../common/ssh-audit.nix
 ];
 # Host metadata (adjust as needed)
diff --git a/hosts/testvm03/configuration.nix b/hosts/testvm03/configuration.nix
index a3dd2f3..6fd9b48 100644
--- a/hosts/testvm03/configuration.nix
+++ b/hosts/testvm03/configuration.nix
@@ -11,6 +11,7 @@
 ../../system
 ../../common/vm
+ ../../common/ssh-audit.nix
 ];
 # Host metadata (adjust as needed)
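Review bot: The single rule in `security.audit.rules` only matches `arch=b64` and only the `execve` syscall, so the header comment's claim that it "Logs all commands executed" does not hold: processes started through `execveat`, or via the 32-bit syscall ABI on a kernel with compat support, produce no EXECVE record. The usual fix is to list both syscalls and add a b32 twin: `"-a exit,always -F arch=b64 -S execve,execveat -F auid!=4294967295"` and `"-a exit,always -F arch=b32 -S execve,execveat -F auid!=4294967295"`. Separately, EXECVE records carry the full argv, so any password or token a user passes on a command line will be shipped to Loki verbatim; the header comment should state this so retention and access policy for that stream are set with it in mind. The `auid!=4294967295` filter also keeps root's own SSH sessions in scope, which is presumably intended but worth saying in the comment.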