From 7fcc043a4d48a10b56d5f3fb24e8e38d653cf159 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Sun, 8 Feb 2026 03:07:10 +0100
Subject: [PATCH] testvm: add SSH session command auditing

Enable Linux audit to log execve syscalls from interactive SSH sessions. Uses auid filter to exclude system services and nix builds. Logs forwarded to journald for Loki ingestion. Query with: {host="testvmXX"} |= "EXECVE"

Co-Authored-By: Claude Opus 4.5
---
 common/ssh-audit.nix | 21 +++++++++++++++++++++
 hosts/testvm01/configuration.nix | 1 +
 hosts/testvm02/configuration.nix | 1 +
 hosts/testvm03/configuration.nix | 1 +
 4 files changed, 24 insertions(+)
 create mode 100644 common/ssh-audit.nix

diff --git a/common/ssh-audit.nix b/common/ssh-audit.nix
new file mode 100644
index 0000000..6697a05
--- /dev/null
+++ b/common/ssh-audit.nix
@@ -0,0 +1,21 @@
+# SSH session command auditing
+#
+# Logs all commands executed by users who logged in interactively (SSH).
+# System services and nix builds are excluded via auid filter.
+#
+# Logs are sent to journald and forwarded to Loki via promtail.
+# Query with: {host=""} |= "EXECVE"
+{
+ # Enable Linux audit subsystem
+ security.audit.enable = true;
+ security.auditd.enable = true;
+
+ # Log execve syscalls only from interactive login sessions
+ # auid!=4294967295 means "audit login uid is set" (excludes system services, nix builds)
+ security.audit.rules = [
+ "-a exit,always -F arch=b64 -S execve -F auid!=4294967295"
+ ];
+
+ # Forward audit logs to journald (so promtail ships them to Loki)
+ services.journald.audit = true;
+}
diff --git a/hosts/testvm01/configuration.nix b/hosts/testvm01/configuration.nix
index 572084b..ee93d4a 100644
--- a/hosts/testvm01/configuration.nix
+++ b/hosts/testvm01/configuration.nix
@@ -11,6 +11,7 @@
 ../../system
 ../../common/vm
+ ../../common/ssh-audit.nix
 ];
 # Host metadata (adjust as needed)
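Review bot: The single rule in `security.audit.rules` matches only `arch=b64` and only `execve`, so a program started through the 32-bit compat syscall or via `execveat` produces no EXECVE record and is invisible to the Loki query the header describes; the usual two-rule form closes that gap: `"-a always,exit -F arch=b64 -S execve,execveat -F auid!=4294967295"` and `"-a always,exit -F arch=b32 -S execve,execveat -F auid!=4294967295"`. The header comment promises "SSH" sessions, but `auid!=4294967295` matches any PAM login (local console included) and is preserved across `su`/`sudo`, so the scope is wider than stated; a one-line note such as `# auid is set by any PAM login, not only sshd, and survives su/sudo` would keep the next reader from assuming SSH-only coverage. The query line `{host=""}` in the header has an empty host label, which looks like a lost placeholder (the commit message uses `testvmXX`); worth restoring if that was intended, though it may be an artifact of how this patch was rendered.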
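Review bot: The same one-line `../../common/ssh-audit.nix` import is added by hand to testvm01 here and to testvm02 and testvm03 in the two following hunks, while all three hosts already import `../../common/vm`; importing the audit module from that shared module would keep the test VMs in step and avoid the next host silently missing it. That only holds if `common/vm` is not also used by hosts that should stay unaudited, which is not visible in this patch, so it is a question for the author rather than a definite change.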
diff --git a/hosts/testvm02/configuration.nix b/hosts/testvm02/configuration.nix
index 323b818..5e6f11b 100644
--- a/hosts/testvm02/configuration.nix
+++ b/hosts/testvm02/configuration.nix
@@ -11,6 +11,7 @@
 ../../system
 ../../common/vm
+ ../../common/ssh-audit.nix
 ];
 # Host metadata (adjust as needed)
diff --git a/hosts/testvm03/configuration.nix b/hosts/testvm03/configuration.nix
index a3dd2f3..6fd9b48 100644
--- a/hosts/testvm03/configuration.nix
+++ b/hosts/testvm03/configuration.nix
@@ -11,6 +11,7 @@
 ../../system
 ../../common/vm
+ ../../common/ssh-audit.nix
 ];
 # Host metadata (adjust as needed)