testvm: add SSH session command auditing
Some checks failed
Run nix flake check / flake-check (push) Failing after 1s
Enable Linux audit to log execve syscalls from interactive SSH sessions.
Uses an auid filter to exclude system services and nix builds.
Logs forwarded to journald for Loki ingestion. Query with:
{host="testvmXX"} |= "EXECVE"
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
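The commit message describes the filter the kernel applies (only processes with a login uid are audited) and the EXECVE records that end up in Loki. As an added example, not code from this repository or the commit under review, the following Python applies the same auid filter in user space to raw auditd records, reassembles argv from EXECVE records (decoding the hex form audit uses for arguments containing spaces or non-printable bytes, and rejoining arguments the kernel split into `aN[0]`, `aN[1]`, ...) and flags root execs that descend from a non-root login. The record lines are constructed for this example, and `UNSET_AUID`, `interactive_execs` and the other names are the example's own.

```python
"""Reconstruct execve events from raw Linux audit records, keeping only those
from sessions with a login uid (auid != 4294967295), mirroring the audit rule.

Added example, not part of the commit under review. The records below are
constructed in auditd's raw text format; they are not captured logs.
"""
import re
import shlex
from collections import defaultdict

# (unsigned)-1: the kernel's "login uid never set" marker. A process carries it
# when nothing in its ancestry went through a PAM login (services, nix builds).
UNSET_AUID = 4294967295

# Constructed sample: four events, each a SYSCALL plus an EXECVE record sharing
# one serial. Event 202 comes from a daemon with no login uid and must be dropped.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 a0=55a1c0 a1=7ffd40 a2=7ffd58 a3=0 ppid=1000 pid=1001 auid=1000 uid=1000 gid=100 euid=1000 comm="ls" exe="/run/current-system/sw/bin/ls" key=(null)
type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="ls" a1="-la"
type=CWD msg=audit(1700000000.101:201): cwd="/home/alice"
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=59 success=yes exit=0 a0=55a1c0 a1=7ffd40 a2=7ffd58 a3=0 ppid=1 pid=2002 auid=4294967295 uid=0 gid=0 euid=0 comm="nix" exe="/run/current-system/sw/bin/nix" key=(null)
type=EXECVE msg=audit(1700000000.205:202): argc=1 a0="nix-build"
type=CWD msg=audit(1700000000.205:202): cwd="/var/lib/nix-daemon"
type=SYSCALL msg=audit(1700000000.310:203): arch=c000003e syscall=59 success=yes exit=0 a0=55a1c0 a1=7ffd40 a2=7ffd58 a3=0 ppid=1001 pid=1050 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/run/current-system/sw/bin/cat" key=(null)
type=EXECVE msg=audit(1700000000.310:203): argc=2 a0="cat" a1=2F746D702F6D792066696C65
type=CWD msg=audit(1700000000.310:203): cwd="/home/alice"
type=SYSCALL msg=audit(1700000000.420:204): arch=c000003e syscall=59 success=yes exit=0 a0=55a1c0 a1=7ffd40 a2=7ffd58 a3=0 ppid=1001 pid=1060 auid=1000 uid=1000 gid=100 euid=1000 comm="echo" exe="/run/current-system/sw/bin/echo" key=(null)
type=EXECVE msg=audit(1700000000.420:204): argc=2 a0="echo" a1[0]=686920 a1[1]=7468657265
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'([\w\[\]]+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")
ARG_RE = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")
# Fields audit emits as strings (quoted if printable, uppercase hex otherwise).
STRING_FIELDS = {"comm", "exe", "cwd", "proctitle", "name", "key"}


def decode_value(raw):
    """Undo audit's string encoding: strip quotes, or decode the hex form."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_record(line):
    """Parse one raw record into type, timestamp, serial and a field dict."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {}
    for key, raw in FIELD_RE.findall(body):
        # Only EXECVE argv pieces and known string fields are decoded; SYSCALL
        # a0..a3 are register values and numeric fields stay as written.
        if key in STRING_FIELDS or (rtype == "EXECVE" and ARG_RE.match(key)):
            fields[key] = decode_value(raw)
        else:
            fields[key] = raw
    return {"type": rtype, "ts": float(ts), "serial": int(serial), "fields": fields}


def argv_from_execve(fields):
    """Reassemble argv; the kernel splits oversized arguments into aN[0], aN[1], ..."""
    pieces = defaultdict(dict)
    for key, value in fields.items():
        m = ARG_RE.match(key)
        if m:
            pieces[int(m.group(1))][int(m.group(2) or 0)] = value
    return ["".join(pieces[i][p] for p in sorted(pieces[i])) for i in sorted(pieces)]


def interactive_execs(text):
    """Return the exec events the rule's auid filter keeps, oldest serial first."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    kept = []
    for serial in sorted(events):
        by_type = {r["type"]: r["fields"] for r in events[serial]}
        syscall, execve = by_type.get("SYSCALL"), by_type.get("EXECVE")
        if not syscall or not execve:
            continue
        auid = int(syscall["auid"])
        if auid == UNSET_AUID:
            continue  # no login uid: service, nix build, boot-time process
        euid = int(syscall["euid"])
        kept.append({
            "serial": serial,
            "auid": auid,
            "uid": int(syscall["uid"]),
            "euid": euid,
            "cwd": by_type.get("CWD", {}).get("cwd"),
            "exe": syscall.get("exe"),
            "argv": argv_from_execve(execve),
            # root code reached from a non-root login: the line to read first
            "escalated": euid == 0 and auid != 0,
        })
    return kept


def format_event(ev):
    """One shell-quoted line per event, the way an analyst would want to read it."""
    flag = " [root from non-root login]" if ev["escalated"] else ""
    return (f'{ev["serial"]} auid={ev["auid"]} euid={ev["euid"]} '
            f'cwd={ev["cwd"]}: {shlex.join(ev["argv"])}{flag}')


if __name__ == "__main__":
    for ev in interactive_execs(SAMPLE_RECORDS):
        print(format_event(ev))
```

The auid check is the same comparison the kernel makes for the `-F auid!=4294967295` filter; running it again in user space is useful when the rule set is later widened (for example to all of `execve` regardless of auid) and the interactive subset has to be carved out at query time instead.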
21
common/ssh-audit.nix
Normal file
@@ -0,0 +1,21 @@
# SSH session command auditing
#
# Logs all commands executed by users who logged in interactively (SSH).
# System services and nix builds are excluded via auid filter.
#
# Logs are sent to journald and forwarded to Loki via promtail.
# Query with: {host="<hostname>"} |= "EXECVE"
{
# Enable Linux audit subsystem
security.audit.enable = true;
security.auditd.enable = true;
# Log execve syscalls only from interactive login sessions
# auid!=4294967295 means "audit login uid is set" (excludes system services, nix builds)
security.audit.rules = [
"-a exit,always -F arch=b64 -S execve -F auid!=4294967295"
];
# Forward audit logs to journald (so promtail ships them to Loki)
services.journald.audit = true;
}
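Review bot: the rule on the `security.audit.rules` line only matches `-S execve` under `-F arch=b64`, so an `execveat(2)` call or a 32-bit binary runs without producing a record; add `-S execveat` and a matching `-F arch=b32` rule, and give the rules a `-k` key so the Loki query can filter on the key rather than on the `EXECVE` record type. Two smaller points for the header comment: `auid!=4294967295` keeps every process descended from a PAM session that set a login uid, not only SSH ones, so "(SSH)" is narrower than what is actually logged; and because nothing sets `-e 2`, a root user inside an audited session can still run `auditctl -D` to drop these rules, a trade-off worth stating next to them. Lastly, EXECVE records hex-encode any argument containing a space or non-printable byte, so the `|= "EXECVE"` query will match those lines but show such arguments undecoded.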