testvm: add SSH session command auditing

Enable Linux audit to log execve syscalls from interactive SSH sessions. Uses auid filter to exclude system services and nix builds. Logs forwarded to journald for Loki ingestion. Query with: {host="testvmXX"} |= "EXECVE" Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-08 03:07:10 +01:00
parent 70ec5f8109
commit 7fcc043a4d
4 changed files with 24 additions and 0 deletions
--- a/hosts/testvm02/configuration.nix
+++ b/hosts/testvm02/configuration.nix
@@ -11,6 +11,7 @@

    ../../system
    ../../common/vm
+    ../../common/ssh-audit.nix
  ];

  # Host metadata (adjust as needed)