testvm: add SSH session command auditing

Enable Linux audit to log execve syscalls from interactive SSH sessions.
Uses auid filter to exclude system services and nix builds.

Logs forwarded to journald for Loki ingestion. Query with:
{host="testvmXX"} |= "EXECVE"

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

common/ssh-audit.nix

@@ -0,0 +1,21 @@
+# SSH session command auditing
+#
+# Logs all commands executed by users who logged in interactively (SSH).
+# System services and nix builds are excluded via auid filter.
+#
+# Logs are sent to journald and forwarded to Loki via promtail.
+# Query with: {host="<hostname>"} |= "EXECVE"
+{
+  # Enable Linux audit subsystem
+  security.audit.enable = true;
+  security.auditd.enable = true;
+
+  # Log execve syscalls only from interactive login sessions
+  # auid!=4294967295 means "audit login uid is set" (excludes system services, nix builds)
+  security.audit.rules = [
+    "-a exit,always -F arch=b64 -S execve -F auid!=4294967295"
+  ];
+
+  # Forward audit logs to journald (so promtail ships them to Loki)
+  services.journald.audit = true;
+}

hosts/testvm01/configuration.nix

@@ -11,6 +11,7 @@
 
     ../../system
     ../../common/vm
+    ../../common/ssh-audit.nix
   ];
 
   # Host metadata (adjust as needed)

hosts/testvm02/configuration.nix

@@ -11,6 +11,7 @@
 
     ../../system
     ../../common/vm
+    ../../common/ssh-audit.nix
   ];
 
   # Host metadata (adjust as needed)

hosts/testvm03/configuration.nix

@@ -11,6 +11,7 @@
 
     ../../system
     ../../common/vm
+    ../../common/ssh-audit.nix
   ];
 
   # Host metadata (adjust as needed)