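# SSH session command auditing
#
# Logs all commands executed by users who logged in interactively (SSH).
# System services and nix builds are excluded via auid filter.
#
# Logs are sent to journald and forwarded to Loki via promtail.
# Query with: {host="<hostname>"} |= "EXECVE"
# (or narrow to this rule via the audit key: |= "ssh_cmd")
{
  # Enable the Linux audit subsystem (kernel side) and the auditd daemon
  # that loads the rules below.
  security.audit.enable = true;
  security.auditd.enable = true;

  # Log exec-family syscalls only from interactive login sessions.
  # auid!=4294967295 means "audit login uid is set" (excludes system
  # services, nix builds); newer audit userspace also accepts "auid!=unset".
  #
  # Both execve and execveat are matched: execveat(2) is a separate
  # syscall, so a rule naming only execve leaves a gap in coverage.
  # The rule is scoped to arch=b64. If 32-bit (compat) binaries can run on
  # this host, add a parallel rule with "-F arch=b32" — omitted here because
  # b32 support is architecture-dependent and fails to load where the
  # kernel has no compat syscall table.
  # The "-k ssh_cmd" key tags every record produced by this rule so it can
  # be filtered in Loki (key="ssh_cmd") or with ausearch -k.
  security.audit.rules = [
    "-a exit,always -F arch=b64 -S execve -S execveat -F auid!=4294967295 -k ssh_cmd"
  ];

  # Forward audit logs to journald (so promtail ships them to Loki)
  services.journald.audit = true;
}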