depot/third_party/nixpkgs/nixos/modules/security/audit.nix

{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.security.audit;
  enabled = cfg.enable == "lock" || cfg.enable;

  failureModes = {
    silent = 0;
    printk = 1;
    panic = 2;
  };

  disableScript = pkgs.writeScript "audit-disable" ''
    #!${pkgs.runtimeShell} -eu
    # Explicitly disable everything, as otherwise journald might start it.
    auditctl -D
    auditctl -e 0 -a task,never
  '';

  # TODO: it seems like people like their rules to be somewhat secret, yet they will not be if
  # put in the store like this. At the same time, it doesn't feel like a huge deal and working
  # around that is a pain so I'm leaving it like this for now.
  startScript = pkgs.writeScript "audit-start" ''
    #!${pkgs.runtimeShell} -eu
    # Clear out any rules we may start with
    auditctl -D

    # Put the rules in a temporary file owned and only readable by root
    rulesfile="$(mktemp)"
    ${lib.concatMapStrings (x: "echo '${x}' >> $rulesfile\n") cfg.rules}

    # Apply the requested rules
    auditctl -R "$rulesfile"

    # Enable and configure auditing
    auditctl \
      -e ${if cfg.enable == "lock" then "2" else "1"} \
      -b ${toString cfg.backlogLimit} \
      -f ${toString failureModes.${cfg.failureMode}} \
      -r ${toString cfg.rateLimit}
  '';

  stopScript = pkgs.writeScript "audit-stop" ''
    #!${pkgs.runtimeShell} -eu
    # Clear the rules
    auditctl -D

    # Disable auditing
    auditctl -e 0
  '';
in
{
  options = {
    security.audit = {
      enable = lib.mkOption {
        type = lib.types.enum [
          false
          true
          "lock"
        ];
        default = false;
        description = ''
          Whether to enable the Linux audit system. The special `lock` value can be used to
          enable auditing and prevent disabling it until a restart. Be careful about locking
          this, as it will prevent you from changing your audit configuration until you
          restart. If possible, test your configuration using build-vm beforehand.
        '';
      };

      failureMode = lib.mkOption {
        type = lib.types.enum [
          "silent"
          "printk"
          "panic"
        ];
        default = "printk";
        description = "How to handle critical errors in the auditing system";
      };

      backlogLimit = lib.mkOption {
        type = lib.types.int;
        default = 64; # Apparently the kernel default
        description = ''
          The maximum number of outstanding audit buffers allowed; exceeding this is
          considered a failure and handled in a manner specified by failureMode.
        '';
      };

      rateLimit = lib.mkOption {
        type = lib.types.int;
        default = 0;
        description = ''
          The maximum messages per second permitted before triggering a failure as
          specified by failureMode. Setting it to zero disables the limit.
        '';
      };

      rules = lib.mkOption {
        type = lib.types.listOf lib.types.str; # (types.either types.str (types.submodule rule));
        default = [ ];
        example = [ "-a exit,always -F arch=b64 -S execve" ];
        description = ''
          The ordered audit rules, with each string appearing as one line of the audit.rules file.
        '';
      };
    };
  };

  config = {
    systemd.services.audit = {
      description = "Kernel Auditing";
      wantedBy = [ "basic.target" ];

      unitConfig = {
        ConditionVirtualization = "!container";
        ConditionSecurity = [ "audit" ];
      };

      path = [ pkgs.audit ];

      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        ExecStart = "@${if enabled then startScript else disableScript} audit-start";
        ExecStop = "@${stopScript} audit-stop";
      };
    };
  };
}