From 07023ebc1892a559cad1f80235a4afb0955b29ab Mon Sep 17 00:00:00 2001 From: Danny Milosavljevic Date: Tue, 4 Jun 2019 09:27:43 +0200 Subject: [PATCH] services: Add auditd. * gnu/services/auditd.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. * doc/guix.texi (Miscellaneous Services): Document it. --- doc/guix.texi | 49 +++++++++++++++++++++++++++++++++++++ gnu/local.mk | 1 + gnu/services/auditd.scm | 54 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 104 insertions(+) create mode 100644 gnu/services/auditd.scm diff --git a/doc/guix.texi b/doc/guix.texi index 996255d9dc..bdfe14c724 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -24114,6 +24114,55 @@ The Containerd package to use. @end table @end deftp +@cindex Audit +@subsubheading Auditd Service + +The @code{(gnu services auditd)} module provides the following service. + +@defvr {Scheme Variable} auditd-service-type + +This is the type of the service that runs +@url{https://people.redhat.com/sgrubb/audit/,auditd}, +a daemon that tracks security-relevant information on your system. + +Examples of things that can be tracked: + +@enumerate +@item +File accesses +@item +System calls +@item +Invoked commands +@item +Failed login attempts +@item +Firewall filtering +@item +Network access +@end enumerate + +@command{auditctl} from the @code{audit} package can be used in order +to add or remove events to be tracked (until the next reboot). +In order to permanently track events, put the command line arguments +of auditctl into @file{/etc/audit/audit.rules}. +@command{aureport} from the @code{audit} package can be used in order +to view a report of all recorded events. +The audit daemon usually logs into the directory @file{/var/log/audit}. + +@end defvr + +@deftp {Data Type} auditd-configuration +This is the data type representing the configuration of auditd. + +@table @asis + +@item @code{audit} (default: @code{audit}) +The audit package to use. + +@end table +@end deftp + @node Setuid Programs @section Setuid Programs diff --git a/gnu/local.mk b/gnu/local.mk index 6878aef44a..203445ef1b 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -501,6 +501,7 @@ GNU_SYSTEM_MODULES = \ %D%/services.scm \ %D%/services/admin.scm \ %D%/services/audio.scm \ + %D%/services/auditd.scm \ %D%/services/avahi.scm \ %D%/services/base.scm \ %D%/services/certbot.scm \ diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm new file mode 100644 index 0000000000..8a9292015f --- /dev/null +++ b/gnu/services/auditd.scm @@ -0,0 +1,54 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2019 Danny Milosavljevic +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu services auditd) + #:use-module (gnu services) + #:use-module (gnu services configuration) + #:use-module (gnu services base) + #:use-module (gnu services shepherd) + #:use-module (gnu packages admin) + #:use-module (guix records) + #:use-module (guix gexp) + #:use-module (guix packages) + #:export (auditd-configuration + auditd-service-type)) + +; /etc/audit/audit.rules + +(define-configuration auditd-configuration + (audit + (package audit) + "Audit package.")) + +(define (auditd-shepherd-service config) + (let* ((audit (auditd-configuration-audit config))) + (list (shepherd-service + (documentation "Auditd allows you to audit file system accesses.") + (provision '(auditd)) + (start #~(make-forkexec-constructor + (list (string-append #$audit "/sbin/auditd")))) + (stop #~(make-kill-destructor)))))) + +(define auditd-service-type + (service-type (name 'auditd) + (description "Allows auditing file system accesses.") + (extensions + (list + (service-extension shepherd-root-service-type + auditd-shepherd-service))) + (default-value (auditd-configuration))))