diff --git a/kyra/security/audit.nix b/kyra/security/audit.nix
new file mode 100644
index 0000000..fb22289
--- /dev/null
+++ b/kyra/security/audit.nix
@@ -0,0 +1,29 @@
+_: {
+ security = {
+ audit = {
+ enable = true;
+ failureMode = 2;
+ rules = [
+ "-a always,exit -F arch=b64 -S mount,umount2,swapon,swapoff -k fs_ops"
+ "-a always,exit -F arch=b64 -S init_module,delete_module,finit_module -k kernel_mods"
+ "-a always,exit -F arch=b64 -S bind,connect,accept -F success=0 -k net_violations"
+ "-w /run/secrets -p r -k secret_read"
+ ];
+ };
+
+ auditd = {
+ enable = true;
+ settings = {
+ flush = "incremental_async";
+ freq = 50;
+ max_log_file = 10;
+ num_logs = 3;
+ max_log_file_action = "rotate";
+ admin_space_left_action = "suspend";
+ disk_full_action = "suspend";
+ disk_error_action = "suspend";
+ log_format = "ENRICHED";
+ };
+ };
+ };
+}
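Review bot: `failureMode = 2;` looks like the raw kernel value rather than the NixOS option's value; as far as I know `security.audit.failureMode` is an enum of `"silent"`, `"printk"` and `"panic"` which the module maps to 0/1/2 itself, so an integer here would fail evaluation — `failureMode = "panic";` is the equivalent, and if panic-on-audit-failure is not actually intended (it is the most disruptive setting, consistent with the `suspend` actions below but worth a comment) `"printk"` is the usual default. Please confirm against the module version this host pins. The syscall rules only cover `arch=b64`; on x86_64 the 32-bit ABI is a separate rule set, so the same `-S` lists should be duplicated with `-F arch=b32` or the reason for omitting them noted next to `rules`. With `max_log_file = 10`, `num_logs = 3` and a `rotate` action, roughly 30 MB of history is retained and the unfiltered `connect`/`bind` rule will churn through it quickly, so the logs should be shipped off-host or the rotation budget raised if the `secret_read`/`kernel_mods` keys are meant to be reviewable after the fact; a short comment on `settings` stating where these logs are forwarded would make the intent clear.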