kyra(hardening): journalctl audit settings

Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>

kyra/security/audit.nix

@@ -0,0 +1,29 @@
+_: {
+  security = {
+    audit = {
+      enable = true;
+      failureMode = 2;
+      rules = [
+        "-a always,exit -F arch=b64 -S mount,umount2,swapon,swapoff -k fs_ops"
+        "-a always,exit -F arch=b64 -S init_module,delete_module,finit_module -k kernel_mods"
+        "-a always,exit -F arch=b64 -S bind,connect,accept -F success=0 -k net_violations"
+        "-w /run/secrets -p r -k secret_read"
+      ];
+    };
+
+    auditd = {
+      enable = true;
+      settings = {
+        flush = "incremental_async";
+        freq = 50;
+        max_log_file = 10;
+        num_logs = 3;
+        max_log_file_action = "rotate";
+        admin_space_left_action = "suspend";
+        disk_full_action = "suspend";
+        disk_error_action = "suspend";
+        log_format = "ENRICHED";
+      };
+    };
+  };
+}

kyra/security/defaults.nix

@@ -0,0 +1,13 @@
+_: {
+  security = {
+    unprivilegedUsernsClone = false;
+    forcePageTableIsolation = true;
+    allowSimultaneousMultithreading = false;
+    protectKernelImage = true;
+    lockKernelModules = true;
+
+    virtualisation = {
+      flushL1DataCache = "always";
+    };
+  };
+}

kyra/services/journalctl.nix

@@ -0,0 +1,14 @@
+_: {
+  services = {
+    journald = {
+      audit = true;
+      storage = "volatile";
+      rateLimitBurst = 1000;
+      rateLimitInterval = "30s";
+      extraConfig = ''
+        RuntimeMaxUse=128M
+        MaxRetentionSec=1day
+      '';
+    };
+  };
+}