services: Add auditd.

* gnu/services/auditd.scm: New file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
* doc/guix.texi (Miscellaneous Services): Document it.

3 files changed, 104 insertions, 0 deletions

diff --git a/doc/guix.texi b/doc/guix.texi
index 996255d9dc..bdfe14c724 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -24114,6 +24114,55 @@ The Containerd package to use.
 @end table
 @end deftp
 
+@cindex Audit
+@subsubheading Auditd Service
+
+The @code{(gnu services auditd)} module provides the following service.
+
+@defvr {Scheme Variable} auditd-service-type
+
+This is the type of the service that runs
+@url{https://people.redhat.com/sgrubb/audit/,auditd},
+a daemon that tracks security-relevant information on your system.
+
+Examples of things that can be tracked:
+
+@enumerate
+@item
+File accesses
+@item
+System calls
+@item
+Invoked commands
+@item
+Failed login attempts
+@item
+Firewall filtering
+@item
+Network access
+@end enumerate
+
+@command{auditctl} from the @code{audit} package can be used in order
+to add or remove events to be tracked (until the next reboot).
+In order to permanently track events, put the command line arguments
+of auditctl into @file{/etc/audit/audit.rules}.
+@command{aureport} from the @code{audit} package can be used in order
+to view a report of all recorded events.
+The audit daemon usually logs into the directory @file{/var/log/audit}.
+
+@end defvr
+
+@deftp {Data Type} auditd-configuration
+This is the data type representing the configuration of auditd.
+
+@table @asis
+
+@item @code{audit} (default: @code{audit})
+The audit package to use.
+
+@end table
+@end deftp
+
 @node Setuid Programs
 @section Setuid Programs
 
diff --git a/gnu/local.mk b/gnu/local.mk
index 6878aef44a..203445ef1b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -501,6 +501,7 @@ GNU_SYSTEM_MODULES =				\
   %D%/services.scm				\
   %D%/services/admin.scm			\
   %D%/services/audio.scm                        \
+  %D%/services/auditd.scm			\
   %D%/services/avahi.scm			\
   %D%/services/base.scm				\
   %D%/services/certbot.scm			\
diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm
new file mode 100644
index 0000000000..8a9292015f
--- /dev/null
+++ b/gnu/services/auditd.scm
@@ -0,0 +1,54 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2019 Danny Milosavljevic <dannym@scratchpost.org>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu services auditd)
+  #:use-module (gnu services)
+  #:use-module (gnu services configuration)
+  #:use-module (gnu services base)
+  #:use-module (gnu services shepherd)
+  #:use-module (gnu packages admin)
+  #:use-module (guix records)
+  #:use-module (guix gexp)
+  #:use-module (guix packages)
+  #:export (auditd-configuration
+            auditd-service-type))
+
+; /etc/audit/audit.rules
+
+(define-configuration auditd-configuration
+  (audit
+   (package audit)
+   "Audit package."))
+
+(define (auditd-shepherd-service config)
+  (let* ((audit (auditd-configuration-audit config)))
+    (list (shepherd-service
+           (documentation "Auditd allows you to audit file system accesses.")
+           (provision '(auditd))
+           (start #~(make-forkexec-constructor
+                     (list (string-append #$audit "/sbin/auditd"))))
+           (stop #~(make-kill-destructor))))))
+
+(define auditd-service-type
+  (service-type (name 'auditd)
+                (description "Allows auditing file system accesses.")
+                (extensions
+                 (list
+                  (service-extension shepherd-root-service-type
+                                     auditd-shepherd-service)))
+                (default-value (auditd-configuration))))