(ChatGPT 5.5 Pro slop) systemd service for NixOS to log all executed commands
# NixOS module: run BCC's execsnoop as a root systemd service so that every
# execve() on the host is written to the journal under the "execsnoop"
# identifier.  The tracer is restarted for as long as the system is up.
{ lib, pkgs, ... }:
let
  # Upper bound on the number of argv entries execsnoop prints per exec.
  maxArgs = 100;

  # Also report execs that failed (execsnoop's --fails); off by default.
  logFails = false;

  # Flags always passed to execsnoop.  NOTE(review): with --quote and
  # --max-args the full command line of every process is recorded, so any
  # secret handed to a program on its command line lands in the journal —
  # keep journal read access restricted accordingly.
  baseArgs = [
    "--time"
    "--quote"
    "--print-uid"
    "--print-cpu"
    "--print-pcomm"
    "--max-args"
    (toString maxArgs)
  ];

  execsnoopArgs =
    assert maxArgs >= 1;
    baseArgs ++ lib.optional logFails "--fails";

  # Small wrapper so ExecStart is a single store path; the argument list is
  # shell-escaped once here rather than interpreted by systemd's own quoting.
  execsnoopRunner = pkgs.writeShellScript "execsnoop-journal" ''
    exec ${pkgs.bcc}/bin/execsnoop ${lib.escapeShellArgs execsnoopArgs}
  '';
in
{
  systemd.services.execsnoop = {
    description = "Trace execve calls to the journal with BCC execsnoop";
    documentation = [
      "https://iovisor.github.io/bcc/man/man8/execsnoop.html"
      "man:systemd.service(5)"
      "man:systemd.unit(5)"
      "man:systemd.exec(5)"
    ];
    wantedBy = [ "multi-user.target" ];

    # execsnoop calls modprobe, so kmod must be on the unit's PATH.
    path = [ pkgs.kmod ];

    # Never give up restarting the tracer: a gap in the exec log is worse
    # than a crash-looping unit.
    unitConfig.StartLimitIntervalSec = 0;

    # execsnoop is a Python program; unbuffered stdout keeps journal lines
    # timely instead of arriving in 4 KiB chunks.
    environment.PYTHONUNBUFFERED = "1";

    serviceConfig = {
      Type = "exec";
      ExecStart = execsnoopRunner;
      Restart = "always";
      RestartSec = "10s";

      # Loading BPF programs and reading /proc for every process needs root.
      User = "root";
      Group = "root";

      StandardOutput = "journal";
      StandardError = "journal";
      SyslogIdentifier = "execsnoop";

      # BPF maps are pinned in locked memory; the default ulimit is too small.
      LimitMEMLOCK = "infinity";

      # SIGINT lets execsnoop detach its probes cleanly, as Ctrl-C would;
      # a plain SIGTERM would kill the Python process outright.
      KillSignal = "SIGINT";
      TimeoutStopSec = "10s";

      # journald rate limit for this unit.  Rebuilds, login storms and
      # fork/exec loops produce bursts; the burst is sized so normal activity
      # is never dropped while still bounding how fast the journal can fill.
      # NOTE(review): anything beyond the burst is dropped for the rest of
      # the interval, so a sustained exec storm will leave a gap in the trace.
      LogRateLimitIntervalSec = "30s";
      LogRateLimitBurst = 200000;

      # Hardening that is known not to get in the way of BPF loading, /proc
      # inspection, tracefs/debugfs or kernel symbol lookup.
      NoNewPrivileges = true;
      LockPersonality = true;
      RestrictSUIDSGID = true;
      ProtectHome = true;
    };
  };
}