nix-config/modules/features/security/security-auditd.nix

{ ... }:
{
  config.dendritic.features.security-auditd = {
    nixosModules = [
      (
        { ... }:
        {
          # start as early in the boot process as possible
          boot.kernelParams = [ "audit=1" ];

          security.auditd.enable = true;
          security.audit.enable = true;

          security.audit.rules = [
            # Log all program executions on 64-bit architecture
            "-a exit,always -F arch=b64 -S execve"
          ];
        }
      )
    ];
  };
}