🛡️ Security & Auditing Diagnostics
This page covers how to inspect system logs for authentication events, failed logins, and administrative actions.
🔐 Viewing Authentication Logs
NixOS aggregates authentication logs via systemd's journal. You can view all login attempts (both successful and failed) by querying the systemd-logind and SSH services.
To view SSH login attempts:
journalctl -u sshd(Note: SSH is disabled by default in the workstation-gui profile. If you have explicitly enabled it, you should monitor these logs).
To view local TTY or graphical login events:
journalctl -u systemd-logind🚨 Auditing Failed Logins
To specifically search the journal for failed authentication attempts across the system:
journalctl | grep "authentication failure"🔑 Privilege Escalation (doas) Auditing
The workstation uses doas instead of sudo for privilege escalation. To see a record of all commands executed with elevated privileges:
journalctl | grep doasThis will show who ran doas, when they ran it, and what command they executed.
👤 Session History
To see a list of users who have recently logged into the system, including when they logged in and out:
lastTo see a list of all users who are currently logged into the system:
whoYubiKey Git Signing
The desktop starts the OpenSSH agent and uses ksshaskpass for FIDO2 PIN fallback. Home Manager reads user.signingKey from the global Git configuration, removes a trailing .pub, and loads the matching FIDO key handle into the agent. Keep user.signingKey pointed at the public key file.
After rebuilding and logging in again, verify the agent and signing path:
systemctl --user status ssh-agent ssh-add-git-signing-key
ssh-add -L
git commit --allow-empty -S -m "test: YubiKey signing"
git verify-commit HEADAfter failed fingerprint verification, the expected fallback is a graphical FIDO2 PIN prompt from ksshaskpass.
Malware Analysis
The desktop includes ClamAV and YARA for manual file analysis. ClamAV signatures are refreshed automatically without running the persistent clamd daemon or on-access scanning.
Inspect the updater and scan a path:
systemctl status clamav-freshclam.timer
journalctl -u clamav-freshclam.service
clamscan --recursive ~/DownloadsRun a YARA rule against a file or directory:
yara rules.yar suspicious-file
yara --recursive rules.yar suspicious-directoryResource Monitoring
Monitor per-process network usage and GPU activity:
doas nethogs
nvtopnvtop is built with support for AMD, Intel, and NVIDIA GPUs. Actual device visibility depends on the installed hardware and graphics driver.