From 0ed60a4352ea9d94059c4f9fd4cc0f17bf4e645f Mon Sep 17 00:00:00 2001
From: Ahwx
Date: Sun, 27 Jul 2025 21:06:47 +0200
Subject: [PATCH] feat: harden sudo configuration a little bit

---
 modules/core/security.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/modules/core/security.nix b/modules/core/security.nix
index f95be92..a7c557e 100644
--- a/modules/core/security.nix
+++ b/modules/core/security.nix
@@ -8,9 +8,17 @@
   security = {
     rtkit.enable = true;
     pam.services.swaylock = { };
+    auditd.enable = true;
+    audit = {
+      enable = true;
+      rules = [
+        "-a exit,always -F arch=b64 -S execve"
+      ];
+    };
     sudo = {
       enable = true;
+      execWheelOnly = true;
       extraRules = [
         {
           groups = [ "wheel" ];
@@ -20,7 +28,7 @@
           options = [ "NOPASSWD" ];
         }
         {
-          command = "/home/liv/.local/src/framework-system/target/debug/framework_tool";
+          command = "/run/current-system/sw/bin/framework_tool --privacy";
           options = [ "NOPASSWD" ];
         }
       ];
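Review bot: The rule added under `audit.rules` watches only the 64-bit syscall ABI and only `execve`, so a process started through `execveat`, or through the 32-bit ABI on an x86_64 host, leaves no audit record; it also carries no `-k` key, so the events cannot be filtered with `ausearch -k`. Consider `"-a exit,always -F arch=b64 -S execve,execveat -k exec"` together with the matching `arch=b32` line when the host is x86_64 (a b32 rule is rejected on architectures without a 32-bit ABI, so it should not be added blindly). Because this rule records every exec on the machine it is high volume on a desktop, which is worth a short comment above `auditd.enable = true;`. The commit title speaks only of sudo, while most of this hunk is audit configuration; the description should say so.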
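Review bot: The new `command` value bakes `--privacy` into the sudoers entry, and sudoers matches arguments literally, so this NOPASSWD grant now covers exactly `framework_tool --privacy` and nothing else; that intent is not obvious from the line and deserves a comment such as `# The argument is part of the match: only "framework_tool --privacy" runs without a password.` The enclosing rule appears to be the `groups = [ "wheel" ]` entry visible in the first hunk, so the grant is group-wide rather than for the single account whose home directory the old path pointed into; if one user needs it, `users = [ "<user>" ]` would be the narrower scope. The `extraRules` list starts and ends outside this hunk.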