Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Verify NixOS has the network firewall enabled with the following command: $ grep firewall.enable /etc/nixos/configuration.nix networking.firewall.enable = true; If "networking.firewall.enable" is not set to "true", is commented out, or is missing, this is a finding.
Configure /etc/nixos/configuration.nix to enforce firewall rules by adding the following configuration settings: networking.firewall.enable = true; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify that emergency or temporary accounts have been provisioned with an expiration date of 72 hours. For every existing emergency or temporary account, run the following command to obtain its account expiration information. $ sudo chage -l system_account_name If any emergency or temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.
Configure the system to terminate emergency or temporary accounts after a 72-hour time period with the following command. Substitute "system_account_name" with the account to be created. $ sudo chage -E "date -d "+3 days" +%Y-%m-%d" system_account_name
Verify NixOS has the audit service configured with the following command: $ grep security.audit /etc/nixos/configuration.nix security.auditd.enable = true; security.audit.enable = true; If auditd, and audit are not set to true or lock, this is a finding.
Configure the system to enable the audit service by adding or updating the following configurations in /etc/nixos/configuration.nix: security.auditd.enable = true; security.audit.enable = true; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify that NixOS locks an account after three unsuccessful login attempts within 15 minutes with the following commands: $ cat /etc/pam.d/login auth required pam_faillock.so preauth deny=3 even_deny_root fail_interval=900 unlock_time=0 dir=/var/log/faillock If the "fail_interval" option is not set to "900" or less (but not "0") on the "preauth" lines with the "pam_faillock" module, or is missing from this line, this is a finding.
Configure NixOS to lock an account when three unsuccessful login attempts occur within 15 minutes. Modify /etc/nixos/configuration.nix to include the following lines: security.pam.services = let pamfile = '' auth required pam_faillock.so preauth silent audit deny=3 fail_interval=900 unlock_time=0 auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=0 auth sufficient pam_faillock.so authsucc account required pam_faillock.so ''; in { login.text = pkgs.lib.mkDefault pamfile; sshd.text = pkgs.lib.mkDefault pamfile; }; Note that the entire pam file must be entered as this pamfile string. Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify that NixOS displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via a command line user login. Check /etc/nixos/configuration.nix and any files imported from it to ensure the attribute "services.getty.helpLine" is defined to the following value with the following command: $ grep -R helpLine /etc/nixos /etc/nixos/configuration.nix:services.getty.helpLine = '' You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ''; If the "services.getty.helpLine" service is not configured with a banner, or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.
Configure NixOS to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via a command line. Add the following to the /etc/nix/configuration.nix file: services.getty.helpLine = '' You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify the operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via an SSH login. Check /etc/nixos/configuration.nix and any files imported from it to ensure the attribute "services.openssh.banner" is defined with the following value with the following command: $ grep -R openssh.banner /etc/nixos /etc/nixos/configuration.nix:services.openssh.banner = '' You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ''; If the "services.openssh.banner" service is not configured with a banner, or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.
Configure NixOS to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via openssh. Add the following to the /etc/nix/configuration.nix file: services.openssh.banner = '' You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the graphical user login with the following command: $ grep -R gdm.banner /etc/nixos /etc/nixos/configuration.nix:services.xserver.displayManager.gdm.banner = "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."; If the "services.xserver.displayManager.gdm.banner" service is not configured with a banner, or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.
Configure NixOS to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via a graphical user login. Add the following to the NixOS configuration: services.xserver.displayManager.gdm.banner = "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS limits the number of concurrent sessions to ten for all accounts and/or account types. Check /etc/nixos/configuration.nix and any files imported from it to ensure the attribute "security.pam.loginLimits" is defined to include the following value with the following command: $ grep -R -A 5 pam.loginLimits /etc/nixos /etc/nixos/configuration.nix:security.pam.loginLimits = [ /etc/nixos/configuration.nix:{ /etc/nixos/configuration.nix:domain = "*"; /etc/nixos/configuration.nix:item = "maxlogins"; /etc/nixos/configuration.nix:type = "hard"; /etc/nixos/configuration.nix:value = "10"; If the "maxlogins" item is missing, commented out, or the value is set greater than "10" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.
Configure the NixOS to limit the number of concurrent sessions to ten for all accounts and/or account types. Add the following to the NixOS configuration: /etc/nixos/configuration.nix security.pam.loginLimits = [ { domain = "*"; item = "maxlogins"; type = "hard"; value = "10"; } ]; Note: Security.pam.loginLimits can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS initiates a session lock after a 10-minute period of inactivity for graphical user login with the following command: $ sudo gsettings get org.gnome.desktop.session idle-delay uint32 600 If "idle-delay" is set to "0" or a value greater than "600", this is a finding.
Configure NixOS to initiate a session lock after a 10-minute period of inactivity for graphical user login. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix: programs.dconf.profiles.user.databases = with lib.gvariant; [ { settings."org/gnome/desktop/session".idle-delay = mkUint32 600; locks = [ "org/gnome/desktop/session/idle-delay" ]; } ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify the NixOS operating system has the "vlock" package installed by running the following command: $ nix-store --query --requisites /run/current-system | cut -d- -f2- | sort | uniq | grep vlock vlock-2.2.2 If the "vlock" package is not installed, this is a finding.
Configure NixOS to have a package that allows user to lock session. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix: environment.systemPackages = [ pkgs.vlock ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Configure the NixOS to monitors remote access methods with the following command: $ grep -R openssh.logLevel /etc/nixos /etc/nixos/configuration.nix:services.openssh.logLevel = "VERBOSE"; If services.openssh.logLevel does not equal VERBOSE, is missing, or is commented out, this is a finding.
Configure the NixOS to monitor remote access methods by adding the following configuration to the /etc/nixos/configuration.nix: services.openssh.logLevel = "VERBOSE"; Rebuild NixOS with the following command: $ sudo nixos-rebuild switch
Verify NixOS is configured to only use ciphers employing FIPS 140-3 approved algorithms with the following command: $ grep -R -A 4 openssh.setting.Ciphers /etc/nixos/configuration.nix:services.openssh.setting.Ciphers = [ /etc/nixos/configuration.nix- "aes256-ctr" /etc/nixos/configuration.nix- "aes192-ctr" /etc/nixos/configuration.nix- "aes128-ctr" /etc/nixos/configuration.nix- ]; If the cipher entries in the "configuration.nix" file have any ciphers other than "aes256-ctr,aes192-ctr,aes128-ctr", the order differs from the example above, they are missing, or commented out, this is a finding.
Configure NixOS to use only ciphers employing FIPS 140-3 approved algorithms. To configure OpenSSH, add the following Nix code to the NixOS Configuration usually located in /etc/nixos/configuration.nix: services.openssh.setting.Ciphers = [ "aes256-ctr" "aes192-ctr" "aes128-ctr" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch A reboot is required for the changes to take effect.
Verify that NixOS has the audit service is installed with the following command: $ nix-store --query --requisites /run/current-system | cut -d- -f2- | sort | uniq | grep audit audit-3.1.2 audit-3.1.2-bin audit-3.1.2-man audit-start audit-stop unit-auditd.service unit-audit.service If the "audit" package is not installed, this is a finding.
Configure NixOS to have the audit service package. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix: environment.systemPackages = [ audit ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS generates audit records for all execution of privileged functions with the following command: $ sudo auditctl -l | grep execve -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv If the command does not return the example output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Configure NixOS to generate audit records for all execution of privileged functions. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rules: security.audit.rules = [ "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv " "-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv " ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS enables auditing of processes that start prior to the audit daemon with the following command: $ grep audit=1 /proc/cmdline BOOT_IMAGE=(hd0,msdos1)/nix/store/glc0midc78caq9sc7pzciymx4c3in7kn-linux-6.1.64/bzImage init=/nix/store/grl4baymr9q60mbcz3sidm4agckn3bx5-nixos-system-nixos-23.1.1.20231129.057f9ae/init audit=1 loglevel=4 If the "audit" entry does not equal "1" or is missing, this is a finding.
Configure NixOS to audit processes that start prior to the audit daemon. Add or update the "boot.kernelParams" configuration in /etc/nixos/configuration.nix to include the following rule: boot.kernelParams = [ "audit=1" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following command: $ grep backlog_limit /proc/cmdline BOOT_IMAGE=(hd0,msdos1)/nix/store/glc0midc78caq9sc7pzciymx4c3in7kn-linux-6.1.64/bzImage init=/nix/store/grl4baymr9q60mbcz3sidm4agckn3bx5-nixos-system-nixos-23.1.1.20231129.057f9ae/init audit=1 audit_backlog_limit=8192 loglevel=4 If the "audit_backlog_limit" entry does not equal "8192" or greater or is missing, this is a finding.
Configure NixOS to allocate sufficient audit_backlog_limit to capture processes that start prior to the audit daemon. Add or update the "boot.kernelParams" configuration in /etc/nixos/configuration.nix to include the following rule: boot.kernelParams = [ "audit_backlog_limit=8192" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS generates an audit record for any successful/unsuccessful use of the "mount" syscall with the following command: $ sudo auditctl -l | grep -w "\-S mount" -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -k privileged-mount -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -k privileged-mount If the command does not return the example output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Configure NixOS to generate audit records for any successful/unsuccessful use of the "mount" syscall. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rule: security.audit.rules = [ "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount" "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS generates an audit record upon successful/unsuccessful attempts to use the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls with the following command: $ sudo auditctl -l | grep -w 'rename\|unlink\|rmdir' -a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=-1 -k delete -a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=-1 -k delete If the command does not return an audit rule for "rename", "unlink", "rmdir", "renameat", and "unlinkat", this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Configure NixOS to generate audit records for any successful/unsuccessful attempts to use the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rule: security.audit.rules = [ "-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete" "-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS generates an audit record upon successful/unsuccessful attempts to use the "init_module", "finit_module", and "delete_module" system calls. Check the auditing rules currently loaded into the audit daemon with the following command: $ sudo auditctl -l | grep -w init_module -a always,exit -F arch=b32 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=-1 -k module_chng -a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=-1 -k module_chng If the command does not return an audit rule for "init_module", "finit_module", and "delete_module", this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Configure /etc/nixos/configuration.nix to log successful/unsuccessful attempts to use the "init_module", "finit_module", and "delete_module" system calls. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rule: security.audit.rules = [ "-a always,exit -F arch=b32 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k module_chng" "-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k module_chng" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS generates an audit record when successful/unsuccessful attempts to modify the cron configuration. Check the auditing rules currently loaded into the audit daemon with the following command: $ sudo auditctl -l | grep -w cron -w /var/cron/tabs/ -p wa -k services -w /var/cron/cron.allow -p wa -k services -w /var/cron/cron.deny -p wa -k services If the command does not return the example output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Configure NixOS to generate audit records when successful/unsuccessful attempts to modify the cron configuration occur. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rule: security.audit.rules = [ "-w /var/cron/tabs/ -p wa -k services" "-w /var/cron/cron.allow -p wa -k services" "-w /var/cron/cron.deny -p wa -k services" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS generates an audit record upon unsuccessful attempts to use the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls. Check the auditing rules currently loaded into the audit daemon with the following command: $ sudo auditctl -l | grep 'open\|truncate\|creat' -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access If the command does not return an audit rule for "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at", this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Configure NixOS to generate audit records for any unsuccessful attempts to use the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rule: security.audit.rules = [ "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" "-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" "-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS generates an audit record upon attempts to use the "chown", "fchown", "fchownat", and "lchown" system calls. Check the auditing rules currently loaded into the audit daemon with the following command: $ sudo auditctl -l | grep chown -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod If the command does not return an audit rule for "chown", "fchown", "fchownat", and "lchown", this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Configure NixOS to generate audit records for any attempts to use the "chown", "fchown", "fchownat", and "lchown" system calls. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rule: security.audit.rules = [ "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod" "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS generates an audit record upon attempts to use the "chmod", "fchmod", and "fchmodat" system calls. Check the auditing rules currently loaded into the audit daemon with the following command: $ sudo auditctl -l | grep chmod -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod If the command does not return an audit rule for "chmod", "fchmod", and "fchmodat, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Configure NixOS to generate audit records for any attempts to use the "chmod", "fchmod", and "fchmodat" system calls. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rule: security.audit.rules = [ "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod" "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: $ sudo grep -w space_left_action /etc/audit/auditd.conf space_left_action = syslog If the "space_left_action" parameter is missing, commented out, or set to blanks, this is a finding. If the "space_left_action" is set to "syslog", the system logs the event, but does not generate a notification, this is a finding. If the "space_left_action" is set to "exec", the system executes a designated script. If this script does not inform the SA of the event, this is a finding. If the "space_left_action" is set to "email" check the value of the "action_mail_acct" parameter with the following command: $ sudo grep action_mail_acct /etc/audit/auditd.conf action_mail_acct root@localhost The "action_mail_acct" parameter, if missing, defaults to "root". If the "action_mail_acct" parameter is not set to the email address of the SA and/or ISSO, this is a finding. Note: If the email address of the SA is on a remote system, a mail package must be available.
Configure NixOS to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. If the space_left_action parameter is set to "syslog", make sure the event being logged generates a notification to the SA and ISSO. If the space_left_action parameter is set to "exec", make sure the command being executed notifies the SA and ISSO. If the space_left_action parameter is set to "email" set the action_mail_acct parameter to an email address for the SA and ISSO. Add or update the 'environment.etc."audit/auditd.conf".text' configuration in /etc/nixos/configuration.nix to include the following: space_left_action = syslog For example, an updated configuration of 'environment.etc."audit/auditd.conf".text' would look like the following in /etc/nixos/configuration.nix ('...' denoting that the 'environment.etc."audit/auditd.conf".text' configuration may have other options configured): environment.etc."audit/auditd.conf".text = [ '' ... space_left_action = syslog ... '' ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity with the following command: $ sudo grep -w admin_space_left_action /etc/audit/auditd.conf admin_space_left_action = syslog If the "admin_space_left_action" parameter is missing, commented out, or set to blanks, this is a finding. If the "admin_space_left_action" is set to "syslog", the system logs the event, but does not generate a notification, this is a finding. If the "admin_space_left_action" is set to "exec", the system executes a designated script. If this script does not inform the SA of the event, this is a finding. If the "admin_space_left_action" is set to "email" check the value of the "action_mail_acct" parameter with the following command: $ sudo grep action_mail_acct /etc/audit/auditd.conf action_mail_acct root@localhost The "action_mail_acct" parameter, if missing, defaults to "root". If the "action_mail_acct" parameter is not set to the email address of the SA and/or ISSO, this is a finding. Note: If the email address of the SA is on a remote system, a mail package must be available.
Configure NixOS to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity. If the space_left_action parameter is set to "syslog", make sure the event being logged generates a notification to the SA and ISSO. If the space_left_action parameter is set to "exec", make sure the command being execute notifies the SA and ISSO. If the space_left_action parameter is set to "email" set the action_mail_acct parameter to an email address for the SA and ISSO. Add or update the 'environment.etc."audit/auditd.conf".text' configuration in /etc/nixos/configuration.nix to include the following: admin_space_left_action = syslog For example, an updated configuration of 'environment.etc."audit/auditd.conf".text' would look like the following in /etc/nixos/configuration.nix ('...' denoting that the 'environment.etc."audit/auditd.conf".text' configuration may have other options configured): environment.etc."audit/auditd.conf".text = [ '' ... admin_space_left_action = syslog ... '' ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following commands: $ sudo grep -w space_left /etc/audit/auditd.conf space_left = 25% If the value of the "space_left" keyword is not set to "25%" or if the line is commented out, this is a finding.
Configure the operating system to initiate an action to notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage. Add or update the 'environment.etc."audit/auditd.conf".text' configuration in /etc/nixos/configuration.nix to include the following: environment.etc."audit/auditd.conf".text = [ '' space_left = 25% '' ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS takes action when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity with the following commands: $ sudo grep -w admin_space_left /etc/audit/auditd.conf admin_space_left = 10% If the value of the "admin_space_left" keyword is not set to "10%" or if the line is commented out, this is a finding.
Configure the operating system to initiate an action to notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity. Add or update the 'environment.etc."audit/auditd.conf".text' configuration in /etc/nixos/configuration.nix to include the following: environment.etc."audit/auditd.conf".text = [ '' admin_space_left = 10% '' ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS takes the appropriate action when the audit storage volume is full. Check that NixOS takes the appropriate action when the audit storage volume is full using the following command: $ sudo grep disk_full_action /etc/audit/auditd.conf disk_full_action = HALT If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator (SA) to indicate how the system takes appropriate action when an audit storage volume is full. If there is no evidence of appropriate action, this is a finding.
Configure NixOS to shut down by default upon audit failure (unless availability is an overriding concern). If availability has been determined to be more important, and this decision is documented with the information system security officer (ISSO), configure the operating system to notify SA staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG". Add or update the 'environment.etc."audit/auditd.conf".text' configuration in /etc/nixos/configuration.nix to include the following (depending on configuration "disk_full_action" can be set to "SYSLOG" or "SINGLE" depending on configuration): environment.etc."audit/auditd.conf".text = [ '' disk_full_action = HALT '' ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS takes the appropriate action when an audit processing failure occurs. Check that NixOS takes the appropriate action when an audit processing failure occurs with the following command: $ sudo grep disk_error_action /etc/audit/auditd.conf disk_error_action = HALT If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator (SA) to indicate how the system takes appropriate action when an audit process failure occurs. If there is no evidence of appropriate action, this is a finding.
Configure NixOS to shut down by default upon audit failure (unless availability is an overriding concern). If availability has been determined to be more important, and this decision is documented with the information system security officer (ISSO), configure the operating system to notify SA staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG". Add or update the 'environment.etc."audit/auditd.conf".text' configuration in /etc/nixos/configuration.nix to include the following (depending on configuration "disk_error_action" can be set to "SYSLOG" or "SINGLE" depending on configuration): environment.etc."audit/auditd.conf".text = [ '' disk_error_action = HALT '' ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify that the syslog-ng service is running with the following command: $ systemctl status syslog-ng.service syslog-ng.service - syslog-ng daemon Loaded: loaded (/etc/systemd/system/syslog-ng.service; enabled; vendor preset: enabled) Active: active (running) since Sat 2022-06-04 02:51:43 UTC; 13min ago If the syslog-ng service is not "active" and "running", this is a finding.
Configure the operating system to offload audit logs. Install the syslog-ng service (if the syslog-ng service is not already installed) and ensure the syslog-ng service is enabled by adding or updating the following configuration in /etc/nixos/configuration.nix: services.syslog-ng.enable = true; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify the audit system off-loads audit records onto a different system or media from the system being audited. List the configured destinations with the following command: $ cat $(egrep -o 'cfgfile=.*\.conf' $(nix-store --query --requisites /run/current-system | grep syslog-ng.service)/syslog-ng.service | awk -F '=' '{print $2}') @version: 4.4 @include "scl.conf" options { keep-hostname(yes); create_dirs(yes); owner(root); group(root); perm(0644); dir_owner(root); dir_group(root); dir_perm(0755); }; source s_local { system(); internal(); }; destination d_local { file("/var/log/messages"); }; destination d_network { syslog( "<remote-logging-server>" port(<port>) transport(tls) tls( cert-file("/var/syslog-ng/certs.d/certificate.crt") key-file("/var/syslog-ng/certs.d/certificate.key") ca-file("/var/syslog-ng/certs.d/cert-bundle.crt") peer-verify(yes) ) ); }; log { source(s_local); destination(d_local); destination(d_network); }; If the configuration does not specify a "log" directive for sources to be sent to a remote destination, or the lines are commented out, ask the system administrator (SA) to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.
Configure the operating system to off-load audit records onto a different system or media from the system being audited by specifying a remote destination in the syslog-ng configuration. Add or update the "services.syslog-ng.extraConfig" configuration in /etc/nixos/configuration.nix to include the following: source s_local { system(); internal(); }; destination d_network { syslog( "<remote-logging-server>" port(<port>) }; log { source(s_local); destination(d_network); }; For example, an updated configuration of services.rsyslogd.extraConfig' would look like the following in /etc/nixos/configuration.nix ('...' denoting that the 'services.rsyslogd.extraConfig' configuration may have other options configured): services.rsyslogd.extraConfig = '' ... source s_local { system(); internal(); }; destination d_network { syslog( "<remote-logging-server>" port(<port>) ... }; log { source(s_local); destination(d_network); }; ... ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify the operating system authenticates the remote logging server for off-loading audit logs. List the configured destinations with the following command: $ cat $(egrep -o 'cfgfile=.*\.conf' $(nix-store --query --requisites /run/current-system | grep syslog-ng.service)/syslog-ng.service | awk -F '=' '{print $2}') @version: 4.4 @include "scl.conf" options { keep-hostname(yes); create_dirs(yes); owner(root); group(root); perm(0644); dir_owner(root); dir_group(root); dir_perm(0755); }; source s_local { system(); internal(); }; destination d_local { file("/var/log/messages"); }; destination d_network { syslog( "<remote-logging-server>" port(<port>) transport(tls) tls( cert-file("/var/syslog-ng/certs.d/certificate.crt") key-file("/var/syslog-ng/certs.d/certificate.key") ca-file("/var/syslog-ng/certs.d/cert-bundle.crt") peer-verify(yes) ) ); }; log { source(s_local); destination(d_local); destination(d_network); }; If the remote destination does not specify "transport(tls)", the remote destination tls configuration does not specify "peer-verify(yes)" or "peer-verify(required-trusted)", or the lines are commented out, ask the system administrator (SA) to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.
Configure the operating system to authenticate the remote logging server for off-loading audit logs. Add or update the "services.syslog-ng.extraConfig" configuration in /etc/nixos/configuration.nix to include the following: destination d_network { syslog( "<remote-logging-server>" port(<port>) transport(tls) tls( cert-file("/var/syslog-ng/certs.d/certificate.crt") key-file("/var/syslog-ng/certs.d/certificate.key") ca-file("/var/syslog-ng/certs.d/cert-bundle.crt") peer-verify(yes) ) ); }; log { source(s_local); destination(d_local); destination(d_network); }; For example, an updated configuration of 'services.rsyslogd.extraConfig' would look like the following in /etc/nixos/configuration.nix ('...' denoting that the 'services.rsyslogd.extraConfig' configuration may have other options configured): services.rsyslogd.extraConfig = '' ... destination d_network { syslog( "<remote-logging-server>" port(<port>) transport(tls) tls( cert-file("/var/syslog-ng/certs.d/certificate.crt") key-file("/var/syslog-ng/certs.d/certificate.key") ca-file("/var/syslog-ng/certs.d/cert-bundle.crt") peer-verify(yes) ) ); }; log { source(s_local); destination(d_local); destination(d_network); }; ... ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify the audit daemon is configured to generate logs that are group-owned by root with the following command: $ sudo grep log_group /etc/audit/auditd.conf log_group = root If the audit daemon is not configured to generate logs that are group-owned by "root", this is a finding.
Configure the audit daemon to generate logs that are group-owned by root. Add or update the 'environment.etc."audit/auditd.conf".text' configuration in /etc/nixos/configuration.nix to include the following: environment.etc."audit/auditd.conf".text = [ '' log_group = root '' ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify the audit directory and logs are owned by "root". First, determine where the audit logs are stored with the following command: $ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the location of the audit log file (if not specified, the default location is "/var/log/audit/audit.log"), determine if the audit log is owned by "root" using the following command: $ sudo find /var/log/audit -exec stat -c "%U %n" {} \; root /var/log/audit root /var/log/audit/audit.log If the audit directory and logs are not owned by "root", this is a finding.
Configure the audit directory and logs to be protected from unauthorized read access, by setting the correct owner as "root". Using the path of the directory containing the audit logs (if not specified, the default location is "/var/log/audit/audit.log"), configure the audit directory and log files to be owned by "root" by using the following command: $ sudo chown -R root /var/log/audit
Verify the audit directory and logs are group-owned by "root". First, determine where the audit logs are stored with the following command: $ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the location of the audit log file (if not specified, the default location is "/var/log/audit/audit.log"), determine if the audit log is group-owned by "root" using the following command: $ sudo find /var/log/audit -exec stat -c "%G %n" {} \; root /var/log/audit root /var/log/audit/audit.log If the audit directory and logs are not group-owned by "root", this is a finding.
Configure the audit directory and logs to be protected from unauthorized read access, by setting the correct group-owner as "root". Using the path of the directory containing the audit logs (if not specified, the default location is "/var/log/audit/audit.log"), configure the audit directory and log files to be group-owned by "root" by using the following command: $ sudo chown -R :root /var/log/audit
Verify that the audit log directory has a mode of "0700" or less permissive. First, determine where the audit logs are stored with the following command: $ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the path of the directory containing the audit logs, check if the audit log directory has a mode of "0700" or less by using the following command: $ sudo find /var/log/audit -type d -exec stat -c "%a %n" {} \; 700 /var/log/audit If the audit log directory (or any subfolders) has a mode more permissive than "0700", this is a finding.
Configure the audit log directory to have a mode of "0700" or less permissive. Using the path of the directory containing the audit logs, configure the audit log directory to have a mode of "0700" or less permissive by using the following command: $ sudo chmod 0700 /var/log/audit
Verify that the audit log files have a mode of "0600" or less permissive. First, determine where the audit logs are stored with the following command: $ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the path of the directory containing the audit logs, check if the audit log files have a mode of "0600" or less by using the following command: $ sudo find /var/log/audit -type f -exec stat -c "%a %n" {} \; 600 /var/log/audit/audit.log If the audit log files have a mode more permissive than "0600", this is a finding.
Verify that the audit log files have a mode of "0600" or less permissive. Using the path of the directory containing the audit logs, configure the audit log files have a mode of "0600" or less by using the following command: $ sudo chmod 0600 /var/log/audit/audit.log
Verify the syslog directories and logs are owned by "root" by executing the following command: $ cat $(egrep -o 'cfgfile=.*\.conf' $(nix-store --query --requisites /run/current-system | grep syslog-ng.service)/syslog-ng.service | awk -F '=' '{print $2}') | grep owner owner(root); dir_owner(root); If any occurrences of "owner" and "dir_owner" are not configured as "root", they are not specified, or they are commented out, this is a finding.
Configure the syslog-ng service to create directories and logs to be protected from unauthorized read access, by setting the correct owner as "root". Note: By specifying these configurations in the "options" sections, these configurations apply globally and take effect when these configuration options are not specified later on specific file-based destinations. If there are also related configurations specified at the destination level, these will either need to be updated or removed such that the global specifications apply. Add or update the "services.syslog-ng.extraConfig" configuration in /etc/nixos/configuration.nix to include the following: services.syslog-ng.extraConfig = '' options { owner(root); dir_owner(root); }; ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify the syslog directories and logs are group-owned by "root" by executing the following command: $ cat $(egrep -o 'cfgfile=.*\.conf' $(nix-store --query --requisites /run/current-system | grep syslog-ng.service)/syslog-ng.service | awk -F '=' '{print $2}') | grep group group(root); dir_group(root); If any occurrences of "group" and "dir_group" are not configured as "root", they are not specified, or they are commented out, this is a finding.
Configure the syslog-ng service to create directories and logs to be protected from unauthorized read access, by setting the correct group-owner as "root". Note: By specifying these configurations in the "options" sections, these configurations apply globally and take effect when these configuration options are not specified later on specific file-based destinations. If there are also related configurations specified at the destination level, these will either need to be updated or removed such that the global specifications apply. Add or update the "services.syslog-ng.extraConfig" configuration in /etc/nixos/configuration.nix to include the following: services.syslog-ng.extraConfig = '' options { group(root); dir_group(root); }; ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS protects audit information from unauthorized read access by implementing a mode of 0750 or less on the creation of log directories with the following command: $ cat $(egrep -o 'cfgfile=.*\.conf' $(nix-store --query --requisites /run/current-system | grep syslog-ng.service)/syslog-ng.service | awk -F '=' '{print $2}') | grep dir_perm dir_perm(0750); If the syslog log directory is not a mode of 0750 or less permissive, this is a finding.
Configure the syslog-ng service to create log directories with a mode of "0750" or less permissive. Note: By specifying these configurations in the "options" sections, these configurations apply globally and take effect when these configuration options are not specified later on specific file-based destinations. If there are also related configurations specified at the destination level, these will either need to be updated or removed such that the global specifications apply. Add or update the "services.syslog-ng.extraConfig" configuration in /etc/nixos/configuration.nix to include the following: services.syslog-ng.extraConfig = '' options { dir_perm(0750); }; ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify that syslog log files have a mode of "0640" or less permissive by executing the following command: $ cat $(egrep -o 'cfgfile=.*\.conf' $(nix-store --query --requisites /run/current-system | grep syslog-ng.service)/syslog-ng.service | awk -F '=' '{print $2}') | grep -w perm perm(0640); If any occurrences of "perm" are not configured as "0640" or less permissive, they are not specified, or they are commented out, this is a finding.
Configure the syslog-ng service to create log files with a mode of "0640" or less permissive. Note: By specifying these configurations in the "options" sections, these configurations apply globally and take effect when these configuration options are not specified later on specific file-based destinations. If there are also related configurations specified at the destination level, these will either need to be updated or removed such that the global specifications apply. Add or update the "services.syslog-ng.extraConfig" configuration in /etc/nixos/configuration.nix to include the following: services.syslog-ng.extraConfig = '' options { perm(0640); }; ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify the audit system prevents unauthorized changes to login UIDs with the following command: $ sudo auditctl -s | grep -i immutable loginuid_immutable 1 locked If the command does not return "loginuid_immutable 1 locked", this is a finding.
Configure NixOS to prevent unauthorized changes to login UIDs. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rule: security.audit.rules = [ "--loginuid-immutable" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify that the NixOS system configuration files have a mode of "0644" or less permissive with the following command: $ sudo find /etc/nixos -type f -exec stat -c "%a %n" {} \; 644 /etc/nixos/configuration.nix 644 /etc/nixos/hardware-configuration.nix If the system configuration files have a mode more permissive than "0644", this is a finding.
Configure the NixOS system configuration files to have a mode of "0644" or less permissive by using the following command: $ sudo find /etc/nixos -type f -exec chmod -R 644 {} \; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify that the NixOS system configuration file directories have a mode of "0755" or less permissive with the following command: $ sudo find /etc/nixos -type d -exec stat -c "%a %n" {} \; 755 /etc/nixos If the system configuration file directories have a mode more permissive than "0755", this is a finding.
Configure the NixOS system configuration file directories to have a mode of "0755" or less permissive by using the following commands: $ sudo find /etc/nixos -type d -exec chmod -R 755 {} \; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify that the NixOS system configuration files and directories are owned by root with the following command: $ sudo find /etc/nixos -exec stat -c "%U %n" {} \; root /etc/nixos root /etc/nixos/configuration.nix root /etc/nixos/hardware-configuration.nix If the system configuration files and directories are not owned by root, this is a finding.
Configure the NixOS system configuration files and directories to be owned by root by using the following command: $ sudo find /etc/nixos -exec chown -R root {} \; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify that the NixOS system configuration files and directories are group-owned by root with the following command: $ sudo find /etc/nixos -exec stat -c "%G %n" {} \; root /etc/nixos root /etc/nixos/configuration.nix root /etc/nixos/hardware-configuration.nix If the system configuration files and directories are not group-owned by root, this is a finding.
Configure the NixOS system configuration files and directories to be group-owned by root by using the following command: $ sudo find /etc/nixos -exec chown -R :root {} \; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS only allows the use of DOD PKI-established certificate authorities by running the following: $ nix-env -iA nixos.openssl $ openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = U.S. Government, OU = DOD, OU = PKI, CN = DOD Root CA 3 Validity Not Before: Mar 20 18:46:41 2012 GMT Not After : Dec 30 18:46:41 2029 GMT Subject: C = US, O = U.S. Government, OU = DOD, OU = PKI, CN = DOD Root CA 3 Subject Public Key Info: Public Key Algorithm: rsaEncryption If the root CA file is not a DOD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location, this is a finding.
Configure /etc/nixos/configuration.nix to authenticate using DOD's root CA by adding the following configuration settings: services.sssd.enable = true; environment.etc."sssd/pki/sssd_auth_ca_db.pem".source = let certzip = pkgs.fetchzip { url = "https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_v5-6_dod.zip"; sha256 = "sha256-iwwJRXCnONk/LFddQlwy8KX9e9kVXW/QWDnX5qZFZjc="; }; in "${certzip}/DOD_PKE_CA_chain.pem"; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify the SSH private key files have a passcode. For each private key stored on the system, use the following command: $ sudo ssh-keygen -y -f /path/to/file If the contents of the key are displayed, this is a finding.
Create new private/public key pairs that use a passcode using the following command: $ sudo ssh-keygen -n [passphrase]
Verify NixOS enforces password complexity by requiring at least one uppercase character with the following command: $ grep ucredit /etc/security/pwquality.conf ucredit=-1 If the value of "ucredit" is a positive number or is commented out, this is a finding.
Configure NixOS to enforce password complexity. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."/security/pwquality.conf".text = '' ucredit=-1 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS enforces password complexity by requiring at least one lowercase character with the following command: $ grep lcredit /etc/security/pwquality.conf lcredit=-1 If the value of "lcredit" is a positive number or is commented out, this is a finding.
Configure NixOS to enforce password complexity. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."/security/pwquality.conf".text = '' lcredit=-1 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS enforces password complexity by requiring at least one numeric character with the following command: $ grep dcredit /etc/security/pwquality.conf dcredit=-1 If the value of "dcredit" is a positive number or is commented out, this is a finding.
Configure NixOS to enforce password complexity. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."/security/pwquality.conf".text = '' dcredit=-1 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS enforces password complexity by requiring that at least 50 percent of the characters are changed with the following command: $ grep difok /etc/security/pwquality.conf difok=8 If the value of "difok" is set to less than "8", or is commented out, this is a finding.
Configure NixOS to enforce password complexity. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."/security/pwquality.conf".text = '' difok=8 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS stores only encrypted representations of passwords with the following command: $ grep ENCRYPT_METHOD /etc/login.defs ENCRYPT_METHOD SHA512 If "ENCRYPT_METHOD" does not equal SHA512 or greater, is commented out, or is missing, this is a finding.
Configure NixOS to store only encrypted representations of passwords. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."login.defs".text = pkgs.lib.mkForce '' ENCRYPT_METHOD SHA256 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Ensure the telnet package is not installed and available with the following command: $ whereis telnet telnet: If there is a path, and the output looks like "telnet: /nix/store/sqiphymcpky1yysgdc1aj4lr9jg9n53a-inetutils-2.2/bin/telnet", this is a finding.
Edit the NixOS Configuration file with "nano /etc/nixos/configuration.nix" and remove any references to pkgs.libtelnet, pkgs.busybox, or pkgs.inetutils from the environment.systemPackages list. Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS enforces 24 hours/one day as the minimum password lifetime with the following command: $ grep PASS_MIN_DAYS /etc/login.defs PASS_MIN_DAYS 1 If PASS_MIN_DAYS_1 is not present, is commented out, or is a value different from 1, this is a finding.
Configure NixOS operating system to enforce 24 hours/one day as the minimum password lifetime. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."login.defs".text = pkgs.lib.mkForce '' PASS_MIN_DAYS 1 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS enforces a 60-day maximum password lifetime for new user accounts by running the following command: $ grep PASS_MAX_DAYS /etc/login.defs PASS_MAX_DAYS 60 If the "PASS_MAX_DAYS" parameter value is less than 60 or commented out, this is a finding.
Configure NixOS operating system to enforce a 60-day maximum password lifetime. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."login.defs".text = pkgs.lib.mkForce '' PASS_MAX_DAYS 60 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS enforces a minimum 15-character password length with the following command: $ grep minlen /etc/security/pwquality.conf minlen=15 If the value of "minlen" is set to less than "15", or is commented out, this is a finding.
Configure NixOS to enforce password complexity. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."/security/pwquality.conf".text = '' minlen=15 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify the NixOS operating system contains no duplicate User IDs (UIDs) for interactive users with the following command: $ awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If output is produced and the accounts listed are interactive user accounts, this is a finding.
Configure the NixOS to uniquely identify and authenticate nonorganizational users by editing the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.
Verify NixOS has the packages required for multifactor authentication installed with the following command: $ grep -R pkgs.opencrypto /etc/nixos pkgs.opencryptoki If the "pkgs.opencryptoki" package is not installed, this is a finding.
Configure NixOS to have a package that enforces multifactor authentication installed. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix: environment.systemPackages = [ pkgs.opencryptoki ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify the NixOS configuration disallows directly logging into the root account via SSH with the following command: $ grep PermitRootLogin /etc/ssh/sshd_config PermitRootLogin no If the value is anything other than "no", this is a finding.
Edit the NixOS Configuration file "/etc/nixos/configuration.nix" to ensure the root user login via SSH is disabled by adding the following text: services.openssh.permitRootLogin = "no"; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify the NixOS operating system prevents directly logging in to the root account with the following command: $ sudo passwd -S root root L 01/02/1970 -1 -1 -1 -1 If the second field in the output is not "L", then the root account is not locked, and this is a finding.
Edit the NixOS Configuration file "/etc/nixos/configuration.nix" to ensure that the root user is locked by adding the following text: users.mutableUsers = false; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS had enabled the use of the USBGuard with the following command: $ systemctl status usbguard usbguard.service - USBGuard daemon Loaded: loaded (/etc/systemd/system/usbguard.service; enabled; present: enabled) Active: active (running) since Sat 2022-06-04 02:51:43 UTC; 13min ago If the usbguard.service is not "active" and "running", this is a finding.
Configure NixOS to enable USBGuard and generate a USBGuard ruleset. Edit /etc/nixos/configuration.nix and add the following: services.usbguard.enable = true; Rebuild the system configuration by running the following command: $ sudo nixos-rebuild switch Then, as root, generate a usbguard configuration. Using the "usbguard" command, use "usbguard list-devices" to list connected USB devices, "usbguard block-device" to block a device, and "usbguard allow-device" to allow a device. Note that the default behavior is to block devices. When all connected USB devices have been permitted, generate a ruleset by running the following command as root: # usbguard generate-policy Then, edit /etc/nixos/configuration.nix to add the policy: services.usbguard.rules = '' allow id 1d6b:0001 serial "0000:00:01.2" name "UHCI Host Controller" hash "FRDEjz7OhdJbNjmJ8zityiNX/LuO+ovKC07I0bOFjao=" parent-hash "9+Zsfvo9IR/AEQ/Fn4mzdoPGk0rqpjku6uErfS09K4c=" with-interface 09:00:00 with-connect-type "" allow id 0627:0001 serial "28754-0000:00:01.2-1" name "QEMU USB Tablet" hash "5TyVK8wyL5GmiIbZV2Sf/ehIRMCP83miy4kOzG6O+2M=" parent-hash "FRDEjz7OhdJbNjmJ8zityiNX/LuO+ovKC07I0bOFjao=" with-interface 03:00:00 with-connect-type "unknown" ''; Note: This ruleset is only an example; generate a policy using the process described above. Rebuild the system configuration by running the following command: $ sudo nixos-rebuild switch
Verify NixOS is configured with the sticky bit on world-writable directories with the following command: $ sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null If any of the returned directories are world-writable and do not have the sticky bit set, this is a finding.
Configure all public directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. Set the sticky bit on all public directories using the following command, replacing "[Public Directory]" with any directory path missing the sticky bit: $ sudo chmod +t [Public Directory]
Verify NixOS is configured to use IPv4 TCP syncookies with the following command: $ sudo sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_syncookies = 1 If the network parameter "ipv4.tcp_syncookies" is not equal to "1" or nothing is returned, this is a finding.
Configure NixOS to use IPv4 TCP syncookies by editing the following in the NixOS configuration /etc/nixos/configuration.nix: boot.kernel.sysctl = { "net.ipv4.tcp_syncookies"=1; }; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify that all network connections associated with SSH traffic are automatically terminated after 10 minutes of becoming unresponsive with the following command: $ grep -i clientaliveinterval /etc/ssh/sshd_config ClientAliveInterval 600 If "ClientAliveInterval" does not have a value of "600" or less, is commented out, or is missing, this is a finding.
Configure NixOS to automatically terminate all network connections associated with SSH traffic after being unresponsive for 10 minutes. Add or edit the following in the NixOS configuration: /etc/nixos/configuration.nix: services.openssh.extraConfig = '' ClientAliveInterval 600 ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify that all network connections associated with SSH traffic are automatically terminated after becoming unresponsive with the following command: $ grep -i clientalivecount /etc/ssh/sshd_config ClientAliveCountMax 1 If "ClientAliveCountMax" is not set to "1", is commented out, or is missing, this is a finding.
Configure NixOS to automatically terminate all network connections associated with SSH traffic after being unresponsive. Add or edit the following in the NixOS configuration: /etc/nixos/configuration.nix: services.openssh.extraConfig = '' ClientAliveCountMax 1 ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. Verify all system partitions are encrypted with the following command: $ sudo blkid /dev/sda1: LABEL="nixos" UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS" Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding.
Configure NixOS to prevent unauthorized modification of all information at rest by using disk encryption. Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. Refer to the NixOS manual Section 8.1 "LUKS-Encrypted File Systems" for further details. NixOS Wiki: https://nixos.wiki/wiki/Full_Disk_Encryption
Verify NixOS enforces the use of at least one special character in passwords with the following command: $ grep minlen /etc/security/pwquality.conf ocredit=-1 If the value of "ocredit" is a positive number or is commented out, this is a finding.
Configure NixOS to enforce password complexity. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."/security/pwquality.conf".text = '' ocredit=-1 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS disables wireless adapters by running the following command: $ grep -R networking.wireless /etc/nixos/ /etc/nixos/configuratino.nix:networking.wireless.enable = false; If " networking.wireless.enable", does not equal false, is missing, or is commented out, this is a finding.
Configure /etc/nixos/configuration.nix to disable wireless interfaces by adding the following configuration settings: networking.wireless.enable = false; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS disables Bluetooth adapters by running the following command: $ grep -R hardware.bluetooth /etc/nixos/ /etc/nixos/configuration.nix:hardware.bluetooth.enable = false; If "hardware.bluetooth.enable", does not equal false, is missing, or is commented out, this is a finding.
Configure /etc/nixos/configuration.nix to disable Bluetooth adapters by adding the following configuration settings: hardware.bluetooth.enable = false; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS audits and provides alerts of audit failures by running the following command: $grep A -15 security.auditd /etc/nixos/configuration.nix /etc/nixos/configuration.nix: security.auditd.enable = true; security.audit.enable = true; security.audit.rules = [ '' <audit_rules> '' ]; security.audit.rules = [ "-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv" "-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv" ]; If "security.auditd", "security.audit" and the additional modifications do not equal true, are missing, or are commented out, this is a finding.
Configure the audit service to produce audit records. Install the audit service (if the audit service is not already installed) and ensure the audit service is enabled by adding or updating the following configurations in /etc/nixos/configuration.nix: security.auditd.enable = true; security.audit.enable = true; Additionally, add the following audit rules: security.audit.rules = [ "-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv" "-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv" ]; Then, rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS is configured with an approved time server with the following command: $ timedatectl show-timesync | grep NTPServers SystemNTPServers=tick.usnogps.navy.mil FallbackNTPServers=tock.usnogps.navy.mil If the output of the command does not list authorized time servers, this is a finding.
Configure /etc/nixos/configuration.nix to use approved timeservers by adding the following configuration settings: networking.timeServers = [ "tick.usnogps.navy.mil" "tock.usnogps.navy.mil" ]; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS synchronizes internal information system clocks to the authoritative time source when the time difference is greater than one second with the following command: $ grep -iR pollinterval /etc/nixos/ services.timesyncd.extraConfig = "PollIntervalMaxSec=60"; If "PollIntervalMaxSec" is greater than "60", is commented out, or is missing, this is a finding.
Configure /etc/nixos/configuration.nix to regularly synchronize the system clock by adding the following configuration settings: services.timesyncd.extraConfig = '' PollIntervalMaxSec=60 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS synchronizes internal information system clocks to the authoritative time source when the time difference is greater than one second with the following command: $ grep -iR timesyncd.enable /etc/nixos/ services.timesyncd.enable = true; If "services.timesyncd.enable" is not set to "true", is commented out, or is missing, this is a finding.
Configure /etc/nixos/configuration.nix to regularly synchronize the system clock by adding the following configuration settings: services.timesyncd.enable = true; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS prevents unauthorized users from using nix with the following command: $ grep -R allowed-users /etc/nixos/ /etc/nixos/configuration.nix:nix.settings.allowed-users = [ "root" "@wheel" ]; If any other groups or users are included in "nix.settings.allowed-users" other than "root" and "wheel", or the configuration setting does not exist, this is a finding.
Configure /etc/nixos/configuration.nix to prevent unauthorized users from using nix by adding the following configuration settings: nix.settings.allowed-users = [ "root" "@wheel" ]; Note: extra usergroups may be permitted by adding them with the format "@group" (e.g.: "@users"). Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS notifies if baseline configurations are changed with Advanced Intrusion Detection Environment with the following commands: $ nix-store --query --requisites /run/current-system | cut -d- -f2- | sort | uniq | grep aide aide-0.18.6 etc-aide.conf $ cat /etc/nixos/configuration.nix | grep -A 5 aide.conf If aide is not installed and is not configured to alert on file system changes, this is a finding.
Configure /etc/nixos/configuration.nix to notify when baseline configuration changes by adding the following configuration settings: nixpkgs.overlays = [ (final: prev: { aide = prev.aide.overrideAttrs (old: { configureFlags = (old.configureFlags or [ ]) ++ [ "--sysconfdir=/etc" ]; }); }) ]; environment.systemPackages = [ pkgs.aide ]; environment.etc = { # Creates /etc/aide.conf "aide.conf" = { text = '' <CONFIG_TEXT> ''; mode = "0444"; }; }; services.cron = { enable = true; systemCronJobs = [ "00 0 * * 0\troot\taide -c /etc/aide.conf --check | /bin/mail -s "aide integrity check run for ${config.networking.hostName}" root@notareal.email" ]; };
Verify NixOS prevents installations that have not been digitally signed with the following command: $ grep -R require-sigs /etc/nixos/ /etc/nixos/configuration.nix:nix.settings.require-sigs = true; If "nix.settings.require-sigs" is not set to "true", is commented out, or is missing, this is a finding.
Configure NixOS to require signatures by adding the following configuration settings: Add or edit the following in the NixOS configuration "/etc/nixos/configuration.nix" file: nix.settings.require-sigs = true; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS enforces reauthentication with sudo with the following command: $ sudo grep timestamp_timeout /etc/sudoers Defaults timestamp_timeout=0 If "timestamp_timeout" is greater than 0, is commented out, or is missing, this is a finding.
Configure /etc/nixos/configuration.nix to enforce reauthentication with sudo by adding the following configuration settings: security.sudo.extraConfig = '' Defaults timestamp_timeout=0 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS requires users to reauthenticate when changing roles with the following command: $ grep -iR wheelneedspassword /etc/nixos/ /etc/nixos/configuration.nix:security.sudo.wheelNeedsPassword = true; If the returned line does not have a value of "true" or is commented out, this is a finding.
Configure NixOS to require reauthentication for sudo by editing the /etc/nixos/configuration.nix with the following: security.sudo.wheelNeedsPassword = true; Rebuild the system configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS uses the following FIPS 140-3 approved MAC codes in openssh with the following command: $grep services.openssh.macs -A 3 /etc/nixos/configuration.nix services.openssh.macs = [ "hmac-sha2-512" "hmac-sha2-256" ]; If "services.openssh.macs" contains any ciphers other than "hmac-sha2-512" or "hmac-sha2-256", this is a finding.
Configure /etc/nixos/configuration.nix to use the following FIPS 140-3 approved MAC codes in openssh by adding the following configuration settings: services.openssh.macs = [ "hmac-sha2-512" "hmac-sha2-256" ]; Then, rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS firewall enforces rate limits using the hashlimit module. $ sudo iptables -L | grep limit nixos-fw-refuse tcp -- anywhere anywhere tcp dpt:ssh limit: above 1000000b/s mode srcip nixos-fw-refuse tcp -- anywhere anywhere tcp dpt:http limit: above 1000/min burst 5 mode srcip nixos-fw-refuse tcp -- anywhere anywhere tcp dpt:https limit: above 1000/min burst 5 mode srcip If the command does not produce any rate limiting rules, this is a finding.
Configure the NixOS firewall to enforce rate limits using the hashlimit module. For example, to limit SSH to 1 MB/s and to limit HTTP to 1000 connections / minute per IP, edit /etc/nixos/configuration.nix and add the following configuration settings: networking.firewall.enable = true; networking.firewall.extraCommands = '' ip46tables --append INPUT --protocol tcp --dport 22 --match hashlimit --hashlimit-name stig_byte_limit --hashlimit-mode srcip --hashlimit-above 1000000b/second --jump nixos-fw-refuse ip46tables --append INPUT --protocol tcp --dport 80 --match hashlimit --hashlimit-name stig_conn_limit --hashlimit-mode srcip --hashlimit-above 1000/minute --jump nixos-fw-refuse ip46tables --append INPUT --protocol tcp --dport 443 --match hashlimit --hashlimit-name stig_conn_limit --hashlimit-mode srcip --hashlimit-above 1000/minute --jump nixos-fw-refuse ''; Note: NixOS provides the helper script "ip46tables" to add rules using both "iptables" and "ip6tables". Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS to enables sshd for secure, confidentially preserving remote access with the following command: $ systemctl status sshd sshd.service - SSH daemon Loaded: loaded (/etc/systemd/system/sshd.service; enabled; present: enabled) Active: active (running) since Sat 2022-06-04 02:51:43 UTC; 13min ago If the sshd.service is not "active" and "running", this is a finding.
Configure NixOS to enable sshd for secure, confidentially-preserving remote access by adding the following option to /etc/nixos/configuration.nix. services.sshd.enable = true; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS prevents internal kernel addresses from being leaked with the following command: $ sudo sysctl kernel.kptr_restrict kernel.kptr_restrict = 1 If "kernel.kptr_restrict" does not have a value of "1" or is missing, this is a finding.
Configure NixOS to prevent internal kernel addresses from being leaked by editing /etc/nixos/configuration.nix to add the following: boot.kernel.sysctl = { "kernel.kptr_restrict" = 1; }; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS enables address space layout randomization with the following command: $ sudo sysctl kernel.randomize_va_space kernel.randomize_va_space = 2 If "kernel.randomize_va_space" does not have a value of "2" or is missing, this is a finding.
Configure /etc/nixos/configuration.nix to enable ASLR by adding the following configuration settings: boot.kernel.sysctl = { "kernel.randomize_va_space" = 2; }; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS removes all software components after updated versions have been installed by reviewing /etc/nixos/configuration.nix and remove any references to outdated versions of nixpkgs. If any outdated versions of nixpkgs are present in the configuration.nix file, this is a finding.
After updating NixOS (either via "cd /etc/nixos; sudo nix flake update; sudo nixos-rebuild switch" or "sudo nixos-rebuild switch –upgrade"), reboot the system to ensure all running software comes from the current active NixOS generation. Edit /etc/nixos/configuration.nix and remove any references to outdated versions of nixpkgs.
Verify the NixOS generates audit records when successful/unsuccessful attempts to modify security objects occur with the following command: $ sudo auditctl -l | grep xattr -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod If the command does not return an audit rule for "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr", this is a finding.
Configure /etc/nixos/configuration.nix to log attempts to modify security objects by adding the following configuration settings: security.audit.rules = [ "-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod" "-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod" "-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod" "-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod" ]; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS generates audit records when attempts to delete privileges occur with the following command: $ sudo auditctl -l | grep usermod -a always,exit -S all -F path=/run/current-system/sw/bin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod If the command does not return an audit rule for "usermod", this is a finding.
Configure /etc/nixos/configuration.nix to record attempts to delete privileges by adding the following configuration settings: security.audit.rules = [ "-a always,exit -F path=/run/current-system/sw/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod" ]; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify that NixOS generates audit records when successful/unsuccessful attempts to delete security objects occur with the following command: $ sudo auditctl -l | grep /bin/ch -a always,exit -S all -F path=/run/current-system/sw/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage -a always,exit -S all -F path=/run/current-system/sw/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_mod If the command does not return an audit rule for "chage" and "chcon", this is a finding.
Configure /etc/nixos/configuration.nix to audit attempts to delete security objects by adding the following configuration settings: security.audit.rules = [ "-a always,exit -F path=/run/current-system/sw/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage" "-a always,exit -F path=/run/current-system/sw/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod" ]; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS is configured to generate audit records with the following command: $ sudo auditctl -l | grep -w lastlog -w /var/log/lastlog -p wa -k logins If the command does not return a watch for the lastlog file, this is a finding.
Modify NixOS to generate audit logs on account creations and modifications. Edit /etc/nixos/configuration.nix and ensure the following options are configured: security.audit.rules = [ "-w /var/log/lastlog -p wa -k logins" ]; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS is configured to generate audit records on account events with the following command: $ sudo auditctl -l | grep /etc -w /etc/sudoers -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/group -p wa -k identity -w /etc/security/opasswd -p wa -k identity If the output from the command does not include the example output, this is a finding.
Modify NixOS to generate audit logs on account creations and modifications. Edit /etc/nixos/configuration.nix and ensure the following options are configured: security.audit.rules = [ "-w /etc/sudoers -p wa -k identity" "-w /etc/passwd -p wa -k identity" "-w /etc/shadow -p wa -k identity" "-w /etc/gshadow -p wa -k identity" "-w /etc/group -p wa -k identity" "-w /etc/security/opasswd -p wa -k identity" ]; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS is configured to operate in FIPS mode with the following command: $ grep fips /proc/cmdline BOOT_IMAGE=(hd0,msdos1)/nix/store/glc0midc78caq9sc7pzciymx4c3in7kn-linux-6.1.64/bzImage init=/nix/store/grl4baymr9q60mbcz3sidm4agckn3bx5-nixos-system-nixos-23.1.1.20231129.057f9ae/init audit=1 audit_backlog_limit=8192 fips=1 loglevel=4 If the "fips" entry does not equal "1" or is missing, this is a finding.
Configure NixOS to run in FIPS mode. Add "fips=1" to the kernel parameters by adding to the boot.kernelParams option in /etc/nixos/configuration.nix: boot.kernelParams = [ "fips=1" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch A reboot is required for the changes to take effect.
Verify NixOS prevents the use of dictionary words for passwords with the following command: $ grep dict /etc/security/pwquality.conf dictcheck=1 If the value of "ocredit" is a positive number or is commented out, this is a finding.
Configure NixOS to check password change attempts against a dictionary. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."/security/pwquality.conf".text = '' dictcheck=1 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS prevents the use of dictionary words for passwords with the following command: $ grep -i pam_pwquality /etc/pam.d/passwd /etc/pam.d/chpasswd /etc/pam.d/sudo /etc/pam.d/passwd:password requisite /nix/store/db96zr26w71dzx0bzf47d88kw19fr0l7-libpwquality-1.4.5.-lib/lib/security/pam_pwquality.so /etc/pam.d/chpasswd:password requisite /nix/store/db96zr26w71dzx0bzf47d88kw19fr0l7-libpwquality-1.4.5.-lib/lib/security/pam_pwquality.so /etc/pam.d/sudo:password requisite /nix/store/db96zr26w71dzx0bzf47d88kw19fr0l7-libpwquality-1.4.5.-lib/lib/security/pam_pwquality.so If the pam_pwquality.so module is not present in the passwd, chpasswd, and sudo pam files, this is a finding.
Configure NixOS to check password change attempts against a dictionary. Add the following Nix code to the NixOS Configuration usually located in /etc/nixos/configuration.nix security.pam.services.passwd.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore "password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so"); security.pam.services.chpasswd.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore "password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so"); security.pam.services.sudo.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore "password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so"); Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify the NixOS operating system enforces a four-second delay between login attempts with the following command: $ grep -I delay /etc/login.defs FAIL_DELAY 4 If "FAIL_DELAY" is not set to "4" or greater, is commented out, or is missing, this is a finding.
Configure NixOS operating system to enforce a four-second delay between login attempts. Add the following Nix code to the NixOS Configuration usually located in /etc/nixos/configuration.nix environment.etc."login.defs".text = pkgs.lib.mkForce '' FAIL_DELAY 4 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS does not allow an unattended or automatic login to the system via the console with the following command: $ grep -iR autologin.user /etc/nixos If "services.xserver.displayManager.autoLogin.user" is defined and is not "null", this is a finding.
Configure the operating system to not allow an unattended or automatic login to the system via the console. Note: Once set, the system must be rebooted for any changes to apply. Add or update the following configuration in /etc/nixos/configuration.nix: services.xserver.displayManager.autoLogin.user = null; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS is configured to use AppArmor with the following command: $ sudo systemctl status apparmor.service apparmor.service - Load AppArmor policies Loaded: loaded (/etc/systemd/system/apparmor.service; enabled; present: enabled) Active: active (running) since Sat 2022-06-04 02:51:43 UTC; 13min ago If the "apparmor.service" is not enabled and active, this is a finding.
Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix. security.apparmor.enable = true; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch && reboot
Verify NixOS disables account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity with the following command: $ grep -i inactive /etc/default/useradd INACTIVE=35 If INACTIVE is not set to 35 or less, or is missing or commented out, this is a finding.
Configure the NixOS operating system to disable inactive users. Add the following Nix code to the NixOS Configuration usually located in /etc/nixos/configuration.nix. Ensure that utils and lib modules are available { config, pkgs, lib, utils, ... }: environment.etc."/default/useradd".text = pkgs.lib.mkForce '' INACTIVE=35 ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS uses employs approved cryptographic hashing algorithms for all stored passwords with the following command: (Change <unique-username> to the desired user to verify.) $ sudo cat /etc/shadow | grep "<unique-username>" | cut -d'$' -f2 If the command does not return 6 for SHA512, this is a finding.
Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512.
Verify NixOS employs strong authentication in the establishment of nonlocal sessions with SSH by the following command: $ sudo /run/current-system/sw/bin/sshd -G | grep pam usepam yes If usepam is not yes, this is a finding.
Configure the NixOS operating system to use strong authentication when establishing nonlocal maintenance and diagnostic sessions. Add or modify the following line to /etc/nixos/configuration.nix: openssh.settings.UsePAM = ''yes''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS provides authentication via the security and pam modules with the following command: $ cat /etc/nixos/configuration.nix | grep -A 1 security.pam.p11 security.pam.p11.enable = true; If security.pam.p11.enable is not. "true", is not present or is commented out, this is a finding.
Configure the NixOS operating system to use strong authentication when establishing nonlocal maintenance and diagnostic sessions. Add or modify the following line to /etc/nixos/configuration.nix: security.pam.p11.enable = true; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS, for PKI-based authentication, only caches authenticators for one day with the following command: $ sudo grep expiration /etc/sssd/sssd.conf offline_credentials_expiration = 1 If the offline_credentials_expiration is not set to "1" or is commented out, this is a finding.
Configure /etc/nixos/configuration.nix to prohibit the use of cached credentials older than one day by adding the following configuration settings. Note that the entire sssd.conf must be entered in this option: services.sssd.config = '' ... [pam] offline_credentials_expiration = 1 ... ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch
Verify NixOS, for PKI-based authentication, uses local revocation data when unable to access the network to obtain it remotely with the following command: $ grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf cert_policy = ca,signature,ocsp_on, crl_auto; If the cert_policy does not contain the options in the example output, this is a finding.
Configure the NixOS operating system, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely. Add the following Nix code to the NixOS Configuration usually located in /etc/nixos/configuration.nix: security.pam.p11.enable = true; environment.etc."pam_pkcs11/pam_pkcs11.conf".text = '' cert_policy = ca,signature,ocsp_on, crl_auto; ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Verify NixOS is running a supported version with the following command: $ nixos-version 23.11.20231129.057f9ae (Tapir) If the NixOS is not running a supported version, this is a finding.
Update to a supported version of the operating system.
Verify the NixOS operating system to change default file permissions so users may only modify their own files. Ensure the following settings are present in the /etc/nixos/configuration.nix file: { config, pkgs, lib, ... }: environment.etc = { ""login.defs"".source = lib.mkForce (pkgs.writeText ""login.defs"" '' DEFAULT_HOME yes SYS_UID_MIN 400 SYS_UID_MAX 999 UID_MIN 1000 UID_MAX 29999 SYS_GID_MIN 400 SYS_GID_MAX 999 GID_MIN 1000 GID_MAX 29999 TTYGROUP tty TTYPERM 0620 # Ensure privacy for newly created home directories. UMASK 077 # Uncomment this and install chfn SUID to allow nonroot # users to change their account GECOS information. # This should be made configurable. #CHFN_RESTRICT frwh ''; }; If the above configurations are not present in the configuration.nix file, this is a finding.
Configure the NixOS operating system to change default file permissions so users may only modify their own files. Add the following Nix code to the NixOS Configuration usually located in /etc/nixos/configuration.nix: { config, pkgs, lib, ... }: environment.etc = { ""login.defs"".source = lib.mkForce (pkgs.writeText ""login.defs"" '' DEFAULT_HOME yes SYS_UID_MIN 400 SYS_UID_MAX 999 UID_MIN 1000 UID_MAX 29999 SYS_GID_MIN 400 SYS_GID_MAX 999 GID_MIN 1000 GID_MAX 29999 TTYGROUP tty TTYPERM 0620 # Ensure privacy for newly created home directories. UMASK 077 # Uncomment this and install chfn SUID to allow nonroot # users to change their account GECOS information. # This should be made configurable. #CHFN_RESTRICT frwh ''; }; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch