Anduril NixOS Security Technical Implementation Guide

  • Version/Release: V1R1
  • Published: 2024-10-25
  • Released: 2024-10-22
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
NixOS must enable the built-in firewall.
AC-17 - Medium - CCI-002322 - V-268078 - SV-268078r1039122_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-002322
Version
ANIX-00-000010
Vuln IDs
  • V-268078
Rule IDs
  • SV-268078r1039122_rule
Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking place would not be immediately stopped. Operating system remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of mission's functions and the need to eliminate immediate or future remote access to organizational information systems. The remote access functionality (e.g., RDP) may implement features such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack. Satisfies: SRG-OS-000298-GPOS-00116, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00232
Checks: C-72002r1039120_chk

Verify NixOS has the network firewall enabled with the following command: $ grep firewall.enable /etc/nixos/configuration.nix networking.firewall.enable = true; If "networking.firewall.enable" is not set to "true", is commented out, or is missing, this is a finding.

Fix: F-71905r1039121_fix

Configure /etc/nixos/configuration.nix to enforce firewall rules by adding the following configuration settings: networking.firewall.enable = true; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS emergency or temporary user accounts must be provisioned with an expiration time of 72 hours or less.
AC-2 - Medium - CCI-000016 - V-268079 - SV-268079r1039591_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000016
Version
ANIX-00-000020
Vuln IDs
  • V-268079
Rule IDs
  • SV-268079r1039591_rule
If emergency or temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all emergency or temporary accounts must be set upon account creation. Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Emergency accounts are different from infrequently used accounts (i.e., local login accounts used by the organization's system administrators when network or normal login/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. Satisfies: SRG-OS-000002-GPOS-00002, SRG-OS-000123-GPOS-00064
Checks: C-72003r1039123_chk

Verify that emergency or temporary accounts have been provisioned with an expiration date of 72 hours. For every existing emergency or temporary account, run the following command to obtain its account expiration information. $ sudo chage -l system_account_name If any emergency or temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.

Fix: F-71906r1039124_fix

Configure the system to terminate emergency or temporary accounts after a 72-hour time period with the following command. Substitute "system_account_name" with the account to be created. $ sudo chage -E "date -d "+3 days" +%Y-%m-%d" system_account_name

b
NixOS must enable the audit daemon.
AC-2 - Medium - CCI-000018 - V-268080 - SV-268080r1039128_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000018
Version
ANIX-00-000030
Vuln IDs
  • V-268080
Rule IDs
  • SV-268080r1039128_rule
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. Note: For the "security.audit.enable" configuration, both "true" and "lock" are valid values. The "true" value allows for loading of audit rules (synonymous with "-e 1" in audit rules), while the "lock" value loads audit rules and enforces that the rules cannot be changed without the system rebooting (synonymous with "-e 2"). Setting this value to "lock" is recommended to be performed as the final step in configuring the audit daemon. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000254-GPOS-00095, SRG-OS-000344-GPOS-00135, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000122-GPOS-00063, SRG-OS-000358-GPOS-00145
Checks: C-72004r1039126_chk

Verify NixOS has the audit service configured with the following command: $ grep security.audit /etc/nixos/configuration.nix security.auditd.enable = true; security.audit.enable = true; If auditd, and audit are not set to true or lock, this is a finding.

Fix: F-71907r1039127_fix

Configure the system to enable the audit service by adding or updating the following configurations in /etc/nixos/configuration.nix: security.auditd.enable = true; security.audit.enable = true; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period.
AC-7 - Medium - CCI-000044 - V-268081 - SV-268081r1039549_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
ANIX-00-000040
Vuln IDs
  • V-268081
Rule IDs
  • SV-268081r1039549_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128, SRG-OS-000470-GPOS-00214
Checks: C-72005r1039547_chk

Verify that NixOS locks an account after three unsuccessful login attempts within 15 minutes with the following commands: $ cat /etc/pam.d/login auth required pam_faillock.so preauth deny=3 even_deny_root fail_interval=900 unlock_time=0 dir=/var/log/faillock If the "fail_interval" option is not set to "900" or less (but not "0") on the "preauth" lines with the "pam_faillock" module, or is missing from this line, this is a finding.

Fix: F-71908r1039548_fix

Configure NixOS to lock an account when three unsuccessful login attempts occur within 15 minutes. Modify /etc/nixos/configuration.nix to include the following lines: security.pam.services = let pamfile = '' auth required pam_faillock.so preauth silent audit deny=3 fail_interval=900 unlock_time=0 auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=0 auth sufficient pam_faillock.so authsucc account required pam_faillock.so ''; in { login.text = pkgs.lib.mkDefault pamfile; sshd.text = pkgs.lib.mkDefault pamfile; }; Note that the entire pam file must be entered as this pamfile string. Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user login.
AC-8 - Medium - CCI-000048 - V-268082 - SV-268082r1039551_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
ANIX-00-000050
Vuln IDs
  • V-268082
Rule IDs
  • SV-268082r1039551_rule
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreement." 2) Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
Checks: C-72006r1039550_chk

Verify that NixOS displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via a command line user login. Check /etc/nixos/configuration.nix and any files imported from it to ensure the attribute "services.getty.helpLine" is defined to the following value with the following command: $ grep -R helpLine /etc/nixos /etc/nixos/configuration.nix:services.getty.helpLine = '' You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ''; If the "services.getty.helpLine" service is not configured with a banner, or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.

Fix: F-71909r1039133_fix

Configure NixOS to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via a command line. Add the following to the /etc/nix/configuration.nix file: services.getty.helpLine = '' You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via an SSH login.
AC-8 - Medium - CCI-000048 - V-268083 - SV-268083r1039553_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
ANIX-00-000060
Vuln IDs
  • V-268083
Rule IDs
  • SV-268083r1039553_rule
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreement." 2) Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
Checks: C-72007r1039552_chk

Verify the operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via an SSH login. Check /etc/nixos/configuration.nix and any files imported from it to ensure the attribute "services.openssh.banner" is defined with the following value with the following command: $ grep -R openssh.banner /etc/nixos /etc/nixos/configuration.nix:services.openssh.banner = '' You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ''; If the "services.openssh.banner" service is not configured with a banner, or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.

Fix: F-71910r1039136_fix

Configure NixOS to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via openssh. Add the following to the /etc/nix/configuration.nix file: services.openssh.banner = '' You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user login.
AC-8 - Medium - CCI-000048 - V-268084 - SV-268084r1039592_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
ANIX-00-000070
Vuln IDs
  • V-268084
Rule IDs
  • SV-268084r1039592_rule
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreement." 2) Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088
Checks: C-72008r1039554_chk

Verify NixOS displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the graphical user login with the following command: $ grep -R gdm.banner /etc/nixos /etc/nixos/configuration.nix:services.xserver.displayManager.gdm.banner = "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."; If the "services.xserver.displayManager.gdm.banner" service is not configured with a banner, or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.

Fix: F-71911r1039555_fix

Configure NixOS to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via a graphical user login. Add the following to the NixOS configuration: services.xserver.displayManager.gdm.banner = "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

a
NixOS must be configured to limit the number of concurrent sessions to ten for all accounts and/or account types.
AC-10 - Low - CCI-000054 - V-268085 - SV-268085r1039143_rule
RMF Control
AC-10
Severity
Low
CCI
CCI-000054
Version
ANIX-00-000090
Vuln IDs
  • V-268085
Rule IDs
  • SV-268085r1039143_rule
Operating system management includes the ability to control the number of users and user sessions that use an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.
Checks: C-72009r1039141_chk

Verify NixOS limits the number of concurrent sessions to ten for all accounts and/or account types. Check /etc/nixos/configuration.nix and any files imported from it to ensure the attribute "security.pam.loginLimits" is defined to include the following value with the following command: $ grep -R -A 5 pam.loginLimits /etc/nixos /etc/nixos/configuration.nix:security.pam.loginLimits = [ /etc/nixos/configuration.nix:{ /etc/nixos/configuration.nix:domain = "*"; /etc/nixos/configuration.nix:item = "maxlogins"; /etc/nixos/configuration.nix:type = "hard"; /etc/nixos/configuration.nix:value = "10"; If the "maxlogins" item is missing, commented out, or the value is set greater than "10" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix: F-71912r1039142_fix

Configure the NixOS to limit the number of concurrent sessions to ten for all accounts and/or account types. Add the following to the NixOS configuration: /etc/nixos/configuration.nix security.pam.loginLimits = [ { domain = "*"; item = "maxlogins"; type = "hard"; value = "10"; } ]; Note: Security.pam.loginLimits can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must initiate a session lock after a 10-minute period of inactivity for graphical user login.
AC-11 - Medium - CCI-000057 - V-268086 - SV-268086r1039559_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
ANIX-00-000110
Vuln IDs
  • V-268086
Rule IDs
  • SV-268086r1039559_rule
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled.
Checks: C-72010r1039557_chk

Verify NixOS initiates a session lock after a 10-minute period of inactivity for graphical user login with the following command: $ sudo gsettings get org.gnome.desktop.session idle-delay uint32 600 If "idle-delay" is set to "0" or a value greater than "600", this is a finding.

Fix: F-71913r1039558_fix

Configure NixOS to initiate a session lock after a 10-minute period of inactivity for graphical user login. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix: programs.dconf.profiles.user.databases = with lib.gvariant; [ { settings."org/gnome/desktop/session".idle-delay = mkUint32 600; locks = [ "org/gnome/desktop/session/idle-delay" ]; } ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must provide the capability for users to directly initiate a session lock for all connection types.
AC-11 - Medium - CCI-000057 - V-268087 - SV-268087r1039606_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
ANIX-00-000120
Vuln IDs
  • V-268087
Rule IDs
  • SV-268087r1039606_rule
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, operating systems need to provide users with the ability to manually invoke a session lock so users may secure their session should the need arise for them to temporarily vacate the immediate physical vicinity. Satisfies: SRG-OS-000030-GPOS-00011, SRG-OS-000028-GPOS-00009, SRG-OS-000031-GPOS-00012
Checks: C-72011r1039147_chk

Verify the NixOS operating system has the "vlock" package installed by running the following command: $ nix-store --query --requisites /run/current-system | cut -d- -f2- | sort | uniq | grep vlock vlock-2.2.2 If the "vlock" package is not installed, this is a finding.

Fix: F-71914r1039606_fix

Configure NixOS to have a package that allows user to lock session. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix: environment.systemPackages = [ pkgs.vlock ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must monitor remote access methods.
AC-17 - Medium - CCI-000067 - V-268088 - SV-268088r1039596_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
ANIX-00-000140
Vuln IDs
  • V-268088
Rule IDs
  • SV-268088r1039596_rule
Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to detect cyberattacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
Checks: C-72012r1039150_chk

Configure the NixOS to monitors remote access methods with the following command: $ grep -R openssh.logLevel /etc/nixos /etc/nixos/configuration.nix:services.openssh.logLevel = "VERBOSE"; If services.openssh.logLevel does not equal VERBOSE, is missing, or is commented out, this is a finding.

Fix: F-71915r1039151_fix

Configure the NixOS to monitor remote access methods by adding the following configuration to the /etc/nixos/configuration.nix: services.openssh.logLevel = "VERBOSE"; Rebuild NixOS with the following command: $ sudo nixos-rebuild switch

c
NixOS must implement DOD-approved encryption to protect the confidentiality of remote access sessions.
AC-17 - High - CCI-000068 - V-268089 - SV-268089r1039597_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
ANIX-00-000150
Vuln IDs
  • V-268089
Rule IDs
  • SV-268089r1039597_rule
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000250-GPOS-00093, SRG-OS-000394-GPOS-00174
Checks: C-72013r1039153_chk

Verify NixOS is configured to only use ciphers employing FIPS 140-3 approved algorithms with the following command: $ grep -R -A 4 openssh.setting.Ciphers /etc/nixos/configuration.nix:services.openssh.setting.Ciphers = [ /etc/nixos/configuration.nix- "aes256-ctr" /etc/nixos/configuration.nix- "aes192-ctr" /etc/nixos/configuration.nix- "aes128-ctr" /etc/nixos/configuration.nix- ]; If the cipher entries in the "configuration.nix" file have any ciphers other than "aes256-ctr,aes192-ctr,aes128-ctr", the order differs from the example above, they are missing, or commented out, this is a finding.

Fix: F-71916r1039154_fix

Configure NixOS to use only ciphers employing FIPS 140-3 approved algorithms. To configure OpenSSH, add the following Nix code to the NixOS Configuration usually located in /etc/nixos/configuration.nix: services.openssh.setting.Ciphers = [ "aes256-ctr" "aes192-ctr" "aes128-ctr" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch A reboot is required for the changes to take effect.

b
The NixOS audit package must be installed.
AU-3 - Medium - CCI-000130 - V-268090 - SV-268090r1039158_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
ANIX-00-000160
Vuln IDs
  • V-268090
Rule IDs
  • SV-268090r1039158_rule
Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000054-GPOS-00025, SRG-OS-000055-GPOS-00026, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000255-GPOS-00096, SRG-OS-000303-GPOS-00120, SRG-OS-000327-GPOS-00127
Checks: C-72014r1039156_chk

Verify that NixOS has the audit service is installed with the following command: $ nix-store --query --requisites /run/current-system | cut -d- -f2- | sort | uniq | grep audit audit-3.1.2 audit-3.1.2-bin audit-3.1.2-man audit-start audit-stop unit-auditd.service unit-audit.service If the "audit" package is not installed, this is a finding.

Fix: F-71917r1039157_fix

Configure NixOS to have the audit service package. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix: environment.systemPackages = [ audit ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must generate audit records for all usage of privileged commands.
AU-3 - Medium - CCI-000135 - V-268091 - SV-268091r1039161_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000135
Version
ANIX-00-000210
Vuln IDs
  • V-268091
Rule IDs
  • SV-268091r1039161_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, SRG-OS-000755-GPOS-00220
Checks: C-72015r1039159_chk

Verify NixOS generates audit records for all execution of privileged functions with the following command: $ sudo auditctl -l | grep execve -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv If the command does not return the example output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-71918r1039160_fix

Configure NixOS to generate audit records for all execution of privileged functions. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rules: security.audit.rules = [ "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv " "-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv " ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must enable auditing of processes that start prior to the audit daemon.
AU-3 - Medium - CCI-000135 - V-268092 - SV-268092r1039560_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000135
Version
ANIX-00-000250
Vuln IDs
  • V-268092
Rule IDs
  • SV-268092r1039560_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DOD has defined the list of events for which NixOS will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful login attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logins from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions.
Checks: C-72016r1039162_chk

Verify NixOS enables auditing of processes that start prior to the audit daemon with the following command: $ grep audit=1 /proc/cmdline BOOT_IMAGE=(hd0,msdos1)/nix/store/glc0midc78caq9sc7pzciymx4c3in7kn-linux-6.1.64/bzImage init=/nix/store/grl4baymr9q60mbcz3sidm4agckn3bx5-nixos-system-nixos-23.1.1.20231129.057f9ae/init audit=1 loglevel=4 If the "audit" entry does not equal "1" or is missing, this is a finding.

Fix: F-71919r1039163_fix

Configure NixOS to audit processes that start prior to the audit daemon. Add or update the "boot.kernelParams" configuration in /etc/nixos/configuration.nix to include the following rule: boot.kernelParams = [ "audit=1" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.
AU-3 - Medium - CCI-000135 - V-268093 - SV-268093r1039167_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000135
Version
ANIX-00-000260
Vuln IDs
  • V-268093
Rule IDs
  • SV-268093r1039167_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. Audit records can be generated from various components within the information system (e.g., module or policy filter). Allocating an audit_backlog_limit of sufficient size is critical in maintaining a stable boot process. With an insufficient limit allocated, the system is susceptible to boot failures and crashes. Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000341-GPOS-00132
Checks: C-72017r1039165_chk

Verify NixOS allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following command: $ grep backlog_limit /proc/cmdline BOOT_IMAGE=(hd0,msdos1)/nix/store/glc0midc78caq9sc7pzciymx4c3in7kn-linux-6.1.64/bzImage init=/nix/store/grl4baymr9q60mbcz3sidm4agckn3bx5-nixos-system-nixos-23.1.1.20231129.057f9ae/init audit=1 audit_backlog_limit=8192 loglevel=4 If the "audit_backlog_limit" entry does not equal "8192" or greater or is missing, this is a finding.

Fix: F-71920r1039166_fix

Configure NixOS to allocate sufficient audit_backlog_limit to capture processes that start prior to the audit daemon. Add or update the "boot.kernelParams" configuration in /etc/nixos/configuration.nix to include the following rule: boot.kernelParams = [ "audit_backlog_limit=8192" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
Successful/unsuccessful uses of the mount syscall in NixOS must generate an audit record.
AU-3 - Medium - CCI-000135 - V-268094 - SV-268094r1039561_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000135
Version
ANIX-00-000270
Vuln IDs
  • V-268094
Rule IDs
  • SV-268094r1039561_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" syscall is used to mount a filesystem. When a user logs in, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
Checks: C-72018r1039168_chk

Verify NixOS generates an audit record for any successful/unsuccessful use of the "mount" syscall with the following command: $ sudo auditctl -l | grep -w "\-S mount" -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -k privileged-mount -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -k privileged-mount If the command does not return the example output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-71921r1039169_fix

Configure NixOS to generate audit records for any successful/unsuccessful use of the "mount" syscall. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rule: security.audit.rules = [ "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount" "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in NixOS must generate an audit record.
AU-3 - Medium - CCI-000135 - V-268095 - SV-268095r1039562_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000135
Version
ANIX-00-000280
Vuln IDs
  • V-268095
Rule IDs
  • SV-268095r1039562_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement. The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse. The "rmdir" system call removes empty directories. The "renameat" system call renames a file, moving it between directories if required. The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page. When a user logs in, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.
Checks: C-72019r1039171_chk

Verify NixOS generates an audit record upon successful/unsuccessful attempts to use the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls with the following command: $ sudo auditctl -l | grep -w 'rename\|unlink\|rmdir' -a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=-1 -k delete -a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=-1 -k delete If the command does not return an audit rule for "rename", "unlink", "rmdir", "renameat", and "unlinkat", this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-71922r1039172_fix

Configure NixOS to generate audit records for any successful/unsuccessful attempts to use the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rule: security.audit.rules = [ "-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete" "-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
Successful/unsuccessful uses of the init_module, finit_module, and delete_module system calls in NixOS must generate an audit record.
AU-3 - Medium - CCI-000135 - V-268096 - SV-268096r1039563_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000135
Version
ANIX-00-000290
Vuln IDs
  • V-268096
Rule IDs
  • SV-268096r1039563_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module, and the "delete_module" is used to unload a kernel module. When a user logs in, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000471-GPOS-00216
Checks: C-72020r1039174_chk

Verify NixOS generates an audit record upon successful/unsuccessful attempts to use the "init_module", "finit_module", and "delete_module" system calls. Check the auditing rules currently loaded into the audit daemon with the following command: $ sudo auditctl -l | grep -w init_module -a always,exit -F arch=b32 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=-1 -k module_chng -a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=-1 -k module_chng If the command does not return an audit rule for "init_module", "finit_module", and "delete_module", this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-71923r1039175_fix

Configure /etc/nixos/configuration.nix to log successful/unsuccessful attempts to use the "init_module", "finit_module", and "delete_module" system calls. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rule: security.audit.rules = [ "-a always,exit -F arch=b32 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k module_chng" "-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k module_chng" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must generate an audit record for successful/unsuccessful modifications to the cron configuration.
AU-3 - Medium - CCI-000135 - V-268097 - SV-268097r1039179_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000135
Version
ANIX-00-000300
Vuln IDs
  • V-268097
Rule IDs
  • SV-268097r1039179_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Cron is a program that is similar to the task scheduler used in other operating systems. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.
Checks: C-72021r1039177_chk

Verify NixOS generates an audit record when successful/unsuccessful attempts to modify the cron configuration. Check the auditing rules currently loaded into the audit daemon with the following command: $ sudo auditctl -l | grep -w cron -w /var/cron/tabs/ -p wa -k services -w /var/cron/cron.allow -p wa -k services -w /var/cron/cron.deny -p wa -k services If the command does not return the example output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-71924r1039178_fix

Configure NixOS to generate audit records when successful/unsuccessful attempts to modify the cron configuration occur. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rule: security.audit.rules = [ "-w /var/cron/tabs/ -p wa -k services" "-w /var/cron/cron.allow -p wa -k services" "-w /var/cron/cron.deny -p wa -k services" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must generate an audit record for successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.
AU-3 - Medium - CCI-000135 - V-268098 - SV-268098r1039593_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000135
Version
ANIX-00-000310
Vuln IDs
  • V-268098
Rule IDs
  • SV-268098r1039593_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. The "creat" system call is used to open and possibly create a file or device. The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open". The "openat" system call opens a file specified by a relative pathname. The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of "openat" into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor. When a user logs in, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000461-GPOS-00205
Checks: C-72022r1039180_chk

Verify NixOS generates an audit record upon unsuccessful attempts to use the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls. Check the auditing rules currently loaded into the audit daemon with the following command: $ sudo auditctl -l | grep 'open\|truncate\|creat' -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access If the command does not return an audit rule for "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at", this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-71925r1039181_fix

Configure NixOS to generate audit records for any unsuccessful attempts to use the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rule: security.audit.rules = [ "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" "-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" "-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in NixOS must generate an audit record.
AU-3 - Medium - CCI-000135 - V-268099 - SV-268099r1039185_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000135
Version
ANIX-00-000360
Vuln IDs
  • V-268099
Rule IDs
  • SV-268099r1039185_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-72023r1039183_chk

Verify NixOS generates an audit record upon attempts to use the "chown", "fchown", "fchownat", and "lchown" system calls. Check the auditing rules currently loaded into the audit daemon with the following command: $ sudo auditctl -l | grep chown -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod If the command does not return an audit rule for "chown", "fchown", "fchownat", and "lchown", this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-71926r1039184_fix

Configure NixOS to generate audit records for any attempts to use the "chown", "fchown", "fchownat", and "lchown" system calls. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rule: security.audit.rules = [ "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod" "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in NixOS must generate an audit record.
AU-3 - Medium - CCI-000135 - V-268100 - SV-268100r1039565_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000135
Version
ANIX-00-000380
Vuln IDs
  • V-268100
Rule IDs
  • SV-268100r1039565_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits. The "fchmod" system call is used to change permissions of a file. The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor. When a user logs in, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000462-GPOS-00206
Checks: C-72024r1039186_chk

Verify NixOS generates an audit record upon attempts to use the "chmod", "fchmod", and "fchmodat" system calls. Check the auditing rules currently loaded into the audit daemon with the following command: $ sudo auditctl -l | grep chmod -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod If the command does not return an audit rule for "chmod", "fchmod", and "fchmodat, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-71927r1039187_fix

Configure NixOS to generate audit records for any attempts to use the "chmod", "fchmod", and "fchmodat" system calls. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rule: security.audit.rules = [ "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod" "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization.
AU-5 - Medium - CCI-000139 - V-268101 - SV-268101r1039599_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
ANIX-00-000400
Vuln IDs
  • V-268101
Rule IDs
  • SV-268101r1039599_rule
If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134
Checks: C-72025r1039598_chk

Verify NixOS notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: $ sudo grep -w space_left_action /etc/audit/auditd.conf space_left_action = syslog If the "space_left_action" parameter is missing, commented out, or set to blanks, this is a finding. If the "space_left_action" is set to "syslog", the system logs the event, but does not generate a notification, this is a finding. If the "space_left_action" is set to "exec", the system executes a designated script. If this script does not inform the SA of the event, this is a finding. If the "space_left_action" is set to "email" check the value of the "action_mail_acct" parameter with the following command: $ sudo grep action_mail_acct /etc/audit/auditd.conf action_mail_acct root@localhost The "action_mail_acct" parameter, if missing, defaults to "root". If the "action_mail_acct" parameter is not set to the email address of the SA and/or ISSO, this is a finding. Note: If the email address of the SA is on a remote system, a mail package must be available.

Fix: F-71928r1039567_fix

Configure NixOS to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. If the space_left_action parameter is set to "syslog", make sure the event being logged generates a notification to the SA and ISSO. If the space_left_action parameter is set to "exec", make sure the command being executed notifies the SA and ISSO. If the space_left_action parameter is set to "email" set the action_mail_acct parameter to an email address for the SA and ISSO. Add or update the 'environment.etc."audit/auditd.conf".text' configuration in /etc/nixos/configuration.nix to include the following: space_left_action = syslog For example, an updated configuration of 'environment.etc."audit/auditd.conf".text' would look like the following in /etc/nixos/configuration.nix ('...' denoting that the 'environment.etc."audit/auditd.conf".text' configuration may have other options configured): environment.etc."audit/auditd.conf".text = [ '' ... space_left_action = syslog ... '' ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 90 percent utilization.
AU-5 - Medium - CCI-000139 - V-268102 - SV-268102r1039601_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
ANIX-00-000410
Vuln IDs
  • V-268102
Rule IDs
  • SV-268102r1039601_rule
If security personnel are not notified immediately when storage volume reaches 90 percent utilization, they are unable to plan for audit record storage capacity expansion.
Checks: C-72026r1039600_chk

Verify NixOS notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity with the following command: $ sudo grep -w admin_space_left_action /etc/audit/auditd.conf admin_space_left_action = syslog If the "admin_space_left_action" parameter is missing, commented out, or set to blanks, this is a finding. If the "admin_space_left_action" is set to "syslog", the system logs the event, but does not generate a notification, this is a finding. If the "admin_space_left_action" is set to "exec", the system executes a designated script. If this script does not inform the SA of the event, this is a finding. If the "admin_space_left_action" is set to "email" check the value of the "action_mail_acct" parameter with the following command: $ sudo grep action_mail_acct /etc/audit/auditd.conf action_mail_acct root@localhost The "action_mail_acct" parameter, if missing, defaults to "root". If the "action_mail_acct" parameter is not set to the email address of the SA and/or ISSO, this is a finding. Note: If the email address of the SA is on a remote system, a mail package must be available.

Fix: F-71929r1039570_fix

Configure NixOS to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity. If the space_left_action parameter is set to "syslog", make sure the event being logged generates a notification to the SA and ISSO. If the space_left_action parameter is set to "exec", make sure the command being execute notifies the SA and ISSO. If the space_left_action parameter is set to "email" set the action_mail_acct parameter to an email address for the SA and ISSO. Add or update the 'environment.etc."audit/auditd.conf".text' configuration in /etc/nixos/configuration.nix to include the following: admin_space_left_action = syslog For example, an updated configuration of 'environment.etc."audit/auditd.conf".text' would look like the following in /etc/nixos/configuration.nix ('...' denoting that the 'environment.etc."audit/auditd.conf".text' configuration may have other options configured): environment.etc."audit/auditd.conf".text = [ '' ... admin_space_left_action = syslog ... '' ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
AU-5 - Medium - CCI-000139 - V-268103 - SV-268103r1039197_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
ANIX-00-000420
Vuln IDs
  • V-268103
Rule IDs
  • SV-268103r1039197_rule
If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
Checks: C-72027r1039195_chk

Verify NixOS takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following commands: $ sudo grep -w space_left /etc/audit/auditd.conf space_left = 25% If the value of the "space_left" keyword is not set to "25%" or if the line is commented out, this is a finding.

Fix: F-71930r1039196_fix

Configure the operating system to initiate an action to notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage. Add or update the 'environment.etc."audit/auditd.conf".text' configuration in /etc/nixos/configuration.nix to include the following: environment.etc."audit/auditd.conf".text = [ '' space_left = 25% '' ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must take action when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity.
AU-5 - Medium - CCI-000139 - V-268104 - SV-268104r1039200_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
ANIX-00-000430
Vuln IDs
  • V-268104
Rule IDs
  • SV-268104r1039200_rule
If security personnel are not notified immediately when storage volume reaches 90 percent utilization, they are unable to plan for audit record storage capacity expansion.
Checks: C-72028r1039198_chk

Verify NixOS takes action when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity with the following commands: $ sudo grep -w admin_space_left /etc/audit/auditd.conf admin_space_left = 10% If the value of the "admin_space_left" keyword is not set to "10%" or if the line is commented out, this is a finding.

Fix: F-71931r1039199_fix

Configure the operating system to initiate an action to notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity. Add or update the 'environment.etc."audit/auditd.conf".text' configuration in /etc/nixos/configuration.nix to include the following: environment.etc."audit/auditd.conf".text = [ '' admin_space_left = 10% '' ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
The NixOS audit system must take appropriate action when the audit storage volume is full.
AU-5 - Medium - CCI-000140 - V-268105 - SV-268105r1039203_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000140
Version
ANIX-00-000440
Vuln IDs
  • V-268105
Rule IDs
  • SV-268105r1039203_rule
It is critical that when NixOS is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. When availability is an overriding concern, other approved actions in response to an audit failure are as follows: 1) If the failure was caused by the lack of audit record storage capacity, NixOS must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner. 2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, NixOS must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.
Checks: C-72029r1039201_chk

Verify NixOS takes the appropriate action when the audit storage volume is full. Check that NixOS takes the appropriate action when the audit storage volume is full using the following command: $ sudo grep disk_full_action /etc/audit/auditd.conf disk_full_action = HALT If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator (SA) to indicate how the system takes appropriate action when an audit storage volume is full. If there is no evidence of appropriate action, this is a finding.

Fix: F-71932r1039202_fix

Configure NixOS to shut down by default upon audit failure (unless availability is an overriding concern). If availability has been determined to be more important, and this decision is documented with the information system security officer (ISSO), configure the operating system to notify SA staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG". Add or update the 'environment.etc."audit/auditd.conf".text' configuration in /etc/nixos/configuration.nix to include the following (depending on configuration "disk_full_action" can be set to "SYSLOG" or "SINGLE" depending on configuration): environment.etc."audit/auditd.conf".text = [ '' disk_full_action = HALT '' ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
The NixOS audit system must take appropriate action when an audit processing failure occurs.
AU-5 - Medium - CCI-000140 - V-268106 - SV-268106r1039206_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000140
Version
ANIX-00-000450
Vuln IDs
  • V-268106
Rule IDs
  • SV-268106r1039206_rule
It is critical that when NixOS is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. When availability is an overriding concern, other approved actions in response to an audit failure are as follows: 1) If the failure was caused by the lack of audit record storage capacity, NixOS must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner. 2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, NixOS must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.
Checks: C-72030r1039204_chk

Verify NixOS takes the appropriate action when an audit processing failure occurs. Check that NixOS takes the appropriate action when an audit processing failure occurs with the following command: $ sudo grep disk_error_action /etc/audit/auditd.conf disk_error_action = HALT If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator (SA) to indicate how the system takes appropriate action when an audit process failure occurs. If there is no evidence of appropriate action, this is a finding.

Fix: F-71933r1039205_fix

Configure NixOS to shut down by default upon audit failure (unless availability is an overriding concern). If availability has been determined to be more important, and this decision is documented with the information system security officer (ISSO), configure the operating system to notify SA staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG". Add or update the 'environment.etc."audit/auditd.conf".text' configuration in /etc/nixos/configuration.nix to include the following (depending on configuration "disk_error_action" can be set to "SYSLOG" or "SINGLE" depending on configuration): environment.etc."audit/auditd.conf".text = [ '' disk_error_action = HALT '' ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must have the packages required for offloading audit logs installed and running.
AU-6 - Medium - CCI-000154 - V-268107 - SV-268107r1039594_rule
RMF Control
AU-6
Severity
Medium
CCI
CCI-000154
Version
ANIX-00-000460
Vuln IDs
  • V-268107
Rule IDs
  • SV-268107r1039594_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. NixOS supports "syslog-ng". "syslog-ng" is a common system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. This utility also natively supports TLS to securely encrypt and off-load auditing. Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000269-GPOS-00103
Checks: C-72031r1039207_chk

Verify that the syslog-ng service is running with the following command: $ systemctl status syslog-ng.service syslog-ng.service - syslog-ng daemon Loaded: loaded (/etc/systemd/system/syslog-ng.service; enabled; vendor preset: enabled) Active: active (running) since Sat 2022-06-04 02:51:43 UTC; 13min ago If the syslog-ng service is not "active" and "running", this is a finding.

Fix: F-71934r1039208_fix

Configure the operating system to offload audit logs. Install the syslog-ng service (if the syslog-ng service is not already installed) and ensure the syslog-ng service is enabled by adding or updating the following configuration in /etc/nixos/configuration.nix: services.syslog-ng.enable = true; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
The NixOS audit records must be off-loaded onto a different system or storage media from the system being audited.
AU-6 - Medium - CCI-000154 - V-268108 - SV-268108r1039573_rule
RMF Control
AU-6
Severity
Medium
CCI
CCI-000154
Version
ANIX-00-000480
Vuln IDs
  • V-268108
Rule IDs
  • SV-268108r1039573_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. NixOS supports "syslog-ng". "syslog-ng" is a common system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. This utility also natively supports TLS to securely encrypt and off-load auditing.
Checks: C-72032r1039210_chk

Verify the audit system off-loads audit records onto a different system or media from the system being audited. List the configured destinations with the following command: $ cat $(egrep -o 'cfgfile=.*\.conf' $(nix-store --query --requisites /run/current-system | grep syslog-ng.service)/syslog-ng.service | awk -F '=' '{print $2}') @version: 4.4 @include "scl.conf" options { keep-hostname(yes); create_dirs(yes); owner(root); group(root); perm(0644); dir_owner(root); dir_group(root); dir_perm(0755); }; source s_local { system(); internal(); }; destination d_local { file("/var/log/messages"); }; destination d_network { syslog( "<remote-logging-server>" port(<port>) transport(tls) tls( cert-file("/var/syslog-ng/certs.d/certificate.crt") key-file("/var/syslog-ng/certs.d/certificate.key") ca-file("/var/syslog-ng/certs.d/cert-bundle.crt") peer-verify(yes) ) ); }; log { source(s_local); destination(d_local); destination(d_network); }; If the configuration does not specify a "log" directive for sources to be sent to a remote destination, or the lines are commented out, ask the system administrator (SA) to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.

Fix: F-71935r1039211_fix

Configure the operating system to off-load audit records onto a different system or media from the system being audited by specifying a remote destination in the syslog-ng configuration. Add or update the "services.syslog-ng.extraConfig" configuration in /etc/nixos/configuration.nix to include the following: source s_local { system(); internal(); }; destination d_network { syslog( "<remote-logging-server>" port(<port>) }; log { source(s_local); destination(d_network); }; For example, an updated configuration of services.rsyslogd.extraConfig' would look like the following in /etc/nixos/configuration.nix ('...' denoting that the 'services.rsyslogd.extraConfig' configuration may have other options configured): services.rsyslogd.extraConfig = '' ... source s_local { system(); internal(); }; destination d_network { syslog( "<remote-logging-server>" port(<port>) ... }; log { source(s_local); destination(d_network); }; ... ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must authenticate the remote logging server for off-loading audit logs.
AU-6 - Medium - CCI-000154 - V-268109 - SV-268109r1039595_rule
RMF Control
AU-6
Severity
Medium
CCI
CCI-000154
Version
ANIX-00-000490
Vuln IDs
  • V-268109
Rule IDs
  • SV-268109r1039595_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. NixOS supports "syslog-ng". "syslog-ng" is a common system utility providing support for message logging. Support for both internet and Unix domain sockets enables this utility to support both local and remote logging. This utility also natively supports TLS to securely encrypt and off-load auditing. Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224
Checks: C-72033r1039213_chk

Verify the operating system authenticates the remote logging server for off-loading audit logs. List the configured destinations with the following command: $ cat $(egrep -o 'cfgfile=.*\.conf' $(nix-store --query --requisites /run/current-system | grep syslog-ng.service)/syslog-ng.service | awk -F '=' '{print $2}') @version: 4.4 @include "scl.conf" options { keep-hostname(yes); create_dirs(yes); owner(root); group(root); perm(0644); dir_owner(root); dir_group(root); dir_perm(0755); }; source s_local { system(); internal(); }; destination d_local { file("/var/log/messages"); }; destination d_network { syslog( "&lt;remote-logging-server&gt;" port(&lt;port&gt;) transport(tls) tls( cert-file("/var/syslog-ng/certs.d/certificate.crt") key-file("/var/syslog-ng/certs.d/certificate.key") ca-file("/var/syslog-ng/certs.d/cert-bundle.crt") peer-verify(yes) ) ); }; log { source(s_local); destination(d_local); destination(d_network); }; If the remote destination does not specify "transport(tls)", the remote destination tls configuration does not specify "peer-verify(yes)" or "peer-verify(required-trusted)", or the lines are commented out, ask the system administrator (SA) to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.

Fix: F-71936r1039214_fix

Configure the operating system to authenticate the remote logging server for off-loading audit logs. Add or update the "services.syslog-ng.extraConfig" configuration in /etc/nixos/configuration.nix to include the following: destination d_network { syslog( "<remote-logging-server>" port(<port>) transport(tls) tls( cert-file("/var/syslog-ng/certs.d/certificate.crt") key-file("/var/syslog-ng/certs.d/certificate.key") ca-file("/var/syslog-ng/certs.d/cert-bundle.crt") peer-verify(yes) ) ); }; log { source(s_local); destination(d_local); destination(d_network); }; For example, an updated configuration of 'services.rsyslogd.extraConfig' would look like the following in /etc/nixos/configuration.nix ('...' denoting that the 'services.rsyslogd.extraConfig' configuration may have other options configured): services.rsyslogd.extraConfig = '' ... destination d_network { syslog( "<remote-logging-server>" port(<port>) transport(tls) tls( cert-file("/var/syslog-ng/certs.d/certificate.crt") key-file("/var/syslog-ng/certs.d/certificate.key") ca-file("/var/syslog-ng/certs.d/cert-bundle.crt") peer-verify(yes) ) ); }; log { source(s_local); destination(d_local); destination(d_network); }; ... ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS audit daemon must generate logs that are group-owned by root.
AU-9 - Medium - CCI-000162 - V-268110 - SV-268110r1039218_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
ANIX-00-000520
Vuln IDs
  • V-268110
Rule IDs
  • SV-268110r1039218_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084
Checks: C-72034r1039216_chk

Verify the audit daemon is configured to generate logs that are group-owned by root with the following command: $ sudo grep log_group /etc/audit/auditd.conf log_group = root If the audit daemon is not configured to generate logs that are group-owned by "root", this is a finding.

Fix: F-71937r1039217_fix

Configure the audit daemon to generate logs that are group-owned by root. Add or update the 'environment.etc."audit/auditd.conf".text' configuration in /etc/nixos/configuration.nix to include the following: environment.etc."audit/auditd.conf".text = [ '' log_group = root '' ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS audit directory and logs must be owned by root to prevent unauthorized read access.
AU-9 - Medium - CCI-000162 - V-268111 - SV-268111r1039221_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
ANIX-00-000530
Vuln IDs
  • V-268111
Rule IDs
  • SV-268111r1039221_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084
Checks: C-72035r1039219_chk

Verify the audit directory and logs are owned by "root". First, determine where the audit logs are stored with the following command: $ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the location of the audit log file (if not specified, the default location is "/var/log/audit/audit.log"), determine if the audit log is owned by "root" using the following command: $ sudo find /var/log/audit -exec stat -c "%U %n" {} \; root /var/log/audit root /var/log/audit/audit.log If the audit directory and logs are not owned by "root", this is a finding.

Fix: F-71938r1039220_fix

Configure the audit directory and logs to be protected from unauthorized read access, by setting the correct owner as "root". Using the path of the directory containing the audit logs (if not specified, the default location is "/var/log/audit/audit.log"), configure the audit directory and log files to be owned by "root" by using the following command: $ sudo chown -R root /var/log/audit

b
NixOS audit directory and logs must be group-owned by root to prevent unauthorized read access.
AU-9 - Medium - CCI-000162 - V-268112 - SV-268112r1039224_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
ANIX-00-000540
Vuln IDs
  • V-268112
Rule IDs
  • SV-268112r1039224_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084
Checks: C-72036r1039222_chk

Verify the audit directory and logs are group-owned by "root". First, determine where the audit logs are stored with the following command: $ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the location of the audit log file (if not specified, the default location is "/var/log/audit/audit.log"), determine if the audit log is group-owned by "root" using the following command: $ sudo find /var/log/audit -exec stat -c "%G %n" {} \; root /var/log/audit root /var/log/audit/audit.log If the audit directory and logs are not group-owned by "root", this is a finding.

Fix: F-71939r1039223_fix

Configure the audit directory and logs to be protected from unauthorized read access, by setting the correct group-owner as "root". Using the path of the directory containing the audit logs (if not specified, the default location is "/var/log/audit/audit.log"), configure the audit directory and log files to be group-owned by "root" by using the following command: $ sudo chown -R :root /var/log/audit

b
NixOS audit log directory must have a mode of 0700 or less permissive.
AU-9 - Medium - CCI-000162 - V-268113 - SV-268113r1039227_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
ANIX-00-000550
Vuln IDs
  • V-268113
Rule IDs
  • SV-268113r1039227_rule
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit NixOS system activity.
Checks: C-72037r1039225_chk

Verify that the audit log directory has a mode of "0700" or less permissive. First, determine where the audit logs are stored with the following command: $ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the path of the directory containing the audit logs, check if the audit log directory has a mode of "0700" or less by using the following command: $ sudo find /var/log/audit -type d -exec stat -c "%a %n" {} \; 700 /var/log/audit If the audit log directory (or any subfolders) has a mode more permissive than "0700", this is a finding.

Fix: F-71940r1039226_fix

Configure the audit log directory to have a mode of "0700" or less permissive. Using the path of the directory containing the audit logs, configure the audit log directory to have a mode of "0700" or less permissive by using the following command: $ sudo chmod 0700 /var/log/audit

b
NixOS audit logs must have a mode of 0600 or less permissive.
AU-9 - Medium - CCI-000162 - V-268114 - SV-268114r1039230_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
ANIX-00-000560
Vuln IDs
  • V-268114
Rule IDs
  • SV-268114r1039230_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084
Checks: C-72038r1039228_chk

Verify that the audit log files have a mode of "0600" or less permissive. First, determine where the audit logs are stored with the following command: $ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the path of the directory containing the audit logs, check if the audit log files have a mode of "0600" or less by using the following command: $ sudo find /var/log/audit -type f -exec stat -c "%a %n" {} \; 600 /var/log/audit/audit.log If the audit log files have a mode more permissive than "0600", this is a finding.

Fix: F-71941r1039229_fix

Verify that the audit log files have a mode of "0600" or less permissive. Using the path of the directory containing the audit logs, configure the audit log files have a mode of "0600" or less by using the following command: $ sudo chmod 0600 /var/log/audit/audit.log

b
NixOS syslog directory and logs must be owned by root to prevent unauthorized read access.
AU-9 - Medium - CCI-000162 - V-268115 - SV-268115r1039233_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
ANIX-00-000570
Vuln IDs
  • V-268115
Rule IDs
  • SV-268115r1039233_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084
Checks: C-72039r1039231_chk

Verify the syslog directories and logs are owned by "root" by executing the following command: $ cat $(egrep -o 'cfgfile=.*\.conf' $(nix-store --query --requisites /run/current-system | grep syslog-ng.service)/syslog-ng.service | awk -F '=' '{print $2}') | grep owner owner(root); dir_owner(root); If any occurrences of "owner" and "dir_owner" are not configured as "root", they are not specified, or they are commented out, this is a finding.

Fix: F-71942r1039232_fix

Configure the syslog-ng service to create directories and logs to be protected from unauthorized read access, by setting the correct owner as "root". Note: By specifying these configurations in the "options" sections, these configurations apply globally and take effect when these configuration options are not specified later on specific file-based destinations. If there are also related configurations specified at the destination level, these will either need to be updated or removed such that the global specifications apply. Add or update the "services.syslog-ng.extraConfig" configuration in /etc/nixos/configuration.nix to include the following: services.syslog-ng.extraConfig = '' options { owner(root); dir_owner(root); }; ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS syslog directory and logs must be group-owned by root to prevent unauthorized read access.
AU-9 - Medium - CCI-000162 - V-268116 - SV-268116r1039236_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
ANIX-00-000580
Vuln IDs
  • V-268116
Rule IDs
  • SV-268116r1039236_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084
Checks: C-72040r1039234_chk

Verify the syslog directories and logs are group-owned by "root" by executing the following command: $ cat $(egrep -o 'cfgfile=.*\.conf' $(nix-store --query --requisites /run/current-system | grep syslog-ng.service)/syslog-ng.service | awk -F '=' '{print $2}') | grep group group(root); dir_group(root); If any occurrences of "group" and "dir_group" are not configured as "root", they are not specified, or they are commented out, this is a finding.

Fix: F-71943r1039235_fix

Configure the syslog-ng service to create directories and logs to be protected from unauthorized read access, by setting the correct group-owner as "root". Note: By specifying these configurations in the "options" sections, these configurations apply globally and take effect when these configuration options are not specified later on specific file-based destinations. If there are also related configurations specified at the destination level, these will either need to be updated or removed such that the global specifications apply. Add or update the "services.syslog-ng.extraConfig" configuration in /etc/nixos/configuration.nix to include the following: services.syslog-ng.extraConfig = '' options { group(root); dir_group(root); }; ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS syslog log directory must have a mode of 0750 or less permissive.
AU-9 - Medium - CCI-000162 - V-268117 - SV-268117r1039239_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
ANIX-00-000590
Vuln IDs
  • V-268117
Rule IDs
  • SV-268117r1039239_rule
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit NixOS system activity.
Checks: C-72041r1039237_chk

Verify NixOS protects audit information from unauthorized read access by implementing a mode of 0750 or less on the creation of log directories with the following command: $ cat $(egrep -o 'cfgfile=.*\.conf' $(nix-store --query --requisites /run/current-system | grep syslog-ng.service)/syslog-ng.service | awk -F '=' '{print $2}') | grep dir_perm dir_perm(0750); If the syslog log directory is not a mode of 0750 or less permissive, this is a finding.

Fix: F-71944r1039238_fix

Configure the syslog-ng service to create log directories with a mode of "0750" or less permissive. Note: By specifying these configurations in the "options" sections, these configurations apply globally and take effect when these configuration options are not specified later on specific file-based destinations. If there are also related configurations specified at the destination level, these will either need to be updated or removed such that the global specifications apply. Add or update the "services.syslog-ng.extraConfig" configuration in /etc/nixos/configuration.nix to include the following: services.syslog-ng.extraConfig = '' options { dir_perm(0750); }; ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS syslog logs must have a mode of 0640 or less permissive.
AU-9 - Medium - CCI-000162 - V-268118 - SV-268118r1039602_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
ANIX-00-000600
Vuln IDs
  • V-268118
Rule IDs
  • SV-268118r1039602_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000205-GPOS-00083
Checks: C-72042r1039240_chk

Verify that syslog log files have a mode of "0640" or less permissive by executing the following command: $ cat $(egrep -o 'cfgfile=.*\.conf' $(nix-store --query --requisites /run/current-system | grep syslog-ng.service)/syslog-ng.service | awk -F '=' '{print $2}') | grep -w perm perm(0640); If any occurrences of "perm" are not configured as "0640" or less permissive, they are not specified, or they are commented out, this is a finding.

Fix: F-71945r1039241_fix

Configure the syslog-ng service to create log files with a mode of "0640" or less permissive. Note: By specifying these configurations in the "options" sections, these configurations apply globally and take effect when these configuration options are not specified later on specific file-based destinations. If there are also related configurations specified at the destination level, these will either need to be updated or removed such that the global specifications apply. Add or update the "services.syslog-ng.extraConfig" configuration in /etc/nixos/configuration.nix to include the following: services.syslog-ng.extraConfig = '' options { perm(0640); }; ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS audit system must protect login UIDs from unauthorized change.
AU-9 - Medium - CCI-000163 - V-268119 - SV-268119r1039577_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
ANIX-00-000610
Vuln IDs
  • V-268119
Rule IDs
  • SV-268119r1039577_rule
If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit system activity. In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes. Satisfies: SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
Checks: C-72043r1039575_chk

Verify the audit system prevents unauthorized changes to login UIDs with the following command: $ sudo auditctl -s | grep -i immutable loginuid_immutable 1 locked If the command does not return "loginuid_immutable 1 locked", this is a finding.

Fix: F-71946r1039576_fix

Configure NixOS to prevent unauthorized changes to login UIDs. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rule: security.audit.rules = [ "--loginuid-immutable" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS system configuration files must have a mode of "0644" or less permissive.
AU-12 - Medium - CCI-000171 - V-268120 - SV-268120r1039248_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000171
Version
ANIX-00-000660
Vuln IDs
  • V-268120
Rule IDs
  • SV-268120r1039248_rule
Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Checks: C-72044r1039246_chk

Verify that the NixOS system configuration files have a mode of "0644" or less permissive with the following command: $ sudo find /etc/nixos -type f -exec stat -c "%a %n" {} \; 644 /etc/nixos/configuration.nix 644 /etc/nixos/hardware-configuration.nix If the system configuration files have a mode more permissive than "0644", this is a finding.

Fix: F-71947r1039247_fix

Configure the NixOS system configuration files to have a mode of "0644" or less permissive by using the following command: $ sudo find /etc/nixos -type f -exec chmod -R 644 {} \; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS system configuration file directories must have a mode of "0755" or less permissive.
AU-12 - Medium - CCI-000171 - V-268121 - SV-268121r1039251_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000171
Version
ANIX-00-000670
Vuln IDs
  • V-268121
Rule IDs
  • SV-268121r1039251_rule
Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Checks: C-72045r1039249_chk

Verify that the NixOS system configuration file directories have a mode of "0755" or less permissive with the following command: $ sudo find /etc/nixos -type d -exec stat -c "%a %n" {} \; 755 /etc/nixos If the system configuration file directories have a mode more permissive than "0755", this is a finding.

Fix: F-71948r1039250_fix

Configure the NixOS system configuration file directories to have a mode of "0755" or less permissive by using the following commands: $ sudo find /etc/nixos -type d -exec chmod -R 755 {} \; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS system configuration files and directories must be owned by root.
AU-12 - Medium - CCI-000171 - V-268122 - SV-268122r1039254_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000171
Version
ANIX-00-000680
Vuln IDs
  • V-268122
Rule IDs
  • SV-268122r1039254_rule
Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Checks: C-72046r1039252_chk

Verify that the NixOS system configuration files and directories are owned by root with the following command: $ sudo find /etc/nixos -exec stat -c "%U %n" {} \; root /etc/nixos root /etc/nixos/configuration.nix root /etc/nixos/hardware-configuration.nix If the system configuration files and directories are not owned by root, this is a finding.

Fix: F-71949r1039253_fix

Configure the NixOS system configuration files and directories to be owned by root by using the following command: $ sudo find /etc/nixos -exec chown -R root {} \; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS system configuration files and directories must be group-owned by root.
AU-12 - Medium - CCI-000171 - V-268123 - SV-268123r1039257_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000171
Version
ANIX-00-000690
Vuln IDs
  • V-268123
Rule IDs
  • SV-268123r1039257_rule
Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Checks: C-72047r1039255_chk

Verify that the NixOS system configuration files and directories are group-owned by root with the following command: $ sudo find /etc/nixos -exec stat -c "%G %n" {} \; root /etc/nixos root /etc/nixos/configuration.nix root /etc/nixos/hardware-configuration.nix If the system configuration files and directories are not group-owned by root, this is a finding.

Fix: F-71950r1039256_fix

Configure the NixOS system configuration files and directories to be group-owned by root by using the following command: $ sudo find /etc/nixos -exec chown -R :root {} \; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
IA-5 - Medium - CCI-000185 - V-268124 - SV-268124r1039260_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
ANIX-00-000710
Vuln IDs
  • V-268124
Rule IDs
  • SV-268124r1039260_rule
Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182, SRG-OS-000775-GPOS-00230
Checks: C-72048r1039258_chk

Verify NixOS only allows the use of DOD PKI-established certificate authorities by running the following: $ nix-env -iA nixos.openssl $ openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = U.S. Government, OU = DOD, OU = PKI, CN = DOD Root CA 3 Validity Not Before: Mar 20 18:46:41 2012 GMT Not After : Dec 30 18:46:41 2029 GMT Subject: C = US, O = U.S. Government, OU = DOD, OU = PKI, CN = DOD Root CA 3 Subject Public Key Info: Public Key Algorithm: rsaEncryption If the root CA file is not a DOD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location, this is a finding.

Fix: F-71951r1039259_fix

Configure /etc/nixos/configuration.nix to authenticate using DOD's root CA by adding the following configuration settings: services.sssd.enable = true; environment.etc."sssd/pki/sssd_auth_ca_db.pem".source = let certzip = pkgs.fetchzip { url = "https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_v5-6_dod.zip"; sha256 = "sha256-iwwJRXCnONk/LFddQlwy8KX9e9kVXW/QWDnX5qZFZjc="; }; in "${certzip}/DOD_PKE_CA_chain.pem"; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must enforce authorized access to the corresponding private key for PKI-based authentication.
IA-5 - Medium - CCI-000186 - V-268125 - SV-268125r1039263_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000186
Version
ANIX-00-000720
Vuln IDs
  • V-268125
Rule IDs
  • SV-268125r1039263_rule
If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and nonrepudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.
Checks: C-72049r1039261_chk

Verify the SSH private key files have a passcode. For each private key stored on the system, use the following command: $ sudo ssh-keygen -y -f /path/to/file If the contents of the key are displayed, this is a finding.

Fix: F-71952r1039262_fix

Create new private/public key pairs that use a passcode using the following command: $ sudo ssh-keygen -n [passphrase]

b
NixOS must enforce password complexity by requiring that at least one uppercase character be used.
- Medium - CCI-004066 - V-268126 - SV-268126r1039266_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
ANIX-00-000730
Vuln IDs
  • V-268126
Rule IDs
  • SV-268126r1039266_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Checks: C-72050r1039264_chk

Verify NixOS enforces password complexity by requiring at least one uppercase character with the following command: $ grep ucredit /etc/security/pwquality.conf ucredit=-1 If the value of "ucredit" is a positive number or is commented out, this is a finding.

Fix: F-71953r1039265_fix

Configure NixOS to enforce password complexity. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."/security/pwquality.conf".text = '' ucredit=-1 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must enforce password complexity by requiring that at least one lowercase character be used.
- Medium - CCI-004066 - V-268127 - SV-268127r1039269_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
ANIX-00-000740
Vuln IDs
  • V-268127
Rule IDs
  • SV-268127r1039269_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Checks: C-72051r1039267_chk

Verify NixOS enforces password complexity by requiring at least one lowercase character with the following command: $ grep lcredit /etc/security/pwquality.conf lcredit=-1 If the value of "lcredit" is a positive number or is commented out, this is a finding.

Fix: F-71954r1039268_fix

Configure NixOS to enforce password complexity. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."/security/pwquality.conf".text = '' lcredit=-1 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must enforce password complexity by requiring that at least one numeric character be used.
- Medium - CCI-004066 - V-268128 - SV-268128r1039272_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
ANIX-00-000750
Vuln IDs
  • V-268128
Rule IDs
  • SV-268128r1039272_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Checks: C-72052r1039270_chk

Verify NixOS enforces password complexity by requiring at least one numeric character with the following command: $ grep dcredit /etc/security/pwquality.conf dcredit=-1 If the value of "dcredit" is a positive number or is commented out, this is a finding.

Fix: F-71955r1039271_fix

Configure NixOS to enforce password complexity. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."/security/pwquality.conf".text = '' dcredit=-1 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must require the change of at least 50 percent of the total number of characters when passwords are changed.
- Medium - CCI-004066 - V-268129 - SV-268129r1039275_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
ANIX-00-000760
Vuln IDs
  • V-268129
Rule IDs
  • SV-268129r1039275_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Checks: C-72053r1039273_chk

Verify NixOS enforces password complexity by requiring that at least 50 percent of the characters are changed with the following command: $ grep difok /etc/security/pwquality.conf difok=8 If the value of "difok" is set to less than "8", or is commented out, this is a finding.

Fix: F-71956r1039274_fix

Configure NixOS to enforce password complexity. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."/security/pwquality.conf".text = '' difok=8 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch

c
NixOS must store only encrypted representations of passwords.
- High - CCI-004062 - V-268130 - SV-268130r1039278_rule
RMF Control
Severity
High
CCI
CCI-004062
Version
ANIX-00-000770
Vuln IDs
  • V-268130
Rule IDs
  • SV-268130r1039278_rule
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
Checks: C-72054r1039276_chk

Verify NixOS stores only encrypted representations of passwords with the following command: $ grep ENCRYPT_METHOD /etc/login.defs ENCRYPT_METHOD SHA512 If "ENCRYPT_METHOD" does not equal SHA512 or greater, is commented out, or is missing, this is a finding.

Fix: F-71957r1039277_fix

Configure NixOS to store only encrypted representations of passwords. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."login.defs".text = pkgs.lib.mkForce '' ENCRYPT_METHOD SHA256 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch

c
NixOS must not have the telnet package installed.
IA-5 - High - CCI-000197 - V-268131 - SV-268131r1039281_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000197
Version
ANIX-00-000780
Vuln IDs
  • V-268131
Rule IDs
  • SV-268131r1039281_rule
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
Checks: C-72055r1039279_chk

Ensure the telnet package is not installed and available with the following command: $ whereis telnet telnet: If there is a path, and the output looks like "telnet: /nix/store/sqiphymcpky1yysgdc1aj4lr9jg9n53a-inetutils-2.2/bin/telnet", this is a finding.

Fix: F-71958r1039280_fix

Edit the NixOS Configuration file with "nano /etc/nixos/configuration.nix" and remove any references to pkgs.libtelnet, pkgs.busybox, or pkgs.inetutils from the environment.systemPackages list. Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must enforce 24 hours/one day as the minimum password lifetime.
- Medium - CCI-004066 - V-268132 - SV-268132r1039284_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
ANIX-00-000790
Vuln IDs
  • V-268132
Rule IDs
  • SV-268132r1039284_rule
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Checks: C-72056r1039282_chk

Verify NixOS enforces 24 hours/one day as the minimum password lifetime with the following command: $ grep PASS_MIN_DAYS /etc/login.defs PASS_MIN_DAYS 1 If PASS_MIN_DAYS_1 is not present, is commented out, or is a value different from 1, this is a finding.

Fix: F-71959r1039283_fix

Configure NixOS operating system to enforce 24 hours/one day as the minimum password lifetime. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."login.defs".text = pkgs.lib.mkForce '' PASS_MIN_DAYS 1 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must enforce a 60-day maximum password lifetime restriction.
- Medium - CCI-004066 - V-268133 - SV-268133r1039287_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
ANIX-00-000800
Vuln IDs
  • V-268133
Rule IDs
  • SV-268133r1039287_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
Checks: C-72057r1039285_chk

Verify NixOS enforces a 60-day maximum password lifetime for new user accounts by running the following command: $ grep PASS_MAX_DAYS /etc/login.defs PASS_MAX_DAYS 60 If the "PASS_MAX_DAYS" parameter value is less than 60 or commented out, this is a finding.

Fix: F-71960r1039286_fix

Configure NixOS operating system to enforce a 60-day maximum password lifetime. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."login.defs".text = pkgs.lib.mkForce '' PASS_MAX_DAYS 60 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must enforce a minimum 15-character password length.
- Medium - CCI-004066 - V-268134 - SV-268134r1039290_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
ANIX-00-000810
Vuln IDs
  • V-268134
Rule IDs
  • SV-268134r1039290_rule
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-72058r1039288_chk

Verify NixOS enforces a minimum 15-character password length with the following command: $ grep minlen /etc/security/pwquality.conf minlen=15 If the value of "minlen" is set to less than "15", or is commented out, this is a finding.

Fix: F-71961r1039289_fix

Configure NixOS to enforce password complexity. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."/security/pwquality.conf".text = '' minlen=15 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users).
IA-2 - Medium - CCI-000764 - V-268135 - SV-268135r1039293_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ANIX-00-000840
Vuln IDs
  • V-268135
Rule IDs
  • SV-268135r1039293_rule
To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062
Checks: C-72059r1039291_chk

Verify the NixOS operating system contains no duplicate User IDs (UIDs) for interactive users with the following command: $ awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If output is produced and the accounts listed are interactive user accounts, this is a finding.

Fix: F-71962r1039292_fix

Configure the NixOS to uniquely identify and authenticate nonorganizational users by editing the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.

b
NixOS must use multifactor authentication for network access to privileged accounts.
IA-2 - Medium - CCI-000765 - V-268136 - SV-268136r1039296_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000765
Version
ANIX-00-000850
Vuln IDs
  • V-268136
Rule IDs
  • SV-268136r1039296_rule
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. Factors include: 1) something a user knows (e.g., password/PIN); 2) something a user has (e.g., cryptographic identification device, token); and 3) something a user is (e.g., biometric). A privileged account is defined as an information system account with authorizations of a privileged user. Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet). The DOD CAC with DOD-approved PKI is an example of multifactor authentication. Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055
Checks: C-72060r1039294_chk

Verify NixOS has the packages required for multifactor authentication installed with the following command: $ grep -R pkgs.opencrypto /etc/nixos pkgs.opencryptoki If the "pkgs.opencryptoki" package is not installed, this is a finding.

Fix: F-71963r1039295_fix

Configure NixOS to have a package that enforces multifactor authentication installed. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix: environment.systemPackages = [ pkgs.opencryptoki ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must not allow direct login to the root account via SSH.
- Medium - CCI-004045 - V-268137 - SV-268137r1039578_rule
RMF Control
Severity
Medium
CCI
CCI-004045
Version
ANIX-00-000890
Vuln IDs
  • V-268137
Rule IDs
  • SV-268137r1039578_rule
To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator is the Unix OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account. For example, the Unix and Windows operating systems offer a "switch user" capability allowing users to authenticate with their individual credentials and, when needed, "switch" to the administrator role. This method provides for unique individual authentication prior to using a group authenticator. Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the operating system without identification or authentication. Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.
Checks: C-72061r1039297_chk

Verify the NixOS configuration disallows directly logging into the root account via SSH with the following command: $ grep PermitRootLogin /etc/ssh/sshd_config PermitRootLogin no If the value is anything other than "no", this is a finding.

Fix: F-71964r1039298_fix

Edit the NixOS Configuration file "/etc/nixos/configuration.nix" to ensure the root user login via SSH is disabled by adding the following text: services.openssh.permitRootLogin = "no"; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must not allow direct login to the root account.
- Medium - CCI-004045 - V-268138 - SV-268138r1039579_rule
RMF Control
Severity
Medium
CCI
CCI-004045
Version
ANIX-00-000900
Vuln IDs
  • V-268138
Rule IDs
  • SV-268138r1039579_rule
To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator is the Unix OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account. For example, the Unix and Windows operating systems offer a "switch user" capability allowing users to authenticate with their individual credentials and, when needed, "switch" to the administrator role. This method provides for unique individual authentication prior to using a group authenticator. Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the operating system without identification or authentication. Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.
Checks: C-72062r1039300_chk

Verify the NixOS operating system prevents directly logging in to the root account with the following command: $ sudo passwd -S root root L 01/02/1970 -1 -1 -1 -1 If the second field in the output is not "L", then the root account is not locked, and this is a finding.

Fix: F-71965r1039301_fix

Edit the NixOS Configuration file "/etc/nixos/configuration.nix" to ensure that the root user is locked by adding the following text: users.mutableUsers = false; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must enable USBguard.
IA-3 - Medium - CCI-000778 - V-268139 - SV-268139r1039607_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-000778
Version
ANIX-00-000930
Vuln IDs
  • V-268139
Rule IDs
  • SV-268139r1039607_rule
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000690-GPOS-00140
Checks: C-72063r1039303_chk

Verify NixOS had enabled the use of the USBGuard with the following command: $ systemctl status usbguard usbguard.service - USBGuard daemon Loaded: loaded (/etc/systemd/system/usbguard.service; enabled; present: enabled) Active: active (running) since Sat 2022-06-04 02:51:43 UTC; 13min ago If the usbguard.service is not "active" and "running", this is a finding.

Fix: F-71966r1039607_fix

Configure NixOS to enable USBGuard and generate a USBGuard ruleset. Edit /etc/nixos/configuration.nix and add the following: services.usbguard.enable = true; Rebuild the system configuration by running the following command: $ sudo nixos-rebuild switch Then, as root, generate a usbguard configuration. Using the "usbguard" command, use "usbguard list-devices" to list connected USB devices, "usbguard block-device" to block a device, and "usbguard allow-device" to allow a device. Note that the default behavior is to block devices. When all connected USB devices have been permitted, generate a ruleset by running the following command as root: # usbguard generate-policy Then, edit /etc/nixos/configuration.nix to add the policy: services.usbguard.rules = '' allow id 1d6b:0001 serial "0000:00:01.2" name "UHCI Host Controller" hash "FRDEjz7OhdJbNjmJ8zityiNX/LuO+ovKC07I0bOFjao=" parent-hash "9+Zsfvo9IR/AEQ/Fn4mzdoPGk0rqpjku6uErfS09K4c=" with-interface 09:00:00 with-connect-type "" allow id 0627:0001 serial "28754-0000:00:01.2-1" name "QEMU USB Tablet" hash "5TyVK8wyL5GmiIbZV2Sf/ehIRMCP83miy4kOzG6O+2M=" parent-hash "FRDEjz7OhdJbNjmJ8zityiNX/LuO+ovKC07I0bOFjao=" with-interface 03:00:00 with-connect-type "unknown" ''; Note: This ruleset is only an example; generate a policy using the process described above. Rebuild the system configuration by running the following command: $ sudo nixos-rebuild switch

b
A sticky bit must be set on all NixOS public directories to prevent unauthorized and unintended information transferred via shared system resources.
SC-4 - Medium - CCI-001090 - V-268140 - SV-268140r1039308_rule
RMF Control
SC-4
Severity
Medium
CCI
CCI-001090
Version
ANIX-00-000970
Vuln IDs
  • V-268140
Rule IDs
  • SV-268140r1039308_rule
Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.
Checks: C-72064r1039306_chk

Verify NixOS is configured with the sticky bit on world-writable directories with the following command: $ sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2&gt;/dev/null If any of the returned directories are world-writable and do not have the sticky bit set, this is a finding.

Fix: F-71967r1039307_fix

Configure all public directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. Set the sticky bit on all public directories using the following command, replacing "[Public Directory]" with any directory path missing the sticky bit: $ sudo chmod +t [Public Directory]

b
NixOS must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.
SC-5 - Medium - CCI-001095 - V-268141 - SV-268141r1039311_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001095
Version
ANIX-00-000980
Vuln IDs
  • V-268141
Rule IDs
  • SV-268141r1039311_rule
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.
Checks: C-72065r1039309_chk

Verify NixOS is configured to use IPv4 TCP syncookies with the following command: $ sudo sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_syncookies = 1 If the network parameter "ipv4.tcp_syncookies" is not equal to "1" or nothing is returned, this is a finding.

Fix: F-71968r1039310_fix

Configure NixOS to use IPv4 TCP syncookies by editing the following in the NixOS configuration /etc/nixos/configuration.nix: boot.kernel.sysctl = { "net.ipv4.tcp_syncookies"=1; }; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must terminate all SSH connections after 10 minutes of becoming unresponsive.
SC-10 - Medium - CCI-001133 - V-268142 - SV-268142r1039535_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
ANIX-00-000990
Vuln IDs
  • V-268142
Rule IDs
  • SV-268142r1039535_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175
Checks: C-72066r1039312_chk

Verify that all network connections associated with SSH traffic are automatically terminated after 10 minutes of becoming unresponsive with the following command: $ grep -i clientaliveinterval /etc/ssh/sshd_config ClientAliveInterval 600 If "ClientAliveInterval" does not have a value of "600" or less, is commented out, or is missing, this is a finding.

Fix: F-71969r1039535_fix

Configure NixOS to automatically terminate all network connections associated with SSH traffic after being unresponsive for 10 minutes. Add or edit the following in the NixOS configuration: /etc/nixos/configuration.nix: services.openssh.extraConfig = '' ClientAliveInterval 600 ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must terminate all SSH connections after becoming unresponsive.
SC-10 - Medium - CCI-001133 - V-268143 - SV-268143r1039317_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
ANIX-00-001000
Vuln IDs
  • V-268143
Rule IDs
  • SV-268143r1039317_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-72067r1039315_chk

Verify that all network connections associated with SSH traffic are automatically terminated after becoming unresponsive with the following command: $ grep -i clientalivecount /etc/ssh/sshd_config ClientAliveCountMax 1 If "ClientAliveCountMax" is not set to "1", is commented out, or is missing, this is a finding.

Fix: F-71970r1039316_fix

Configure NixOS to automatically terminate all network connections associated with SSH traffic after being unresponsive. Add or edit the following in the NixOS configuration: /etc/nixos/configuration.nix: services.openssh.extraConfig = '' ClientAliveCountMax 1 ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

c
NixOS must protect the confidentiality and integrity of all information at rest.
SC-28 - High - CCI-001199 - V-268144 - SV-268144r1039320_rule
RMF Control
SC-28
Severity
High
CCI
CCI-001199
Version
ANIX-00-001010
Vuln IDs
  • V-268144
Rule IDs
  • SV-268144r1039320_rule
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184, SRG-OS-000780-GPOS-00240
Checks: C-72068r1039318_chk

Verify NixOS prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. Verify all system partitions are encrypted with the following command: $ sudo blkid /dev/sda1: LABEL="nixos" UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS" Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding.

Fix: F-71971r1039319_fix

Configure NixOS to prevent unauthorized modification of all information at rest by using disk encryption. Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. Refer to the NixOS manual Section 8.1 "LUKS-Encrypted File Systems" for further details. NixOS Wiki: https://nixos.wiki/wiki/Full_Disk_Encryption

b
NixOS must enforce password complexity by requiring that at least one special character be used.
- Medium - CCI-004066 - V-268145 - SV-268145r1039323_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
ANIX-00-001160
Vuln IDs
  • V-268145
Rule IDs
  • SV-268145r1039323_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.
Checks: C-72069r1039321_chk

Verify NixOS enforces the use of at least one special character in passwords with the following command: $ grep minlen /etc/security/pwquality.conf ocredit=-1 If the value of "ocredit" is a positive number or is commented out, this is a finding.

Fix: F-71972r1039322_fix

Configure NixOS to enforce password complexity. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."/security/pwquality.conf".text = '' ocredit=-1 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch

c
NixOS must protect wireless access to and from the system using encryption.
AC-18 - High - CCI-001444 - V-268146 - SV-268146r1039326_rule
RMF Control
AC-18
Severity
High
CCI
CCI-001444
Version
ANIX-00-001250
Vuln IDs
  • V-268146
Rule IDs
  • SV-268146r1039326_rule
Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Since wireless communications can be intercepted, it is necessary to use encryption to protect the confidentiality of information in transit. Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. This requirement applies to those operating systems that control wireless devices. Satisfies: SRG-OS-000299-GPOS-00117, SRG-OS-000481-GPOS-00481
Checks: C-72070r1039324_chk

Verify NixOS disables wireless adapters by running the following command: $ grep -R networking.wireless /etc/nixos/ /etc/nixos/configuratino.nix:networking.wireless.enable = false; If " networking.wireless.enable", does not equal false, is missing, or is commented out, this is a finding.

Fix: F-71973r1039325_fix

Configure /etc/nixos/configuration.nix to disable wireless interfaces by adding the following configuration settings: networking.wireless.enable = false; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must protect wireless access to the system using authentication of users and/or devices.
AC-18 - Medium - CCI-001443 - V-268147 - SV-268147r1039329_rule
RMF Control
AC-18
Severity
Medium
CCI
CCI-001443
Version
ANIX-00-001260
Vuln IDs
  • V-268147
Rule IDs
  • SV-268147r1039329_rule
Allowing devices and users to connect to the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. This requirement applies to operating systems that control wireless devices.
Checks: C-72071r1039327_chk

Verify NixOS disables Bluetooth adapters by running the following command: $ grep -R hardware.bluetooth /etc/nixos/ /etc/nixos/configuration.nix:hardware.bluetooth.enable = false; If "hardware.bluetooth.enable", does not equal false, is missing, or is commented out, this is a finding.

Fix: F-71974r1039328_fix

Configure /etc/nixos/configuration.nix to disable Bluetooth adapters by adding the following configuration settings: hardware.bluetooth.enable = false; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must prevent all software from executing at higher privilege levels than users executing the software.
AC-6 - Medium - CCI-002233 - V-268148 - SV-268148r1039332_rule
RMF Control
AC-6
Severity
Medium
CCI
CCI-002233
Version
ANIX-00-001280
Vuln IDs
  • V-268148
Rule IDs
  • SV-268148r1039332_rule
In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations. Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review.
Checks: C-72072r1039330_chk

Verify NixOS audits and provides alerts of audit failures by running the following command: $grep A -15 security.auditd /etc/nixos/configuration.nix /etc/nixos/configuration.nix: security.auditd.enable = true; security.audit.enable = true; security.audit.rules = [ '' &lt;audit_rules&gt; '' ]; security.audit.rules = [ "-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv" "-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv" ]; If "security.auditd", "security.audit" and the additional modifications do not equal true, are missing, or are commented out, this is a finding.

Fix: F-71975r1039331_fix

Configure the audit service to produce audit records. Install the audit service (if the audit service is not already installed) and ensure the audit service is enabled by adding or updating the following configurations in /etc/nixos/configuration.nix: security.auditd.enable = true; security.audit.enable = true; Additionally, add the following audit rules: security.audit.rules = [ "-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv" "-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv" ]; Then, rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
- Medium - CCI-004923 - V-268149 - SV-268149r1039335_rule
RMF Control
Severity
Medium
CCI
CCI-004923
Version
ANIX-00-001420
Vuln IDs
  • V-268149
Rule IDs
  • SV-268149r1039335_rule
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000359-GPOS-00146, SRG-OS-000785-GPOS-00250
Checks: C-72073r1039333_chk

Verify NixOS is configured with an approved time server with the following command: $ timedatectl show-timesync | grep NTPServers SystemNTPServers=tick.usnogps.navy.mil FallbackNTPServers=tock.usnogps.navy.mil If the output of the command does not list authorized time servers, this is a finding.

Fix: F-71976r1039334_fix

Configure /etc/nixos/configuration.nix to use approved timeservers by adding the following configuration settings: networking.timeServers = [ "tick.usnogps.navy.mil" "tock.usnogps.navy.mil" ]; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
- Medium - CCI-004926 - V-268150 - SV-268150r1039338_rule
RMF Control
Severity
Medium
CCI
CCI-004926
Version
ANIX-00-001430
Vuln IDs
  • V-268150
Rule IDs
  • SV-268150r1039338_rule
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems). Organizations should also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in SRG-OS-000355 because a comparison must be done to determine the time difference.
Checks: C-72074r1039336_chk

Verify NixOS synchronizes internal information system clocks to the authoritative time source when the time difference is greater than one second with the following command: $ grep -iR pollinterval /etc/nixos/ services.timesyncd.extraConfig = "PollIntervalMaxSec=60"; If "PollIntervalMaxSec" is greater than "60", is commented out, or is missing, this is a finding.

Fix: F-71977r1039337_fix

Configure /etc/nixos/configuration.nix to regularly synchronize the system clock by adding the following configuration settings: services.timesyncd.extraConfig = '' PollIntervalMaxSec=60 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must have time synchronization enabled.
- Medium - CCI-004926 - V-268151 - SV-268151r1039341_rule
RMF Control
Severity
Medium
CCI
CCI-004926
Version
ANIX-00-001440
Vuln IDs
  • V-268151
Rule IDs
  • SV-268151r1039341_rule
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems). Organizations should also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in SRG-OS-000355 because a comparison must be done to determine the time difference.
Checks: C-72075r1039339_chk

Verify NixOS synchronizes internal information system clocks to the authoritative time source when the time difference is greater than one second with the following command: $ grep -iR timesyncd.enable /etc/nixos/ services.timesyncd.enable = true; If "services.timesyncd.enable" is not set to "true", is commented out, or is missing, this is a finding.

Fix: F-71978r1039340_fix

Configure /etc/nixos/configuration.nix to regularly synchronize the system clock by adding the following configuration settings: services.timesyncd.enable = true; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must prohibit user installation of system software without explicit privileged status.
- Medium - CCI-003980 - V-268152 - SV-268152r1039344_rule
RMF Control
Severity
Medium
CCI
CCI-003980
Version
ANIX-00-001450
Vuln IDs
  • V-268152
Rule IDs
  • SV-268152r1039344_rule
Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user. Operating system functionality will vary, and while users are not permitted to install unapproved software, there may be instances where the organization allows the user to install approved software packages, such as from an approved software repository. The operating system or software configuration management utility must enforce control of software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization.
Checks: C-72076r1039342_chk

Verify NixOS prevents unauthorized users from using nix with the following command: $ grep -R allowed-users /etc/nixos/ /etc/nixos/configuration.nix:nix.settings.allowed-users = [ "root" "@wheel" ]; If any other groups or users are included in "nix.settings.allowed-users" other than "root" and "wheel", or the configuration setting does not exist, this is a finding.

Fix: F-71979r1039343_fix

Configure /etc/nixos/configuration.nix to prevent unauthorized users from using nix by adding the following configuration settings: nix.settings.allowed-users = [ "root" "@wheel" ]; Note: extra usergroups may be permitted by adding them with the format "@group" (e.g.: "@users"). Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must notify designated personnel if baseline configurations are changed in an unauthorized manner.
CM-3 - Medium - CCI-001744 - V-268153 - SV-268153r1039347_rule
RMF Control
CM-3
Severity
Medium
CCI
CCI-001744
Version
ANIX-00-001460
Vuln IDs
  • V-268153
Rule IDs
  • SV-268153r1039347_rule
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201
Checks: C-72077r1039345_chk

Verify NixOS notifies if baseline configurations are changed with Advanced Intrusion Detection Environment with the following commands: $ nix-store --query --requisites /run/current-system | cut -d- -f2- | sort | uniq | grep aide aide-0.18.6 etc-aide.conf $ cat /etc/nixos/configuration.nix | grep -A 5 aide.conf If aide is not installed and is not configured to alert on file system changes, this is a finding.

Fix: F-71980r1039346_fix

Configure /etc/nixos/configuration.nix to notify when baseline configuration changes by adding the following configuration settings: nixpkgs.overlays = [ (final: prev: { aide = prev.aide.overrideAttrs (old: { configureFlags = (old.configureFlags or [ ]) ++ [ "--sysconfdir=/etc" ]; }); }) ]; environment.systemPackages = [ pkgs.aide ]; environment.etc = { # Creates /etc/aide.conf "aide.conf" = { text = '' <CONFIG_TEXT> ''; mode = "0444"; }; }; services.cron = { enable = true; systemCronJobs = [ "00 0 * * 0\troot\taide -c /etc/aide.conf --check | /bin/mail -s "aide integrity check run for ${config.networking.hostName}" root@notareal.email" ]; };

c
NixOS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
- High - CCI-003992 - V-268154 - SV-268154r1039350_rule
RMF Control
Severity
High
CCI
CCI-003992
Version
ANIX-00-001480
Vuln IDs
  • V-268154
Rule IDs
  • SV-268154r1039350_rule
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved certificate authority (CA).
Checks: C-72078r1039348_chk

Verify NixOS prevents installations that have not been digitally signed with the following command: $ grep -R require-sigs /etc/nixos/ /etc/nixos/configuration.nix:nix.settings.require-sigs = true; If "nix.settings.require-sigs" is not set to "true", is commented out, or is missing, this is a finding.

Fix: F-71981r1039349_fix

Configure NixOS to require signatures by adding the following configuration settings: Add or edit the following in the NixOS configuration "/etc/nixos/configuration.nix" file: nix.settings.require-sigs = true; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must require users to reauthenticate for privilege escalation.
CM-6 - Medium - CCI-000366 - V-268155 - SV-268155r1039536_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ANIX-00-001500
Vuln IDs
  • V-268155
Rule IDs
  • SV-268155r1039536_rule
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.
Checks: C-72079r1039351_chk

Verify NixOS enforces reauthentication with sudo with the following command: $ sudo grep timestamp_timeout /etc/sudoers Defaults timestamp_timeout=0 If "timestamp_timeout" is greater than 0, is commented out, or is missing, this is a finding.

Fix: F-71982r1039352_fix

Configure /etc/nixos/configuration.nix to enforce reauthentication with sudo by adding the following configuration settings: security.sudo.extraConfig = '' Defaults timestamp_timeout=0 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must require users to reauthenticate when changing roles.
CM-6 - Medium - CCI-000366 - V-268156 - SV-268156r1039539_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ANIX-00-001510
Vuln IDs
  • V-268156
Rule IDs
  • SV-268156r1039539_rule
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to change security roles, it is critical the user reauthenticate.
Checks: C-72080r1039537_chk

Verify NixOS requires users to reauthenticate when changing roles with the following command: $ grep -iR wheelneedspassword /etc/nixos/ /etc/nixos/configuration.nix:security.sudo.wheelNeedsPassword = true; If the returned line does not have a value of "true" or is commented out, this is a finding.

Fix: F-71983r1039538_fix

Configure NixOS to require reauthentication for sudo by editing the /etc/nixos/configuration.nix with the following: security.sudo.wheelNeedsPassword = true; Rebuild the system configuration with the following command: $ sudo nixos-rebuild switch

c
NixOS must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
MA-4 - High - CCI-002890 - V-268157 - SV-268157r1039359_rule
RMF Control
MA-4
Severity
High
CCI
CCI-002890
Version
ANIX-00-001550
Vuln IDs
  • V-268157
Rule IDs
  • SV-268157r1039359_rule
Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms, such as a hash function or digital signature, to protect integrity. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. The operating system can meet this requirement through leveraging a cryptographic module. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch).
Checks: C-72081r1039357_chk

Verify NixOS uses the following FIPS 140-3 approved MAC codes in openssh with the following command: $grep services.openssh.macs -A 3 /etc/nixos/configuration.nix services.openssh.macs = [ "hmac-sha2-512" "hmac-sha2-256" ]; If "services.openssh.macs" contains any ciphers other than "hmac-sha2-512" or "hmac-sha2-256", this is a finding.

Fix: F-71984r1039358_fix

Configure /etc/nixos/configuration.nix to use the following FIPS 140-3 approved MAC codes in openssh by adding the following configuration settings: services.openssh.macs = [ "hmac-sha2-512" "hmac-sha2-256" ]; Then, rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
SC-5 - Medium - CCI-002385 - V-268158 - SV-268158r1039362_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
ANIX-00-001610
Vuln IDs
  • V-268158
Rule IDs
  • SV-268158r1039362_rule
Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.
Checks: C-72082r1039360_chk

Verify NixOS firewall enforces rate limits using the hashlimit module. $ sudo iptables -L | grep limit nixos-fw-refuse tcp -- anywhere anywhere tcp dpt:ssh limit: above 1000000b/s mode srcip nixos-fw-refuse tcp -- anywhere anywhere tcp dpt:http limit: above 1000/min burst 5 mode srcip nixos-fw-refuse tcp -- anywhere anywhere tcp dpt:https limit: above 1000/min burst 5 mode srcip If the command does not produce any rate limiting rules, this is a finding.

Fix: F-71985r1039361_fix

Configure the NixOS firewall to enforce rate limits using the hashlimit module. For example, to limit SSH to 1 MB/s and to limit HTTP to 1000 connections / minute per IP, edit /etc/nixos/configuration.nix and add the following configuration settings: networking.firewall.enable = true; networking.firewall.extraCommands = '' ip46tables --append INPUT --protocol tcp --dport 22 --match hashlimit --hashlimit-name stig_byte_limit --hashlimit-mode srcip --hashlimit-above 1000000b/second --jump nixos-fw-refuse ip46tables --append INPUT --protocol tcp --dport 80 --match hashlimit --hashlimit-name stig_conn_limit --hashlimit-mode srcip --hashlimit-above 1000/minute --jump nixos-fw-refuse ip46tables --append INPUT --protocol tcp --dport 443 --match hashlimit --hashlimit-name stig_conn_limit --hashlimit-mode srcip --hashlimit-above 1000/minute --jump nixos-fw-refuse ''; Note: NixOS provides the helper script "ip46tables" to add rules using both "iptables" and "ip6tables". Rebuild the system with the following command: $ sudo nixos-rebuild switch

c
NixOS must protect the confidentiality and integrity of transmitted information.
SC-8 - High - CCI-002418 - V-268159 - SV-268159r1039541_rule
RMF Control
SC-8
Severity
High
CCI
CCI-002418
Version
ANIX-00-001620
Vuln IDs
  • V-268159
Rule IDs
  • SV-268159r1039541_rule
Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190
Checks: C-72083r1039540_chk

Verify NixOS to enables sshd for secure, confidentially preserving remote access with the following command: $ systemctl status sshd sshd.service - SSH daemon Loaded: loaded (/etc/systemd/system/sshd.service; enabled; present: enabled) Active: active (running) since Sat 2022-06-04 02:51:43 UTC; 13min ago If the sshd.service is not "active" and "running", this is a finding.

Fix: F-71986r1039364_fix

Configure NixOS to enable sshd for secure, confidentially-preserving remote access by adding the following option to /etc/nixos/configuration.nix. services.sshd.enable = true; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must implement nonexecutable data to protect its memory from unauthorized code execution.
SI-16 - Medium - CCI-002824 - V-268160 - SV-268160r1039368_rule
RMF Control
SI-16
Severity
Medium
CCI
CCI-002824
Version
ANIX-00-001660
Vuln IDs
  • V-268160
Rule IDs
  • SV-268160r1039368_rule
Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks. Satisfies: SRG-OS-000433-GPOS-00192, SRG-OS-000132-GPOS-00067
Checks: C-72084r1039366_chk

Verify NixOS prevents internal kernel addresses from being leaked with the following command: $ sudo sysctl kernel.kptr_restrict kernel.kptr_restrict = 1 If "kernel.kptr_restrict" does not have a value of "1" or is missing, this is a finding.

Fix: F-71987r1039367_fix

Configure NixOS to prevent internal kernel addresses from being leaked by editing /etc/nixos/configuration.nix to add the following: boot.kernel.sysctl = { "kernel.kptr_restrict" = 1; }; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must implement address space layout randomization to protect its memory from unauthorized code execution.
SI-16 - Medium - CCI-002824 - V-268161 - SV-268161r1039371_rule
RMF Control
SI-16
Severity
Medium
CCI
CCI-002824
Version
ANIX-00-001670
Vuln IDs
  • V-268161
Rule IDs
  • SV-268161r1039371_rule
Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks.
Checks: C-72085r1039369_chk

Verify NixOS enables address space layout randomization with the following command: $ sudo sysctl kernel.randomize_va_space kernel.randomize_va_space = 2 If "kernel.randomize_va_space" does not have a value of "2" or is missing, this is a finding.

Fix: F-71988r1039370_fix

Configure /etc/nixos/configuration.nix to enable ASLR by adding the following configuration settings: boot.kernel.sysctl = { "kernel.randomize_va_space" = 2; }; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must remove all software components after updated versions have been installed.
SI-2 - Medium - CCI-002617 - V-268162 - SV-268162r1039374_rule
RMF Control
SI-2
Severity
Medium
CCI
CCI-002617
Version
ANIX-00-001680
Vuln IDs
  • V-268162
Rule IDs
  • SV-268162r1039374_rule
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.
Checks: C-72086r1039372_chk

Verify NixOS removes all software components after updated versions have been installed by reviewing /etc/nixos/configuration.nix and remove any references to outdated versions of nixpkgs. If any outdated versions of nixpkgs are present in the configuration.nix file, this is a finding.

Fix: F-71989r1039373_fix

After updating NixOS (either via "cd /etc/nixos; sudo nix flake update; sudo nixos-rebuild switch" or "sudo nixos-rebuild switch –upgrade"), reboot the system to ensure all running software comes from the current active NixOS generation. Edit /etc/nixos/configuration.nix and remove any references to outdated versions of nixpkgs.

b
NixOS must generate audit records when successful/unsuccessful attempts to modify security objects occur.
AU-12 - Medium - CCI-000172 - V-268163 - SV-268163r1039377_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
ANIX-00-001720
Vuln IDs
  • V-268163
Rule IDs
  • SV-268163r1039377_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000463-GPOS-00207, SRG-OS-000042-GPOS-00020, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219
Checks: C-72087r1039375_chk

Verify the NixOS generates audit records when successful/unsuccessful attempts to modify security objects occur with the following command: $ sudo auditctl -l | grep xattr -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid&gt;=1000 -F auid!=-1 -k perm_mod -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid&gt;=1000 -F auid!=-1 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod If the command does not return an audit rule for "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr", this is a finding.

Fix: F-71990r1039376_fix

Configure /etc/nixos/configuration.nix to log attempts to modify security objects by adding the following configuration settings: security.audit.rules = [ "-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod" "-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod" "-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod" "-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod" ]; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must generate audit records when successful/unsuccessful attempts to delete privileges occur.
AU-12 - Medium - CCI-000172 - V-268164 - SV-268164r1039380_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
ANIX-00-001730
Vuln IDs
  • V-268164
Rule IDs
  • SV-268164r1039380_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-72088r1039378_chk

Verify NixOS generates audit records when attempts to delete privileges occur with the following command: $ sudo auditctl -l | grep usermod -a always,exit -S all -F path=/run/current-system/sw/bin/usermod -F perm=x -F auid&gt;=1000 -F auid!=-1 -k privileged-usermod If the command does not return an audit rule for "usermod", this is a finding.

Fix: F-71991r1039379_fix

Configure /etc/nixos/configuration.nix to record attempts to delete privileges by adding the following configuration settings: security.audit.rules = [ "-a always,exit -F path=/run/current-system/sw/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod" ]; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must generate audit records when successful/unsuccessful attempts to delete security objects occur.
AU-12 - Medium - CCI-000172 - V-268165 - SV-268165r1039383_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
ANIX-00-001740
Vuln IDs
  • V-268165
Rule IDs
  • SV-268165r1039383_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-72089r1039381_chk

Verify that NixOS generates audit records when successful/unsuccessful attempts to delete security objects occur with the following command: $ sudo auditctl -l | grep /bin/ch -a always,exit -S all -F path=/run/current-system/sw/bin/chage -F perm=x -F auid&gt;=1000 -F auid!=-1 -k privileged-chage -a always,exit -S all -F path=/run/current-system/sw/bin/chcon -F perm=x -F auid&gt;=1000 -F auid!=-1 -k perm_mod If the command does not return an audit rule for "chage" and "chcon", this is a finding.

Fix: F-71992r1039382_fix

Configure /etc/nixos/configuration.nix to audit attempts to delete security objects by adding the following configuration settings: security.audit.rules = [ "-a always,exit -F path=/run/current-system/sw/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage" "-a always,exit -F path=/run/current-system/sw/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod" ]; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must generate audit records when concurrent logins to the same account occur from different sources.
AU-12 - Medium - CCI-000172 - V-268166 - SV-268166r1039580_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
ANIX-00-001790
Vuln IDs
  • V-268166
Rule IDs
  • SV-268166r1039580_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000473-GPOS-00218, SRG-OS-000042-GPOS-00020, SRG-OS-000475-GPOS-00220
Checks: C-72090r1039384_chk

Verify NixOS is configured to generate audit records with the following command: $ sudo auditctl -l | grep -w lastlog -w /var/log/lastlog -p wa -k logins If the command does not return a watch for the lastlog file, this is a finding.

Fix: F-71993r1039385_fix

Modify NixOS to generate audit logs on account creations and modifications. Edit /etc/nixos/configuration.nix and ensure the following options are configured: security.audit.rules = [ "-w /var/log/lastlog -p wa -k logins" ]; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must generate audit records for all account creations, modifications, disabling, and termination events.
AU-12 - Medium - CCI-000172 - V-268167 - SV-268167r1039389_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
ANIX-00-001820
Vuln IDs
  • V-268167
Rule IDs
  • SV-268167r1039389_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000476-GPOS-00221, SRG-OS-000042-GPOS-00020, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000477-GPOS-00222, SRG-OS-000304-GPOS-00121
Checks: C-72091r1039387_chk

Verify NixOS is configured to generate audit records on account events with the following command: $ sudo auditctl -l | grep /etc -w /etc/sudoers -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/group -p wa -k identity -w /etc/security/opasswd -p wa -k identity If the output from the command does not include the example output, this is a finding.

Fix: F-71994r1039388_fix

Modify NixOS to generate audit logs on account creations and modifications. Edit /etc/nixos/configuration.nix and ensure the following options are configured: security.audit.rules = [ "-w /etc/sudoers -p wa -k identity" "-w /etc/passwd -p wa -k identity" "-w /etc/shadow -p wa -k identity" "-w /etc/gshadow -p wa -k identity" "-w /etc/group -p wa -k identity" "-w /etc/security/opasswd -p wa -k identity" ]; Rebuild the system with the following command: $ sudo nixos-rebuild switch

c
NixOS must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
SC-13 - High - CCI-002450 - V-268168 - SV-268168r1039392_rule
RMF Control
SC-13
Severity
High
CCI
CCI-002450
Version
ANIX-00-001840
Vuln IDs
  • V-268168
Rule IDs
  • SV-268168r1039392_rule
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. Satisfies: SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176
Checks: C-72092r1039390_chk

Verify NixOS is configured to operate in FIPS mode with the following command: $ grep fips /proc/cmdline BOOT_IMAGE=(hd0,msdos1)/nix/store/glc0midc78caq9sc7pzciymx4c3in7kn-linux-6.1.64/bzImage init=/nix/store/grl4baymr9q60mbcz3sidm4agckn3bx5-nixos-system-nixos-23.1.1.20231129.057f9ae/init audit=1 audit_backlog_limit=8192 fips=1 loglevel=4 If the "fips" entry does not equal "1" or is missing, this is a finding.

Fix: F-71995r1039391_fix

Configure NixOS to run in FIPS mode. Add "fips=1" to the kernel parameters by adding to the boot.kernelParams option in /etc/nixos/configuration.nix: boot.kernelParams = [ "fips=1" ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch A reboot is required for the changes to take effect.

b
NixOS must prevent the use of dictionary words for passwords.
CM-6 - Medium - CCI-000366 - V-268169 - SV-268169r1039395_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ANIX-00-001860
Vuln IDs
  • V-268169
Rule IDs
  • SV-268169r1039395_rule
If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.
Checks: C-72093r1039393_chk

Verify NixOS prevents the use of dictionary words for passwords with the following command: $ grep dict /etc/security/pwquality.conf dictcheck=1 If the value of "ocredit" is a positive number or is commented out, this is a finding.

Fix: F-71996r1039394_fix

Configure NixOS to check password change attempts against a dictionary. Add/modify /etc/nixos/configuration.nix to include the following lines: environment.etc."/security/pwquality.conf".text = '' dictcheck=1 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must enable the use of pwquality.
CM-6 - Medium - CCI-000366 - V-268170 - SV-268170r1039398_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ANIX-00-001861
Vuln IDs
  • V-268170
Rule IDs
  • SV-268170r1039398_rule
If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.
Checks: C-72094r1039396_chk

Verify NixOS prevents the use of dictionary words for passwords with the following command: $ grep -i pam_pwquality /etc/pam.d/passwd /etc/pam.d/chpasswd /etc/pam.d/sudo /etc/pam.d/passwd:password requisite /nix/store/db96zr26w71dzx0bzf47d88kw19fr0l7-libpwquality-1.4.5.-lib/lib/security/pam_pwquality.so /etc/pam.d/chpasswd:password requisite /nix/store/db96zr26w71dzx0bzf47d88kw19fr0l7-libpwquality-1.4.5.-lib/lib/security/pam_pwquality.so /etc/pam.d/sudo:password requisite /nix/store/db96zr26w71dzx0bzf47d88kw19fr0l7-libpwquality-1.4.5.-lib/lib/security/pam_pwquality.so If the pam_pwquality.so module is not present in the passwd, chpasswd, and sudo pam files, this is a finding.

Fix: F-71997r1039397_fix

Configure NixOS to check password change attempts against a dictionary. Add the following Nix code to the NixOS Configuration usually located in /etc/nixos/configuration.nix security.pam.services.passwd.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore "password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so"); security.pam.services.chpasswd.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore "password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so"); security.pam.services.sudo.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore "password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so"); Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
NixOS must enforce a delay of at least four seconds between login prompts following a failed login attempt.
CM-6 - Medium - CCI-000366 - V-268171 - SV-268171r1039583_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ANIX-00-001870
Vuln IDs
  • V-268171
Rule IDs
  • SV-268171r1039583_rule
Limiting the number of login attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
Checks: C-72095r1039581_chk

Verify the NixOS operating system enforces a four-second delay between login attempts with the following command: $ grep -I delay /etc/login.defs FAIL_DELAY 4 If "FAIL_DELAY" is not set to "4" or greater, is commented out, or is missing, this is a finding.

Fix: F-71998r1039582_fix

Configure NixOS operating system to enforce a four-second delay between login attempts. Add the following Nix code to the NixOS Configuration usually located in /etc/nixos/configuration.nix environment.etc."login.defs".text = pkgs.lib.mkForce '' FAIL_DELAY 4 ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch

c
NixOS must not allow an unattended or automatic login to the system via the console.
CM-6 - High - CCI-000366 - V-268172 - SV-268172r1039586_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
ANIX-00-001880
Vuln IDs
  • V-268172
Rule IDs
  • SV-268172r1039586_rule
Failure to restrict system access via the console to authenticated users negatively impacts operating system security.
Checks: C-72096r1039584_chk

Verify NixOS does not allow an unattended or automatic login to the system via the console with the following command: $ grep -iR autologin.user /etc/nixos If "services.xserver.displayManager.autoLogin.user" is defined and is not "null", this is a finding.

Fix: F-71999r1039585_fix

Configure the operating system to not allow an unattended or automatic login to the system via the console. Note: Once set, the system must be rebooted for any changes to apply. Add or update the following configuration in /etc/nixos/configuration.nix: services.xserver.displayManager.autoLogin.user = null; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must be configured to use AppArmor.
CM-6 - Medium - CCI-000366 - V-268173 - SV-268173r1039407_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ANIX-00-001890
Vuln IDs
  • V-268173
Rule IDs
  • SV-268173r1039407_rule
Users' home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a system administrator (SA) through shared resources. Satisfies: SRG-OS-000480-GPOS-00230, SRG-OS-000368-GPOS-00154
Checks: C-72097r1039405_chk

Verify NixOS is configured to use AppArmor with the following command: $ sudo systemctl status apparmor.service apparmor.service - Load AppArmor policies Loaded: loaded (/etc/systemd/system/apparmor.service; enabled; present: enabled) Active: active (running) since Sat 2022-06-04 02:51:43 UTC; 13min ago If the "apparmor.service" is not enabled and active, this is a finding.

Fix: F-72000r1039406_fix

Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix. security.apparmor.enable = true; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch && reboot

b
NixOS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
- Medium - CCI-003627 - V-268174 - SV-268174r1039410_rule
RMF Control
Severity
Medium
CCI
CCI-003627
Version
ANIX-00-001930
Vuln IDs
  • V-268174
Rule IDs
  • SV-268174r1039410_rule
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity.
Checks: C-72098r1039408_chk

Verify NixOS disables account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity with the following command: $ grep -i inactive /etc/default/useradd INACTIVE=35 If INACTIVE is not set to 35 or less, or is missing or commented out, this is a finding.

Fix: F-72001r1039409_fix

Configure the NixOS operating system to disable inactive users. Add the following Nix code to the NixOS Configuration usually located in /etc/nixos/configuration.nix. Ensure that utils and lib modules are available { config, pkgs, lib, utils, ... }: environment.etc."/default/useradd".text = pkgs.lib.mkForce '' INACTIVE=35 ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must employ approved cryptographic hashing algorithms for all stored passwords.
IA-7 - Medium - CCI-000803 - V-268175 - SV-268175r1039413_rule
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
ANIX-00-001940
Vuln IDs
  • V-268175
Rule IDs
  • SV-268175r1039413_rule
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.
Checks: C-72099r1039411_chk

Verify NixOS uses employs approved cryptographic hashing algorithms for all stored passwords with the following command: (Change &lt;unique-username&gt; to the desired user to verify.) $ sudo cat /etc/shadow | grep "&lt;unique-username&gt;" | cut -d'$' -f2 If the command does not return 6 for SHA512, this is a finding.

Fix: F-72002r1039412_fix

Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512.

c
NixOS must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
MA-4 - High - CCI-000877 - V-268176 - SV-268176r1039416_rule
RMF Control
MA-4
Severity
High
CCI
CCI-000877
Version
ANIX-00-001960
Vuln IDs
  • V-268176
Rule IDs
  • SV-268176r1039416_rule
If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data. Some maintenance and test tools are either standalone devices with their own operating systems or are applications bundled with an operating system. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric.
Checks: C-72100r1039414_chk

Verify NixOS employs strong authentication in the establishment of nonlocal sessions with SSH by the following command: $ sudo /run/current-system/sw/bin/sshd -G | grep pam usepam yes If usepam is not yes, this is a finding.

Fix: F-72003r1039415_fix

Configure the NixOS operating system to use strong authentication when establishing nonlocal maintenance and diagnostic sessions. Add or modify the following line to /etc/nixos/configuration.nix: openssh.settings.UsePAM = ''yes''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.
- Medium - CCI-004046 - V-268177 - SV-268177r1039419_rule
RMF Control
Severity
Medium
CCI
CCI-004046
Version
ANIX-00-002010
Vuln IDs
  • V-268177
Rule IDs
  • SV-268177r1039419_rule
Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD Common Access Card (CAC). A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). This requires further clarification from NIST. Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000068-GPOS-00036, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162, SRG-OS-000705-GPOS-00150
Checks: C-72101r1039417_chk

Verify NixOS provides authentication via the security and pam modules with the following command: $ cat /etc/nixos/configuration.nix | grep -A 1 security.pam.p11 security.pam.p11.enable = true; If security.pam.p11.enable is not. "true", is not present or is commented out, this is a finding.

Fix: F-72004r1039418_fix

Configure the NixOS operating system to use strong authentication when establishing nonlocal maintenance and diagnostic sessions. Add or modify the following line to /etc/nixos/configuration.nix: security.pam.p11.enable = true; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must prohibit the use of cached authenticators after one day.
IA-5 - Medium - CCI-002007 - V-268178 - SV-268178r1039543_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-002007
Version
ANIX-00-002050
Vuln IDs
  • V-268178
Rule IDs
  • SV-268178r1039543_rule
If cached authentication information is out-of-date, the validity of the authentication information may be questionable.
Checks: C-72102r1039420_chk

Verify NixOS, for PKI-based authentication, only caches authenticators for one day with the following command: $ sudo grep expiration /etc/sssd/sssd.conf offline_credentials_expiration = 1 If the offline_credentials_expiration is not set to "1" or is commented out, this is a finding.

Fix: F-72005r1039542_fix

Configure /etc/nixos/configuration.nix to prohibit the use of cached credentials older than one day by adding the following configuration settings. Note that the entire sssd.conf must be entered in this option: services.sssd.config = '' ... [pam] offline_credentials_expiration = 1 ... ''; Rebuild the system with the following command: $ sudo nixos-rebuild switch

b
For PKI-based authentication, NixOS must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
- Medium - CCI-004068 - V-268179 - SV-268179r1039545_rule
RMF Control
Severity
Medium
CCI
CCI-004068
Version
ANIX-00-002060
Vuln IDs
  • V-268179
Rule IDs
  • SV-268179r1039545_rule
Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).
Checks: C-72103r1039423_chk

Verify NixOS, for PKI-based authentication, uses local revocation data when unable to access the network to obtain it remotely with the following command: $ grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf cert_policy = ca,signature,ocsp_on, crl_auto; If the cert_policy does not contain the options in the example output, this is a finding.

Fix: F-72006r1039544_fix

Configure the NixOS operating system, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely. Add the following Nix code to the NixOS Configuration usually located in /etc/nixos/configuration.nix: security.pam.p11.enable = true; environment.etc."pam_pkcs11/pam_pkcs11.conf".text = '' cert_policy = ca,signature,ocsp_on, crl_auto; ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

b
NixOS must run a supported release of the operating system.
SI-2 - Medium - CCI-002605 - V-268180 - SV-268180r1039428_rule
RMF Control
SI-2
Severity
Medium
CCI
CCI-002605
Version
ANIX-00-002160
Vuln IDs
  • V-268180
Rule IDs
  • SV-268180r1039428_rule
Security flaws with operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.
Checks: C-72104r1039426_chk

Verify NixOS is running a supported version with the following command: $ nixos-version 23.11.20231129.057f9ae (Tapir) If the NixOS is not running a supported version, this is a finding.

Fix: F-72007r1039427_fix

Update to a supported version of the operating system.

b
NixOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
CM-6 - Medium - CCI-000366 - V-268181 - SV-268181r1039431_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
ANIX-00-002180
Vuln IDs
  • V-268181
Rule IDs
  • SV-268181r1039431_rule
Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.
Checks: C-72105r1039429_chk

Verify the NixOS operating system to change default file permissions so users may only modify their own files. Ensure the following settings are present in the /etc/nixos/configuration.nix file: { config, pkgs, lib, ... }: environment.etc = { ""login.defs"".source = lib.mkForce (pkgs.writeText ""login.defs"" '' DEFAULT_HOME yes SYS_UID_MIN 400 SYS_UID_MAX 999 UID_MIN 1000 UID_MAX 29999 SYS_GID_MIN 400 SYS_GID_MAX 999 GID_MIN 1000 GID_MAX 29999 TTYGROUP tty TTYPERM 0620 # Ensure privacy for newly created home directories. UMASK 077 # Uncomment this and install chfn SUID to allow nonroot # users to change their account GECOS information. # This should be made configurable. #CHFN_RESTRICT frwh ''; }; If the above configurations are not present in the configuration.nix file, this is a finding.

Fix: F-72008r1039430_fix

Configure the NixOS operating system to change default file permissions so users may only modify their own files. Add the following Nix code to the NixOS Configuration usually located in /etc/nixos/configuration.nix: { config, pkgs, lib, ... }: environment.etc = { ""login.defs"".source = lib.mkForce (pkgs.writeText ""login.defs"" '' DEFAULT_HOME yes SYS_UID_MIN 400 SYS_UID_MAX 999 UID_MIN 1000 UID_MAX 29999 SYS_GID_MIN 400 SYS_GID_MAX 999 GID_MIN 1000 GID_MAX 29999 TTYGROUP tty TTYPERM 0620 # Ensure privacy for newly created home directories. UMASK 077 # Uncomment this and install chfn SUID to allow nonroot # users to change their account GECOS information. # This should be made configurable. #CHFN_RESTRICT frwh ''; }; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch