Anduril NixOS Security Technical Implementation Guide

Version

ANIX-00-000210

Vuln IDs

V-268091

Rule IDs

SV-268091r1130983_rule

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, SRG-OS-000755-GPOS-00220

Checks: C-72015r1039159_chk

Verify NixOS generates audit records for all execution of privileged functions with the following command: $ sudo auditctl -l | grep execve -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv If the command does not return the example output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-71918r1130982_fix

Configure NixOS to generate audit records for all execution of privileged functions. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.audit.rules = [ "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv " "-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv " ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must enable auditing of processes that start prior to the audit daemon.

AU-3 - Medium - CCI-000135 - V-268092 - SV-268092r1130985_rule

RMF Control

AU-3

Severity

M

CCI

Version

ANIX-00-000250

Vuln IDs

V-268092

Rule IDs

SV-268092r1130985_rule

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DOD has defined the list of events for which NixOS will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions.

Checks: C-72016r1039162_chk

Verify NixOS enables auditing of processes that start prior to the audit daemon with the following command: $ grep audit=1 /proc/cmdline BOOT_IMAGE=(hd0,msdos1)/nix/store/glc0midc78caq9sc7pzciymx4c3in7kn-linux-6.1.64/bzImage init=/nix/store/grl4baymr9q60mbcz3sidm4agckn3bx5-nixos-system-nixos-23.1.1.20231129.057f9ae/init audit=1 loglevel=4 If the "audit" entry does not equal "1" or is missing, this is a finding.

Fix: F-71919r1130984_fix

Configure NixOS to audit processes that start prior to the audit daemon. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: boot.kernelParams = [ "audit=1" ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.

AU-3 - Medium - CCI-000135 - V-268093 - SV-268093r1130988_rule

RMF Control

AU-3

Severity

M

CCI

Version

ANIX-00-000260

Vuln IDs

V-268093

Rule IDs

SV-268093r1130988_rule

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. Audit records can be generated from various components within the information system (e.g., module or policy filter). Allocating an audit_backlog_limit of sufficient size is critical in maintaining a stable boot process. With an insufficient limit allocated, the system is susceptible to boot failures and crashes. Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000341-GPOS-00132

Checks: C-72017r1130986_chk

Verify NixOS allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following command: $ sudo auditctl -s | grep backlog_limit backlog_limit 8192 If the "backlog_limit" entry does not equal "8192" or greater or is missing, this is a finding.

Fix: F-71920r1130987_fix

Configure NixOS to allocate sufficient audit_backlog_limit to capture processes that start prior to the audit daemon. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: boot.kernelParams = [ "audit_backlog_limit=8192" ]; security.audit.backlogLimit = 8192; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

Successful/unsuccessful uses of the mount syscall in NixOS must generate an audit record.

AU-3 - Medium - CCI-000135 - V-268094 - SV-268094r1130990_rule

RMF Control

AU-3

Severity

M

CCI

Version

ANIX-00-000270

Vuln IDs

V-268094

Rule IDs

SV-268094r1130990_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "mount" syscall is used to mount a filesystem. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.

Checks: C-72018r1039168_chk

Verify NixOS generates an audit record for any successful/unsuccessful use of the "mount" syscall with the following command: $ sudo auditctl -l | grep -w "\-S mount" -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -k privileged-mount -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -k privileged-mount If the command does not return the example output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-71921r1130989_fix

Configure NixOS to generate audit records for any successful/unsuccessful use of the "mount" syscall. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.audit.rules = [ "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount" "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount" ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in NixOS must generate an audit record.

AU-3 - Medium - CCI-000135 - V-268095 - SV-268095r1130992_rule

RMF Control

AU-3

Severity

M

CCI

Version

ANIX-00-000280

Vuln IDs

V-268095

Rule IDs

SV-268095r1130992_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "rename" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement. The "unlink" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse. The "rmdir" system call removes empty directories. The "renameat" system call renames a file, moving it between directories if required. The "unlinkat" system call operates in exactly the same way as either "unlink" or "rmdir" except for the differences described in the manual page. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.

Checks: C-72019r1039171_chk

Verify NixOS generates an audit record upon successful/unsuccessful attempts to use the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls with the following command: $ sudo auditctl -l | grep -w 'rename\|unlink\|rmdir' -a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=-1 -k delete -a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=-1 -k delete If the command does not return an audit rule for "rename", "unlink", "rmdir", "renameat", and "unlinkat", this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-71922r1130991_fix

Configure NixOS to generate audit records for any successful/unsuccessful attempts to use the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.audit.rules = [ "-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete" "-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete" ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

Successful/unsuccessful uses of the init_module, finit_module, and delete_module system calls in NixOS must generate an audit record.

AU-3 - Medium - CCI-000135 - V-268096 - SV-268096r1130994_rule

RMF Control

AU-3

Severity

M

CCI

Version

ANIX-00-000290

Vuln IDs

V-268096

Rule IDs

SV-268096r1130994_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "init_module" and "finit_module" system calls are used to load a kernel module, and the "delete_module" is used to unload a kernel module. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000471-GPOS-00216

Checks: C-72020r1039174_chk

Verify NixOS generates an audit record upon successful/unsuccessful attempts to use the "init_module", "finit_module", and "delete_module" system calls. Check the auditing rules currently loaded into the audit daemon with the following command: $ sudo auditctl -l | grep -w init_module -a always,exit -F arch=b32 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=-1 -k module_chng -a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=-1 -k module_chng If the command does not return an audit rule for "init_module", "finit_module", and "delete_module", this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-71923r1130993_fix

Configure /etc/nixos/configuration.nix to log successful/unsuccessful attempts to use the "init_module", "finit_module", and "delete_module" system calls. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.audit.rules = [ "-a always,exit -F arch=b32 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k module_chng" "-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k module_chng" ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must generate an audit record for successful/unsuccessful modifications to the cron configuration.

AU-3 - Medium - CCI-000135 - V-268097 - SV-268097r1130996_rule

RMF Control

AU-3

Severity

M

CCI

Version

ANIX-00-000300

Vuln IDs

V-268097

Rule IDs

SV-268097r1130996_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Cron is a program that is similar to the task scheduler used in other operating systems. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.

Checks: C-72021r1039177_chk

Verify NixOS generates an audit record when successful/unsuccessful attempts to modify the cron configuration. Check the auditing rules currently loaded into the audit daemon with the following command: $ sudo auditctl -l | grep -w cron -w /var/cron/tabs/ -p wa -k services -w /var/cron/cron.allow -p wa -k services -w /var/cron/cron.deny -p wa -k services If the command does not return the example output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-71924r1130995_fix

Configure NixOS to generate audit records when successful/unsuccessful attempts to modify the cron configuration occur. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.audit.rules = [ "-w /var/cron/tabs/ -p wa -k services" "-w /var/cron/cron.allow -p wa -k services" "-w /var/cron/cron.deny -p wa -k services" ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must generate an audit record for successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.

AU-3 - Medium - CCI-000135 - V-268098 - SV-268098r1130998_rule

RMF Control

AU-3

Severity

M

CCI

Version

ANIX-00-000310

Vuln IDs

V-268098

Rule IDs

SV-268098r1130998_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "truncate" and "ftruncate" functions are used to truncate a file to a specified length. The "creat" system call is used to open and possibly create a file or device. The "open" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by "open". The "openat" system call opens a file specified by a relative pathname. The "name_to_handle_at" and "open_by_handle_at" system calls split the functionality of "openat" into two parts: "name_to_handle_at" returns an opaque handle that corresponds to a specified file; "open_by_handle_at" opens the file corresponding to a handle returned by a previous call to "name_to_handle_at" and returns an open file descriptor. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000461-GPOS-00205

Checks: C-72022r1039180_chk

Verify NixOS generates an audit record upon unsuccessful attempts to use the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls. Check the auditing rules currently loaded into the audit daemon with the following command: $ sudo auditctl -l | grep 'open\|truncate\|creat' -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access If the command does not return an audit rule for "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at", this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-71925r1130997_fix

Configure NixOS to generate audit records for any unsuccessful attempts to use the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.audit.rules = [ "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" "-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access" "-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access" ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in NixOS must generate an audit record.

AU-3 - Medium - CCI-000135 - V-268099 - SV-268099r1131000_rule

RMF Control

AU-3

Severity

M

CCI

Version

ANIX-00-000360

Vuln IDs

V-268099

Rule IDs

SV-268099r1131000_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-72023r1039183_chk

Verify NixOS generates an audit record upon attempts to use the "chown", "fchown", "fchownat", and "lchown" system calls. Check the auditing rules currently loaded into the audit daemon with the following command: $ sudo auditctl -l | grep chown -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod If the command does not return an audit rule for "chown", "fchown", "fchownat", and "lchown", this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-71926r1130999_fix

Configure NixOS to generate audit records for any attempts to use the "chown", "fchown", "fchownat", and "lchown" system calls. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.audit.rules = [ "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod" "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod" ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in NixOS must generate an audit record.

AU-3 - Medium - CCI-000135 - V-268100 - SV-268100r1131002_rule

RMF Control

AU-3

Severity

M

CCI

Version

ANIX-00-000380

Vuln IDs

V-268100

Rule IDs

SV-268100r1131002_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The "chmod" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits. The "fchmod" system call is used to change permissions of a file. The "fchmodat" system call is used to change permissions of a file relative to a directory file descriptor. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way. The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000462-GPOS-00206

Checks: C-72024r1039186_chk

Verify NixOS generates an audit record upon attempts to use the "chmod", "fchmod", and "fchmodat" system calls. Check the auditing rules currently loaded into the audit daemon with the following command: $ sudo auditctl -l | grep chmod -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod If the command does not return an audit rule for "chmod", "fchmod", and "fchmodat, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-71927r1131001_fix

Configure NixOS to generate audit records for any attempts to use the "chmod", "fchmod", and "fchmodat" system calls. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.audit.rules = [ "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod" "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod" ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization.

AU-5 - Medium - CCI-000139 - V-268101 - SV-268101r1131004_rule

RMF Control

AU-5

Severity

M

CCI

Version

ANIX-00-000400

Vuln IDs

V-268101

Rule IDs

SV-268101r1131004_rule

If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134

Checks: C-72025r1039598_chk

Verify NixOS notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: $ sudo grep -w space_left_action /etc/audit/auditd.conf space_left_action = syslog If the "space_left_action" parameter is missing, commented out, or set to blanks, this is a finding. If the "space_left_action" is set to "syslog", the system logs the event, but does not generate a notification, this is a finding. If the "space_left_action" is set to "exec", the system executes a designated script. If this script does not inform the SA of the event, this is a finding. If the "space_left_action" is set to "email" check the value of the "action_mail_acct" parameter with the following command: $ sudo grep action_mail_acct /etc/audit/auditd.conf action_mail_acct root@localhost The "action_mail_acct" parameter, if missing, defaults to "root". If the "action_mail_acct" parameter is not set to the email address of the SA and/or ISSO, this is a finding. Note: If the email address of the SA is on a remote system, a mail package must be available.

Fix: F-71928r1131003_fix

Configure NixOS to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. If the space_left_action parameter is set to "syslog", make sure the event being logged generates a notification to the SA and ISSO. If the space_left_action parameter is set to "exec", make sure the command being executed notifies the SA and ISSO. If the space_left_action parameter is set to "email", set the action_mail_acct parameter to an email address for the SA and ISSO. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: space_left_action = syslog For example, an updated configuration of 'environment.etc."audit/auditd.conf".text' would look like the following ('...' denoting that the 'environment.etc."audit/auditd.conf".text' configuration may have other options configured): environment.etc."audit/auditd.conf".text = [ '' ... space_left_action = syslog ... '' ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 90 percent utilization.

AU-5 - Medium - CCI-000139 - V-268102 - SV-268102r1131006_rule

RMF Control

AU-5

Severity

M

CCI

Version

ANIX-00-000410

Vuln IDs

V-268102

Rule IDs

SV-268102r1131006_rule

If security personnel are not notified immediately when storage volume reaches 90 percent utilization, they are unable to plan for audit record storage capacity expansion.

Checks: C-72026r1039600_chk

Verify NixOS notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity with the following command: $ sudo grep -w admin_space_left_action /etc/audit/auditd.conf admin_space_left_action = syslog If the "admin_space_left_action" parameter is missing, commented out, or set to blanks, this is a finding. If the "admin_space_left_action" is set to "syslog", the system logs the event, but does not generate a notification, this is a finding. If the "admin_space_left_action" is set to "exec", the system executes a designated script. If this script does not inform the SA of the event, this is a finding. If the "admin_space_left_action" is set to "email" check the value of the "action_mail_acct" parameter with the following command: $ sudo grep action_mail_acct /etc/audit/auditd.conf action_mail_acct root@localhost The "action_mail_acct" parameter, if missing, defaults to "root". If the "action_mail_acct" parameter is not set to the email address of the SA and/or ISSO, this is a finding. Note: If the email address of the SA is on a remote system, a mail package must be available.

Fix: F-71929r1131005_fix

Configure NixOS to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity. If the space_left_action parameter is set to "syslog", make sure the event being logged generates a notification to the SA and ISSO. If the space_left_action parameter is set to "exec", make sure the command being execute notifies the SA and ISSO. If the space_left_action parameter is set to "email", set the action_mail_acct parameter to an email address for the SA and ISSO. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: admin_space_left_action = syslog For example, an updated configuration of 'environment.etc."audit/auditd.conf".text' would look like the following ('...' denoting that the 'environment.etc."audit/auditd.conf".text' configuration may have other options configured): environment.etc."audit/auditd.conf".text = [ '' ... admin_space_left_action = syslog ... '' ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.

AU-5 - Medium - CCI-000139 - V-268103 - SV-268103r1131008_rule

RMF Control

AU-5

Severity

M

CCI

Version

ANIX-00-000420

Vuln IDs

V-268103

Rule IDs

SV-268103r1131008_rule

If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.

Checks: C-72027r1039195_chk

Verify NixOS takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following commands: $ sudo grep -w space_left /etc/audit/auditd.conf space_left = 25% If the value of the "space_left" keyword is not set to "25%" or if the line is commented out, this is a finding.

Fix: F-71930r1131007_fix

Configure the operating system to initiate an action to notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: environment.etc."audit/auditd.conf".text = [ '' space_left = 25% '' ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must take action when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity.

AU-5 - Medium - CCI-000139 - V-268104 - SV-268104r1131010_rule

RMF Control

AU-5

Severity

M

CCI

Version

ANIX-00-000430

Vuln IDs

V-268104

Rule IDs

SV-268104r1131010_rule

If security personnel are not notified immediately when storage volume reaches 90 percent utilization, they are unable to plan for audit record storage capacity expansion.

Checks: C-72028r1039198_chk

Verify NixOS takes action when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity with the following commands: $ sudo grep -w admin_space_left /etc/audit/auditd.conf admin_space_left = 10% If the value of the "admin_space_left" keyword is not set to "10%" or if the line is commented out, this is a finding.

Fix: F-71931r1131009_fix

Configure the operating system to initiate an action to notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: environment.etc."audit/auditd.conf".text = [ '' admin_space_left = 10% '' ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

The NixOS audit system must take appropriate action when the audit storage volume is full.

AU-5 - Medium - CCI-000140 - V-268105 - SV-268105r1131012_rule

RMF Control

AU-5

Severity

M

CCI

CCI-000140

Version

ANIX-00-000440

Vuln IDs

V-268105

Rule IDs

SV-268105r1131012_rule

It is critical that when NixOS is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. When availability is an overriding concern, other approved actions in response to an audit failure are as follows: 1) If the failure was caused by the lack of audit record storage capacity, NixOS must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner. 2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, NixOS must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.

Checks: C-72029r1039201_chk

Verify NixOS takes the appropriate action when the audit storage volume is full. Check that NixOS takes the appropriate action when the audit storage volume is full using the following command: $ sudo grep disk_full_action /etc/audit/auditd.conf disk_full_action = HALT If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator (SA) to indicate how the system takes appropriate action when an audit storage volume is full. If there is no evidence of appropriate action, this is a finding.

Fix: F-71932r1131011_fix

Configure NixOS to shut down by default upon audit failure (unless availability is an overriding concern). If availability has been determined to be more important, and this decision is documented with the information system security officer (ISSO), configure the operating system to notify SA staff and information system security officer (ISSO) staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG". Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: (depending on configuration, "disk_full_action" can be set to "SYSLOG" or "SINGLE") environment.etc."audit/auditd.conf".text = [ '' disk_full_action = HALT '' ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

The NixOS audit system must take appropriate action when an audit processing failure occurs.

AU-5 - Medium - CCI-000140 - V-268106 - SV-268106r1131014_rule

RMF Control

AU-5

Severity

M

CCI

CCI-000140

Version

ANIX-00-000450

Vuln IDs

V-268106

Rule IDs

SV-268106r1131014_rule

It is critical that when NixOS is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. When availability is an overriding concern, other approved actions in response to an audit failure are as follows: 1) If the failure was caused by the lack of audit record storage capacity, NixOS must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner. 2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, NixOS must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.

Checks: C-72030r1039204_chk

Verify NixOS takes the appropriate action when an audit processing failure occurs. Check that NixOS takes the appropriate action when an audit processing failure occurs with the following command: $ sudo grep disk_error_action /etc/audit/auditd.conf disk_error_action = HALT If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator (SA) to indicate how the system takes appropriate action when an audit process failure occurs. If there is no evidence of appropriate action, this is a finding.

Fix: F-71933r1131013_fix

Configure NixOS to shut down by default upon audit failure (unless availability is an overriding concern). If availability has been determined to be more important, and this decision is documented with the information system security officer (ISSO), configure the operating system to notify SA staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG". Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: (depending on configuration, "disk_error_action" can be set to "SYSLOG" or "SINGLE"): environment.etc."audit/auditd.conf".text = [ '' disk_error_action = HALT '' ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must have the packages required for offloading audit logs installed and running.

AU-6 - Medium - CCI-000154 - V-268107 - SV-268107r1131017_rule

RMF Control

AU-6

Severity

M

CCI

CCI-000154

Version

ANIX-00-000460

Vuln IDs

V-268107

Rule IDs

SV-268107r1131017_rule

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. NixOS supports "systemd-journald", which is a common system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. This utility also natively supports TLS to securely encrypt and off-load auditing. Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000269-GPOS-00103

Checks: C-72031r1131015_chk

Verify that the systemd-journald service is running with the following command: $ systemctl status systemd-journald.service systemd-journald.service - Journal Service Loaded: loaded (/etc/systemd/system/systemd-journald.service; enabled; preset: ignored) Drop-In: /nix/store/z8klzmxqgpmn8ganwrsqizy3qdxnirr8-system-units/systemd-journald.service.d +-overrides.conf Active: active (running) since Mon 2025-03-10 10:41:08 PDT; 1 day 2h ago If the systemd-journald.service is not "active" and "running", this is a finding.

Fix: F-71934r1131016_fix

Configure the operating system to off-load audit logs. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: services.journald.audit = true; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

The NixOS audit records must be off-loaded onto a different system or storage media from the system being audited.

AU-6 - Medium - CCI-000154 - V-268108 - SV-268108r1131020_rule

RMF Control

AU-6

Severity

M

CCI

CCI-000154

Version

ANIX-00-000480

Vuln IDs

V-268108

Rule IDs

SV-268108r1131020_rule

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. NixOS supports "systemd-journald", which is a common system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. This utility also natively supports TLS to securely encrypt and off-load auditing.

Checks: C-72032r1131018_chk

Verify the audit system off-loads audit records onto a different system or media from the system being audited. List the configured destinations with the following command: $ grep -i "Url" /etc/systemd/journal-upload.conf" If no URL is configured, this is a finding.

Fix: F-71935r1131019_fix

Configure the operating system to off-load audit records onto a different system or media from the system being audited by specifying a remote destination in the systemd-journald configuration. On the client, modify /etc/nixos/configuration.nix or /etc/nixos/flake.nix to include the following lines: services.journald.upload = { enable = true; Upload = { ServerKeyFile = $PATH_TO_CLIENT_PEM_SSL_KEY; URL = $URL_OF_REMOTE_SERVER; ServerCertificateFile = $PATH_TO_SSL_CERT; TrustedCertificateFile = $PATH_TO_SERVER_CERT; }; }; } On the server, modify /etc/nixos/configuration.nix or /etc/nixos/flake.nix to include the following lines: services.journald.remote = { enable = true; listen = "https"; URL = $URL_OF_REMOTE_SERVER; ServerKeyFile = $PATH_TO_SERVER_PEM_SSL_KEY; ServerCertificateFile = $PATH_TO_SSL_CERT; }; };

b

NixOS must authenticate the remote logging server for off-loading audit logs.

AU-6 - Medium - CCI-000154 - V-268109 - SV-268109r1131023_rule

RMF Control

AU-6

Severity

M

CCI

CCI-000154

Version

ANIX-00-000490

Vuln IDs

V-268109

Rule IDs

SV-268109r1131023_rule

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. NixOS supports "systemd-journald", which is a common system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. This utility also natively supports TLS to securely encrypt and off-load auditing. Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

Checks: C-72033r1131021_chk

Verify the operating system authenticates the remote logging server for off-loading audit logs. List the configured destinations with the following command: $ grep -i "TrustedCertificateFile" /etc/systemd/journal-upload.conf" If no TrustedCertificateFile is configured or is set to "all", this is a finding.

Fix: F-71936r1131022_fix

Configure the operating system to authenticate the remote logging server for off-loading audit logs. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: destination d_network { syslog( "<remote-logging-server>" port(<port>) transport(tls) tls( cert-file("/var/syslog-ng/certs.d/certificate.crt") key-file("/var/syslog-ng/certs.d/certificate.key") ca-file("/var/syslog-ng/certs.d/cert-bundle.crt") peer-verify(yes) ) ); }; log { source(s_local); destination(d_local); destination(d_network); }; For example, an updated configuration of 'services.rsyslogd.extraConfig' would look like the following in /etc/nixos/configuration.nix ('...' denoting that the 'services.rsyslogd.extraConfig' configuration may have other options configured): services.rsyslogd.extraConfig = '' ... destination d_network { syslog( "<remote-logging-server>" port(<port>) transport(tls) tls( cert-file("/var/syslog-ng/certs.d/certificate.crt") key-file("/var/syslog-ng/certs.d/certificate.key") ca-file("/var/syslog-ng/certs.d/cert-bundle.crt") peer-verify(yes) ) ); }; log { source(s_local); destination(d_local); destination(d_network); }; ... ''; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS audit daemon must generate logs that are group-owned by root.

AU-9 - Medium - CCI-000162 - V-268110 - SV-268110r1131025_rule

RMF Control

AU-9

Severity

M

CCI

Version

ANIX-00-000520

Vuln IDs

V-268110

Rule IDs

SV-268110r1131025_rule

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084

Checks: C-72034r1039216_chk

Verify the audit daemon is configured to generate logs that are group-owned by root with the following command: $ sudo grep log_group /etc/audit/auditd.conf log_group = root If the audit daemon is not configured to generate logs that are group-owned by "root", this is a finding.

Fix: F-71937r1131024_fix

Configure the audit daemon to generate logs that are group-owned by root. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: environment.etc."audit/auditd.conf".text = [ '' log_group = root '' ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS audit directory and logs must be owned by root to prevent unauthorized read access.

AU-9 - Medium - CCI-000162 - V-268111 - SV-268111r1039221_rule

RMF Control

AU-9

Severity

M

CCI

Version

ANIX-00-000530

Vuln IDs

V-268111

Rule IDs

SV-268111r1039221_rule

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084

Checks: C-72035r1039219_chk

Verify the audit directory and logs are owned by "root". First, determine where the audit logs are stored with the following command: $ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the location of the audit log file (if not specified, the default location is "/var/log/audit/audit.log"), determine if the audit log is owned by "root" using the following command: $ sudo find /var/log/audit -exec stat -c "%U %n" {} \; root /var/log/audit root /var/log/audit/audit.log If the audit directory and logs are not owned by "root", this is a finding.

Fix: F-71938r1039220_fix

Configure the audit directory and logs to be protected from unauthorized read access, by setting the correct owner as "root". Using the path of the directory containing the audit logs (if not specified, the default location is "/var/log/audit/audit.log"), configure the audit directory and log files to be owned by "root" by using the following command: $ sudo chown -R root /var/log/audit

b

NixOS audit directory and logs must be group-owned by root to prevent unauthorized read access.

AU-9 - Medium - CCI-000162 - V-268112 - SV-268112r1039224_rule

RMF Control

AU-9

Severity

M

CCI

Version

ANIX-00-000540

Vuln IDs

V-268112

Rule IDs

SV-268112r1039224_rule

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084

Checks: C-72036r1039222_chk

Verify the audit directory and logs are group-owned by "root". First, determine where the audit logs are stored with the following command: $ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the location of the audit log file (if not specified, the default location is "/var/log/audit/audit.log"), determine if the audit log is group-owned by "root" using the following command: $ sudo find /var/log/audit -exec stat -c "%G %n" {} \; root /var/log/audit root /var/log/audit/audit.log If the audit directory and logs are not group-owned by "root", this is a finding.

Fix: F-71939r1039223_fix

Configure the audit directory and logs to be protected from unauthorized read access, by setting the correct group-owner as "root". Using the path of the directory containing the audit logs (if not specified, the default location is "/var/log/audit/audit.log"), configure the audit directory and log files to be group-owned by "root" by using the following command: $ sudo chown -R :root /var/log/audit

b

NixOS audit log directory must have a mode of 0700 or less permissive.

AU-9 - Medium - CCI-000162 - V-268113 - SV-268113r1039227_rule

RMF Control

AU-9

Severity

M

CCI

Version

ANIX-00-000550

Vuln IDs

V-268113

Rule IDs

SV-268113r1039227_rule

Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit NixOS system activity.

Checks: C-72037r1039225_chk

Verify that the audit log directory has a mode of "0700" or less permissive. First, determine where the audit logs are stored with the following command: $ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the path of the directory containing the audit logs, check if the audit log directory has a mode of "0700" or less by using the following command: $ sudo find /var/log/audit -type d -exec stat -c "%a %n" {} \; 700 /var/log/audit If the audit log directory (or any subfolders) has a mode more permissive than "0700", this is a finding.

Fix: F-71940r1039226_fix

Configure the audit log directory to have a mode of "0700" or less permissive. Using the path of the directory containing the audit logs, configure the audit log directory to have a mode of "0700" or less permissive by using the following command: $ sudo chmod 0700 /var/log/audit

b

NixOS audit logs must have a mode of 0600 or less permissive.

AU-9 - Medium - CCI-000162 - V-268114 - SV-268114r1039230_rule

RMF Control

AU-9

Severity

M

CCI

Version

ANIX-00-000560

Vuln IDs

V-268114

Rule IDs

SV-268114r1039230_rule

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084

Checks: C-72038r1039228_chk

Verify that the audit log files have a mode of "0600" or less permissive. First, determine where the audit logs are stored with the following command: $ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the path of the directory containing the audit logs, check if the audit log files have a mode of "0600" or less by using the following command: $ sudo find /var/log/audit -type f -exec stat -c "%a %n" {} \; 600 /var/log/audit/audit.log If the audit log files have a mode more permissive than "0600", this is a finding.

Fix: F-71941r1039229_fix

Verify that the audit log files have a mode of "0600" or less permissive. Using the path of the directory containing the audit logs, configure the audit log files have a mode of "0600" or less by using the following command: $ sudo chmod 0600 /var/log/audit/audit.log

b

NixOS journald directory and logs must be owned by root to prevent unauthorized read access.

AU-9 - Medium - CCI-000162 - V-268115 - SV-268115r1131028_rule

RMF Control

AU-9

Severity

M

CCI

Version

ANIX-00-000570

Vuln IDs

V-268115

Rule IDs

SV-268115r1131028_rule

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084

Checks: C-72039r1131026_chk

Verify the journald directories and logs are owned by "root" by executing the following command: $ sudo find /var/log/journal -printf "%p %u\n" /var/log/journal root /var/log/journal/8960867736094c2089638a86c43fd755 root If any occurrences of owner are not "root", this is a finding.

Fix: F-71942r1131027_fix

The systemd-journald logs are by design stored with root:systemd-journald owner and group respectively. If any files are found with different ownership, run the following command to correct them: $ sudo chown -R root:systemd-journald /var/log/journald

b

NixOS journald directory and logs must be group-owned by systemd-journald to prevent unauthorized read access.

AU-9 - Medium - CCI-000162 - V-268116 - SV-268116r1131031_rule

RMF Control

AU-9

Severity

M

CCI

Version

ANIX-00-000580

Vuln IDs

V-268116

Rule IDs

SV-268116r1131031_rule

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084

Checks: C-72040r1131029_chk

Verify the journald directories and logs are group-owned by "systemd-journald" by executing the following command: $ sudo find /var/log/journal -not -group systemd-journal If any directories or files are returned, this is a finding.

Fix: F-71943r1131030_fix

The systemd-journald logs are by design stored with root:systemd-journald owner and group respectively. If any files are found with different ownership, run the following command to correct them: $ sudo chown -R root:systemd-journald /var/log/journald

b

NixOS systemd-journald directory must have a mode of 2755 or less permissive.

AU-9 - Medium - CCI-000162 - V-268117 - SV-268117r1131034_rule

RMF Control

AU-9

Severity

M

CCI

Version

ANIX-00-000590

Vuln IDs

V-268117

Rule IDs

SV-268117r1131034_rule

Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit NixOS system activity.

Checks: C-72041r1131032_chk

Verify NixOS protects log information from unauthorized read access by implementing a mode of 2755 or less on the creation of log directories with the following command: $ sudo find /var/log/journal -type d -perm -2755 -not -perm 2755 -printf "%p %m\n" If any directories have a permission of greater than 2755, this is a finding.

Fix: F-71944r1131033_fix

The systemd-journald directories are by design set to 2755 mode. If any directories are found with incorrect perms, correct them with the following command: $ sudo find /var/log/journal -type d -exec chmod 2755 {} \;

b

NixOS systemd-journald logs must have a mode of 0640 or less permissive.

AU-9 - Medium - CCI-000162 - V-268118 - SV-268118r1131037_rule

RMF Control

AU-9

Severity

M

CCI

Version

ANIX-00-000600

Vuln IDs

V-268118

Rule IDs

SV-268118r1131037_rule

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000205-GPOS-00083

Checks: C-72042r1131035_chk

Verify NixOS protects log information from unauthorized read access by implementing a mode of 0640 or less on the creation of log files with the following command: $ sudo find /var/log/journal -type f -perm -640 -not -perm 640 -printf "%p %m\n" If any log files have a permission of greater than 0640, this is a finding.

Fix: F-71945r1131036_fix

The systemd-journald files are by design set to 0640 mode. If any files are found with incorrect perms, correct them with the following command: $ sudo find /var/log/journal -type f -exec chmod 0640 {} \;

b

NixOS audit system must protect logon UIDs from unauthorized change.

AU-9 - Medium - CCI-000163 - V-268119 - SV-268119r1131040_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000163

Version

ANIX-00-000610

Vuln IDs

V-268119

Rule IDs

SV-268119r1131040_rule

If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit system activity. In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes. Satisfies: SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029

Checks: C-72043r1131038_chk

Verify the audit system prevents unauthorized changes to logon UIDs with the following command: $ sudo auditctl -s | grep -i immutable loginuid_immutable 1 locked If the command does not return "loginuid_immutable 1 locked", this is a finding.

Fix: F-71946r1131039_fix

Configure NixOS to prevent unauthorized changes to logon UIDs. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.audit.rules = [ "--loginuid-immutable" ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS audit configuration files must have a mode of 444 or less permissive.

AU-12 - Medium - CCI-000171 - V-268120 - SV-268120r1131043_rule

RMF Control

AU-12

Severity

M

CCI

Version

ANIX-00-000660

Vuln IDs

V-268120

Rule IDs

SV-268120r1131043_rule

Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Checks: C-72044r1131041_chk

Verify that the NixOS audit configuration and service files have a mode of 444 or less permissive with the following commands: $ sudo find -L /etc/audit -type f -exec stat -L -c "%a %n" {} \; $ sudo find -L /etc/systemd/system -iname "audit*" -type f -exec stat -L -c "%a %n" {} \; $ stat -c '%a %n' $(realpath /etc/systemd/system/audit*.service) 444 /etc/audit/auditd.conf 444 /etc/systemd/system/audit.service 444 /etc/systemd/system/auditd.service 444 /etc/systemd/system/basic.target.wants/audit.service 444 /etc/systemd/system/sysinit.target.wants/audit.service 444 /nix/store/dr3i90b3n1fb06fr1gw12jfg9wb8dkrc-unit-auditd.service/auditd.service 444 /nix/store/dc6s6z7ykbmq70i5z8cff0agwsmp9jhm-unit-audit.service/audit.service If the audit configuration files have a mode more permissive than 444, this is a finding.

Fix: F-71947r1131042_fix

Configure NixOS audit configuration and service files to have a mode of 444 or less permissive with the following command: Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS system configuration file directories must have a mode of "0755" or less permissive.

AU-12 - Medium - CCI-000171 - V-268121 - SV-268121r1131046_rule

RMF Control

AU-12

Severity

M

CCI

Version

ANIX-00-000670

Vuln IDs

V-268121

Rule IDs

SV-268121r1131046_rule

Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Checks: C-72045r1131044_chk

Verify that the NixOS audit configuration directories have a mode of "755" or less permissive with the following commands: $ sudo find -L /etc/audit -type d -exec stat -L -c "%a %n" {} \; 755 /etc/audit If the audit configuration files have a mode more permissive than "755", this is a finding.

Fix: F-71948r1131045_fix

Update the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix, to use a mode of 755 or less for directories under /etc/audit. Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS system configuration files and directories must be owned by root.

AU-12 - Medium - CCI-000171 - V-268122 - SV-268122r1131049_rule

RMF Control

AU-12

Severity

M

CCI

Version

ANIX-00-000680

Vuln IDs

V-268122

Rule IDs

SV-268122r1131049_rule

Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Checks: C-72046r1131047_chk

Verify that the NixOS audit configuration files and directories are owned by root with the following command: $ sudo find /etc/audit -exec stat -L -c "%U %n" {} \; $ sudo find /etc/systemd/system -follow -iname "audit*service" -exec stat -c "%U %n" {} \; root /etc/audit root /etc/audit/auditd.conf root /etc/systemd/system/audit.service root /etc/systemd/system/auditd.service root /etc/systemd/system/basic.target.wants/audit.service root /etc/systemd/system/sysinit.target.wants/auditd.service If the audit configuration files and directories are not owned by root, this is a finding.

Fix: F-71949r1131048_fix

Update the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix, to only use the root user for files under /etc/audit. Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS system configuration files and directories must be group-owned by root.

AU-12 - Medium - CCI-000171 - V-268123 - SV-268123r1131052_rule

RMF Control

AU-12

Severity

M

CCI

Version

ANIX-00-000690

Vuln IDs

V-268123

Rule IDs

SV-268123r1131052_rule

Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Checks: C-72047r1131050_chk

Verify that the NixOS audit configuration files and directories are group-owned by root with the following commands: $ sudo find /etc/audit -exec stat -L -c "%G %n" {} \; $ sudo find /etc/systemd/system -follow -iname "audit*service" -exec stat -c "%G %n" {} \; root /etc/audit root /etc/audit/auditd.conf root /etc/systemd/system/audit.service root /etc/systemd/system/auditd.service root /etc/systemd/system/basic.target.wants/audit.service root /etc/systemd/system/sysinit.target.wants/auditd.service If the system configuration files and directories are not group-owned by root or other privileged group (such as shadow), this is a finding.

Fix: F-71950r1131051_fix

Update the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix, to only use the root group for files under /etc/audit. Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

IA-5 - Medium - CCI-000185 - V-268124 - SV-268124r1131055_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000185

Version

ANIX-00-000710

Vuln IDs

V-268124

Rule IDs

SV-268124r1131055_rule

Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182, SRG-OS-000775-GPOS-00230

Checks: C-72048r1131053_chk

Verify NixOS only allows the use of DOD PKI-established certificate authorities by running the following: $ openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = U.S. Government, OU = DOD, OU = PKI, CN = DOD Root CA 3 Validity Not Before: Mar 20 18:46:41 2012 GMT Not After : Dec 30 18:46:41 2029 GMT Subject: C = US, O = U.S. Government, OU = DOD, OU = PKI, CN = DOD Root CA 3 Subject Public Key Info: Public Key Algorithm: rsaEncryption If the root CA file is not a DOD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location, this is a finding.

Fix: F-71951r1131054_fix

Configure NixOS to authenticate using DOD's root CA. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: services.sssd.enable = true; environment.etc."sssd/pki/sssd_auth_ca_db.pem".source = let certzip = pkgs.fetchzip { url = "https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_v5-6_dod.zip"; sha256 = "sha256-iwwJRXCnONk/LFddQlwy8KX9e9kVXW/QWDnX5qZFZjc="; }; in "${certzip}/DOD_PKE_CA_chain.pem"; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must enforce authorized access to the corresponding private key for PKI-based authentication.

IA-5 - Medium - CCI-000186 - V-268125 - SV-268125r1039263_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000186

Version

ANIX-00-000720

Vuln IDs

V-268125

Rule IDs

SV-268125r1039263_rule

If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and nonrepudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.

Checks: C-72049r1039261_chk

Verify the SSH private key files have a passcode. For each private key stored on the system, use the following command: $ sudo ssh-keygen -y -f /path/to/file If the contents of the key are displayed, this is a finding.

Fix: F-71952r1039262_fix

Create new private/public key pairs that use a passcode using the following command: $ sudo ssh-keygen -n [passphrase]

b

NixOS must enforce password complexity by requiring that at least one uppercase character be used.

Medium - CCI-004066 - V-268126 - SV-268126r1131057_rule

RMF Control

Severity

M

CCI

Version

ANIX-00-000730

Vuln IDs

V-268126

Rule IDs

SV-268126r1131057_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Checks: C-72050r1039264_chk

Verify NixOS enforces password complexity by requiring at least one uppercase character with the following command: $ grep ucredit /etc/security/pwquality.conf ucredit=-1 If the value of "ucredit" is a positive number or is commented out, this is a finding.

Fix: F-71953r1131056_fix

Configure NixOS to enforce password complexity. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: environment.etc."/security/pwquality.conf".text = '' ucredit=-1 ''; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must enforce password complexity by requiring that at least one lowercase character be used.

Medium - CCI-004066 - V-268127 - SV-268127r1131059_rule

RMF Control

Severity

M

CCI

Version

ANIX-00-000740

Vuln IDs

V-268127

Rule IDs

SV-268127r1131059_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Checks: C-72051r1039267_chk

Verify NixOS enforces password complexity by requiring at least one lowercase character with the following command: $ grep lcredit /etc/security/pwquality.conf lcredit=-1 If the value of "lcredit" is a positive number or is commented out, this is a finding.

Fix: F-71954r1131058_fix

Configure NixOS to enforce password complexity. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: environment.etc."/security/pwquality.conf".text = '' lcredit=-1 ''; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must enforce password complexity by requiring that at least one numeric character be used.

Medium - CCI-004066 - V-268128 - SV-268128r1131061_rule

RMF Control

Severity

M

CCI

Version

ANIX-00-000750

Vuln IDs

V-268128

Rule IDs

SV-268128r1131061_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Checks: C-72052r1039270_chk

Verify NixOS enforces password complexity by requiring at least one numeric character with the following command: $ grep dcredit /etc/security/pwquality.conf dcredit=-1 If the value of "dcredit" is a positive number or is commented out, this is a finding.

Fix: F-71955r1131060_fix

Configure NixOS to enforce password complexity. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: environment.etc."/security/pwquality.conf".text = '' dcredit=-1 ''; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must require the change of at least 50 percent of the total number of characters when passwords are changed.

Medium - CCI-004066 - V-268129 - SV-268129r1131063_rule

RMF Control

Severity

M

CCI

Version

ANIX-00-000760

Vuln IDs

V-268129

Rule IDs

SV-268129r1131063_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Checks: C-72053r1039273_chk

Verify NixOS enforces password complexity by requiring that at least 50 percent of the characters are changed with the following command: $ grep difok /etc/security/pwquality.conf difok=8 If the value of "difok" is set to less than "8", or is commented out, this is a finding.

Fix: F-71956r1131062_fix

Configure NixOS to enforce password complexity. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: environment.etc."/security/pwquality.conf".text = '' difok=8 ''; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

c

NixOS must store only encrypted representations of passwords.

High - CCI-004062 - V-268130 - SV-268130r1131065_rule

RMF Control

Severity

H

CCI

CCI-004062

Version

ANIX-00-000770

Vuln IDs

V-268130

Rule IDs

SV-268130r1131065_rule

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

Checks: C-72054r1039276_chk

Verify NixOS stores only encrypted representations of passwords with the following command: $ grep ENCRYPT_METHOD /etc/login.defs ENCRYPT_METHOD SHA512 If "ENCRYPT_METHOD" does not equal SHA512 or greater, is commented out, or is missing, this is a finding.

Fix: F-71957r1131064_fix

Configure NixOS to store only encrypted representations of passwords. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.loginDefs.settings.ENCRYPT_METHOD = "SHA512"; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

c

NixOS must not have the telnet package installed.

IA-5 - High - CCI-000197 - V-268131 - SV-268131r1131067_rule

RMF Control

IA-5

Severity

H

CCI

CCI-000197

Version

ANIX-00-000780

Vuln IDs

V-268131

Rule IDs

SV-268131r1131067_rule

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

Checks: C-72055r1039279_chk

Ensure the telnet package is not installed and available with the following command: $ whereis telnet telnet: If there is a path, and the output looks like "telnet: /nix/store/sqiphymcpky1yysgdc1aj4lr9jg9n53a-inetutils-2.2/bin/telnet", this is a finding.

Fix: F-71958r1131066_fix

Edit the NixOS Configuration file /etc/nixos/configuration.nix or /etc/nixos/flake.nix and remove any references to pkgs.libtelnet, pkgs.busybox, or pkgs.inetutils from the environment.systemPackages list. Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must enforce 24 hours/one day as the minimum password lifetime.

Medium - CCI-004066 - V-268132 - SV-268132r1131069_rule

RMF Control

Severity

M

CCI

Version

ANIX-00-000790

Vuln IDs

V-268132

Rule IDs

SV-268132r1131069_rule

Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Checks: C-72056r1039282_chk

Verify NixOS enforces 24 hours/one day as the minimum password lifetime with the following command: $ grep PASS_MIN_DAYS /etc/login.defs PASS_MIN_DAYS 1 If PASS_MIN_DAYS_1 is not present, is commented out, or is a value different from 1, this is a finding.

Fix: F-71959r1131068_fix

Configure NixOS operating system to enforce 24 hours/one day as the minimum password lifetime. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.loginDefs.settings.PASS_MIN_DAYS = "1"; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must enforce a 60-day maximum password lifetime restriction.

Medium - CCI-004066 - V-268133 - SV-268133r1131071_rule

RMF Control

Severity

M

CCI

Version

ANIX-00-000800

Vuln IDs

V-268133

Rule IDs

SV-268133r1131071_rule

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Checks: C-72057r1039285_chk

Verify NixOS enforces a 60-day maximum password lifetime for new user accounts by running the following command: $ grep PASS_MAX_DAYS /etc/login.defs PASS_MAX_DAYS 60 If the "PASS_MAX_DAYS" parameter value is less than 60 or commented out, this is a finding.

Fix: F-71960r1131070_fix

Configure NixOS operating system to enforce a 60-day maximum password lifetime. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.loginDefs.settings.PASS_MAX_DAYS = "60"; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must enforce a minimum 15-character password length.

Medium - CCI-004066 - V-268134 - SV-268134r1131073_rule

RMF Control

Severity

M

CCI

Version

ANIX-00-000810

Vuln IDs

V-268134

Rule IDs

SV-268134r1131073_rule

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Checks: C-72058r1039288_chk

Verify NixOS enforces a minimum 15-character password length with the following command: $ grep minlen /etc/security/pwquality.conf minlen=15 If the value of "minlen" is set to less than "15", or is commented out, this is a finding.

Fix: F-71961r1131072_fix

Configure NixOS to enforce password complexity. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: environment.etc."/security/pwquality.conf".text = '' minlen=15 ''; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users).

IA-2 - Medium - CCI-000764 - V-268135 - SV-268135r1039293_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000764

Version

ANIX-00-000840

Vuln IDs

V-268135

Rule IDs

SV-268135r1039293_rule

To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062

Checks: C-72059r1039291_chk

Verify the NixOS operating system contains no duplicate User IDs (UIDs) for interactive users with the following command: $ awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If output is produced and the accounts listed are interactive user accounts, this is a finding.

Fix: F-71962r1039292_fix

Configure the NixOS to uniquely identify and authenticate nonorganizational users by editing the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.

b

NixOS must use multifactor authentication for network access to privileged accounts.

IA-2 - Medium - CCI-000765 - V-268136 - SV-268136r1131076_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000765

Version

ANIX-00-000850

Vuln IDs

V-268136

Rule IDs

SV-268136r1131076_rule

Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. Factors include: 1) something a user knows (e.g., password/PIN); 2) something a user has (e.g., cryptographic identification device, token); and 3) something a user is (e.g., biometric). A privileged account is defined as an information system account with authorizations of a privileged user. Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet). The DOD CAC with DOD-approved PKI is an example of multifactor authentication. Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055

Checks: C-72060r1131074_chk

Verify NixOS has the packages required for multifactor authentication installed with the following command: $ which p11sak /run/current-system/sw/bin/p11sak If the "p11sak" program is not found in PATH, this is a finding.

Fix: F-71963r1131075_fix

Configure NixOS to have a package that enforces multifactor authentication installed. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: environment.systemPackages = [ pkgs.opencryptoki ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must not allow direct login to the root account via SSH.

Medium - CCI-004045 - V-268137 - SV-268137r1131078_rule

RMF Control

Severity

M

CCI

CCI-004045

Version

ANIX-00-000890

Vuln IDs

V-268137

Rule IDs

SV-268137r1131078_rule

To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator are the UNIX OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account. For example, the UNIX and Windows operating systems offer a "switch user" capability allowing users to authenticate with their individual credentials and, when needed, "switch" to the administrator role. This method provides for unique individual authentication prior to using a group authenticator. Users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses other than those explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the operating system without identification or authentication. Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.

Checks: C-72061r1039297_chk

Verify the NixOS configuration disallows directly logging into the root account via SSH with the following command: $ grep PermitRootLogin /etc/ssh/sshd_config PermitRootLogin no If the value is anything other than "no", this is a finding.

Fix: F-71964r1131077_fix

Configure NixOS to ensure the root user login via SSH is disabled. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: services.openssh.permitRootLogin = "no"; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must not allow direct login to the root account.

Medium - CCI-004045 - V-268138 - SV-268138r1131081_rule

RMF Control

Severity

M

CCI

CCI-004045

Version

ANIX-00-000900

Vuln IDs

V-268138

Rule IDs

SV-268138r1131081_rule

To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator are the UNIX OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account. For example, the UNIX and Windows operating systems offer a "switch user" capability allowing users to authenticate with their individual credentials and, when needed, "switch" to the administrator role. This method provides for unique individual authentication prior to using a group authenticator. Users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses other than those explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the operating system without identification or authentication. Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.

Checks: C-72062r1131079_chk

Verify the NixOS operating system prevents directly logging in to the root account with the following command: $ sudo passwd -S root root L 01/02/1970 -1 -1 -1 -1 If the second field in the output is not "L" or "NP", then the root account is not locked and has a password configured, and this is a finding.

Fix: F-71965r1131080_fix

Configure NixOS to ensure the root user is locked. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: users.mutableUsers = false; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must enable USBguard.

IA-3 - Medium - CCI-000778 - V-268139 - SV-268139r1131083_rule

RMF Control

IA-3

Severity

M

CCI

CCI-000778

Version

ANIX-00-000930

Vuln IDs

V-268139

Rule IDs

SV-268139r1131083_rule

Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000690-GPOS-00140

Checks: C-72063r1039303_chk

Verify NixOS had enabled the use of the USBGuard with the following command: $ systemctl status usbguard usbguard.service - USBGuard daemon Loaded: loaded (/etc/systemd/system/usbguard.service; enabled; present: enabled) Active: active (running) since Sat 2022-06-04 02:51:43 UTC; 13min ago If the usbguard.service is not "active" and "running", this is a finding.

Fix: F-71966r1131082_fix

Configure NixOS to enable USBGuard and generate a USBGuard ruleset. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: services.usbguard.enable = true; Rebuild the system configuration by running the following command: $ sudo nixos-rebuild switch As root, generate a usbguard configuration. Using the "usbguard" command, use "usbguard list-devices" to list connected USB devices, "usbguard block-device" to block a device, and "usbguard allow-device" to allow a device. Note that the default behavior is to block devices. When all connected USB devices have been permitted, generate a ruleset by running the following command as root: # usbguard generate-policy Edit the NixOS config to add the policy: services.usbguard.rules = '' allow id 1d6b:0001 serial "0000:00:01.2" name "UHCI Host Controller" hash "FRDEjz7OhdJbNjmJ8zityiNX/LuO+ovKC07I0bOFjao=" parent-hash "9+Zsfvo9IR/AEQ/Fn4mzdoPGk0rqpjku6uErfS09K4c=" with-interface 09:00:00 with-connect-type "" allow id 0627:0001 serial "28754-0000:00:01.2-1" name "QEMU USB Tablet" hash "5TyVK8wyL5GmiIbZV2Sf/ehIRMCP83miy4kOzG6O+2M=" parent-hash "FRDEjz7OhdJbNjmJ8zityiNX/LuO+ovKC07I0bOFjao=" with-interface 03:00:00 with-connect-type "unknown" ''; Note: This ruleset is only an example; generate a policy using the process described above. Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

A sticky bit must be set on all NixOS public directories to prevent unauthorized and unintended information transferred via shared system resources.

SC-4 - Medium - CCI-001090 - V-268140 - SV-268140r1117267_rule

RMF Control

SC-4

Severity

M

CCI

CCI-001090

Version

ANIX-00-000970

Vuln IDs

V-268140

Rule IDs

SV-268140r1117267_rule

Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.

Checks: C-72064r1039306_chk

Verify NixOS is configured with the sticky bit on world-writable directories with the following command: $ sudo find / -type d $ -perm -0002 -a ! -perm -1000 $ -print 2>/dev/null If any of the returned directories are world-writable and do not have the sticky bit set, this is a finding.

Fix: F-71967r1039307_fix

Configure all public directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. Set the sticky bit on all public directories using the following command, replacing "[Public Directory]" with any directory path missing the sticky bit: $ sudo chmod +t [Public Directory]

b

NixOS must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.

SC-5 - Medium - CCI-001095 - V-268141 - SV-268141r1131085_rule

RMF Control

SC-5

Severity

M

CCI

CCI-001095

Version

ANIX-00-000980

Vuln IDs

V-268141

Rule IDs

SV-268141r1131085_rule

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.

Checks: C-72065r1039309_chk

Verify NixOS is configured to use IPv4 TCP syncookies with the following command: $ sudo sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_syncookies = 1 If the network parameter "ipv4.tcp_syncookies" is not equal to "1" or nothing is returned, this is a finding.

Fix: F-71968r1131084_fix

Configure the audit service to use IPv4 TCP syncookies. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: boot.kernel.sysctl = { "net.ipv4.tcp_syncookies"=1; }; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must terminate all SSH connections after 10 minutes of becoming unresponsive.

SC-10 - Medium - CCI-001133 - V-268142 - SV-268142r1131087_rule

RMF Control

SC-10

Severity

M

CCI

CCI-001133

Version

ANIX-00-000990

Vuln IDs

V-268142

Rule IDs

SV-268142r1131087_rule

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175

Checks: C-72066r1039312_chk

Verify that all network connections associated with SSH traffic are automatically terminated after 10 minutes of becoming unresponsive with the following command: $ grep -i clientaliveinterval /etc/ssh/sshd_config ClientAliveInterval 600 If "ClientAliveInterval" does not have a value of "600" or less, is commented out, or is missing, this is a finding.

Fix: F-71969r1131086_fix

Configure NixOS to automatically terminate all network connections associated with SSH traffic after being unresponsive for 10 minutes. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: services.openssh.extraConfig = '' ClientAliveInterval 600 ''; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must terminate all SSH connections after becoming unresponsive.

SC-10 - Medium - CCI-001133 - V-268143 - SV-268143r1131089_rule

RMF Control

SC-10

Severity

M

CCI

CCI-001133

Version

ANIX-00-001000

Vuln IDs

V-268143

Rule IDs

SV-268143r1131089_rule

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.

Checks: C-72067r1039315_chk

Verify that all network connections associated with SSH traffic are automatically terminated after becoming unresponsive with the following command: $ grep -i clientalivecount /etc/ssh/sshd_config ClientAliveCountMax 1 If "ClientAliveCountMax" is not set to "1", is commented out, or is missing, this is a finding.

Fix: F-71970r1131088_fix

Configure NixOS to automatically terminate all network connections associated with SSH traffic after being unresponsive. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: services.openssh.extraConfig = '' ClientAliveCountMax 1 ''; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

c

NixOS must protect the confidentiality and integrity of all information at rest.

SC-28 - High - CCI-001199 - V-268144 - SV-268144r1039320_rule

RMF Control

SC-28

Severity

H

CCI

CCI-001199

Version

ANIX-00-001010

Vuln IDs

V-268144

Rule IDs

SV-268144r1039320_rule

Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184, SRG-OS-000780-GPOS-00240

Checks: C-72068r1039318_chk

Verify NixOS prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. Verify all system partitions are encrypted with the following command: $ sudo blkid /dev/sda1: LABEL="nixos" UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS" Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding.

Fix: F-71971r1039319_fix

Configure NixOS to prevent unauthorized modification of all information at rest by using disk encryption. Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. Refer to the NixOS manual Section 8.1 "LUKS-Encrypted File Systems" for further details. NixOS Wiki: https://nixos.wiki/wiki/Full_Disk_Encryption

b

NixOS must enforce password complexity by requiring that at least one special character be used.

Medium - CCI-004066 - V-268145 - SV-268145r1131091_rule

RMF Control

Severity

M

CCI

Version

ANIX-00-001160

Vuln IDs

V-268145

Rule IDs

SV-268145r1131091_rule

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.

Checks: C-72069r1039321_chk

Verify NixOS enforces the use of at least one special character in passwords with the following command: $ grep minlen /etc/security/pwquality.conf ocredit=-1 If the value of "ocredit" is a positive number or is commented out, this is a finding.

Fix: F-71972r1131090_fix

Configure NixOS to enforce password complexity. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: environment.etc."/security/pwquality.conf".text = '' ocredit=-1 ''; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

c

NixOS must protect wireless access to and from the system using encryption.

AC-18 - High - CCI-001444 - V-268146 - SV-268146r1131093_rule

RMF Control

AC-18

Severity

H

CCI

CCI-001444

Version

ANIX-00-001250

Vuln IDs

V-268146

Rule IDs

SV-268146r1131093_rule

Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Since wireless communications can be intercepted, it is necessary to use encryption to protect the confidentiality of information in transit. Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. This requirement applies to those operating systems that control wireless devices. Satisfies: SRG-OS-000299-GPOS-00117, SRG-OS-000481-GPOS-00481

Checks: C-72070r1039324_chk

Verify NixOS disables wireless adapters by running the following command: $ grep -R networking.wireless /etc/nixos/ /etc/nixos/configuratino.nix:networking.wireless.enable = false; If " networking.wireless.enable", does not equal false, is missing, or is commented out, this is a finding.

Fix: F-71973r1131092_fix

Configure the audit service to disable wireless interfaces. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: networking.wireless.enable = false; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must protect wireless access to the system using authentication of users and/or devices.

AC-18 - Medium - CCI-001443 - V-268147 - SV-268147r1131095_rule

RMF Control

AC-18

Severity

M

CCI

CCI-001443

Version

ANIX-00-001260

Vuln IDs

V-268147

Rule IDs

SV-268147r1131095_rule

Allowing devices and users to connect to the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication. This requirement applies to operating systems that control wireless devices.

Checks: C-72071r1039327_chk

Verify NixOS disables Bluetooth adapters by running the following command: $ grep -R hardware.bluetooth /etc/nixos/ /etc/nixos/configuration.nix:hardware.bluetooth.enable = false; If "hardware.bluetooth.enable", does not equal false, is missing, or is commented out, this is a finding.

Fix: F-71974r1131094_fix

Configure the audit service to disable Bluetooth adapters. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: hardware.bluetooth.enable = false; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must prevent all software from executing at higher privilege levels than users executing the software.

AC-6 - Medium - CCI-002233 - V-268148 - SV-268148r1131097_rule

RMF Control

AC-6

Severity

M

CCI

CCI-002233

Version

ANIX-00-001280

Vuln IDs

V-268148

Rule IDs

SV-268148r1131097_rule

In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations. Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review.

Checks: C-72072r1039330_chk

Verify NixOS audits and provides alerts of audit failures by running the following command: $grep A -15 security.auditd /etc/nixos/configuration.nix /etc/nixos/configuration.nix: security.auditd.enable = true; security.audit.enable = true; security.audit.rules = [ '' <audit_rules> '' ]; security.audit.rules = [ "-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv" "-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv" ]; If "security.auditd", "security.audit" and the additional modifications do not equal true, are missing, or are commented out, this is a finding.

Fix: F-71975r1131096_fix

Configure the audit service to produce audit records. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.auditd.enable = true; security.audit.enable = true; Add the following audit rules: security.audit.rules = [ "-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv" "-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv" ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).

Medium - CCI-004923 - V-268149 - SV-268149r1131099_rule

RMF Control

Severity

M

CCI

CCI-004923

Version

ANIX-00-001420

Vuln IDs

V-268149

Rule IDs

SV-268149r1131099_rule

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000359-GPOS-00146, SRG-OS-000785-GPOS-00250

Checks: C-72073r1039333_chk

Verify NixOS is configured with an approved time server with the following command: $ timedatectl show-timesync | grep NTPServers SystemNTPServers=tick.usnogps.navy.mil FallbackNTPServers=tock.usnogps.navy.mil If the output of the command does not list authorized time servers, this is a finding.

Fix: F-71976r1131098_fix

Configure NixOS to use approved timeservers. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: networking.timeServers = [ "tick.usnogps.navy.mil" "tock.usnogps.navy.mil" ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.

Medium - CCI-004926 - V-268150 - SV-268150r1131101_rule

RMF Control

Severity

M

CCI

CCI-004926

Version

ANIX-00-001430

Vuln IDs

V-268150

Rule IDs

SV-268150r1131101_rule

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems). Organizations should also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in SRG-OS-000355 because a comparison must be done to determine the time difference.

Checks: C-72074r1039336_chk

Verify NixOS synchronizes internal information system clocks to the authoritative time source when the time difference is greater than one second with the following command: $ grep -iR pollinterval /etc/nixos/ services.timesyncd.extraConfig = "PollIntervalMaxSec=60"; If "PollIntervalMaxSec" is greater than "60", is commented out, or is missing, this is a finding.

Fix: F-71977r1131100_fix

Configure NixOS to regularly synchronize the system clock. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: services.timesyncd.extraConfig = '' PollIntervalMaxSec=60 ''; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must have time synchronization enabled.

Medium - CCI-004926 - V-268151 - SV-268151r1131103_rule

RMF Control

Severity

M

CCI

CCI-004926

Version

ANIX-00-001440

Vuln IDs

V-268151

Rule IDs

SV-268151r1131103_rule

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems). Organizations should also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in SRG-OS-000355 because a comparison must be done to determine the time difference.

Checks: C-72075r1039339_chk

Verify NixOS synchronizes internal information system clocks to the authoritative time source when the time difference is greater than one second with the following command: $ grep -iR timesyncd.enable /etc/nixos/ services.timesyncd.enable = true; If "services.timesyncd.enable" is not set to "true", is commented out, or is missing, this is a finding.

Fix: F-71978r1131102_fix

Configure NixOS to regularly synchronize the system clock. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: services.timesyncd.enable = true; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must prohibit user installation of system software without explicit privileged status.

Medium - CCI-003980 - V-268152 - SV-268152r1131105_rule

RMF Control

Severity

M

CCI

CCI-003980

Version

ANIX-00-001450

Vuln IDs

V-268152

Rule IDs

SV-268152r1131105_rule

Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user. Operating system functionality will vary, and while users are not permitted to install unapproved software, there may be instances where the organization allows the user to install approved software packages, such as from an approved software repository. The operating system or software configuration management utility must enforce control of software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization.

Checks: C-72076r1039342_chk

Verify NixOS prevents unauthorized users from using nix with the following command: $ grep -R allowed-users /etc/nixos/ /etc/nixos/configuration.nix:nix.settings.allowed-users = [ "root" "@wheel" ]; If any other groups or users are included in "nix.settings.allowed-users" other than "root" and "wheel", or the configuration setting does not exist, this is a finding.

Fix: F-71979r1131104_fix

Configure NixOS to prevent unauthorized users from using nix. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: nix.settings.allowed-users = [ "root" "@wheel" ]; Note: Extra usergroups may be permitted by adding them with the format "@group" (e.g.: "@users"). Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must notify designated personnel if baseline configurations are changed in an unauthorized manner.

CM-3 - Medium - CCI-001744 - V-268153 - SV-268153r1131108_rule

RMF Control

CM-3

Severity

M

CCI

CCI-001744

Version

ANIX-00-001460

Vuln IDs

V-268153

Rule IDs

SV-268153r1131108_rule

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201

Checks: C-72077r1131106_chk

Verify NixOS notifies if baseline configurations are changed with Advanced Intrusion Detection Environment with the following commands: $ systemctl is-active aide.service active If aide is not active and is not configured to alert on file system changes, this is a finding.

Fix: F-71980r1131107_fix

Configure NixOS to notify when baseline configuration changes. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: nixpkgs.overlays = [ (final: prev: { aide = prev.aide.overrideAttrs (old: { configureFlags = (old.configureFlags or [ ]) ++ [ "--sysconfdir=/etc" ]; }); }) ]; environment.systemPackages = [ pkgs.aide ]; environment.etc = { # Creates /etc/aide.conf "aide.conf" = { text = '' <CONFIG_TEXT> ''; mode = "0444"; }; }; services.cron = { enable = true; systemCronJobs = [ "00 0 * * 0\troot\taide -c /etc/aide.conf --check | /bin/mail -s "aide integrity check run for ${config.networking.hostName}" root@notareal.email" ]; }; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

c

NixOS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.

High - CCI-003992 - V-268154 - SV-268154r1131111_rule

RMF Control

Severity

H

CCI

CCI-003992

Version

ANIX-00-001480

Vuln IDs

V-268154

Rule IDs

SV-268154r1131111_rule

Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved certificate authority (CA).

Checks: C-72078r1131109_chk

Verify NixOS prevents installations that have not been digitally signed with the following command: $ grep -R require-sigs /etc/nix/nix.conf require-sigs = true If "require-sigs" is not set to "true" or is missing, this is a finding.

Fix: F-71981r1131110_fix

Configure NixOS to require signatures. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: nix.settings.require-sigs = true; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must require users to reauthenticate for privilege escalation.

CM-6 - Medium - CCI-000366 - V-268155 - SV-268155r1131113_rule

RMF Control

CM-6

Severity

M

CCI

Version

ANIX-00-001500

Vuln IDs

V-268155

Rule IDs

SV-268155r1131113_rule

Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.

Checks: C-72079r1039351_chk

Verify NixOS enforces reauthentication with sudo with the following command: $ sudo grep timestamp_timeout /etc/sudoers Defaults timestamp_timeout=0 If "timestamp_timeout" is greater than 0, is commented out, or is missing, this is a finding.

Fix: F-71982r1131112_fix

Configure NixOS to enforce reauthentication with sudo. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.sudo.extraConfig = '' Defaults timestamp_timeout=0 ''; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must require users to reauthenticate when changing roles.

CM-6 - Medium - CCI-000366 - V-268156 - SV-268156r1131116_rule

RMF Control

CM-6

Severity

M

CCI

Version

ANIX-00-001510

Vuln IDs

V-268156

Rule IDs

SV-268156r1131116_rule

Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to change security roles, it is critical the user reauthenticate.

Checks: C-72080r1131114_chk

Verify NixOS requires users to reauthenticate when changing roles with the following command: $ grep -iR "%wheel" /etc/sudoers %wheel ALL=(ALL:ALL) SETENV: ALL If the returned line contains "NOPASSWD", this is a finding.

Fix: F-71983r1131115_fix

Configure NixOS to require reauthentication for sudo. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.sudo.wheelNeedsPassword = true; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

c

NixOS must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.

MA-4 - High - CCI-002890 - V-268157 - SV-268157r1131119_rule

RMF Control

MA-4

Severity

H

CCI

CCI-002890

Version

ANIX-00-001550

Vuln IDs

V-268157

Rule IDs

SV-268157r1131119_rule

Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms, such as a hash function or digital signature, to protect integrity. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. The operating system can meet this requirement through leveraging a cryptographic module. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch).

Checks: C-72081r1131117_chk

Verify NixOS uses the following FIPS 140-3 approved MAC codes in openssh with the following command: $ grep Mac /etc/ssh/sshd_config Macs hmac-sha2-512 hmac-sha2-256 If "Macs" contains any ciphers other than "hmac-sha2-512" or "hmac-sha2-256", this is a finding.

Fix: F-71984r1131118_fix

Configure /etc/nixos/configuration.nix to use the following FIPS 140-3 approved MAC codes in openssh. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: services.openssh.macs = [ "hmac-sha2-512" "hmac-sha2-256" ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.

SC-5 - Medium - CCI-002385 - V-268158 - SV-268158r1131121_rule

RMF Control

SC-5

Severity

M

CCI

CCI-002385

Version

ANIX-00-001610

Vuln IDs

V-268158

Rule IDs

SV-268158r1131121_rule

Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.

Checks: C-72082r1039360_chk

Verify NixOS firewall enforces rate limits using the hashlimit module. $ sudo iptables -L | grep limit nixos-fw-refuse tcp -- anywhere anywhere tcp dpt:ssh limit: above 1000000b/s mode srcip nixos-fw-refuse tcp -- anywhere anywhere tcp dpt:http limit: above 1000/min burst 5 mode srcip nixos-fw-refuse tcp -- anywhere anywhere tcp dpt:https limit: above 1000/min burst 5 mode srcip If the command does not produce any rate limiting rules, this is a finding.

Fix: F-71985r1131120_fix

Configure the NixOS firewall to enforce rate limits using the hashlimit module. For example, to limit SSH to 1 MB/s and to limit HTTP to 1000 connections / minute per IP, add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: networking.firewall.enable = true; networking.firewall.extraCommands = '' ip46tables --append INPUT --protocol tcp --dport 22 --match hashlimit --hashlimit-name stig_byte_limit --hashlimit-mode srcip --hashlimit-above 1000000b/second --jump nixos-fw-refuse ip46tables --append INPUT --protocol tcp --dport 80 --match hashlimit --hashlimit-name stig_conn_limit --hashlimit-mode srcip --hashlimit-above 1000/minute --jump nixos-fw-refuse ip46tables --append INPUT --protocol tcp --dport 443 --match hashlimit --hashlimit-name stig_conn_limit --hashlimit-mode srcip --hashlimit-above 1000/minute --jump nixos-fw-refuse ''; Note: NixOS provides the helper script "ip46tables" to add rules using both "iptables" and "ip6tables". Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

c

NixOS must protect the confidentiality and integrity of transmitted information.

SC-8 - High - CCI-002418 - V-268159 - SV-268159r1131124_rule

RMF Control

SC-8

Severity

H

CCI

CCI-002418

Version

ANIX-00-001620

Vuln IDs

V-268159

Rule IDs

SV-268159r1131124_rule

Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190

Checks: C-72083r1131122_chk

Verify NixOS enables sshd for remote access with the following command: $ systemctl status sshd sshd.service - SSH daemon Loaded: loaded (/etc/systemd/system/sshd.service; enabled; present: enabled) Active: active (running) since Sat 2022-06-04 02:51:43 UTC; 13min ago If the sshd.service is not "active" and "running", this is a finding.

Fix: F-71986r1131123_fix

Configure NixOS to enable sshd for remote access. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: services.sshd.enable = true; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must implement nonexecutable data to protect its memory from unauthorized code execution.

SI-16 - Medium - CCI-002824 - V-268160 - SV-268160r1131126_rule

RMF Control

SI-16

Severity

M

CCI

CCI-002824

Version

ANIX-00-001660

Vuln IDs

V-268160

Rule IDs

SV-268160r1131126_rule

Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks. Satisfies: SRG-OS-000433-GPOS-00192, SRG-OS-000132-GPOS-00067

Checks: C-72084r1039366_chk

Verify NixOS prevents internal kernel addresses from being leaked with the following command: $ sudo sysctl kernel.kptr_restrict kernel.kptr_restrict = 1 If "kernel.kptr_restrict" does not have a value of "1" or is missing, this is a finding.

Fix: F-71987r1131125_fix

Configure NixOS to prevent internal kernel addresses from being leaked. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: boot.kernel.sysctl = { "kernel.kptr_restrict" = 1; }; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must implement address space layout randomization to protect its memory from unauthorized code execution.

SI-16 - Medium - CCI-002824 - V-268161 - SV-268161r1131128_rule

RMF Control

SI-16

Severity

M

CCI

CCI-002824

Version

ANIX-00-001670

Vuln IDs

V-268161

Rule IDs

SV-268161r1131128_rule

Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks.

Checks: C-72085r1039369_chk

Verify NixOS enables address space layout randomization with the following command: $ sudo sysctl kernel.randomize_va_space kernel.randomize_va_space = 2 If "kernel.randomize_va_space" does not have a value of "2" or is missing, this is a finding.

Fix: F-71988r1131127_fix

Configure /etc/nixos/configuration.nix to enable ASLR. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: boot.kernel.sysctl = { "kernel.randomize_va_space" = 2; }; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must generate audit records when successful/unsuccessful attempts to modify security objects occur.

AU-12 - Medium - CCI-000172 - V-268163 - SV-268163r1131131_rule

RMF Control

AU-12

Severity

M

CCI

Version

ANIX-00-001720

Vuln IDs

V-268163

Rule IDs

SV-268163r1131131_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000463-GPOS-00207, SRG-OS-000042-GPOS-00020, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219

Checks: C-72087r1039375_chk

Verify the NixOS generates audit records when successful/unsuccessful attempts to modify security objects occur with the following command: $ sudo auditctl -l | grep xattr -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod If the command does not return an audit rule for "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr", this is a finding.

Fix: F-71990r1131130_fix

Configure NixOS to log attempts to modify security objects. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.audit.rules = [ "-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod" "-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod" "-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod" "-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod" ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must generate audit records when successful/unsuccessful attempts to delete privileges occur.

AU-12 - Medium - CCI-000172 - V-268164 - SV-268164r1131133_rule

RMF Control

AU-12

Severity

M

CCI

Version

ANIX-00-001730

Vuln IDs

V-268164

Rule IDs

SV-268164r1131133_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-72088r1039378_chk

Verify NixOS generates audit records when attempts to delete privileges occur with the following command: $ sudo auditctl -l | grep usermod -a always,exit -S all -F path=/run/current-system/sw/bin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod If the command does not return an audit rule for "usermod", this is a finding.

Fix: F-71991r1131132_fix

Configure NixOS to record attempts to delete privileges. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.audit.rules = [ "-a always,exit -F path=/run/current-system/sw/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod" ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must generate audit records when successful/unsuccessful attempts to delete security objects occur.

AU-12 - Medium - CCI-000172 - V-268165 - SV-268165r1131135_rule

RMF Control

AU-12

Severity

M

CCI

Version

ANIX-00-001740

Vuln IDs

V-268165

Rule IDs

SV-268165r1131135_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-72089r1039381_chk

Verify that NixOS generates audit records when successful/unsuccessful attempts to delete security objects occur with the following command: $ sudo auditctl -l | grep /bin/ch -a always,exit -S all -F path=/run/current-system/sw/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage -a always,exit -S all -F path=/run/current-system/sw/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_mod If the command does not return an audit rule for "chage" and "chcon", this is a finding.

Fix: F-71992r1131134_fix

Configure NixOS to audit attempts to delete security objects. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.audit.rules = [ "-a always,exit -F path=/run/current-system/sw/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage" "-a always,exit -F path=/run/current-system/sw/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod" ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must generate audit records when concurrent logons to the same account occur from different sources.

AU-12 - Medium - CCI-000172 - V-268166 - SV-268166r1131137_rule

RMF Control

AU-12

Severity

M

CCI

Version

ANIX-00-001790

Vuln IDs

V-268166

Rule IDs

SV-268166r1131137_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000473-GPOS-00218, SRG-OS-000042-GPOS-00020, SRG-OS-000475-GPOS-00220

Checks: C-72090r1039384_chk

Verify NixOS is configured to generate audit records with the following command: $ sudo auditctl -l | grep -w lastlog -w /var/log/lastlog -p wa -k logins If the command does not return a watch for the lastlog file, this is a finding.

Fix: F-71993r1131136_fix

Configure NixOS to generate audit logs on account creations and modifications. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.audit.rules = [ "-w /var/log/lastlog -p wa -k logins" ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must generate audit records for all account creations, modifications, disabling, and termination events.

AU-12 - Medium - CCI-000172 - V-268167 - SV-268167r1131139_rule

RMF Control

AU-12

Severity

M

CCI

Version

ANIX-00-001820

Vuln IDs

V-268167

Rule IDs

SV-268167r1131139_rule

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000476-GPOS-00221, SRG-OS-000042-GPOS-00020, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000477-GPOS-00222, SRG-OS-000304-GPOS-00121

Checks: C-72091r1039387_chk

Verify NixOS is configured to generate audit records on account events with the following command: $ sudo auditctl -l | grep /etc -w /etc/sudoers -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/group -p wa -k identity -w /etc/security/opasswd -p wa -k identity If the output from the command does not include the example output, this is a finding.

Fix: F-71994r1131138_fix

Configure NixOS to generate audit logs on account creations and modifications. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.audit.rules = [ "-w /etc/sudoers -p wa -k identity" "-w /etc/passwd -p wa -k identity" "-w /etc/shadow -p wa -k identity" "-w /etc/gshadow -p wa -k identity" "-w /etc/group -p wa -k identity" "-w /etc/security/opasswd -p wa -k identity" ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

c

NixOS must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

SC-13 - High - CCI-002450 - V-268168 - SV-268168r1131141_rule

RMF Control

SC-13

Severity

H

CCI

CCI-002450

Version

ANIX-00-001840

Vuln IDs

V-268168

Rule IDs

SV-268168r1131141_rule

Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. Satisfies: SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176

Checks: C-72092r1039390_chk

Verify NixOS is configured to operate in FIPS mode with the following command: $ grep fips /proc/cmdline BOOT_IMAGE=(hd0,msdos1)/nix/store/glc0midc78caq9sc7pzciymx4c3in7kn-linux-6.1.64/bzImage init=/nix/store/grl4baymr9q60mbcz3sidm4agckn3bx5-nixos-system-nixos-23.1.1.20231129.057f9ae/init audit=1 audit_backlog_limit=8192 fips=1 loglevel=4 If the "fips" entry does not equal "1" or is missing, this is a finding.

Fix: F-71995r1131140_fix

Configure NixOS to run in FIPS mode. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: boot.kernelParams = [ "fips=1" ]; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch A reboot is required for the changes to take effect.

b

NixOS must prevent the use of dictionary words for passwords.

CM-6 - Medium - CCI-000366 - V-268169 - SV-268169r1131144_rule

RMF Control

CM-6

Severity

M

CCI

Version

ANIX-00-001860

Vuln IDs

V-268169

Rule IDs

SV-268169r1131144_rule

If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.

Checks: C-72093r1131142_chk

Verify NixOS prevents the use of dictionary words for passwords with the following command: $ grep dictcheck /etc/security/pwquality.conf dictcheck=1 If the value of "ocredit" is a positive number or is commented out, this is a finding.

Fix: F-71996r1131143_fix

Configure NixOS to check password change attempts against a dictionary. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: environment.etc."/security/pwquality.conf".text = '' dictcheck=1 ''; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must enable the use of pwquality.

CM-6 - Medium - CCI-000366 - V-268170 - SV-268170r1131146_rule

RMF Control

CM-6

Severity

M

CCI

Version

ANIX-00-001861

Vuln IDs

V-268170

Rule IDs

SV-268170r1131146_rule

If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.

Checks: C-72094r1039396_chk

Verify NixOS prevents the use of dictionary words for passwords with the following command: $ grep -i pam_pwquality /etc/pam.d/passwd /etc/pam.d/chpasswd /etc/pam.d/sudo /etc/pam.d/passwd:password requisite /nix/store/db96zr26w71dzx0bzf47d88kw19fr0l7-libpwquality-1.4.5.-lib/lib/security/pam_pwquality.so /etc/pam.d/chpasswd:password requisite /nix/store/db96zr26w71dzx0bzf47d88kw19fr0l7-libpwquality-1.4.5.-lib/lib/security/pam_pwquality.so /etc/pam.d/sudo:password requisite /nix/store/db96zr26w71dzx0bzf47d88kw19fr0l7-libpwquality-1.4.5.-lib/lib/security/pam_pwquality.so If the pam_pwquality.so module is not present in the passwd, chpasswd, and sudo pam files, this is a finding.

Fix: F-71997r1131145_fix

Configure NixOS to check password change attempts against a dictionary. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.pam.services.passwd.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore "password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so"); security.pam.services.chpasswd.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore "password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so"); security.pam.services.sudo.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore "password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so"); Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.

CM-6 - Medium - CCI-000366 - V-268171 - SV-268171r1134782_rule

RMF Control

CM-6

Severity

M

CCI

Version

ANIX-00-001870

Vuln IDs

V-268171

Rule IDs

SV-268171r1134782_rule

Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.

Checks: C-72095r1134782_chk

Verify NixOS enforces a four-second delay between logon attempts with the following command: $ grep -I delay /etc/login.defs FAIL_DELAY 4 If "FAIL_DELAY" is not set to "4" or greater, is commented out, or is missing, this is a finding.

Fix: F-71998r1131148_fix

Configure NixOS to enforce a four-second delay between logon attempts. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.loginDefs.settings."FAIL_DELAY" = "4"; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

c

NixOS must not allow an unattended or automatic logon to the system via the console.

CM-6 - High - CCI-000366 - V-268172 - SV-268172r1131152_rule

RMF Control

CM-6

Severity

H

CCI

Version

ANIX-00-001880

Vuln IDs

V-268172

Rule IDs

SV-268172r1131152_rule

Failure to restrict system access via the console to authenticated users negatively impacts operating system security.

Checks: C-72096r1131150_chk

Verify NixOS does not allow an unattended or automatic logon to the system via the console with the following command: $ grep -iR autologon.user /etc/nixos If "services.xserver.displayManager.autologon.user" is defined and is not "null", this is a finding.

Fix: F-71999r1131151_fix

Configure NixOS to not allow an unattended or automatic logon to the system via the console. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: services.xserver.displayManager.autologon.user = null; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch A reboot is required for the changes to take effect.

b

NixOS must be configured to use AppArmor.

CM-6 - Medium - CCI-000366 - V-268173 - SV-268173r1131154_rule

RMF Control

CM-6

Severity

M

CCI

Version

ANIX-00-001890

Vuln IDs

V-268173

Rule IDs

SV-268173r1131154_rule

Users' home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a system administrator (SA) through shared resources. Satisfies: SRG-OS-000480-GPOS-00230, SRG-OS-000368-GPOS-00154

Checks: C-72097r1039405_chk

Verify NixOS is configured to use AppArmor with the following command: $ sudo systemctl status apparmor.service apparmor.service - Load AppArmor policies Loaded: loaded (/etc/systemd/system/apparmor.service; enabled; present: enabled) Active: active (running) since Sat 2022-06-04 02:51:43 UTC; 13min ago If the "apparmor.service" is not enabled and active, this is a finding.

Fix: F-72000r1131153_fix

Configure NixOS to use AppArmor. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.apparmor.enable = true; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch A reboot is required for the changes to take effect.

b

NixOS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.

Medium - CCI-003627 - V-268174 - SV-268174r1131156_rule

RMF Control

Severity

M

CCI

CCI-003627

Version

ANIX-00-001930

Vuln IDs

V-268174

Rule IDs

SV-268174r1131156_rule

Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. Operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity.

Checks: C-72098r1039408_chk

Verify NixOS disables account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity with the following command: $ grep -i inactive /etc/default/useradd INACTIVE=35 If INACTIVE is not set to 35 or less, or is missing or commented out, this is a finding.

Fix: F-72001r1131155_fix

Configure NixOS to disable inactive users. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: Ensure the lib functions are available: { config, lib, ... }: environment.etc."/default/useradd".text = lib.mkForce '' INACTIVE=35 ''; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must employ approved cryptographic hashing algorithms for all stored passwords.

IA-7 - Medium - CCI-000803 - V-268175 - SV-268175r1131158_rule

RMF Control

IA-7

Severity

M

CCI

CCI-000803

Version

ANIX-00-001940

Vuln IDs

V-268175

Rule IDs

SV-268175r1131158_rule

Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. Operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.

Checks: C-72099r1039411_chk

Verify NixOS uses employs approved cryptographic hashing algorithms for all stored passwords with the following command: (Change <unique-username> to the desired user to verify.) $ sudo cat /etc/shadow | grep "<unique-username>" | cut -d'$' -f2 If the command does not return 6 for SHA512, this is a finding.

Fix: F-72002r1131157_fix

Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512. $ sudo usermod -L $USERNAME

c

NixOS must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

MA-4 - High - CCI-000877 - V-268176 - SV-268176r1131160_rule

RMF Control

MA-4

Severity

H

CCI

CCI-000877

Version

ANIX-00-001960

Vuln IDs

V-268176

Rule IDs

SV-268176r1131160_rule

If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data. Some maintenance and test tools are either standalone devices with their own operating systems or are applications bundled with an operating system. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric.

Checks: C-72100r1039414_chk

Verify NixOS employs strong authentication in the establishment of nonlocal sessions with SSH by the following command: $ sudo /run/current-system/sw/bin/sshd -G | grep pam usepam yes If usepam is not yes, this is a finding.

Fix: F-72003r1131159_fix

Configure NixOS to use strong authentication when establishing nonlocal maintenance and diagnostic sessions. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: openssh.settings.UsePAM = ''yes''; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

Medium - CCI-004046 - V-268177 - SV-268177r1131162_rule

RMF Control

Severity

M

CCI

CCI-004046

Version

ANIX-00-002010

Vuln IDs

V-268177

Rule IDs

SV-268177r1131162_rule

Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD Common Access Card (CAC). A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). This requires further clarification from NIST. Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000068-GPOS-00036, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162, SRG-OS-000705-GPOS-00150

Checks: C-72101r1039417_chk

Verify NixOS provides authentication via the security and pam modules with the following command: $ cat /etc/nixos/configuration.nix | grep -A 1 security.pam.p11 security.pam.p11.enable = true; If security.pam.p11.enable is not. "true", is not present or is commented out, this is a finding.

Fix: F-72004r1131161_fix

Configure NixOS to use strong authentication when establishing nonlocal maintenance and diagnostic sessions. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.pam.p11.enable = true; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must prohibit the use of cached authenticators after one day.

IA-5 - Medium - CCI-002007 - V-268178 - SV-268178r1131164_rule

RMF Control

IA-5

Severity

M

CCI

CCI-002007

Version

ANIX-00-002050

Vuln IDs

V-268178

Rule IDs

SV-268178r1131164_rule

If cached authentication information is out-of-date, the validity of the authentication information may be questionable.

Checks: C-72102r1039420_chk

Verify NixOS, for PKI-based authentication, only caches authenticators for one day with the following command: $ sudo grep expiration /etc/sssd/sssd.conf offline_credentials_expiration = 1 If the offline_credentials_expiration is not set to "1" or is commented out, this is a finding.

Fix: F-72005r1131163_fix

Configure NixOS to prohibit the use of cached credentials older than one day. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: Note: The entire sssd.conf must be entered in this option. services.sssd.config = '' ... [pam] offline_credentials_expiration = 1 ... ''; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

For PKI-based authentication, NixOS must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

Medium - CCI-004068 - V-268179 - SV-268179r1131166_rule

RMF Control

Severity

M

CCI

CCI-004068

Version

ANIX-00-002060

Vuln IDs

V-268179

Rule IDs

SV-268179r1131166_rule

Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).

Checks: C-72103r1039423_chk

Verify NixOS, for PKI-based authentication, uses local revocation data when unable to access the network to obtain it remotely with the following command: $ grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf cert_policy = ca,signature,ocsp_on, crl_auto; If the cert_policy does not contain the options in the example output, this is a finding.

Fix: F-72006r1131165_fix

Configure NixOS, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.pam.p11.enable = true; environment.etc."pam_pkcs11/pam_pkcs11.conf".text = '' cert_policy = ca,signature,ocsp_on, crl_auto; ''; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

b

NixOS must run a supported release of the operating system.

SI-2 - Medium - CCI-002605 - V-268180 - SV-268180r1117152_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002605

Version

ANIX-00-002160

Vuln IDs

V-268180

Rule IDs

SV-268180r1117152_rule

Security flaws with operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.

Checks: C-72104r1039426_chk

Verify NixOS is running a supported version with the following command: $ nixos-version 23.11.20231129.057f9ae (Tapir) If the NixOS is not running a supported version, this is a finding.

Fix: F-72007r1039427_fix

Update to a supported version of the operating system.

b

NixOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

CM-6 - Medium - CCI-000366 - V-268181 - SV-268181r1131169_rule

RMF Control

CM-6

Severity

M

CCI