{"stig":{"title":"Anduril NixOS Security Technical Implementation Guide","version":"1","release":"2"},"checks":[{"vulnId":"V-268078","ruleId":"SV-268078r1130947_rule","severity":"medium","ruleTitle":"NixOS must enable the built-in firewall.","description":"Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking place would not be immediately stopped.\n\nOperating system remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of mission's functions and the need to eliminate immediate or future remote access to organizational information systems.\n\nThe remote access functionality (e.g., RDP) may implement features such as automatic disconnect (or user-initiated disconnect) in case of adverse information based on an indicator of compromise or attack.\n\nSatisfies: SRG-OS-000298-GPOS-00116, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00232","checkContent":"Verify NixOS has the network firewall enabled with the following command:\n\n$ sudo iptables -L | grep nixos-fw-log-refuse\n\nnixos-fw-log-refuse  all  --  anywhere             anywhere\n\nVerify the firewall panic tools are present:\n$ which firewall-panic\n/run/current-system/sw/bin/firewall-panic\n\n$ which firewall-panic-off\n/run/current-system/sw/bin/firewall-panic-off\n\nIf the \"nixos-fw-log-refuse  all  --  anywhere  anywhere\" firewall rule is not present and the firewall panic commands are not found, this is a finding.","fixText":"Update the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix, to enforce firewall rules by adding the following configuration settings:\n\n networking.firewall.enable = true;\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-002322","CCI-000382","CCI-002314","CCI-000366"]},{"vulnId":"V-268079","ruleId":"SV-268079r1130948_rule","severity":"medium","ruleTitle":"NixOS emergency or temporary user accounts must be provisioned with an expiration time of 72 hours or less.","description":"If emergency or temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all emergency or temporary accounts must be set upon account creation.\n\nTemporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation.\n\nEmergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. \n\nEmergency accounts are different from infrequently used accounts (i.e., local login accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts.\n\nSatisfies: SRG-OS-000002-GPOS-00002, SRG-OS-000123-GPOS-00064","checkContent":"Verify that emergency or temporary accounts have been provisioned with an expiration date of 72 hours.\n\nFor every existing emergency or temporary account, run the following command to obtain its account expiration information.\n\n$ sudo chage -l system_account_name\n\nIf any emergency or temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.","fixText":"Configure the system to terminate emergency or temporary accounts after a 72-hour time period with the following command. Substitute \"system_account_name\" with the account to be created.\n\n$ sudo chage -E \"date -d \"+3 days\" +%Y-%m-%d\" system_account_name","ccis":["CCI-000016","CCI-001682"]},{"vulnId":"V-268080","ruleId":"SV-268080r1130951_rule","severity":"medium","ruleTitle":"NixOS must enable the audit daemon.","description":"Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes.\n\nNote: For the \"security.audit.enable\" configuration, both \"true\" and \"lock\" are valid values. The \"true\" value allows for loading of audit rules (synonymous with \"-e 1\" in audit rules), while the \"lock\" value loads audit rules and enforces that the rules cannot be changed without the system rebooting (synonymous with \"-e 2\"). Setting this value to \"lock\" is recommended to be performed as the final step in configuring the audit daemon.\n\nSatisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000254-GPOS-00095, SRG-OS-000344-GPOS-00135, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000122-GPOS-00063, SRG-OS-000358-GPOS-00145","checkContent":"Verify NixOS has the audit service configured with the following commands:\n\n$ systemctl is-active audit.service\nactive\n\n$ systemctl is-active auditd.service\nactive\n\nIf auditd and audit services are not active, this is a finding.","fixText":"Configure NixOS to enable the audit service by updating the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.auditd.enable = true;\n security.audit.enable = true;\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000018","CCI-001464","CCI-001858","CCI-001875","CCI-001877","CCI-001878","CCI-001879","CCI-001880","CCI-001881","CCI-001882","CCI-001876","CCI-001889"]},{"vulnId":"V-268081","ruleId":"SV-268081r1130954_rule","severity":"medium","ruleTitle":"NixOS must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.","description":"By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.\n\nSatisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128, SRG-OS-000470-GPOS-00214","checkContent":"Verify that NixOS locks an account after three unsuccessful logon attempts within 15 minutes with the following commands:\n\n$ cat /etc/pam.d/login\n\nauth required pam_faillock.so preauth deny=3 even_deny_root fail_interval=900 unlock_time=0 dir=/var/log/faillock\n\nIf the \"fail_interval\" option is not set to \"900\" or less (but not \"0\") on the \"preauth\" lines with the \"pam_faillock\" module, or is missing from this line, this is a finding.","fixText":"Configure NixOS to lock an account when three unsuccessful logon attempts occur within 15 minutes. \n\nUpdate the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix, to include the following lines:\n\n security.pam.services = let pamfile = ''\n  auth required pam_faillock.so preauth silent audit deny=3 fail_interval=900 unlock_time=0\n  auth sufficient pam_unix.so nullok try_first_pass\n  auth [default=die] pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=0\n  auth sufficient pam_faillock.so authsucc\n\n  account required pam_faillock.so\n '';\n in {\n  login.text = pkgs.lib.mkDefault pamfile;\n  sshd.text = pkgs.lib.mkDefault pamfile;\n };\n\nNote that the entire pam file must be entered as this pamfile string.\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000044","CCI-002238","CCI-000172"]},{"vulnId":"V-268082","ruleId":"SV-268082r1130957_rule","severity":"medium","ruleTitle":"NixOS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.","description":"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreement.\"\n\n2) Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.","checkContent":"Verify that NixOS displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via a command line user logon with the following command:\n\n$ tail -n+3 /etc/issue\n\n You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\n\nIf the /etc/issue does not contain a banner, or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.","fixText":"Configure NixOS to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via a command line.\n\nUpdate the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nservices.getty.helpLine = ''\n You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\n'';\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000048"]},{"vulnId":"V-268083","ruleId":"SV-268083r1130960_rule","severity":"medium","ruleTitle":"NixOS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via an SSH logon.","description":"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreement.\"\n\n2) Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.","checkContent":"Verify the operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via a ssh logon with the following commands:\n\n$ grep Banner /etc/ssh/sshd_config\n$ cat /nix/store/<hash>-ssh_banner\n\n You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\n\nIf the \"Banner\" is not configured in the sshd_config, or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.","fixText":"Configure NixOS to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via openssh.\n\nUpdate the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nservices.openssh.banner = ''\n You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\n By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n -At any time, the USG may inspect and seize data stored on this IS.\n\n -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\n'';\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000048"]},{"vulnId":"V-268084","ruleId":"SV-268084r1130963_rule","severity":"medium","ruleTitle":"NixOS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.","description":"Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreement.\"\n\n2) Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088","checkContent":"Verify NixOS displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the graphical user logon with the following command:\n\n$ DCONF_PROFILE=gdm dconf read \"/org/gnome/login-screen/banner-message-text\"\n\nYou are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\n\nIf the dconf tool does not return a banner, or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.","fixText":"Configure NixOS to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via a graphical user logon.\n\nUpdate the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nservices.xserver.displayManager.gdm.banner = \"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\";\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000048","CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"]},{"vulnId":"V-268085","ruleId":"SV-268085r1130966_rule","severity":"low","ruleTitle":"NixOS must be configured to limit the number of concurrent sessions to 10 for all accounts and/or account types.","description":"Operating system management includes the ability to control the number of users and user sessions that use an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service (DoS) attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.","checkContent":"Verify NixOS limits the number of concurrent sessions to 10 for all accounts and/or account types.\n\nCheck the pam configuration files and confirm a conf file with maxlogins configured:\n\n$ grep \"limits.conf\" /etc/pam.d/login\n> session required /nix/store/sl3fa5zh61xxl03m64if2wqzbvrb6zly-linux-pam-1.6.1/lib/security/pam_limits.so conf=/nix/store/aq8ni1qh3pdygl9cn3qfb8v583ask67m-limits.conf # limits (order 12200)\n\n$ cat /nix/store/aq8ni1qh3pdygl9cn3qfb8v583ask67m-limits.conf\n\n* hard maxlogins 10\n@pipewire - rtprio 95\n@pipewire - nice -19\n@pipewire - memlock 4194304\n\nIf the \"maxlogins\" item is missing or commented out, or the value is set greater than \"10\" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.","fixText":"Configure NixOS to limit the number of concurrent sessions to 10 for all accounts and/or account types.\n\nUpdate the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nsecurity.pam.loginLimits = [\n {\n  domain = \"*\";\n  item = \"maxlogins\";\n  type = \"hard\";\n  value = \"10\";\n }\n];\n\nNote: Security.pam.loginLimits can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000054"]},{"vulnId":"V-268086","ruleId":"SV-268086r1130969_rule","severity":"medium","ruleTitle":"NixOS must initiate a session lock after a 10-minute period of inactivity for graphical user logon.","description":"A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled.","checkContent":"Verify NixOS initiates a session lock after a 10-minute period of inactivity for graphical user logon with the following command: \n\n$ sudo gsettings get org.gnome.desktop.session idle-delay\n\nuint32 600\n\n$ grep \"IdleAction\" /etc/systemd/logind.conf\n\n IdleAction = lock\n IdleActionSec = 600\n\n$ systemctl --user status xautolock.service\n xautolock.service - xautolock service\n     Loaded: loaded (/etc/systemd/user/xautolock.service; enabled; preset: ignored)\n     Active: active (running) since Wed 2025-03-19 22:56:13 UTC; 6min ago\n Invocation: 836d5b6b79444c62aa3c5285e3c8d92e\n   Main PID: 3233 (xautolock)\n      Tasks: 1 (limit: 38062)\n     Memory: 712K (peak: 2.4M)\n        CPU: 75ms\n     CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/xautolock.service\n             +-3233 /nix/store/4chq53fkkiimbx1qzdbxxs44diiqgj54-xautolock-2.2-7-ga23dd5c/bin/xautolock -noclose -time 10 -locker \"/nix/store/w9qcpyhjrxsqrps91wkz8r4mqvg9zrxc-systemd-256.10/bin/loginctl lock-session\"\n\nMar 19 22:56:13 gcs-generic-5-3 systemd[3136]: Started xautolock service.\n\nIf \"idle-delay\" is set to \"0\" or a value greater than \"600\", this is a finding.\n\nIf \"IdleAction\" is not \"lock\" and \"IdleActionSec\" is not \"600\", this is a finding.\n\nIf the xautolock service is not present or the process line does not contain \"-time 10\", this is a finding.","fixText":"Configure NixOS to initiate a session lock after a 10-minute period of inactivity for graphical user logon.\n\nUpdate the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n  programs.dconf.profiles.user.databases = with lib.gvariant; lib.mkBefore [\n   {\n     settings.\"org/gnome/desktop/session\".idle-delay = (mkUint32 600);\n     locks = [ \"org/gnome/desktop/session/idle-delay\" ];\n   }];\n services.logind.extraConfig = ''\n   IdleAction = lock\n   IdleActionSec = 600\n '';\n services.xserver = {\n   displayManager.gdm.wayland = true;\n   xautolock = {\n     enable = true;\n     time = 10;\n     locker = \"${lib.getExe' config.systemd.package \"loginctl\"} lock-session\";\n   };\n  };\n };\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000057"]},{"vulnId":"V-268087","ruleId":"SV-268087r1130972_rule","severity":"medium","ruleTitle":"NixOS must provide the capability for users to directly initiate a session lock for all connection types.","description":"A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.\n\nThe session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, operating systems need to provide users with the ability to manually invoke a session lock so users may secure their session should the need arise for them to temporarily vacate the immediate physical vicinity.\n\nSatisfies: SRG-OS-000030-GPOS-00011, SRG-OS-000028-GPOS-00009, SRG-OS-000031-GPOS-00012","checkContent":"Verify the NixOS operating system has the \"vlock\" package installed by running the following command: \n\n$ which vlock\n/run/current-system/sw/bin/vlock\n\nIf the \"vlock\" package is not installed, this is a finding.","fixText":"Configure NixOS to have a package that allows user to lock session.\n\nUpdate the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n environment.systemPackages = [\n  pkgs.vlock\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000057","CCI-000056","CCI-000060"]},{"vulnId":"V-268088","ruleId":"SV-268088r1130975_rule","severity":"medium","ruleTitle":"NixOS must monitor remote access methods.","description":"Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access sessions allows organizations to detect cyberattacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).","checkContent":"Confirm the NixOS monitors remote access methods with the following command:\n\n$ grep \"LogLevel\" /etc/ssh/sshd_config\nLogLevel VERBOSE\n\nIf \"LogLevel\" does not equal \"VERBOSE\", is missing, or is commented out, this is a finding.","fixText":"Configure NixOS to monitor remote access methods by adding the following configuration to the /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nservices.openssh.logLevel = \"VERBOSE\";\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000067"]},{"vulnId":"V-268089","ruleId":"SV-268089r1130978_rule","severity":"high","ruleTitle":"NixOS must implement DOD-approved encryption to protect the confidentiality of remote access sessions.","description":"Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. \n\nRemote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nEncryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information.\n\nSatisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000250-GPOS-00093, SRG-OS-000394-GPOS-00174","checkContent":"Verify NixOS is configured to only use ciphers employing FIPS 140-3 approved algorithms with the following command:\n\n$ grep Ciphers /etc/ssh/sshd_config\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n   \nIf the cipher entries in the \"sshd_config\" file have any ciphers other than \"aes256-ctr,aes192-ctr,aes128-ctr\", the order differs from the example above, or they are missing or commented out, this is a finding.","fixText":"Configure NixOS to use only ciphers employing FIPS 140-3 approved algorithms.\n\nTo configure OpenSSH, add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n services.openssh.setting.Ciphers = [\n  \"aes256-ctr\"\n  \"aes192-ctr\"\n  \"aes128-ctr\"   \n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000068","CCI-001453","CCI-003123"]},{"vulnId":"V-268090","ruleId":"SV-268090r1130981_rule","severity":"medium","ruleTitle":"The NixOS audit package must be installed.","description":"Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nAudit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.\n\nSatisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000054-GPOS-00025, SRG-OS-000055-GPOS-00026, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000255-GPOS-00096, SRG-OS-000303-GPOS-00120, SRG-OS-000327-GPOS-00127","checkContent":"Verify that NixOS has the audit service installed with the following command:\n\n$ systemctl is-active audit\nactive\n\nIf the \"audit\" service is not active, this is a finding.","fixText":"Configure NixOS to have the audit service package.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n environment.systemPackages = [\n  audit\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000130","CCI-000131","CCI-000132","CCI-000133","CCI-000134","CCI-000135","CCI-000158","CCI-000159","CCI-000163","CCI-000164","CCI-001403","CCI-001404","CCI-001405","CCI-001487","CCI-002130","CCI-002234"]},{"vulnId":"V-268091","ruleId":"SV-268091r1130983_rule","severity":"medium","ruleTitle":"NixOS must generate audit records for all usage of privileged commands.","description":"Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.\n\nAt a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.\n\nMisuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, SRG-OS-000755-GPOS-00220","checkContent":"Verify NixOS generates audit records for all execution of privileged functions with the following command:\n\n$ sudo auditctl -l | grep execve\n\n-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv\n-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv\n-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv \n-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv \n\nIf the command does not return the example output, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure NixOS to generate audit records for all execution of privileged functions.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.audit.rules = [\n  \"-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv\"\n  \"-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv\"\n  \"-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv \"\n  \"-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv \"\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000135","CCI-000169","CCI-000172","CCI-003938","CCI-002884","CCI-004188"]},{"vulnId":"V-268092","ruleId":"SV-268092r1130985_rule","severity":"medium","ruleTitle":"NixOS must enable auditing of processes that start prior to the audit daemon.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nIf auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nThe list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDOD has defined the list of events for which NixOS will provide an audit record generation capability as the following:\n\n1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n\n2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system;\n\n3) All account creations, modifications, disabling, and terminations; and \n\n4) All kernel module load, unload, and restart actions.","checkContent":"Verify NixOS enables auditing of processes that start prior to the audit daemon with the following command:\n\n$ grep audit=1 /proc/cmdline\n\nBOOT_IMAGE=(hd0,msdos1)/nix/store/glc0midc78caq9sc7pzciymx4c3in7kn-linux-6.1.64/bzImage init=/nix/store/grl4baymr9q60mbcz3sidm4agckn3bx5-nixos-system-nixos-23.1.1.20231129.057f9ae/init audit=1 loglevel=4\n\nIf the \"audit\" entry does not equal \"1\" or is missing, this is a finding.","fixText":"Configure NixOS to audit processes that start prior to the audit daemon.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n boot.kernelParams = [\n  \"audit=1\"\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000135"]},{"vulnId":"V-268093","ruleId":"SV-268093r1130988_rule","severity":"medium","ruleTitle":"NixOS must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.","description":"Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nIf auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nAllocating an audit_backlog_limit of sufficient size is critical in maintaining a stable boot process. With an insufficient limit allocated, the system is susceptible to boot failures and crashes.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000341-GPOS-00132","checkContent":"Verify NixOS allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following command:\n\n$ sudo auditctl -s | grep backlog_limit\n\nbacklog_limit 8192 \n\nIf the \"backlog_limit\" entry does not equal \"8192\" or greater or is missing, this is a finding.","fixText":"Configure NixOS to allocate sufficient audit_backlog_limit to capture processes that start prior to the audit daemon.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n boot.kernelParams = [\n  \"audit_backlog_limit=8192\"\n ];\nsecurity.audit.backlogLimit = 8192;\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000135","CCI-001849"]},{"vulnId":"V-268094","ruleId":"SV-268094r1130990_rule","severity":"medium","ruleTitle":"Successful/unsuccessful uses of the mount syscall in NixOS must generate an audit record.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"mount\" syscall is used to mount a filesystem.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.","checkContent":"Verify NixOS generates an audit record for any successful/unsuccessful use of the \"mount\" syscall with the following command:\n\n$ sudo auditctl -l | grep -w \"\\-S mount\"\n\n-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -k privileged-mount\n-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -k privileged-mount\n\nIf the command does not return the example output, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure NixOS to generate audit records for any successful/unsuccessful use of the \"mount\" syscall.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.audit.rules = [\n  \"-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount\"\n  \"-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount\"\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000135"]},{"vulnId":"V-268095","ruleId":"SV-268095r1130992_rule","severity":"medium","ruleTitle":"Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in NixOS must generate an audit record.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"rename\" system call will rename the specified files by replacing the first occurrence of expression in their name by replacement.\n\nThe \"unlink\" system call deletes a name from the filesystem. If that name was the last link to a file and no processes have the file open, the file is deleted and the space it was using is made available for reuse.\n\nThe \"rmdir\" system call removes empty directories.\n\nThe \"renameat\" system call renames a file, moving it between directories if required.\n\nThe \"unlinkat\" system call operates in exactly the same way as either \"unlink\" or \"rmdir\" except for the differences described in the manual page.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.","checkContent":"Verify NixOS generates an audit record upon successful/unsuccessful attempts to use the \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\" system calls with the following command:\n\n$ sudo auditctl -l | grep -w 'rename\\|unlink\\|rmdir'\n\n-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=-1 -k delete\n-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=-1 -k delete\n\nIf the command does not return an audit rule for \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\", this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure NixOS to generate audit records for any successful/unsuccessful attempts to use the \"rename\", \"unlink\", \"rmdir\", \"renameat\", and \"unlinkat\" system calls.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.audit.rules = [\n  \"-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete\"\n  \"-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete\"\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000135"]},{"vulnId":"V-268096","ruleId":"SV-268096r1130994_rule","severity":"medium","ruleTitle":"Successful/unsuccessful uses of the init_module, finit_module, and delete_module system calls in NixOS must generate an audit record.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"init_module\" and \"finit_module\" system calls are used to load a kernel module, and the \"delete_module\" is used to unload a kernel module.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000471-GPOS-00216","checkContent":"Verify NixOS generates an audit record upon successful/unsuccessful attempts to use the \"init_module\", \"finit_module\", and \"delete_module\" system calls.\n\nCheck the auditing rules currently loaded into the audit daemon with the following command:\n\n$ sudo auditctl -l | grep -w init_module\n\n-a always,exit -F arch=b32 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=-1 -k module_chng\n-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=-1 -k module_chng\n\nIf the command does not return an audit rule for \"init_module\", \"finit_module\", and \"delete_module\", this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure /etc/nixos/configuration.nix to log successful/unsuccessful attempts to use the \"init_module\", \"finit_module\", and \"delete_module\" system calls.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.audit.rules = [\n  \"-a always,exit -F arch=b32 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k module_chng\"\n  \"-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k module_chng\"\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000135","CCI-000172"]},{"vulnId":"V-268097","ruleId":"SV-268097r1130996_rule","severity":"medium","ruleTitle":"NixOS must generate an audit record for successful/unsuccessful modifications to the cron configuration.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). Cron is a program that is similar to the task scheduler used in other operating systems.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.","checkContent":"Verify NixOS generates an audit record when successful/unsuccessful attempts to modify the cron configuration.\n\nCheck the auditing rules currently loaded into the audit daemon with the following command:\n\n$ sudo auditctl -l | grep -w cron\n\n-w /var/cron/tabs/ -p wa -k services\n-w /var/cron/cron.allow -p wa -k services\n-w /var/cron/cron.deny -p wa -k services\n\nIf the command does not return the example output, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure NixOS to generate audit records when successful/unsuccessful attempts to modify the cron configuration occur.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.audit.rules = [\n  \"-w /var/cron/tabs/ -p wa -k services\"\n  \"-w /var/cron/cron.allow -p wa -k services\"\n  \"-w /var/cron/cron.deny -p wa -k services\"\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000135"]},{"vulnId":"V-268098","ruleId":"SV-268098r1130998_rule","severity":"medium","ruleTitle":"NixOS must generate an audit record for successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"truncate\" and \"ftruncate\" functions are used to truncate a file to a specified length. \n\nThe \"creat\" system call is used to open and possibly create a file or device.\n\nThe \"open\" system call opens a file specified by a pathname. If the specified file does not exist, it may optionally be created by \"open\".\n\nThe \"openat\" system call opens a file specified by a relative pathname.\n\nThe \"name_to_handle_at\" and \"open_by_handle_at\" system calls split the functionality of \"openat\" into two parts: \"name_to_handle_at\" returns an opaque handle that corresponds to a specified file; \"open_by_handle_at\" opens the file corresponding to a handle returned by a previous call to \"name_to_handle_at\" and returns an open file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000461-GPOS-00205","checkContent":"Verify NixOS generates an audit record upon unsuccessful attempts to use the \"truncate\", \"ftruncate\", \"creat\", \"open\", \"openat\", and \"open_by_handle_at\" system calls.\n\nCheck the auditing rules currently loaded into the audit daemon with the following command:\n\n$ sudo auditctl -l | grep 'open\\|truncate\\|creat'\n\n-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access\n-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access\n-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access\n-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access\n\nIf the command does not return an audit rule for \"truncate\", \"ftruncate\", \"creat\", \"open\", \"openat\", and \"open_by_handle_at\", this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure NixOS to generate audit records for any unsuccessful attempts to use the \"truncate\", \"ftruncate\", \"creat\", \"open\", \"openat\", and \"open_by_handle_at\" system calls.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.audit.rules = [\n  \"-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access\"\n  \"-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access\"\n  \"-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access\"\n  \"-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access\"\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000135","CCI-000172"]},{"vulnId":"V-268099","ruleId":"SV-268099r1131000_rule","severity":"medium","ruleTitle":"Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in NixOS must generate an audit record.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Verify NixOS generates an audit record upon attempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nCheck the auditing rules currently loaded into the audit daemon with the following command:\n\n$ sudo auditctl -l | grep chown\n\n-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod\n\nIf the command does not return an audit rule for \"chown\", \"fchown\", \"fchownat\", and \"lchown\", this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure NixOS to generate audit records for any attempts to use the \"chown\", \"fchown\", \"fchownat\", and \"lchown\" system calls.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.audit.rules = [\n  \"-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod\"\n  \"-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod\"\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000135"]},{"vulnId":"V-268100","ruleId":"SV-268100r1131002_rule","severity":"medium","ruleTitle":"Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in NixOS must generate an audit record.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter). The \"chmod\" system call changes the file mode bits of each given file according to mode, which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.\n\nThe \"fchmod\" system call is used to change permissions of a file.\n\nThe \"fchmodat\" system call is used to change permissions of a file relative to a directory file descriptor.\n\nWhen a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to \"-1\". The AUID representation is an unsigned 32-bit integer, which equals \"4294967295\". The audit system interprets \"-1\", \"4294967295\", and \"unset\" in the same way.\n\nThe system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. Performance can be helped, however, by combining syscalls into one rule whenever possible.\n\nSatisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000462-GPOS-00206","checkContent":"Verify NixOS generates an audit record upon attempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nCheck the auditing rules currently loaded into the audit daemon with the following command:\n\n$ sudo auditctl -l | grep chmod\n\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod\n\nIf the command does not return an audit rule for \"chmod\", \"fchmod\", and \"fchmodat, this is a finding.\n\nNote: The \"-k\" allows for specifying an arbitrary identifier. The string following \"-k\" does not need to match the example output above.","fixText":"Configure NixOS to generate audit records for any attempts to use the \"chmod\", \"fchmod\", and \"fchmodat\" system calls.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.audit.rules = [\n  \"-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\"\n  \"-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod\"\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000135","CCI-000172"]},{"vulnId":"V-268101","ruleId":"SV-268101r1131004_rule","severity":"medium","ruleTitle":"NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization.","description":"If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.\n\nSatisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134","checkContent":"Verify NixOS notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:\n\n$ sudo grep -w space_left_action /etc/audit/auditd.conf\n\nspace_left_action = syslog\n\nIf the \"space_left_action\" parameter is missing, commented out, or set to blanks, this is a finding.\n\nIf the \"space_left_action\" is set to \"syslog\", the system logs the event, but does not generate a notification, this is a finding.\n\nIf the \"space_left_action\" is set to \"exec\", the system executes a designated script. If this script does not inform the SA of the event, this is a finding.\n\nIf the \"space_left_action\" is set to \"email\" check the value of the \"action_mail_acct\" parameter with the following command:\n\n$ sudo grep action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct root@localhost\n\nThe \"action_mail_acct\" parameter, if missing, defaults to \"root\". If the \"action_mail_acct\" parameter is not set to the email address of the SA and/or ISSO, this is a finding. \n\nNote: If the email address of the SA is on a remote system, a mail package must be available.","fixText":"Configure NixOS to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.\n\nIf the space_left_action parameter is set to \"syslog\", make sure the event being logged generates a notification to the SA and ISSO.\n\nIf the space_left_action parameter is set to \"exec\", make sure the command being executed notifies the SA and ISSO.\n\nIf the space_left_action parameter is set to \"email\", set the action_mail_acct parameter to an email address for the SA and ISSO.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n  space_left_action = syslog\n\nFor example, an updated configuration of 'environment.etc.\"audit/auditd.conf\".text' would look like the following ('...' denoting that the 'environment.etc.\"audit/auditd.conf\".text' configuration may have other options configured):\n\n environment.etc.\"audit/auditd.conf\".text = [\n  ''\n   ...\n   space_left_action = syslog\n   ...\n  ''\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000139","CCI-001855"]},{"vulnId":"V-268102","ruleId":"SV-268102r1131006_rule","severity":"medium","ruleTitle":"NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 90 percent utilization.","description":"If security personnel are not notified immediately when storage volume reaches 90 percent utilization, they are unable to plan for audit record storage capacity expansion.","checkContent":"Verify NixOS notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity with the following command:\n\n$ sudo grep -w admin_space_left_action /etc/audit/auditd.conf\n\nadmin_space_left_action = syslog\n\nIf the \"admin_space_left_action\" parameter is missing, commented out, or set to blanks, this is a finding.\n\nIf the \"admin_space_left_action\" is set to \"syslog\", the system logs the event, but does not generate a notification, this is a finding.\n\nIf the \"admin_space_left_action\" is set to \"exec\", the system executes a designated script. If this script does not inform the SA of the event, this is a finding.\n\nIf the \"admin_space_left_action\" is set to \"email\" check the value of the \"action_mail_acct\" parameter with the following command:\n\n$ sudo grep action_mail_acct /etc/audit/auditd.conf\n\naction_mail_acct root@localhost\n\nThe \"action_mail_acct\" parameter, if missing, defaults to \"root\". If the \"action_mail_acct\" parameter is not set to the email address of the SA and/or ISSO, this is a finding. \n\nNote: If the email address of the SA is on a remote system, a mail package must be available.","fixText":"Configure NixOS to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity.\n\nIf the space_left_action parameter is set to \"syslog\", make sure the event being logged generates a notification to the SA and ISSO.\n\nIf the space_left_action parameter is set to \"exec\", make sure the command being execute notifies the SA and ISSO.\n\nIf the space_left_action parameter is set to \"email\", set the action_mail_acct parameter to an email address for the SA and ISSO.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n  admin_space_left_action = syslog\n\nFor example, an updated configuration of 'environment.etc.\"audit/auditd.conf\".text' would look like the following ('...' denoting that the 'environment.etc.\"audit/auditd.conf\".text' configuration may have other options configured):\n\n environment.etc.\"audit/auditd.conf\".text = [\n  ''\n   ...\n   admin_space_left_action = syslog\n   ...\n  \n ''\n];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000139"]},{"vulnId":"V-268103","ruleId":"SV-268103r1131008_rule","severity":"medium","ruleTitle":"NixOS must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.","description":"If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.","checkContent":"Verify NixOS takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following commands:\n\n$ sudo grep -w space_left /etc/audit/auditd.conf\n\nspace_left = 25%\n\nIf the value of the \"space_left\" keyword is not set to \"25%\" or if the line is commented out, this is a finding.","fixText":"Configure the operating system to initiate an action to notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n environment.etc.\"audit/auditd.conf\".text = [\n  ''\n   space_left = 25%\n  ''\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000139"]},{"vulnId":"V-268104","ruleId":"SV-268104r1131010_rule","severity":"medium","ruleTitle":"NixOS must take action when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity.","description":"If security personnel are not notified immediately when storage volume reaches 90 percent utilization, they are unable to plan for audit record storage capacity expansion.","checkContent":"Verify NixOS takes action when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity with the following commands:\n\n$ sudo grep -w admin_space_left /etc/audit/auditd.conf\n\nadmin_space_left = 10%\n\nIf the value of the \"admin_space_left\" keyword is not set to \"10%\" or if the line is commented out, this is a finding.","fixText":"Configure the operating system to initiate an action to notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n environment.etc.\"audit/auditd.conf\".text = [\n  ''\n   admin_space_left = 10%\n  ''\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000139"]},{"vulnId":"V-268105","ruleId":"SV-268105r1131012_rule","severity":"medium","ruleTitle":"The NixOS audit system must take appropriate action when the audit storage volume is full.","description":"It is critical that when NixOS is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.\n\nWhen availability is an overriding concern, other approved actions in response to an audit failure are as follows: \n\n1) If the failure was caused by the lack of audit record storage capacity, NixOS must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, NixOS must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.","checkContent":"Verify NixOS takes the appropriate action when the audit storage volume is full. \n\nCheck that NixOS takes the appropriate action when the audit storage volume is full using the following command:\n\n$ sudo grep disk_full_action /etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the \"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented out, ask the system administrator (SA) to indicate how the system takes appropriate action when an audit storage volume is full. If there is no evidence of appropriate action, this is a finding.","fixText":"Configure NixOS to shut down by default upon audit failure (unless availability is an overriding concern).\n\nIf availability has been determined to be more important, and this decision is documented with the information system security officer (ISSO), configure the operating system to notify SA staff and information system security officer (ISSO) staff in the event of an audit processing failure by setting the \"disk_full_action\" to \"SYSLOG\".\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: (depending on configuration, \"disk_full_action\" can be set to \"SYSLOG\" or \"SINGLE\")\n\n environment.etc.\"audit/auditd.conf\".text = [\n  ''\n   disk_full_action = HALT\n  ''\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000140"]},{"vulnId":"V-268106","ruleId":"SV-268106r1131014_rule","severity":"medium","ruleTitle":"The NixOS audit system must take appropriate action when an audit processing failure occurs.","description":"It is critical that when NixOS is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.\n\nWhen availability is an overriding concern, other approved actions in response to an audit failure are as follows: \n\n1) If the failure was caused by the lack of audit record storage capacity, NixOS must continue generating audit records if possible (automatically restarting the audit service if necessary) and overwriting the oldest audit records in a first-in-first-out manner.\n\n2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, NixOS must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.","checkContent":"Verify NixOS takes the appropriate action when an audit processing failure occurs.\n\nCheck that NixOS takes the appropriate action when an audit processing failure occurs with the following command:\n\n$ sudo grep disk_error_action /etc/audit/auditd.conf\n\ndisk_error_action = HALT\n\nIf the value of the \"disk_error_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented out, ask the system administrator (SA) to indicate how the system takes appropriate action when an audit process failure occurs. If there is no evidence of appropriate action, this is a finding.","fixText":"Configure NixOS to shut down by default upon audit failure (unless availability is an overriding concern).\n\nIf availability has been determined to be more important, and this decision is documented with the information system security officer (ISSO), configure the operating system to notify SA staff and ISSO staff in the event of an audit processing failure by setting the \"disk_error_action\" to \"SYSLOG\".\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: (depending on configuration, \"disk_error_action\" can be set to \"SYSLOG\" or \"SINGLE\"):\n\n environment.etc.\"audit/auditd.conf\".text = [\n  ''\n   disk_error_action = HALT\n  ''\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000140"]},{"vulnId":"V-268107","ruleId":"SV-268107r1131017_rule","severity":"medium","ruleTitle":"NixOS must have the packages required for offloading audit logs installed and running.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nNixOS supports \"systemd-journald\", which is a common system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. This utility also natively supports TLS to securely encrypt and off-load auditing.\n\nSatisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000269-GPOS-00103","checkContent":"Verify that the systemd-journald service is running with the following command:\n\n$ systemctl status systemd-journald.service\n\n    systemd-journald.service - Journal Service\n     Loaded: loaded (/etc/systemd/system/systemd-journald.service; enabled; preset: ignored)\n    Drop-In: /nix/store/z8klzmxqgpmn8ganwrsqizy3qdxnirr8-system-units/systemd-journald.service.d\n             +-overrides.conf\n     Active: active (running) since Mon 2025-03-10 10:41:08 PDT; 1 day 2h ago\n\nIf the systemd-journald.service is not \"active\" and \"running\", this is a finding.","fixText":"Configure the operating system to off-load audit logs.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n services.journald.audit = true;\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000154","CCI-001665"]},{"vulnId":"V-268108","ruleId":"SV-268108r1131020_rule","severity":"medium","ruleTitle":"The NixOS audit records must be off-loaded onto a different system or storage media from the system being audited.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nNixOS supports \"systemd-journald\", which is a common system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. This utility also natively supports TLS to securely encrypt and off-load auditing.","checkContent":"Verify the audit system off-loads audit records onto a different system or media from the system being audited.\n\nList the configured destinations with the following command:\n\n$ grep -i \"Url\" /etc/systemd/journal-upload.conf\"\n\nIf no URL is configured, this is a finding.","fixText":"Configure the operating system to off-load audit records onto a different system or media from the system being audited by specifying a remote destination in the systemd-journald configuration.\n\nOn the client, modify /etc/nixos/configuration.nix or /etc/nixos/flake.nix to include the following lines:\n\nservices.journald.upload = {\n  enable = true;\n  Upload = {\n     ServerKeyFile = $PATH_TO_CLIENT_PEM_SSL_KEY;\n     URL = $URL_OF_REMOTE_SERVER;\n     ServerCertificateFile = $PATH_TO_SSL_CERT;\n     TrustedCertificateFile = $PATH_TO_SERVER_CERT;\n   };\n  };\n}\n\nOn the server, modify /etc/nixos/configuration.nix or /etc/nixos/flake.nix to include the following lines:\nservices.journald.remote = {\n  enable = true;\n  listen = \"https\";\n  URL = $URL_OF_REMOTE_SERVER;\n  ServerKeyFile = $PATH_TO_SERVER_PEM_SSL_KEY;\n  ServerCertificateFile = $PATH_TO_SSL_CERT;\n  };\n};","ccis":["CCI-000154"]},{"vulnId":"V-268109","ruleId":"SV-268109r1131023_rule","severity":"medium","ruleTitle":"NixOS must authenticate the remote logging server for off-loading audit logs.","description":"Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.\n\nNixOS supports \"systemd-journald\", which is a common system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. This utility also natively supports TLS to securely encrypt and off-load auditing.\n\nSatisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224","checkContent":"Verify the operating system authenticates the remote logging server for off-loading audit logs.\n\nList the configured destinations with the following command:\n\n$ grep -i \"TrustedCertificateFile\" /etc/systemd/journal-upload.conf\"\n\nIf no TrustedCertificateFile is configured or is set to \"all\", this is a finding.","fixText":"Configure the operating system to authenticate the remote logging server for off-loading audit logs.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n  destination d_network {\n   syslog(\n    \"<remote-logging-server>\" port(<port>)\n    transport(tls)\n    tls(\n     cert-file(\"/var/syslog-ng/certs.d/certificate.crt\")\n     key-file(\"/var/syslog-ng/certs.d/certificate.key\")\n     ca-file(\"/var/syslog-ng/certs.d/cert-bundle.crt\")\n     peer-verify(yes)\n    )\n   );\n  };\n\n  log { source(s_local); destination(d_local); destination(d_network); };\n\nFor example, an updated configuration of 'services.rsyslogd.extraConfig' would look like the following in /etc/nixos/configuration.nix ('...' denoting that the 'services.rsyslogd.extraConfig' configuration may have other options configured):\n\n services.rsyslogd.extraConfig = ''\n   ...\n   destination d_network {\n    syslog(\n     \"<remote-logging-server>\" port(<port>)\n     transport(tls)\n     tls(\n      cert-file(\"/var/syslog-ng/certs.d/certificate.crt\")\n      key-file(\"/var/syslog-ng/certs.d/certificate.key\")\n      ca-file(\"/var/syslog-ng/certs.d/cert-bundle.crt\")\n      peer-verify(yes)\n     )\n    );\n   };\n\n   log { source(s_local); destination(d_local); destination(d_network); };\n   ...\n  '';\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000154","CCI-001851"]},{"vulnId":"V-268110","ruleId":"SV-268110r1131025_rule","severity":"medium","ruleTitle":"NixOS audit daemon must generate logs that are group-owned by root.","description":"Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084","checkContent":"Verify the audit daemon is configured to generate logs that are group-owned by root with the following command:\n\n$ sudo grep log_group /etc/audit/auditd.conf\n\nlog_group = root\n\nIf the audit daemon is not configured to generate logs that are group-owned by \"root\", this is a finding.","fixText":"Configure the audit daemon to generate logs that are group-owned by root.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n environment.etc.\"audit/auditd.conf\".text = [\n  ''\n   log_group = root\n  ''\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000162","CCI-001314"]},{"vulnId":"V-268111","ruleId":"SV-268111r1039221_rule","severity":"medium","ruleTitle":"NixOS audit directory and logs must be owned by root to prevent unauthorized read access.","description":"Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084","checkContent":"Verify the audit directory and logs are owned by \"root\". First, determine where the audit logs are stored with the following command:\n\n$ sudo grep log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the location of the audit log file (if not specified, the default location is \"/var/log/audit/audit.log\"), determine if the audit log is owned by \"root\" using the following command:\n\n$ sudo find /var/log/audit -exec stat -c \"%U %n\" {} \\;\n\nroot /var/log/audit\nroot /var/log/audit/audit.log\n\nIf the audit directory and logs are not owned by \"root\", this is a finding.","fixText":"Configure the audit directory and logs to be protected from unauthorized read access, by setting the correct owner as \"root\".\n\nUsing the path of the directory containing the audit logs (if not specified, the default location is \"/var/log/audit/audit.log\"), configure the audit directory and log files to be owned by \"root\" by using the following command:\n\n$ sudo chown -R root /var/log/audit","ccis":["CCI-000162","CCI-001314"]},{"vulnId":"V-268112","ruleId":"SV-268112r1039224_rule","severity":"medium","ruleTitle":"NixOS audit directory and logs must be group-owned by root to prevent unauthorized read access.","description":"Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084","checkContent":"Verify the audit directory and logs are group-owned by \"root\". First, determine where the audit logs are stored with the following command:\n\n$ sudo grep log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the location of the audit log file (if not specified, the default location is \"/var/log/audit/audit.log\"), determine if the audit log is group-owned by \"root\" using the following command:\n\n$ sudo find /var/log/audit -exec stat -c \"%G %n\" {} \\;\n\nroot /var/log/audit\nroot /var/log/audit/audit.log\n\nIf the audit directory and logs are not group-owned by \"root\", this is a finding.","fixText":"Configure the audit directory and logs to be protected from unauthorized read access, by setting the correct group-owner as \"root\".\n\nUsing the path of the directory containing the audit logs (if not specified, the default location is \"/var/log/audit/audit.log\"), configure the audit directory and log files to be group-owned by \"root\" by using the following command:\n\n$ sudo chown -R :root /var/log/audit","ccis":["CCI-000162","CCI-001314"]},{"vulnId":"V-268113","ruleId":"SV-268113r1039227_rule","severity":"medium","ruleTitle":"NixOS audit log directory must have a mode of 0700 or less permissive.","description":"Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit NixOS system activity.","checkContent":"Verify that the audit log directory has a mode of \"0700\" or less permissive.\n\nFirst, determine where the audit logs are stored with the following command:\n\n$ sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the audit logs, check if the audit log directory has a mode of \"0700\" or less by using the following command:\n\n$ sudo find /var/log/audit -type d -exec stat -c \"%a %n\" {} \\;\n700 /var/log/audit\n\nIf the audit log directory (or any subfolders) has a mode more permissive than \"0700\", this is a finding.","fixText":"Configure the audit log directory to have a mode of \"0700\" or less permissive.\n\nUsing the path of the directory containing the audit logs, configure the audit log directory to have a mode of \"0700\" or less permissive by using the following command:\n\n$ sudo chmod 0700 /var/log/audit","ccis":["CCI-000162"]},{"vulnId":"V-268114","ruleId":"SV-268114r1039230_rule","severity":"medium","ruleTitle":"NixOS audit logs must have a mode of 0600 or less permissive.","description":"Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084","checkContent":"Verify that the audit log files have a mode of \"0600\" or less permissive.\n\nFirst, determine where the audit logs are stored with the following command:\n\n$ sudo grep log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nUsing the path of the directory containing the audit logs, check if the audit log files have a mode of \"0600\" or less by using the following command:\n\n$ sudo find /var/log/audit -type f -exec stat -c \"%a %n\" {} \\;\n\n600 /var/log/audit/audit.log\n\nIf the audit log files have a mode more permissive than \"0600\", this is a finding.","fixText":"Verify that the audit log files have a mode of \"0600\" or less permissive.\n\nUsing the path of the directory containing the audit logs, configure the audit log files have a mode of \"0600\" or less by using the following command:\n\n$ sudo chmod 0600 /var/log/audit/audit.log","ccis":["CCI-000162","CCI-001314"]},{"vulnId":"V-268115","ruleId":"SV-268115r1131028_rule","severity":"medium","ruleTitle":"NixOS journald directory and logs must be owned by root to prevent unauthorized read access.","description":"Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084","checkContent":"Verify the journald directories and logs are owned by \"root\" by executing the following command:\n\n$ sudo find /var/log/journal -printf \"%p %u\\n\"\n\n/var/log/journal root\n/var/log/journal/8960867736094c2089638a86c43fd755 root\n\nIf any occurrences of owner are not \"root\", this is a finding.","fixText":"The systemd-journald logs are by design stored with root:systemd-journald owner and group respectively.\n\nIf any files are found with different ownership, run the following command to correct them:\n\n$ sudo chown -R root:systemd-journald /var/log/journald","ccis":["CCI-000162","CCI-001314"]},{"vulnId":"V-268116","ruleId":"SV-268116r1131031_rule","severity":"medium","ruleTitle":"NixOS journald directory and logs must be group-owned by systemd-journald to prevent unauthorized read access.","description":"Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000206-GPOS-00084","checkContent":"Verify the journald directories and logs are group-owned by \"systemd-journald\" by executing the following command:\n\n$ sudo find /var/log/journal -not -group systemd-journal\n\nIf any directories or files are returned, this is a finding.","fixText":"The systemd-journald logs are by design stored with root:systemd-journald owner and group respectively.\n\nIf any files are found with different ownership, run the following command to correct them:\n\n$ sudo chown -R root:systemd-journald /var/log/journald","ccis":["CCI-000162","CCI-001314"]},{"vulnId":"V-268117","ruleId":"SV-268117r1131034_rule","severity":"medium","ruleTitle":"NixOS systemd-journald directory must have a mode of 2755 or less permissive.","description":"Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit NixOS system activity.","checkContent":"Verify NixOS protects log information from unauthorized read access by implementing a mode of 2755 or less on the creation of log directories with the following command: \n\n$ sudo find /var/log/journal -type d -perm -2755 -not -perm 2755 -printf \"%p %m\\n\"\n\nIf any directories have a permission of greater than 2755, this is a finding.","fixText":"The systemd-journald directories are by design set to 2755 mode.\n\nIf any directories are found with incorrect perms, correct them with the following command:\n\n$ sudo find /var/log/journal -type d -exec chmod 2755 {} \\;","ccis":["CCI-000162"]},{"vulnId":"V-268118","ruleId":"SV-268118r1131037_rule","severity":"medium","ruleTitle":"NixOS systemd-journald logs must have a mode of 0640 or less permissive.","description":"Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives.\n\nThe structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.\n\nSatisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000205-GPOS-00083","checkContent":"Verify NixOS protects log information from unauthorized read access by implementing a mode of 0640 or less on the creation of log files with the following command: \n\n$ sudo find /var/log/journal -type f -perm -640 -not -perm 640 -printf \"%p %m\\n\"\n\nIf any log files have a permission of greater than 0640, this is a finding.","fixText":"The systemd-journald files are by design set to 0640 mode.\n\nIf any files are found with incorrect perms, correct them with the following command:\n\n$ sudo find /var/log/journal -type f -exec chmod 0640 {} \\;","ccis":["CCI-000162","CCI-001312"]},{"vulnId":"V-268119","ruleId":"SV-268119r1131040_rule","severity":"medium","ruleTitle":"NixOS audit system must protect logon UIDs from unauthorized change.","description":"If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.\n\nAudit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit system activity.\n\nIn immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes.\n\nSatisfies: SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029","checkContent":"Verify the audit system prevents unauthorized changes to logon UIDs with the following command:\n\n$ sudo auditctl -s | grep -i immutable\n\nloginuid_immutable 1 locked\n\nIf the command does not return \"loginuid_immutable 1 locked\", this is a finding.","fixText":"Configure NixOS to prevent unauthorized changes to logon UIDs.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.audit.rules = [\n  \"--loginuid-immutable\"\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000163","CCI-000164"]},{"vulnId":"V-268120","ruleId":"SV-268120r1131043_rule","severity":"medium","ruleTitle":"NixOS audit configuration files must have a mode of 444 or less permissive.","description":"Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.","checkContent":"Verify that the NixOS audit configuration and service files have a mode of 444 or less permissive with the following commands:\n\n$ sudo find -L /etc/audit -type f -exec stat -L -c \"%a %n\" {} \\;\n$ sudo find -L /etc/systemd/system -iname \"audit*\" -type f -exec stat -L -c \"%a %n\" {} \\;\n$ stat -c '%a %n' $(realpath /etc/systemd/system/audit*.service)\n\n444 /etc/audit/auditd.conf\n444 /etc/systemd/system/audit.service\n444 /etc/systemd/system/auditd.service\n444 /etc/systemd/system/basic.target.wants/audit.service\n444 /etc/systemd/system/sysinit.target.wants/audit.service\n444 /nix/store/dr3i90b3n1fb06fr1gw12jfg9wb8dkrc-unit-auditd.service/auditd.service\n444 /nix/store/dc6s6z7ykbmq70i5z8cff0agwsmp9jhm-unit-audit.service/audit.service\n\nIf the audit configuration files have a mode more permissive than 444, this is a finding.","fixText":"Configure NixOS audit configuration and service files to have a mode of 444 or less permissive with the following command:\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000171"]},{"vulnId":"V-268121","ruleId":"SV-268121r1131046_rule","severity":"medium","ruleTitle":"NixOS system configuration file directories must have a mode of \"0755\" or less permissive.","description":"Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.","checkContent":"Verify that the NixOS audit configuration directories have a mode of \"755\" or less permissive with the following commands:\n\n$ sudo find -L /etc/audit -type d -exec stat -L -c \"%a %n\" {} \\;\n\n755 /etc/audit\n\nIf the audit configuration files have a mode more permissive than \"755\", this is a finding.","fixText":"Update the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix, to use a mode of 755 or less for directories under /etc/audit.\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000171"]},{"vulnId":"V-268122","ruleId":"SV-268122r1131049_rule","severity":"medium","ruleTitle":"NixOS system configuration files and directories must be owned by root.","description":"Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.","checkContent":"Verify that the NixOS audit configuration files and directories are owned by root with the following command:\n\n$ sudo find /etc/audit -exec stat -L -c \"%U %n\" {} \\;\n$ sudo find /etc/systemd/system -follow -iname \"audit*service\" -exec stat -c \"%U %n\" {} \\;\n\nroot /etc/audit\nroot /etc/audit/auditd.conf\nroot /etc/systemd/system/audit.service\nroot /etc/systemd/system/auditd.service\nroot /etc/systemd/system/basic.target.wants/audit.service\nroot /etc/systemd/system/sysinit.target.wants/auditd.service\n\nIf the audit configuration files and directories are not owned by root, this is a finding.","fixText":"Update the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix, to only use the root user for files under /etc/audit.\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000171"]},{"vulnId":"V-268123","ruleId":"SV-268123r1131052_rule","severity":"medium","ruleTitle":"NixOS system configuration files and directories must be group-owned by root.","description":"Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.","checkContent":"Verify that the NixOS audit configuration files and directories are group-owned by root with the following commands:\n\n$ sudo find /etc/audit -exec stat -L -c \"%G %n\" {} \\;\n$ sudo find /etc/systemd/system -follow -iname \"audit*service\" -exec stat -c \"%G %n\" {} \\;\n\nroot /etc/audit\nroot /etc/audit/auditd.conf\nroot /etc/systemd/system/audit.service\nroot /etc/systemd/system/auditd.service\nroot /etc/systemd/system/basic.target.wants/audit.service\nroot /etc/systemd/system/sysinit.target.wants/auditd.service\n\nIf the system configuration files and directories are not group-owned by root or other privileged group (such as shadow), this is a finding.","fixText":"Update the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix, to only use the root group for files under /etc/audit.\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000171"]},{"vulnId":"V-268124","ruleId":"SV-268124r1131055_rule","severity":"medium","ruleTitle":"NixOS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.","description":"Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.\n\nA trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement.\n\nSatisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000403-GPOS-00182, SRG-OS-000775-GPOS-00230","checkContent":"Verify NixOS only allows the use of DOD PKI-established certificate authorities by running the following:\n\n$ openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem\nCertificate:\nData:\nVersion: 3 (0x2)\nSerial Number: 1 (0x1)\nSignature Algorithm: sha256WithRSAEncryption\nIssuer: C = US, O = U.S. Government, OU = DOD, OU = PKI, CN = DOD Root CA 3\nValidity\nNot Before: Mar 20 18:46:41 2012 GMT\nNot After : Dec 30 18:46:41 2029 GMT\nSubject: C = US, O = U.S. Government, OU = DOD, OU = PKI, CN = DOD Root CA 3\nSubject Public Key Info:\nPublic Key Algorithm: rsaEncryption\n\nIf the root CA file is not a DOD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location, this is a finding.","fixText":"Configure NixOS to authenticate using DOD's root CA.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n services.sssd.enable = true;\n environment.etc.\"sssd/pki/sssd_auth_ca_db.pem\".source = let\n  certzip = pkgs.fetchzip {\n   url = \"https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_v5-6_dod.zip\";\n   sha256 = \"sha256-iwwJRXCnONk/LFddQlwy8KX9e9kVXW/QWDnX5qZFZjc=\";\n  };\n in \"${certzip}/DOD_PKE_CA_chain.pem\";\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000185","CCI-002470","CCI-004909"]},{"vulnId":"V-268125","ruleId":"SV-268125r1039263_rule","severity":"medium","ruleTitle":"NixOS must enforce authorized access to the corresponding private key for PKI-based authentication.","description":"If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.\n\nThe cornerstone of the PKI is the private key used to encrypt or digitally sign information.\n\nIf the private key is stolen, this will lead to the compromise of the authentication and nonrepudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user.\n\nBoth the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.","checkContent":"Verify the SSH private key files have a passcode.\n\nFor each private key stored on the system, use the following command:\n\n$ sudo ssh-keygen -y -f /path/to/file\n\nIf the contents of the key are displayed, this is a finding.","fixText":"Create new private/public key pairs that use a passcode using the following command:\n\n$ sudo ssh-keygen -n [passphrase]","ccis":["CCI-000186"]},{"vulnId":"V-268126","ruleId":"SV-268126r1131057_rule","severity":"medium","ruleTitle":"NixOS must enforce password complexity by requiring that at least one uppercase character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.","checkContent":"Verify NixOS enforces password complexity by requiring at least one uppercase character with the following command:\n\n$ grep ucredit /etc/security/pwquality.conf\n\n ucredit=-1\n\nIf the value of \"ucredit\" is a positive number or is commented out, this is a finding.","fixText":"Configure NixOS to enforce password complexity. \n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nenvironment.etc.\"/security/pwquality.conf\".text = ''\nucredit=-1\n'';\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-004066"]},{"vulnId":"V-268127","ruleId":"SV-268127r1131059_rule","severity":"medium","ruleTitle":"NixOS must enforce password complexity by requiring that at least one lowercase character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.","checkContent":"Verify NixOS enforces password complexity by requiring at least one lowercase character with the following command:\n\n$ grep lcredit /etc/security/pwquality.conf\n\n lcredit=-1\n\nIf the value of \"lcredit\" is a positive number or is commented out, this is a finding.","fixText":"Configure NixOS to enforce password complexity. \n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nenvironment.etc.\"/security/pwquality.conf\".text = ''\nlcredit=-1\n'';\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-004066"]},{"vulnId":"V-268128","ruleId":"SV-268128r1131061_rule","severity":"medium","ruleTitle":"NixOS must enforce password complexity by requiring that at least one numeric character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.","checkContent":"Verify NixOS enforces password complexity by requiring at least one numeric character with the following command:\n\n$ grep dcredit /etc/security/pwquality.conf\n\n dcredit=-1\n\nIf the value of \"dcredit\" is a positive number or is commented out, this is a finding.","fixText":"Configure NixOS to enforce password complexity. \n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nenvironment.etc.\"/security/pwquality.conf\".text = ''\ndcredit=-1\n'';\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-004066"]},{"vulnId":"V-268129","ruleId":"SV-268129r1131063_rule","severity":"medium","ruleTitle":"NixOS must require the change of at least 50 percent of the total number of characters when passwords are changed.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.","checkContent":"Verify NixOS enforces password complexity by requiring that at least 50 percent of the characters are changed with the following command:\n\n$ grep difok /etc/security/pwquality.conf\n\n difok=8\n\nIf the value of \"difok\" is set to less than \"8\", or is commented out, this is a finding.","fixText":"Configure NixOS to enforce password complexity. \n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nenvironment.etc.\"/security/pwquality.conf\".text = ''\ndifok=8\n'';\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-004066"]},{"vulnId":"V-268130","ruleId":"SV-268130r1131065_rule","severity":"high","ruleTitle":"NixOS must store only encrypted representations of passwords.","description":"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.","checkContent":"Verify NixOS stores only encrypted representations of passwords with the following command: \n\n$ grep ENCRYPT_METHOD /etc/login.defs\n\nENCRYPT_METHOD SHA512\n\nIf \"ENCRYPT_METHOD\" does not equal SHA512 or greater, is commented out, or is missing, this is a finding.","fixText":"Configure NixOS to store only encrypted representations of passwords. \n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nsecurity.loginDefs.settings.ENCRYPT_METHOD = \"SHA512\";\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-004062"]},{"vulnId":"V-268131","ruleId":"SV-268131r1131067_rule","severity":"high","ruleTitle":"NixOS must not have the telnet package installed.","description":"Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.","checkContent":"Ensure the telnet package is not installed and available with the following command:\n\n$ whereis telnet\n\ntelnet:\n\nIf there is a path, and the output looks like \"telnet: /nix/store/sqiphymcpky1yysgdc1aj4lr9jg9n53a-inetutils-2.2/bin/telnet\", this is a finding.","fixText":"Edit the NixOS Configuration file /etc/nixos/configuration.nix or /etc/nixos/flake.nix and remove any references to pkgs.libtelnet, pkgs.busybox, or pkgs.inetutils from the environment.systemPackages list.\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000197"]},{"vulnId":"V-268132","ruleId":"SV-268132r1131069_rule","severity":"medium","ruleTitle":"NixOS must enforce 24 hours/one day as the minimum password lifetime.","description":"Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.","checkContent":"Verify NixOS enforces 24 hours/one day as the minimum password lifetime with the following command: \n\n$ grep PASS_MIN_DAYS /etc/login.defs \n\nPASS_MIN_DAYS 1\n\nIf PASS_MIN_DAYS_1 is not present, is commented out, or is a value different from 1, this is a finding.","fixText":"Configure NixOS operating system to enforce 24 hours/one day as the minimum password lifetime. \n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nsecurity.loginDefs.settings.PASS_MIN_DAYS = \"1\";\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-004066"]},{"vulnId":"V-268133","ruleId":"SV-268133r1131071_rule","severity":"medium","ruleTitle":"NixOS must enforce a 60-day maximum password lifetime restriction.","description":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.","checkContent":"Verify NixOS enforces a 60-day maximum password lifetime for new user accounts by running the following command:\n\n$ grep PASS_MAX_DAYS /etc/login.defs\n\nPASS_MAX_DAYS 60\n\nIf the \"PASS_MAX_DAYS\" parameter value is less than 60 or commented out, this is a finding.","fixText":"Configure NixOS operating system to enforce a 60-day maximum password lifetime.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nsecurity.loginDefs.settings.PASS_MAX_DAYS = \"60\";\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-004066"]},{"vulnId":"V-268134","ruleId":"SV-268134r1131073_rule","severity":"medium","ruleTitle":"NixOS must enforce a minimum 15-character password length.","description":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.","checkContent":"Verify NixOS enforces a minimum 15-character password length with the following command:\n\n$ grep minlen /etc/security/pwquality.conf\n\n minlen=15\n\nIf the value of \"minlen\" is set to less than \"15\", or is commented out, this is a finding.","fixText":"Configure NixOS to enforce password complexity. \n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nenvironment.etc.\"/security/pwquality.conf\".text = ''\nminlen=15\n'';\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-004066"]},{"vulnId":"V-268135","ruleId":"SV-268135r1039293_rule","severity":"medium","ruleTitle":"NixOS must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users).","description":"To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.\n\nOrganizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: \n\n1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and\n\n2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.\n\nSatisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062","checkContent":"Verify the NixOS operating system contains no duplicate User IDs (UIDs) for interactive users with the following command: \n \n$ awk -F \":\" 'list[$3]++{print $1, $3}' /etc/passwd \n \nIf output is produced and the accounts listed are interactive user accounts, this is a finding.","fixText":"Configure the NixOS to uniquely identify and authenticate nonorganizational users by editing the file \"/etc/passwd\" and provide each interactive user account that has a duplicate UID with a unique UID.","ccis":["CCI-000764","CCI-000804"]},{"vulnId":"V-268136","ruleId":"SV-268136r1131076_rule","severity":"medium","ruleTitle":"NixOS must use multifactor authentication for network access to privileged accounts.","description":"Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased.\n\nMultifactor authentication requires using two or more factors to achieve authentication.\n\nFactors include: \n1) something a user knows (e.g., password/PIN);\n2) something a user has (e.g., cryptographic identification device, token); and\n3) something a user is (e.g., biometric).\n\nA privileged account is defined as an information system account with authorizations of a privileged user.\n\nNetwork access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet).\n\nThe DOD CAC with DOD-approved PKI is an example of multifactor authentication.\n\nSatisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055","checkContent":"Verify NixOS has the packages required for multifactor authentication installed with the following command:\n\n$ which p11sak\n\n/run/current-system/sw/bin/p11sak\n\nIf the \"p11sak\" program is not found in PATH, this is a finding.","fixText":"Configure NixOS to have a package that enforces multifactor authentication installed.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n environment.systemPackages = [\n  pkgs.opencryptoki\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000765","CCI-000766"]},{"vulnId":"V-268137","ruleId":"SV-268137r1131078_rule","severity":"medium","ruleTitle":"NixOS must not allow direct login to the root account via SSH.","description":"To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated.\n\nA group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator are the UNIX OS \"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\" account.\n\nFor example, the UNIX and Windows operating systems offer a \"switch user\" capability allowing users to authenticate with their individual credentials and, when needed, \"switch\" to the administrator role. This method provides for unique individual authentication prior to using a group authenticator.\n\nUsers (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses other than those explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the operating system without identification or authentication.\n\nRequiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.","checkContent":"Verify the NixOS configuration disallows directly logging into the root account via SSH with the following command:\n\n$ grep PermitRootLogin /etc/ssh/sshd_config\n\nPermitRootLogin no\n\nIf the value is anything other than \"no\", this is a finding.","fixText":"Configure NixOS to ensure the root user login via SSH is disabled.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nservices.openssh.permitRootLogin = \"no\";\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-004045"]},{"vulnId":"V-268138","ruleId":"SV-268138r1131081_rule","severity":"medium","ruleTitle":"NixOS must not allow direct login to the root account.","description":"To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated.\n\nA group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator are the UNIX OS \"root\" user account, the Windows \"Administrator\" account, the \"sa\" account, or a \"helpdesk\" account.\n\nFor example, the UNIX and Windows operating systems offer a \"switch user\" capability allowing users to authenticate with their individual credentials and, when needed, \"switch\" to the administrator role. This method provides for unique individual authentication prior to using a group authenticator.\n\nUsers (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses other than those explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the operating system without identification or authentication.\n\nRequiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.","checkContent":"Verify the NixOS operating system prevents directly logging in to the root account with the following command:\n\n$ sudo passwd -S root\n\nroot L 01/02/1970 -1 -1 -1 -1\n\nIf the second field in the output is not \"L\" or \"NP\", then the root account is not locked and has a password configured, and this is a finding.","fixText":"Configure NixOS to ensure the root user is locked.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nusers.mutableUsers = false;\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-004045"]},{"vulnId":"V-268139","ruleId":"SV-268139r1131083_rule","severity":"medium","ruleTitle":"NixOS must enable USBguard.","description":"Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.\n\nPeripherals include, but are not limited to, such devices as flash drives, external storage, and printers.\n\nSatisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000690-GPOS-00140","checkContent":"Verify NixOS had enabled the use of the USBGuard with the following command:\n\n$ systemctl status usbguard\n\n usbguard.service - USBGuard daemon\nLoaded: loaded (/etc/systemd/system/usbguard.service; enabled; present: enabled)\nActive: active (running) since Sat 2022-06-04 02:51:43 UTC; 13min ago\n\nIf the usbguard.service is not \"active\" and \"running\", this is a finding.","fixText":"Configure NixOS to enable USBGuard and generate a USBGuard ruleset.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n services.usbguard.enable = true;\n\nRebuild the system configuration by running the following command:\n\n$ sudo nixos-rebuild switch\n\nAs root, generate a usbguard configuration. Using the \"usbguard\" command, use \"usbguard list-devices\" to list connected USB devices, \"usbguard block-device\" to block a device, and \"usbguard allow-device\" to allow a device. Note that the default behavior is to block devices.\n\nWhen all connected USB devices have been permitted, generate a ruleset by running the following command as root:\n\n# usbguard generate-policy\n\nEdit the NixOS config to add the policy:\n\n services.usbguard.rules = ''\n  allow id 1d6b:0001 serial \"0000:00:01.2\" name \"UHCI Host Controller\" hash \"FRDEjz7OhdJbNjmJ8zityiNX/LuO+ovKC07I0bOFjao=\" parent-hash \"9+Zsfvo9IR/AEQ/Fn4mzdoPGk0rqpjku6uErfS09K4c=\" with-interface 09:00:00 with-connect-type \"\"\n\n  allow id 0627:0001 serial \"28754-0000:00:01.2-1\" name \"QEMU USB Tablet\" hash \"5TyVK8wyL5GmiIbZV2Sf/ehIRMCP83miy4kOzG6O+2M=\" parent-hash \"FRDEjz7OhdJbNjmJ8zityiNX/LuO+ovKC07I0bOFjao=\" with-interface 03:00:00 with-connect-type \"unknown\"\n '';\n\nNote: This ruleset is only an example; generate a policy using the process described above.\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000778","CCI-001958","CCI-003959"]},{"vulnId":"V-268140","ruleId":"SV-268140r1117267_rule","severity":"medium","ruleTitle":"A sticky bit must be set on all NixOS public directories to prevent unauthorized and unintended information transferred via shared system resources.","description":"Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.\n\nThis requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies.\n\nThere may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.","checkContent":"Verify NixOS is configured with the sticky bit on world-writable directories with the following command:\n\n$ sudo find / -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null\n\nIf any of the returned directories are world-writable and do not have the sticky bit set, this is a finding.","fixText":"Configure all public directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. \n \nSet the sticky bit on all public directories using the following command, replacing \"[Public Directory]\" with any directory path missing the sticky bit: \n \n$ sudo chmod +t [Public Directory]","ccis":["CCI-001090"]},{"vulnId":"V-268141","ruleId":"SV-268141r1131085_rule","severity":"medium","ruleTitle":"NixOS must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.","description":"DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. \n\nManaging excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.","checkContent":"Verify NixOS is configured to use IPv4 TCP syncookies with the following command:\n\n$ sudo sysctl net.ipv4.tcp_syncookies\n\nnet.ipv4.tcp_syncookies = 1\n\nIf the network parameter \"ipv4.tcp_syncookies\" is not equal to \"1\" or nothing is returned, this is a finding.","fixText":"Configure the audit service to use IPv4 TCP syncookies.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nboot.kernel.sysctl = { \n\"net.ipv4.tcp_syncookies\"=1;\n};\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-001095"]},{"vulnId":"V-268142","ruleId":"SV-268142r1131087_rule","severity":"medium","ruleTitle":"NixOS must terminate all SSH connections after 10 minutes of becoming unresponsive.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. \n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.\n\nSatisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175","checkContent":"Verify that all network connections associated with SSH traffic are automatically terminated after 10 minutes of becoming unresponsive with the following command:\n\n$ grep -i clientaliveinterval /etc/ssh/sshd_config\n\nClientAliveInterval 600\n\nIf \"ClientAliveInterval\" does not have a value of \"600\" or less, is commented out, or is missing, this is a finding.","fixText":"Configure NixOS to automatically terminate all network connections associated with SSH traffic after being unresponsive for 10 minutes. \n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nservices.openssh.extraConfig = ''\n ClientAliveInterval 600\n'';\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-001133","CCI-002361","CCI-002891"]},{"vulnId":"V-268143","ruleId":"SV-268143r1131089_rule","severity":"medium","ruleTitle":"NixOS must terminate all SSH connections after becoming unresponsive.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. \n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.","checkContent":"Verify that all network connections associated with SSH traffic are automatically terminated after becoming unresponsive with the following command:\n\n$ grep -i clientalivecount /etc/ssh/sshd_config\n\nClientAliveCountMax 1\n\nIf \"ClientAliveCountMax\" is not set to \"1\", is commented out, or is missing, this is a finding.","fixText":"Configure NixOS to automatically terminate all network connections associated with SSH traffic after being unresponsive. \n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nservices.openssh.extraConfig = ''\n ClientAliveCountMax 1\n'';\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-001133"]},{"vulnId":"V-268144","ruleId":"SV-268144r1039320_rule","severity":"high","ruleTitle":"NixOS must protect the confidentiality and integrity of all information at rest.","description":"Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system.\n\nThis requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.\n\nSatisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184, SRG-OS-000780-GPOS-00240","checkContent":"Verify NixOS prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. \n\nVerify all system partitions are encrypted with the following command:\n\n$ sudo blkid\n\n/dev/sda1: LABEL=\"nixos\" UUID=\"67b7d7fe-de60-6fd0-befb-e6748cf97743\" TYPE=\"crypto_LUKS\"\n\nEvery persistent disk partition present must be of type \"crypto_LUKS\". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type \"crypto_LUKS\", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding.","fixText":"Configure NixOS to prevent unauthorized modification of all information at rest by using disk encryption. \n\nEncrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout.\n\nRefer to the NixOS manual Section 8.1 \"LUKS-Encrypted File Systems\" for further details.\n\nNixOS Wiki: https://nixos.wiki/wiki/Full_Disk_Encryption","ccis":["CCI-001199","CCI-002475","CCI-002476","CCI-004910"]},{"vulnId":"V-268145","ruleId":"SV-268145r1131091_rule","severity":"medium","ruleTitle":"NixOS must enforce password complexity by requiring that at least one special character be used.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.\n\nPassword complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nSpecial characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.","checkContent":"Verify NixOS enforces the use of at least one special character in passwords with the following command:\n\n$ grep minlen /etc/security/pwquality.conf\n\n ocredit=-1\n\nIf the value of \"ocredit\" is a positive number or is commented out, this is a finding.","fixText":"Configure NixOS to enforce password complexity.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nenvironment.etc.\"/security/pwquality.conf\".text = ''\nocredit=-1\n'';\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-004066"]},{"vulnId":"V-268146","ruleId":"SV-268146r1131093_rule","severity":"high","ruleTitle":"NixOS must protect wireless access to and from the system using encryption.","description":"Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Since wireless communications can be intercepted, it is necessary to use encryption to protect the confidentiality of information in transit.\n\nWireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication.\n\nThis requirement applies to those operating systems that control wireless devices.\n\nSatisfies: SRG-OS-000299-GPOS-00117, SRG-OS-000481-GPOS-00481","checkContent":"Verify NixOS disables wireless adapters by running the following command: \n\n$ grep -R networking.wireless /etc/nixos/\n\n /etc/nixos/configuratino.nix:networking.wireless.enable = false;\n\nIf \" networking.wireless.enable\", does not equal false, is missing, or is commented out, this is a finding.","fixText":"Configure the audit service to disable wireless interfaces.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n networking.wireless.enable = false;\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-001444","CCI-002418"]},{"vulnId":"V-268147","ruleId":"SV-268147r1131095_rule","severity":"medium","ruleTitle":"NixOS must protect wireless access to the system using authentication of users and/or devices.","description":"Allowing devices and users to connect to the system without first authenticating them allows untrusted access and can lead to a compromise or attack.\n\nWireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication.\n\nThis requirement applies to operating systems that control wireless devices.","checkContent":"Verify NixOS disables Bluetooth adapters by running the following command: \n\n$ grep -R hardware.bluetooth /etc/nixos/\n\n/etc/nixos/configuration.nix:hardware.bluetooth.enable = false;\n\nIf \"hardware.bluetooth.enable\", does not equal false, is missing, or is commented out, this is a finding.","fixText":"Configure the audit service to disable Bluetooth adapters.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n hardware.bluetooth.enable = false;\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-001443"]},{"vulnId":"V-268148","ruleId":"SV-268148r1131097_rule","severity":"medium","ruleTitle":"NixOS must prevent all software from executing at higher privilege levels than users executing the software.","description":"In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations.\n\nSome programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review.","checkContent":"Verify NixOS audits and provides alerts of audit failures by running the following command: \n\n$grep A -15 security.auditd /etc/nixos/configuration.nix\n\n /etc/nixos/configuration.nix: \n\n security.auditd.enable = true;\n security.audit.enable = true;\n security.audit.rules = [\n  ''\n  <audit_rules>\n  ''\n ]; security.audit.rules = [\n  \"-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv\"\n  \"-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv\"\n  \"-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv\"\n  \"-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv\"\n ];\n\nIf \"security.auditd\", \"security.audit\" and the additional modifications do not equal true, are missing, or are commented out, this is a finding.","fixText":"Configure the audit service to produce audit records.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.auditd.enable = true;\n security.audit.enable = true;\n\nAdd the following audit rules:\n\n security.audit.rules = [\n  \"-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv\"\n  \"-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv\"\n  \"-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv\"\n  \"-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv\"\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-002233"]},{"vulnId":"V-268149","ruleId":"SV-268149r1131099_rule","severity":"medium","ruleTitle":"NixOS must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).","description":"Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.\n\nSynchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.\n\nOrganizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).\n\nSatisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000359-GPOS-00146, SRG-OS-000785-GPOS-00250","checkContent":"Verify NixOS is configured with an approved time server with the following command:\n\n$ timedatectl show-timesync | grep NTPServers\n\nSystemNTPServers=tick.usnogps.navy.mil\nFallbackNTPServers=tock.usnogps.navy.mil\n\nIf the output of the command does not list authorized time servers, this is a finding.","fixText":"Configure NixOS to use approved timeservers.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n networking.timeServers = [\n  \"tick.usnogps.navy.mil\"\n  \"tock.usnogps.navy.mil\"\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-004923","CCI-001890","CCI-004922"]},{"vulnId":"V-268150","ruleId":"SV-268150r1131101_rule","severity":"medium","ruleTitle":"NixOS must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.","description":"Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.\n\nSynchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems).\n\nOrganizations should also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in SRG-OS-000355 because a comparison must be done to determine the time difference.","checkContent":"Verify NixOS synchronizes internal information system clocks to the authoritative time source when the time difference is greater than one second with the following command:\n\n$ grep -iR pollinterval /etc/nixos/\n\nservices.timesyncd.extraConfig = \"PollIntervalMaxSec=60\";\n\nIf \"PollIntervalMaxSec\" is greater than \"60\", is commented out, or is missing, this is a finding.","fixText":"Configure NixOS to regularly synchronize the system clock.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nservices.timesyncd.extraConfig = ''\nPollIntervalMaxSec=60\n'';\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-004926"]},{"vulnId":"V-268151","ruleId":"SV-268151r1131103_rule","severity":"medium","ruleTitle":"NixOS must have time synchronization enabled.","description":"Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events.\n\nSynchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems).\n\nOrganizations should also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in SRG-OS-000355 because a comparison must be done to determine the time difference.","checkContent":"Verify NixOS synchronizes internal information system clocks to the authoritative time source when the time difference is greater than one second with the following command:\n\n$ grep -iR timesyncd.enable /etc/nixos/\n\nservices.timesyncd.enable = true;\n\nIf \"services.timesyncd.enable\" is not set to \"true\", is commented out, or is missing, this is a finding.","fixText":"Configure NixOS to regularly synchronize the system clock.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n services.timesyncd.enable = true;\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-004926"]},{"vulnId":"V-268152","ruleId":"SV-268152r1131105_rule","severity":"medium","ruleTitle":"NixOS must prohibit user installation of system software without explicit privileged status.","description":"Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user.\n\nOperating system functionality will vary, and while users are not permitted to install unapproved software, there may be instances where the organization allows the user to install approved software packages, such as from an approved software repository.\n\nThe operating system or software configuration management utility must enforce control of software installation by users based upon what types of software installations are permitted (e.g., updates and security patches to existing software) and what types of installations are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect) by the organization.","checkContent":"Verify NixOS prevents unauthorized users from using nix with the following command:\n\n$ grep -R allowed-users /etc/nixos/\n\n/etc/nixos/configuration.nix:nix.settings.allowed-users = [ \"root\" \"@wheel\" ];\n\nIf any other groups or users are included in \"nix.settings.allowed-users\" other than \"root\" and \"wheel\", or the configuration setting does not exist, this is a finding.","fixText":"Configure NixOS to prevent unauthorized users from using nix.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n nix.settings.allowed-users = [ \"root\" \"@wheel\" ];\n\nNote: Extra usergroups may be permitted by adding them with the format \"@group\" (e.g.: \"@users\").\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-003980"]},{"vulnId":"V-268153","ruleId":"SV-268153r1131108_rule","severity":"medium","ruleTitle":"NixOS must notify designated personnel if baseline configurations are changed in an unauthorized manner.","description":"Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.\n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.\n\nSatisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201","checkContent":"Verify NixOS notifies if baseline configurations are changed with Advanced Intrusion Detection Environment with the following commands:\n\n$ systemctl is-active aide.service\n\nactive\n\nIf aide is not active and is not configured to alert on file system changes, this is a finding.","fixText":"Configure NixOS to notify when baseline configuration changes.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nnixpkgs.overlays = [\n  (final: prev: {\n    aide = prev.aide.overrideAttrs (old: {\n      configureFlags = (old.configureFlags or [ ]) ++ [ \"--sysconfdir=/etc\" ];\n     });\n  })\n];\n\nenvironment.systemPackages = [\n  pkgs.aide\n ];\nenvironment.etc = {\n    # Creates /etc/aide.conf\n    \"aide.conf\" = {\n      text = ''\n      <CONFIG_TEXT>\n      '';\n      mode = \"0444\";\n    };\n};\nservices.cron = {\n  enable = true;\n  systemCronJobs = [\n   \"00 0 * * 0\\troot\\taide -c /etc/aide.conf --check | /bin/mail -s \"aide integrity check run for ${config.networking.hostName}\" root@notareal.email\"\n  ];\n};\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-001744","CCI-002696","CCI-002699","CCI-002702"]},{"vulnId":"V-268154","ruleId":"SV-268154r1131111_rule","severity":"high","ruleTitle":"NixOS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.","description":"Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.\n\nAccordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.\n\nVerifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved certificate authority (CA).","checkContent":"Verify NixOS prevents installations that have not been digitally signed with the following command:\n \n$ grep -R require-sigs /etc/nix/nix.conf\n\nrequire-sigs = true\n\nIf \"require-sigs\" is not set to \"true\" or is missing, this is a finding.","fixText":"Configure NixOS to require signatures.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nnix.settings.require-sigs = true;\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-003992"]},{"vulnId":"V-268155","ruleId":"SV-268155r1131113_rule","severity":"medium","ruleTitle":"NixOS must require users to reauthenticate for privilege escalation.","description":"Without reauthentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.","checkContent":"Verify NixOS enforces reauthentication with sudo with the following command:\n\n$ sudo grep timestamp_timeout /etc/sudoers\n\n Defaults timestamp_timeout=0\n\nIf \"timestamp_timeout\" is greater than 0, is commented out, or is missing, this is a finding.","fixText":"Configure NixOS to enforce reauthentication with sudo.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.sudo.extraConfig = ''\nDefaults timestamp_timeout=0\n'';\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000366"]},{"vulnId":"V-268156","ruleId":"SV-268156r1131116_rule","severity":"medium","ruleTitle":"NixOS must require users to reauthenticate when changing roles.","description":"Without reauthentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability to change security roles, it is critical the user reauthenticate.","checkContent":"Verify NixOS requires users to reauthenticate when changing roles with the following command:\n\n$ grep -iR \"%wheel\" /etc/sudoers\n\n%wheel     ALL=(ALL:ALL)     SETENV:  ALL\n\nIf the returned line contains \"NOPASSWD\", this is a finding.","fixText":"Configure NixOS to require reauthentication for sudo.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.sudo.wheelNeedsPassword = true;\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000366"]},{"vulnId":"V-268157","ruleId":"SV-268157r1131119_rule","severity":"high","ruleTitle":"NixOS must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.","description":"Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms, such as a hash function or digital signature, to protect integrity. \n\nNonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. \n\nThe operating system can meet this requirement through leveraging a cryptographic module. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing \"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of an Ethernet switch).","checkContent":"Verify NixOS uses the following FIPS 140-3 approved MAC codes in openssh with the following command:\n\n$ grep Mac /etc/ssh/sshd_config\n\nMacs hmac-sha2-512  hmac-sha2-256\n\nIf \"Macs\" contains any ciphers other than \"hmac-sha2-512\" or \"hmac-sha2-256\", this is a finding.","fixText":"Configure /etc/nixos/configuration.nix to use the following FIPS 140-3 approved MAC codes in openssh.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n services.openssh.macs = [\n  \"hmac-sha2-512\"\n  \"hmac-sha2-256\"\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-002890"]},{"vulnId":"V-268158","ruleId":"SV-268158r1131121_rule","severity":"medium","ruleTitle":"NixOS must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.","description":"Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.\n\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.\n\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.","checkContent":"Verify NixOS firewall enforces rate limits using the hashlimit module.\n\n$ sudo iptables -L | grep limit\n\nnixos-fw-refuse tcp -- anywhere   anywhere   tcp dpt:ssh limit: above 1000000b/s mode srcip\nnixos-fw-refuse tcp -- anywhere   anywhere   tcp dpt:http limit: above 1000/min burst 5 mode srcip\nnixos-fw-refuse tcp -- anywhere   anywhere   tcp dpt:https limit: above 1000/min burst 5  mode srcip\n\nIf the command does not produce any rate limiting rules, this is a finding.","fixText":"Configure the NixOS firewall to enforce rate limits using the hashlimit module.\n\nFor example, to limit SSH to 1 MB/s and to limit HTTP to 1000 connections / minute per IP, add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n networking.firewall.enable = true;\n networking.firewall.extraCommands = ''\n  ip46tables --append INPUT --protocol tcp --dport 22 --match hashlimit --hashlimit-name stig_byte_limit --hashlimit-mode srcip --hashlimit-above 1000000b/second --jump nixos-fw-refuse\n  ip46tables --append INPUT --protocol tcp --dport 80 --match hashlimit --hashlimit-name stig_conn_limit --hashlimit-mode srcip --hashlimit-above 1000/minute --jump nixos-fw-refuse\n  ip46tables --append INPUT --protocol tcp --dport 443 --match hashlimit --hashlimit-name stig_conn_limit --hashlimit-mode srcip --hashlimit-above 1000/minute --jump nixos-fw-refuse\n '';\n\nNote: NixOS provides the helper script \"ip46tables\" to add rules using both \"iptables\" and \"ip6tables\".\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-002385"]},{"vulnId":"V-268159","ruleId":"SV-268159r1131124_rule","severity":"high","ruleTitle":"NixOS must protect the confidentiality and integrity of transmitted information.","description":"Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.\n\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.\n\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.\n\nSatisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190","checkContent":"Verify NixOS enables sshd for remote access with the following command:\n\n$ systemctl status sshd\n\n sshd.service - SSH daemon\nLoaded: loaded (/etc/systemd/system/sshd.service; enabled; present: enabled)\nActive: active (running) since Sat 2022-06-04 02:51:43 UTC; 13min ago\n\nIf the sshd.service is not \"active\" and \"running\", this is a finding.","fixText":"Configure NixOS to enable sshd for remote access.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nservices.sshd.enable = true;\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-002418","CCI-001941","CCI-002421","CCI-002420","CCI-002422"]},{"vulnId":"V-268160","ruleId":"SV-268160r1131126_rule","severity":"medium","ruleTitle":"NixOS must implement nonexecutable data to protect its memory from unauthorized code execution.","description":"Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nExamples of attacks are buffer overflow attacks.\n\nSatisfies: SRG-OS-000433-GPOS-00192, SRG-OS-000132-GPOS-00067","checkContent":"Verify NixOS prevents internal kernel addresses from being leaked with the following command:\n\n$ sudo sysctl kernel.kptr_restrict\n\n kernel.kptr_restrict = 1\n\nIf \"kernel.kptr_restrict\" does not have a value of \"1\" or is missing, this is a finding.","fixText":"Configure NixOS to prevent internal kernel addresses from being leaked.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n boot.kernel.sysctl = {\n\"kernel.kptr_restrict\" = 1;\n};\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-002824","CCI-001082"]},{"vulnId":"V-268161","ruleId":"SV-268161r1131128_rule","severity":"medium","ruleTitle":"NixOS must implement address space layout randomization to protect its memory from unauthorized code execution.","description":"Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.\n\nExamples of attacks are buffer overflow attacks.","checkContent":"Verify NixOS enables address space layout randomization with the following command:\n\n$ sudo sysctl kernel.randomize_va_space\n\nkernel.randomize_va_space = 2\n\nIf \"kernel.randomize_va_space\" does not have a value of \"2\" or is missing, this is a finding.","fixText":"Configure /etc/nixos/configuration.nix to enable ASLR.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n boot.kernel.sysctl = {\n\"kernel.randomize_va_space\" = 2;\n};\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-002824"]},{"vulnId":"V-268163","ruleId":"SV-268163r1131131_rule","severity":"medium","ruleTitle":"NixOS must generate audit records when successful/unsuccessful attempts to modify security objects occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000463-GPOS-00207, SRG-OS-000042-GPOS-00020, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219","checkContent":"Verify the NixOS generates audit records when successful/unsuccessful attempts to modify security objects occur with the following command:\n\n$ sudo auditctl -l | grep xattr\n\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod\n-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\n\nIf the command does not return an audit rule for \"setxattr\", \"fsetxattr\", \"lsetxattr\", \"removexattr\", \"fremovexattr\", and \"lremovexattr\", this is a finding.","fixText":"Configure NixOS to log attempts to modify security objects.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.audit.rules = [\n  \"-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod\"\n  \"-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\"\n  \"-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod\"\n  \"-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod\"\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000172","CCI-000135"]},{"vulnId":"V-268164","ruleId":"SV-268164r1131133_rule","severity":"medium","ruleTitle":"NixOS must generate audit records when successful/unsuccessful attempts to delete privileges occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Verify NixOS generates audit records when attempts to delete privileges occur with the following command:\n\n$ sudo auditctl -l | grep usermod\n\n-a always,exit -S all -F path=/run/current-system/sw/bin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod\n\nIf the command does not return an audit rule for \"usermod\", this is a finding.","fixText":"Configure NixOS to record attempts to delete privileges.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.audit.rules = [\n  \"-a always,exit -F path=/run/current-system/sw/bin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod\"\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000172"]},{"vulnId":"V-268165","ruleId":"SV-268165r1131135_rule","severity":"medium","ruleTitle":"NixOS must generate audit records when successful/unsuccessful attempts to delete security objects occur.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).","checkContent":"Verify that NixOS generates audit records when successful/unsuccessful attempts to delete security objects occur with the following command:\n\n $ sudo auditctl -l | grep /bin/ch\n\n-a always,exit -S all -F path=/run/current-system/sw/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage\n-a always,exit -S all -F path=/run/current-system/sw/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_mod\n\n\nIf the command does not return an audit rule for \"chage\" and \"chcon\", this is a finding.","fixText":"Configure NixOS to audit attempts to delete security objects.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.audit.rules = [\n  \"-a always,exit -F path=/run/current-system/sw/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage\"\n  \"-a always,exit -F path=/run/current-system/sw/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod\"\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000172"]},{"vulnId":"V-268166","ruleId":"SV-268166r1131137_rule","severity":"medium","ruleTitle":"NixOS must generate audit records when concurrent logons to the same account occur from different sources.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000473-GPOS-00218, SRG-OS-000042-GPOS-00020, SRG-OS-000475-GPOS-00220","checkContent":"Verify NixOS is configured to generate audit records with the following command:\n\n$ sudo auditctl -l | grep -w lastlog\n\n-w /var/log/lastlog -p wa -k logins\n\nIf the command does not return a watch for the lastlog file, this is a finding.","fixText":"Configure NixOS to generate audit logs on account creations and modifications.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.audit.rules = [\n   \"-w /var/log/lastlog -p wa -k logins\"\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000172","CCI-000135"]},{"vulnId":"V-268167","ruleId":"SV-268167r1131139_rule","severity":"medium","ruleTitle":"NixOS must generate audit records for all account creations, modifications, disabling, and termination events.","description":"Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.\n\nAudit records can be generated from various components within the information system (e.g., module or policy filter).\n\nSatisfies: SRG-OS-000476-GPOS-00221, SRG-OS-000042-GPOS-00020, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000477-GPOS-00222, SRG-OS-000304-GPOS-00121","checkContent":"Verify NixOS is configured to generate audit records on account events with the following command:\n\n$ sudo auditctl -l | grep /etc\n\n-w /etc/sudoers -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/group -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n\nIf the output from the command does not include the example output, this is a finding.","fixText":"Configure NixOS to generate audit logs on account creations and modifications.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.audit.rules = [\n  \"-w /etc/sudoers -p wa -k identity\"\n  \"-w /etc/passwd -p wa -k identity\"\n  \"-w /etc/shadow -p wa -k identity\"\n  \"-w /etc/gshadow -p wa -k identity\"\n  \"-w /etc/group -p wa -k identity\"\n  \"-w /etc/security/opasswd -p wa -k identity\"\n ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000172","CCI-000135","CCI-000015"]},{"vulnId":"V-268168","ruleId":"SV-268168r1131141_rule","severity":"high","ruleTitle":"NixOS must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.","description":"Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nSatisfies: SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176","checkContent":"Verify NixOS is configured to operate in FIPS mode with the following command:\n\n$ grep fips /proc/cmdline\n\nBOOT_IMAGE=(hd0,msdos1)/nix/store/glc0midc78caq9sc7pzciymx4c3in7kn-linux-6.1.64/bzImage init=/nix/store/grl4baymr9q60mbcz3sidm4agckn3bx5-nixos-system-nixos-23.1.1.20231129.057f9ae/init audit=1 audit_backlog_limit=8192 fips=1 loglevel=4\n\nIf the \"fips\" entry does not equal \"1\" or is missing, this is a finding.","fixText":"Configure NixOS to run in FIPS mode.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n boot.kernelParams = [ \"fips=1\" ];\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch\n\nA reboot is required for the changes to take effect.","ccis":["CCI-002450"]},{"vulnId":"V-268169","ruleId":"SV-268169r1131144_rule","severity":"medium","ruleTitle":"NixOS must prevent the use of dictionary words for passwords.","description":"If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.","checkContent":"Verify NixOS prevents the use of dictionary words for passwords with the following command:\n\n$ grep dictcheck /etc/security/pwquality.conf\n\n dictcheck=1\n\nIf the value of \"ocredit\" is a positive number or is commented out, this is a finding.","fixText":"Configure NixOS to check password change attempts against a dictionary.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nenvironment.etc.\"/security/pwquality.conf\".text = ''\ndictcheck=1\n'';\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000366"]},{"vulnId":"V-268170","ruleId":"SV-268170r1131146_rule","severity":"medium","ruleTitle":"NixOS must enable the use of pwquality.","description":"If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.","checkContent":"Verify NixOS prevents the use of dictionary words for passwords with the following command:\n\n$ grep -i pam_pwquality /etc/pam.d/passwd /etc/pam.d/chpasswd /etc/pam.d/sudo\n\n/etc/pam.d/passwd:password requisite /nix/store/db96zr26w71dzx0bzf47d88kw19fr0l7-libpwquality-1.4.5.-lib/lib/security/pam_pwquality.so\n/etc/pam.d/chpasswd:password requisite /nix/store/db96zr26w71dzx0bzf47d88kw19fr0l7-libpwquality-1.4.5.-lib/lib/security/pam_pwquality.so\n/etc/pam.d/sudo:password requisite /nix/store/db96zr26w71dzx0bzf47d88kw19fr0l7-libpwquality-1.4.5.-lib/lib/security/pam_pwquality.so\n\nIf the pam_pwquality.so module is not present in the passwd, chpasswd, and sudo pam files, this is a finding.","fixText":"Configure NixOS to check password change attempts against a dictionary.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nsecurity.pam.services.passwd.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore \"password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so\");\nsecurity.pam.services.chpasswd.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore \"password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so\");\nsecurity.pam.services.sudo.text = pkgs.lib.mkDefault (pkgs.lib.mkBefore \"password requisite ${pkgs.libpwquality.lib}/lib/security/pam_pwquality.so\");\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000366"]},{"vulnId":"V-268171","ruleId":"SV-268171r1134782_rule","severity":"medium","ruleTitle":"NixOS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.","description":"Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.","checkContent":"Verify NixOS enforces a four-second delay between logon attempts with the following command:\n \n$ grep -I delay /etc/login.defs\n\nFAIL_DELAY 4\n\nIf \"FAIL_DELAY\" is not set to \"4\" or greater, is commented out, or is missing, this is a finding.","fixText":"Configure NixOS to enforce a four-second delay between logon attempts.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nsecurity.loginDefs.settings.\"FAIL_DELAY\" = \"4\";\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000366"]},{"vulnId":"V-268172","ruleId":"SV-268172r1131152_rule","severity":"high","ruleTitle":"NixOS must not allow an unattended or automatic logon to the system via the console.","description":"Failure to restrict system access via the console to authenticated users negatively impacts operating system security.","checkContent":"Verify NixOS does not allow an unattended or automatic logon to the system via the console with the following command:\n\n$ grep -iR autologon.user /etc/nixos\n\nIf \"services.xserver.displayManager.autologon.user\" is defined and is not \"null\", this is a finding.","fixText":"Configure NixOS to not allow an unattended or automatic logon to the system via the console.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nservices.xserver.displayManager.autologon.user = null;\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch\n\nA reboot is required for the changes to take effect.","ccis":["CCI-000366"]},{"vulnId":"V-268173","ruleId":"SV-268173r1131154_rule","severity":"medium","ruleTitle":"NixOS must be configured to use AppArmor.","description":"Users' home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a system administrator (SA) through shared resources.\n\nSatisfies: SRG-OS-000480-GPOS-00230, SRG-OS-000368-GPOS-00154","checkContent":"Verify NixOS is configured to use AppArmor with the following command:\n\n$ sudo systemctl status apparmor.service\n\napparmor.service - Load AppArmor policies\n  Loaded: loaded (/etc/systemd/system/apparmor.service; enabled; present: enabled)\n  Active: active (running) since Sat 2022-06-04 02:51:43 UTC; 13min ago\n\n If the \"apparmor.service\" is not enabled and active, this is a finding.","fixText":"Configure NixOS to use AppArmor.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.apparmor.enable = true;\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch\n\nA reboot is required for the changes to take effect.","ccis":["CCI-000366","CCI-001764"]},{"vulnId":"V-268174","ruleId":"SV-268174r1131156_rule","severity":"medium","ruleTitle":"NixOS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.","description":"Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.\n\nOperating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity.","checkContent":"Verify NixOS disables account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity with the following command:\n\n$ grep -i inactive /etc/default/useradd\n\n    INACTIVE=35\n\nIf INACTIVE is not set to 35 or less, or is missing or commented out, this is a finding.","fixText":"Configure NixOS to disable inactive users.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nEnsure the lib functions are available:\n { config, lib, ... }:\n\n environment.etc.\"/default/useradd\".text = lib.mkForce\n   ''\n    INACTIVE=35\n   '';\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-003627"]},{"vulnId":"V-268175","ruleId":"SV-268175r1131158_rule","severity":"medium","ruleTitle":"NixOS must employ approved cryptographic hashing algorithms for all stored passwords.","description":"Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised.\n\nOperating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. \n\nFIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.","checkContent":"Verify NixOS uses employs approved cryptographic hashing algorithms for all stored passwords with the following command:\n\n(Change <unique-username> to the desired user to verify.)\n\n$ sudo cat /etc/shadow | grep \"<unique-username>\" | cut -d'$' -f2\n\nIf the command does not return 6 for SHA512, this is a finding.","fixText":"Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512.\n\n$ sudo usermod -L $USERNAME","ccis":["CCI-000803"]},{"vulnId":"V-268176","ruleId":"SV-268176r1131160_rule","severity":"high","ruleTitle":"NixOS must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.","description":"If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data.\n\nSome maintenance and test tools are either standalone devices with their own operating systems or are applications bundled with an operating system.\n\nNonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric.","checkContent":"Verify NixOS employs strong authentication in the establishment of nonlocal sessions with SSH by the following command:\n\n$ sudo /run/current-system/sw/bin/sshd -G | grep pam\n\nusepam yes\n\nIf usepam is not yes, this is a finding.","fixText":"Configure NixOS to use strong authentication when establishing nonlocal maintenance and diagnostic sessions.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nopenssh.settings.UsePAM = ''yes'';\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000877"]},{"vulnId":"V-268177","ruleId":"SV-268177r1131162_rule","severity":"medium","ruleTitle":"NixOS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.","description":"Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.\n\nMultifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD Common Access Card (CAC).\n\nA privileged account is defined as an information system account with authorizations of a privileged user.\n\nRemote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nThis requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).\n\nThis requires further clarification from NIST.\n\nSatisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000068-GPOS-00036, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162, SRG-OS-000705-GPOS-00150","checkContent":"Verify NixOS provides authentication via the security and pam modules with the following command:\n\n$ cat /etc/nixos/configuration.nix | grep -A 1 security.pam.p11\n\nsecurity.pam.p11.enable = true;\n\nIf security.pam.p11.enable is not. \"true\", is not present or is commented out, this is a finding.","fixText":"Configure NixOS to use strong authentication when establishing nonlocal maintenance and diagnostic sessions. \n \nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nsecurity.pam.p11.enable = true;\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-004046","CCI-000187","CCI-001953","CCI-001954","CCI-004047"]},{"vulnId":"V-268178","ruleId":"SV-268178r1131164_rule","severity":"medium","ruleTitle":"NixOS must prohibit the use of cached authenticators after one day.","description":"If cached authentication information is out-of-date, the validity of the authentication information may be questionable.","checkContent":"Verify NixOS, for PKI-based authentication, only caches authenticators for one day with the following command:\n\n$ sudo grep expiration /etc/sssd/sssd.conf\n\noffline_credentials_expiration = 1\n\nIf the offline_credentials_expiration is not set to \"1\" or is commented out, this is a finding.","fixText":"Configure NixOS to prohibit the use of cached credentials older than one day.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nNote: The entire sssd.conf must be entered in this option.\n\n services.sssd.config = ''\n  ...\n  [pam]\n  offline_credentials_expiration = 1\n  ...\n '';\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-002007"]},{"vulnId":"V-268179","ruleId":"SV-268179r1131166_rule","severity":"medium","ruleTitle":"For PKI-based authentication, NixOS must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.","description":"Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).","checkContent":"Verify NixOS, for PKI-based authentication, uses local revocation data when unable to access the network to obtain it remotely with the following command:\n\n$ grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf\n\ncert_policy = ca,signature,ocsp_on, crl_auto;\n\nIf the cert_policy does not contain the options in the example output, this is a finding.","fixText":"Configure NixOS, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely. \n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\n security.pam.p11.enable = true;\n environment.etc.\"pam_pkcs11/pam_pkcs11.conf\".text = ''\n    cert_policy = ca,signature,ocsp_on, crl_auto;\n   '';\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-004068"]},{"vulnId":"V-268180","ruleId":"SV-268180r1117152_rule","severity":"medium","ruleTitle":"NixOS must run a supported release of the operating system.","description":"Security flaws with operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.","checkContent":"Verify NixOS is running a supported version with the following command:\n\n$ nixos-version\n\n23.11.20231129.057f9ae  (Tapir)\n\nIf the NixOS is not running a supported version, this is a finding.","fixText":"Update to a supported version of the operating system.","ccis":["CCI-002605"]},{"vulnId":"V-268181","ruleId":"SV-268181r1131169_rule","severity":"medium","ruleTitle":"NixOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.","description":"Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.","checkContent":"Verify the NixOS operating system defines default file permissions so users may only modify their own files.\n\n$ grep \"UMASK\" /etc/login.defs\n\nUMASK 077\n\nIf the UMASK setting is not present, is commented out, or is less restrictive than 077, this is a finding.","fixText":"Configure the NixOS operating system to change default file permissions so users may only modify their own files.\n\nAdd the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:\n\nsecurity.loginDefs.settings.UMASK = \"077\";\n\nRebuild and switch to the new NixOS configuration:\n$ sudo nixos-rebuild switch","ccis":["CCI-000366"]}]}