Rule ID
SV-268085r1130966_rule
Version
V1R2
CCIs
CCI-000054
Operating system management includes the ability to control the number of users and user sessions that use an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.
Verify NixOS limits the number of concurrent sessions to 10 for all accounts and/or account types. Check the pam configuration files and confirm a conf file with maxlogins configured: $ grep "limits.conf" /etc/pam.d/login > session required /nix/store/sl3fa5zh61xxl03m64if2wqzbvrb6zly-linux-pam-1.6.1/lib/security/pam_limits.so conf=/nix/store/aq8ni1qh3pdygl9cn3qfb8v583ask67m-limits.conf # limits (order 12200) $ cat /nix/store/aq8ni1qh3pdygl9cn3qfb8v583ask67m-limits.conf * hard maxlogins 10 @pipewire - rtprio 95 @pipewire - nice -19 @pipewire - memlock 4194304 If the "maxlogins" item is missing or commented out, or the value is set greater than "10" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.
Configure NixOS to limit the number of concurrent sessions to 10 for all accounts and/or account types.
Update the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:
security.pam.loginLimits = [
{
domain = "*";
item = "maxlogins";
type = "hard";
value = "10";
}
];
Note: Security.pam.loginLimits can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.
Rebuild and switch to the new NixOS configuration:
$ sudo nixos-rebuild switch