STIGhubSTIGhub
STIGsSearchCompareAbout

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • VPAT
  • DISA STIG Library
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Anduril NixOS Security Technical Implementation Guide

V-268091

CAT II (Medium)

NixOS must generate audit records for all usage of privileged commands.

Rule ID

SV-268091r1130983_rule

STIG

Anduril NixOS Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000135, CCI-000169, CCI-000172, CCI-003938, CCI-002884, CCI-004188

Discussion

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, SRG-OS-000755-GPOS-00220

Check Content

Verify NixOS generates audit records for all execution of privileged functions with the following command:

$ sudo auditctl -l | grep execve

-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv 
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv 

If the command does not return the example output, this is a finding.

Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix Text

Configure NixOS to generate audit records for all execution of privileged functions.

Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:

 security.audit.rules = [
  "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv"
  "-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv"
  "-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv "
  "-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv "
 ];

Rebuild and switch to the new NixOS configuration:
$ sudo nixos-rebuild switch