
Anduril NixOS Security Technical Implementation Guide

Version: V1R2

Benchmark ID: Anduril_NixOS_STIG

Total Checks: 103

Tags: other

CAT I: 11, CAT II: 91, CAT III: 1

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (103)

ID | Severity | Title
V-268078 | MEDIUM | NixOS must enable the built-in firewall.
V-268079 | MEDIUM | NixOS emergency or temporary user accounts must be provisioned with an expiration time of 72 hours or less.
V-268080 | MEDIUM | NixOS must enable the audit daemon.
V-268081 | MEDIUM | NixOS must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
V-268082 | MEDIUM | NixOS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
V-268083 | MEDIUM | NixOS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via an SSH logon.
V-268084 | MEDIUM | NixOS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
V-268085 | LOW | NixOS must be configured to limit the number of concurrent sessions to 10 for all accounts and/or account types.
V-268086 | MEDIUM | NixOS must initiate a session lock after a 10-minute period of inactivity for graphical user logon.
V-268087 | MEDIUM | NixOS must provide the capability for users to directly initiate a session lock for all connection types.
V-268088 | MEDIUM | NixOS must monitor remote access methods.
V-268089 | HIGH | NixOS must implement DOD-approved encryption to protect the confidentiality of remote access sessions.
V-268090 | MEDIUM | The NixOS audit package must be installed.
V-268091 | MEDIUM | NixOS must generate audit records for all usage of privileged commands.
V-268092 | MEDIUM | NixOS must enable auditing of processes that start prior to the audit daemon.
V-268093 | MEDIUM | NixOS must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.
V-268094 | MEDIUM | Successful/unsuccessful uses of the mount syscall in NixOS must generate an audit record.
V-268095 | MEDIUM | Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in NixOS must generate an audit record.
V-268096 | MEDIUM | Successful/unsuccessful uses of the init_module, finit_module, and delete_module system calls in NixOS must generate an audit record.
V-268097 | MEDIUM | NixOS must generate an audit record for successful/unsuccessful modifications to the cron configuration.
V-268098 | MEDIUM | NixOS must generate an audit record for successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.
V-268099 | MEDIUM | Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in NixOS must generate an audit record.
V-268100 | MEDIUM | Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in NixOS must generate an audit record.
V-268101 | MEDIUM | NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization.
V-268102 | MEDIUM | NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 90 percent utilization.
V-268103 | MEDIUM | NixOS must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
V-268104 | MEDIUM | NixOS must take action when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity.
V-268105 | MEDIUM | The NixOS audit system must take appropriate action when the audit storage volume is full.
V-268106 | MEDIUM | The NixOS audit system must take appropriate action when an audit processing failure occurs.
V-268107 | MEDIUM | NixOS must have the packages required for offloading audit logs installed and running.
V-268108 | MEDIUM | The NixOS audit records must be off-loaded onto a different system or storage media from the system being audited.
V-268109 | MEDIUM | NixOS must authenticate the remote logging server for off-loading audit logs.
V-268110 | MEDIUM | NixOS audit daemon must generate logs that are group-owned by root.
V-268111 | MEDIUM | NixOS audit directory and logs must be owned by root to prevent unauthorized read access.
V-268112 | MEDIUM | NixOS audit directory and logs must be group-owned by root to prevent unauthorized read access.
V-268113 | MEDIUM | NixOS audit log directory must have a mode of 0700 or less permissive.
V-268114 | MEDIUM | NixOS audit logs must have a mode of 0600 or less permissive.
V-268115 | MEDIUM | NixOS journald directory and logs must be owned by root to prevent unauthorized read access.
V-268116 | MEDIUM | NixOS journald directory and logs must be group-owned by systemd-journald to prevent unauthorized read access.
V-268117 | MEDIUM | NixOS systemd-journald directory must have a mode of 2755 or less permissive.
V-268118 | MEDIUM | NixOS systemd-journald logs must have a mode of 0640 or less permissive.
V-268119 | MEDIUM | NixOS audit system must protect logon UIDs from unauthorized change.
V-268120 | MEDIUM | NixOS audit configuration files must have a mode of 444 or less permissive.
V-268121 | MEDIUM | NixOS system configuration file directories must have a mode of "0755" or less permissive.
V-268122 | MEDIUM | NixOS system configuration files and directories must be owned by root.
V-268123 | MEDIUM | NixOS system configuration files and directories must be group-owned by root.
V-268124 | MEDIUM | NixOS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
V-268125 | MEDIUM | NixOS must enforce authorized access to the corresponding private key for PKI-based authentication.
V-268126 | MEDIUM | NixOS must enforce password complexity by requiring that at least one uppercase character be used.
V-268127 | MEDIUM | NixOS must enforce password complexity by requiring that at least one lowercase character be used.
V-268128 | MEDIUM | NixOS must enforce password complexity by requiring that at least one numeric character be used.
V-268129 | MEDIUM | NixOS must require the change of at least 50 percent of the total number of characters when passwords are changed.
V-268130 | HIGH | NixOS must store only encrypted representations of passwords.
V-268131 | HIGH | NixOS must not have the telnet package installed.
V-268132 | MEDIUM | NixOS must enforce 24 hours/one day as the minimum password lifetime.
V-268133 | MEDIUM | NixOS must enforce a 60-day maximum password lifetime restriction.
V-268134 | MEDIUM | NixOS must enforce a minimum 15-character password length.
V-268135 | MEDIUM | NixOS must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users).
V-268136 | MEDIUM | NixOS must use multifactor authentication for network access to privileged accounts.
V-268137 | MEDIUM | NixOS must not allow direct login to the root account via SSH.
V-268138 | MEDIUM | NixOS must not allow direct login to the root account.
V-268139 | MEDIUM | NixOS must enable USBguard.
V-268140 | MEDIUM | A sticky bit must be set on all NixOS public directories to prevent unauthorized and unintended information transferred via shared system resources.
V-268141 | MEDIUM | NixOS must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.
V-268142 | MEDIUM | NixOS must terminate all SSH connections after 10 minutes of becoming unresponsive.
V-268143 | MEDIUM | NixOS must terminate all SSH connections after becoming unresponsive.
V-268144 | HIGH | NixOS must protect the confidentiality and integrity of all information at rest.
V-268145 | MEDIUM | NixOS must enforce password complexity by requiring that at least one special character be used.
V-268146 | HIGH | NixOS must protect wireless access to and from the system using encryption.
V-268147 | MEDIUM | NixOS must protect wireless access to the system using authentication of users and/or devices.
V-268148 | MEDIUM | NixOS must prevent all software from executing at higher privilege levels than users executing the software.
V-268149 | MEDIUM | NixOS must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
V-268150 | MEDIUM | NixOS must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
V-268151 | MEDIUM | NixOS must have time synchronization enabled.
V-268152 | MEDIUM | NixOS must prohibit user installation of system software without explicit privileged status.
V-268153 | MEDIUM | NixOS must notify designated personnel if baseline configurations are changed in an unauthorized manner.
V-268154 | HIGH | NixOS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
V-268155 | MEDIUM | NixOS must require users to reauthenticate for privilege escalation.
V-268156 | MEDIUM | NixOS must require users to reauthenticate when changing roles.
V-268157 | HIGH | NixOS must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
V-268158 | MEDIUM | NixOS must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
V-268159 | HIGH | NixOS must protect the confidentiality and integrity of transmitted information.
V-268160 | MEDIUM | NixOS must implement nonexecutable data to protect its memory from unauthorized code execution.
V-268161 | MEDIUM | NixOS must implement address space layout randomization to protect its memory from unauthorized code execution.
V-268163 | MEDIUM | NixOS must generate audit records when successful/unsuccessful attempts to modify security objects occur.
V-268164 | MEDIUM | NixOS must generate audit records when successful/unsuccessful attempts to delete privileges occur.
V-268165 | MEDIUM | NixOS must generate audit records when successful/unsuccessful attempts to delete security objects occur.
V-268166 | MEDIUM | NixOS must generate audit records when concurrent logons to the same account occur from different sources.
V-268167 | MEDIUM | NixOS must generate audit records for all account creations, modifications, disabling, and termination events.
V-268168 | HIGH | NixOS must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
V-268169 | MEDIUM | NixOS must prevent the use of dictionary words for passwords.
V-268170 | MEDIUM | NixOS must enable the use of pwquality.
V-268171 | MEDIUM | NixOS must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
V-268172 | HIGH | NixOS must not allow an unattended or automatic logon to the system via the console.
V-268173 | MEDIUM | NixOS must be configured to use AppArmor.
V-268174 | MEDIUM | NixOS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
V-268175 | MEDIUM | NixOS must employ approved cryptographic hashing algorithms for all stored passwords.
V-268176 | HIGH | NixOS must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
V-268177 | MEDIUM | NixOS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.
V-268178 | MEDIUM | NixOS must prohibit the use of cached authenticators after one day.
V-268179 | MEDIUM | For PKI-based authentication, NixOS must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
V-268180 | MEDIUM | NixOS must run a supported release of the operating system.
V-268181 | MEDIUM | NixOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.