Skip to content
Log In

Anduril NixOS Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • NixOS audit log directory must have a mode of 0700 or less permissive.

    Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit recor...
    Rule Medium Severity
    Show

  • SRG-OS-000057-GPOS-00027

    Group
    Show

  • NixOS audit logs must have a mode of 0600 or less permissive.

    Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platfor...
    Rule Medium Severity
    Show

  • SRG-OS-000057-GPOS-00027

    Group
    Show

  • NixOS syslog directory and logs must be owned by root to prevent unauthorized read access.

    Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platfor...
    Rule Medium Severity
    Show

  • SRG-OS-000057-GPOS-00027

    Group
    Show

  • NixOS syslog directory and logs must be group-owned by root to prevent unauthorized read access.

    Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platfor...
    Rule Medium Severity
    Show

  • SRG-OS-000057-GPOS-00027

    Group
    Show

  • SRG-OS-000057-GPOS-00027

    Group
    Show

  • NixOS syslog logs must have a mode of 0640 or less permissive.

    Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platfor...
    Rule Medium Severity
    Show

  • SRG-OS-000058-GPOS-00028

    Group
    Show

  • SRG-OS-000063-GPOS-00032

    Group
    Show

  • SRG-OS-000063-GPOS-00032

    Group
    Show

  • SRG-OS-000063-GPOS-00032

    Group
    Show

  • SRG-OS-000063-GPOS-00032

    Group
    Show

  • SRG-OS-000066-GPOS-00034

    Group
    Show

  • NixOS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

    Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entit...
    Rule Medium Severity
    Show

  • SRG-OS-000067-GPOS-00035

    Group
    Show

  • SRG-OS-000069-GPOS-00037

    Group
    Show

  • SRG-OS-000070-GPOS-00038

    Group
    Show

  • NixOS must enforce password complexity by requiring that at least one lowercase character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
    Show

  • SRG-OS-000071-GPOS-00039

    Group
    Show

  • NixOS must enforce password complexity by requiring that at least one numeric character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
    Show

  • SRG-OS-000072-GPOS-00040

    Group
    Show

  • NixOS must require the change of at least 50 percent of the total number of characters when passwords are changed.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
    Show

  • SRG-OS-000073-GPOS-00041

    Group
    Show

  • NixOS must store only encrypted representations of passwords.

    Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily c...
    Rule High Severity
    Show

  • SRG-OS-000074-GPOS-00042

    Group
    Show

  • NixOS must not have the telnet package installed.

    Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily c...
    Rule High Severity
    Show

  • SRG-OS-000075-GPOS-00043

    Group
    Show

  • SRG-OS-000076-GPOS-00044

    Group
    Show

  • NixOS must enforce a 60-day maximum password lifetime restriction.

    Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force user...
    Rule Medium Severity
    Show

  • SRG-OS-000078-GPOS-00046

    Group
    Show

  • SRG-OS-000104-GPOS-00051

    Group
    Show

  • NixOS must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users).

    To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational user...
    Rule Medium Severity
    Show

  • SRG-OS-000105-GPOS-00052

    Group
    Show

  • SRG-OS-000109-GPOS-00056

    Group
    Show

  • NixOS must not allow direct login to the root account via SSH.

    To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by mult...
    Rule Medium Severity
    Show

  • SRG-OS-000109-GPOS-00056

    Group
    Show

  • NixOS must not allow direct login to the root account.

    To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by mult...
    Rule Medium Severity
    Show

  • SRG-OS-000114-GPOS-00059

    Group
    Show

  • SRG-OS-000138-GPOS-00069

    Group
    Show

  • SRG-OS-000142-GPOS-00071

    Group
    Show

  • NixOS must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.

    DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing ex...
    Rule Medium Severity
    Show

  • SRG-OS-000163-GPOS-00072

    Group
    Show

  • SRG-OS-000163-GPOS-00072

    Group
    Show

  • NixOS must terminate all SSH connections after becoming unresponsive.

    Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port th...
    Rule Medium Severity
    Show

  • SRG-OS-000185-GPOS-00079

    Group
    Show

  • NixOS must protect the confidentiality and integrity of all information at rest.

    Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This re...
    Rule High Severity
    Show

  • SRG-OS-000266-GPOS-00101

    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules