Anduril NixOS Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-OS-000298-GPOS-00116
Group -
SRG-OS-000002-GPOS-00002
Group -
NixOS emergency or temporary user accounts must be provisioned with an expiration time of 72 hours or less.
If emergency or temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated term...Rule Medium Severity -
SRG-OS-000004-GPOS-00004
Group -
NixOS must enable the audit daemon.
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an acco...Rule Medium Severity -
SRG-OS-000021-GPOS-00005
Group -
NixOS must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period.
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...Rule Medium Severity -
SRG-OS-000023-GPOS-00006
Group -
SRG-OS-000023-GPOS-00006
Group -
SRG-OS-000023-GPOS-00006
Group -
NixOS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user login.
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal ...Rule Medium Severity -
SRG-OS-000027-GPOS-00008
Group -
NixOS must be configured to limit the number of concurrent sessions to ten for all accounts and/or account types.
Operating system management includes the ability to control the number of users and user sessions that use an operating system. Limiting the number of allowed users and sessions per user is helpful...Rule Low Severity -
SRG-OS-000029-GPOS-00010
Group -
SRG-OS-000030-GPOS-00011
Group -
SRG-OS-000032-GPOS-00013
Group -
NixOS must monitor remote access methods.
Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access man...Rule Medium Severity -
SRG-OS-000033-GPOS-00014
Group -
SRG-OS-000037-GPOS-00015
Group -
SRG-OS-000042-GPOS-00020
Group -
SRG-OS-000042-GPOS-00020
Group -
SRG-OS-000042-GPOS-00020
Group -
NixOS must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. If auditi...Rule Medium Severity -
SRG-OS-000042-GPOS-00020
Group -
Successful/unsuccessful uses of the mount syscall in NixOS must generate an audit record.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000042-GPOS-00020
Group -
Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in NixOS must generate an audit record.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000042-GPOS-00020
Group -
SRG-OS-000042-GPOS-00020
Group -
NixOS must generate an audit record for successful/unsuccessful modifications to the cron configuration.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000042-GPOS-00020
Group -
SRG-OS-000042-GPOS-00020
Group -
Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in NixOS must generate an audit record.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000042-GPOS-00020
Group -
SRG-OS-000046-GPOS-00022
Group -
SRG-OS-000046-GPOS-00022
Group -
SRG-OS-000046-GPOS-00022
Group -
NixOS must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.Rule Medium Severity -
SRG-OS-000046-GPOS-00022
Group -
SRG-OS-000047-GPOS-00023
Group -
SRG-OS-000047-GPOS-00023
Group -
SRG-OS-000051-GPOS-00024
Group -
SRG-OS-000051-GPOS-00024
Group -
SRG-OS-000051-GPOS-00024
Group -
NixOS must authenticate the remote logging server for off-loading audit logs.
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Ni...Rule Medium Severity -
SRG-OS-000057-GPOS-00027
Group -
NixOS audit daemon must generate logs that are group-owned by root.
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the NixOS system or platfor...Rule Medium Severity -
SRG-OS-000057-GPOS-00027
Group -
SRG-OS-000057-GPOS-00027
Group -
SRG-OS-000057-GPOS-00027
Group
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.