NixOS must generate audit records for all usage of privileged commands.

An XCCDF Rule

Description

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, SRG-OS-000755-GPOS-00220

ID: SV-268091r1039161_rule
Version: ANIX-00-000210
Severity: Medium
References: CCI-000135 CCI-000169 CCI-000172 CCI-002884 CCI-003938 CCI-004188
Updated: about 2 months ago

Remediation Templates

Configure NixOS to generate audit records for all execution of privileged functions.

Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rules:

 security.audit.rules = [
  "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv"  "-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv"
  "-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv "
  "-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv "
 ];

Rebuild the NixOS configuration with the following command:

$ sudo nixos-rebuild switch

NixOS must generate audit records for all usage of privileged commands.

Description

Remediation Templates

A Manual Procedure