NixOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

An XCCDF Rule

Description

Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.

ID: SV-268181r1039431_rule
Version: ANIX-00-002180
Severity: Medium
References: CCI-000366
Updated: about 2 months ago

Remediation Templates

Configure the NixOS operating system to change default file permissions so users may only modify their own files.

Add the following Nix code to the NixOS Configuration usually located in /etc/nixos/configuration.nix:

  { config, pkgs, lib, ... }:
  environment.etc = {
    ""login.defs"".source = lib.mkForce (pkgs.writeText ""login.defs""
    ''
      DEFAULT_HOME yes

      SYS_UID_MIN  400
      SYS_UID_MAX  999
      UID_MIN      1000
      UID_MAX      29999

      SYS_GID_MIN  400
      SYS_GID_MAX  999
      GID_MIN      1000
      GID_MAX      29999

      TTYGROUP     tty
      TTYPERM      0620

      # Ensure privacy for newly created home directories.
      UMASK        077

      # Uncomment this and install chfn SUID to allow nonroot
      # users to change their account GECOS information.
      # This should be made configurable.
      #CHFN_RESTRICT frwh

    '';
  };

Rebuild the NixOS configuration with the following command:

$ sudo nixos-rebuild switch

NixOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Description

Remediation Templates

A Manual Procedure