II - Mission Support Classified
Rules and Groups employed by this XCCDF Profile
-
SRG-OS-000298-GPOS-00116
Group -
NixOS must enable the built-in firewall.
Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking place would not be immediately stopped. Operating system remote access functionality mu...Rule Medium Severity -
SRG-OS-000002-GPOS-00002
Group -
NixOS emergency or temporary user accounts must be provisioned with an expiration time of 72 hours or less.
If emergency or temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated term...Rule Medium Severity -
SRG-OS-000004-GPOS-00004
Group -
NixOS must enable the audit daemon.
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an acco...Rule Medium Severity -
SRG-OS-000021-GPOS-00005
Group -
NixOS must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period.
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking...Rule Medium Severity -
SRG-OS-000023-GPOS-00006
Group -
NixOS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user login.
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal ...Rule Medium Severity -
SRG-OS-000023-GPOS-00006
Group -
NixOS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via an SSH login.
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal ...Rule Medium Severity -
SRG-OS-000023-GPOS-00006
Group -
NixOS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user login.
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal ...Rule Medium Severity -
SRG-OS-000027-GPOS-00008
Group -
NixOS must be configured to limit the number of concurrent sessions to ten for all accounts and/or account types.
Operating system management includes the ability to control the number of users and user sessions that use an operating system. Limiting the number of allowed users and sessions per user is helpful...Rule Low Severity -
SRG-OS-000029-GPOS-00010
Group -
NixOS must initiate a session lock after a 10-minute period of inactivity for graphical user login.
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporar...Rule Medium Severity -
SRG-OS-000030-GPOS-00011
Group -
NixOS must provide the capability for users to directly initiate a session lock for all connection types.
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary...Rule Medium Severity -
SRG-OS-000032-GPOS-00013
Group -
NixOS must monitor remote access methods.
Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access man...Rule Medium Severity -
SRG-OS-000033-GPOS-00014
Group -
NixOS must implement DOD-approved encryption to protect the confidentiality of remote access sessions.
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DOD nonpublic information ...Rule High Severity -
SRG-OS-000037-GPOS-00015
Group -
The NixOS audit package must be installed.
Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be nec...Rule Medium Severity -
SRG-OS-000042-GPOS-00020
Group -
NixOS must generate audit records for all usage of privileged commands.
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privi...Rule Medium Severity -
SRG-OS-000042-GPOS-00020
Group -
NixOS must enable auditing of processes that start prior to the audit daemon.
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. If auditi...Rule Medium Severity -
SRG-OS-000042-GPOS-00020
Group -
NixOS must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. If auditi...Rule Medium Severity -
SRG-OS-000042-GPOS-00020
Group -
Successful/unsuccessful uses of the mount syscall in NixOS must generate an audit record.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000042-GPOS-00020
Group -
Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in NixOS must generate an audit record.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000042-GPOS-00020
Group -
Successful/unsuccessful uses of the init_module, finit_module, and delete_module system calls in NixOS must generate an audit record.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000042-GPOS-00020
Group -
NixOS must generate an audit record for successful/unsuccessful modifications to the cron configuration.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000042-GPOS-00020
Group -
NixOS must generate an audit record for successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000042-GPOS-00020
Group -
Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in NixOS must generate an audit record.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000042-GPOS-00020
Group -
Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in NixOS must generate an audit record.
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an in...Rule Medium Severity -
SRG-OS-000046-GPOS-00022
Group -
NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization.
If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. Satisfies: SRG-OS-000046...Rule Medium Severity -
SRG-OS-000046-GPOS-00022
Group -
NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 90 percent utilization.
If security personnel are not notified immediately when storage volume reaches 90 percent utilization, they are unable to plan for audit record storage capacity expansion.Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.