
II - Mission Support Classified

Rules and Groups employed by this XCCDF Profile

  • SRG-OS-000071-GPOS-00039

    Group
  • NixOS must enforce password complexity by requiring that at least one numeric character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
  • SRG-OS-000072-GPOS-00040

    Group
  • NixOS must require the change of at least 50 percent of the total number of characters when passwords are changed.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...
    Rule Medium Severity
  • SRG-OS-000073-GPOS-00041

    Group
  • NixOS must store only encrypted representations of passwords.

    Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily c...
    Rule High Severity
  • SRG-OS-000074-GPOS-00042

    Group
  • NixOS must not have the telnet package installed.

    Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily c...
    Rule High Severity
  • SRG-OS-000075-GPOS-00043

    Group
  • NixOS must enforce 24 hours/one day as the minimum password lifetime.

    Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually...
    Rule Medium Severity
  • SRG-OS-000076-GPOS-00044

    Group
  • NixOS must enforce a 60-day maximum password lifetime restriction.

    Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force user...
    Rule Medium Severity
  • SRG-OS-000078-GPOS-00046

    Group
  • NixOS must enforce a minimum 15-character password length.

    The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectivene...
    Rule Medium Severity
  • SRG-OS-000104-GPOS-00051

    Group
  • NixOS must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users).

    To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational user...
    Rule Medium Severity
  • SRG-OS-000105-GPOS-00052

    Group
  • NixOS must use multifactor authentication for network access to privileged accounts.

    Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authenticat...
    Rule Medium Severity
  • SRG-OS-000109-GPOS-00056

    Group
  • NixOS must not allow direct login to the root account via SSH.

    To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by mult...
    Rule Medium Severity
  • SRG-OS-000109-GPOS-00056

    Group
  • NixOS must not allow direct login to the root account.

    To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by mult...
    Rule Medium Severity
  • SRG-OS-000114-GPOS-00059

    Group
  • NixOS must enable USBguard.

    Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are not limited to, such devices as flash drives, ...
    Rule Medium Severity
  • SRG-OS-000138-GPOS-00069

    Group
  • A sticky bit must be set on all NixOS public directories to prevent unauthorized and unintended information transferred via shared system resources.

    Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of ...
    Rule Medium Severity
  • SRG-OS-000142-GPOS-00071

    Group
  • NixOS must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.

    DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing ex...
    Rule Medium Severity
  • SRG-OS-000163-GPOS-00072

    Group
  • NixOS must terminate all SSH connections after 10 minutes of becoming unresponsive.

    Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port th...
    Rule Medium Severity
  • SRG-OS-000163-GPOS-00072

    Group
  • NixOS must terminate all SSH connections after becoming unresponsive.

    Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port th...
    Rule Medium Severity
  • SRG-OS-000185-GPOS-00079

    Group
  • NixOS must protect the confidentiality and integrity of all information at rest.

    Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This re...
    Rule High Severity
  • SRG-OS-000266-GPOS-00101

    Group
  • NixOS must enforce password complexity by requiring that at least one special character be used.

    Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting ...
    Rule Medium Severity
  • SRG-OS-000299-GPOS-00117

    Group
  • NixOS must protect wireless access to and from the system using encryption.

    Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Since wireless communications can be in...
    Rule High Severity
  • SRG-OS-000300-GPOS-00118

    Group
  • NixOS must protect wireless access to the system using authentication of users and/or devices.

    Allowing devices and users to connect to the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Wireless technologies include, for example, mi...
    Rule Medium Severity
  • SRG-OS-000326-GPOS-00126

    Group
  • NixOS must prevent all software from executing at higher privilege levels than users executing the software.

    In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level...
    Rule Medium Severity
  • SRG-OS-000355-GPOS-00143

    Group
  • NixOS must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).

    Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu...
    Rule Medium Severity
  • SRG-OS-000356-GPOS-00144

    Group
  • NixOS must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.

    Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu...
    Rule Medium Severity
  • SRG-OS-000356-GPOS-00144

    Group
  • NixOS must have time synchronization enabled.

    Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when condu...
    Rule Medium Severity
  • SRG-OS-000362-GPOS-00149

    Group
  • NixOS must prohibit user installation of system software without explicit privileged status.

    Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be installed on the system. Explicit privileges (escal...
    Rule Medium Severity
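Several of the rules above map directly onto NixOS module options. The fragment below is an added example written for this page; it is not part of the XCCDF profile and not an official NixOS or DISA artifact. Option names are those of the NixOS module system as of recent releases (`services.openssh.settings` requires NixOS 23.05 or later); the user name `admin`, the secret path `/etc/secrets/admin.hash`, the time server `time.example.mil` and the LUKS device path are placeholders to be replaced. Rules that have no single declarative option here (password complexity and lifetime, the telnet package, public-directory sticky bits, DoS capacity management, MFA) are not covered by it.

```nix
# Added example: NixOS configuration fragment mapping listed rules to options.
# Not part of the profile; placeholders are marked.
{ config, lib, pkgs, ... }:

{
  # SRG-OS-000104 / SRG-OS-000109: users are declared here, not created ad hoc,
  # and the root account has no usable password, so direct root login fails.
  users.mutableUsers = false;
  users.users.root.hashedPassword = "!";

  # SRG-OS-000073: only a hashed (crypt-style) password is ever stored.
  # The hash lives outside the Nix store so it is not world-readable.
  users.users.admin = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    hashedPasswordFile = "/etc/secrets/admin.hash";   # placeholder path
  };

  # SRG-OS-000109: no root login over SSH.
  # SRG-OS-000163: drop sessions that stop answering keepalives.
  # 600 s x 1 missed probe = 10 minutes. CountMax is 1 rather than 0 because
  # OpenSSH 8.2+ treats ClientAliveCountMax=0 as "never disconnect".
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      ClientAliveInterval = 600;
      ClientAliveCountMax = 1;
    };
  };

  # SRG-OS-000114: USBGuard with an allowlist; unknown devices are blocked.
  # This starter rule permits hubs only; real rules are generated per host
  # with `usbguard generate-policy` and reviewed before deployment.
  services.usbguard = {
    enable = true;
    implicitPolicyTarget = "block";
    rules = ''
      allow with-interface equals { 09:00:* }
    '';
  };

  # SRG-OS-000355 / SRG-OS-000356: chrony against a designated source, stepping
  # the clock whenever the offset exceeds one second (makestep threshold 1,
  # unlimited number of steps). The chrony module disables timesyncd itself.
  services.chrony = {
    enable = true;
    servers = [ "time.example.mil" ];   # placeholder, use the designated DOD source
    extraConfig = ''
      makestep 1 -1
    '';
  };

  # SRG-OS-000299 / SRG-OS-000300: no wireless stack on this host at all.
  networking.wireless.enable = false;

  # SRG-OS-000185: root filesystem is a LUKS volume unlocked in the initrd.
  boot.initrd.luks.devices."cryptroot".device =
    "/dev/disk/by-partlabel/cryptroot";   # placeholder device

  # SRG-OS-000326: only wheel members may even execute sudo.
  security.sudo.execWheelOnly = true;

  # SRG-OS-000362: only root and wheel may talk to the Nix daemon, so unprivileged
  # users cannot realise or install packages through it.
  nix.settings.allowed-users = [ "root" "@wheel" ];
  nix.settings.trusted-users = [ "root" ];
}
```

After `nixos-rebuild switch`, the SSH settings can be confirmed with `sshd -T | grep -Ei 'permitrootlogin|clientalive'`, the clock policy with `chronyc sources`, and the daemon access list with `nix show-config | grep -E 'allowed-users|trusted-users'`. The `allowed-users` setting restricts daemon access only; a user who can write to their own profile can still run pre-built binaries, so it enforces the installation part of SRG-OS-000362, not execution.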
