Title

NixOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. (Cat II impact)

Discussion

Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.

Check Content

Verify the NixOS operating system defines default file permissions so users may only modify their own files. $ grep "UMASK" /etc/login.defs UMASK 077 If the UMASK setting is not present, is commented out, or is less restrictive than 077, this is a finding.

Fix Text

Configure the NixOS operating system to change default file permissions so users may only modify their own files. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.loginDefs.settings.UMASK = "077"; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

Additional Identifiers

Rule ID: SV-268181r1131169_rule

Vulnerability ID: V-268181

Group Title: SRG-OS-000480-GPOS-00228

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.