An error occurred:

Check: ANIX-00-000090

Anduril NixOS STIG: ANIX-00-000090 (in version v1 r2)

Title

NixOS must be configured to limit the number of concurrent sessions to 10 for all accounts and/or account types. (Cat III impact)

Discussion

Operating system management includes the ability to control the number of users and user sessions that use an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.

Check Content

Verify NixOS limits the number of concurrent sessions to 10 for all accounts and/or account types. Check the pam configuration files and confirm a conf file with maxlogins configured: $ grep "limits.conf" /etc/pam.d/login > session required /nix/store/sl3fa5zh61xxl03m64if2wqzbvrb6zly-linux-pam-1.6.1/lib/security/pam_limits.so conf=/nix/store/aq8ni1qh3pdygl9cn3qfb8v583ask67m-limits.conf # limits (order 12200) $ cat /nix/store/aq8ni1qh3pdygl9cn3qfb8v583ask67m-limits.conf * hard maxlogins 10 @pipewire - rtprio 95 @pipewire - nice -19 @pipewire - memlock 4194304 If the "maxlogins" item is missing or commented out, or the value is set greater than "10" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix Text

Configure NixOS to limit the number of concurrent sessions to 10 for all accounts and/or account types. Update the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.pam.loginLimits = [ { domain = "*"; item = "maxlogins"; type = "hard"; value = "10"; } ]; Note: Security.pam.loginLimits can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

Additional Identifiers

Rule ID: SV-268085r1130966_rule

Vulnerability ID: V-268085

Group Title: SRG-OS-000027-GPOS-00008

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000054

Limit the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-10

Concurrent Session Control