An error occurred:

Check: ANIX-00-001460

Anduril NixOS STIG: ANIX-00-001460 (in version v1 r2)

Title

NixOS must notify designated personnel if baseline configurations are changed in an unauthorized manner. (Cat II impact)

Discussion

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201

Check Content

Verify NixOS notifies if baseline configurations are changed with Advanced Intrusion Detection Environment with the following commands: $ systemctl is-active aide.service active If aide is not active and is not configured to alert on file system changes, this is a finding.

Fix Text

Configure NixOS to notify when baseline configuration changes. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: nixpkgs.overlays = [ (final: prev: { aide = prev.aide.overrideAttrs (old: { configureFlags = (old.configureFlags or [ ]) ++ [ "--sysconfdir=/etc" ]; }); }) ]; environment.systemPackages = [ pkgs.aide ]; environment.etc = { # Creates /etc/aide.conf "aide.conf" = { text = '' <CONFIG_TEXT> ''; mode = "0444"; }; }; services.cron = { enable = true; systemCronJobs = [ "00 0 * * 0\troot\taide -c /etc/aide.conf --check | /bin/mail -s "aide integrity check run for ${config.networking.hostName}" root@notareal.email" ]; }; Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

Additional Identifiers

Rule ID: SV-268153r1131108_rule

Vulnerability ID: V-268153

Group Title: SRG-OS-000363-GPOS-00150

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001744

Implement organization-defined security responses automatically if baseline configurations are changed in an unauthorized manner.
CCI-002696

Verify correct operation of organization-defined security functions.
CCI-002699

Perform verification of the correct operation of organization-defined security functions: when the system is in an organization-defined transitional state; upon command by a user with appropriate privileges; and/or on an organization-defined frequency.
CCI-002702

Shut the system down, restart the system, and/or initiate organization-defined alternative action(s) when anomalies in the operation of the organization-defined security functions are discovered.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-3(5)

Automated Security Response
SI-6

Security and Privacy Function Verification