An error occurred:

Check: ANIX-00-000090

Anduril NixOS STIG: ANIX-00-000090 (in version v1 r1)

Title

NixOS must be configured to limit the number of concurrent sessions to ten for all accounts and/or account types. (Cat III impact)

Discussion

Operating system management includes the ability to control the number of users and user sessions that use an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.

Check Content

Verify NixOS limits the number of concurrent sessions to ten for all accounts and/or account types. Check /etc/nixos/configuration.nix and any files imported from it to ensure the attribute "security.pam.loginLimits" is defined to include the following value with the following command: $ grep -R -A 5 pam.loginLimits /etc/nixos /etc/nixos/configuration.nix:security.pam.loginLimits = [ /etc/nixos/configuration.nix:{ /etc/nixos/configuration.nix:domain = "*"; /etc/nixos/configuration.nix:item = "maxlogins"; /etc/nixos/configuration.nix:type = "hard"; /etc/nixos/configuration.nix:value = "10"; If the "maxlogins" item is missing, commented out, or the value is set greater than "10" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix Text

Configure the NixOS to limit the number of concurrent sessions to ten for all accounts and/or account types. Add the following to the NixOS configuration: /etc/nixos/configuration.nix security.pam.loginLimits = [ { domain = "*"; item = "maxlogins"; type = "hard"; value = "10"; } ]; Note: Security.pam.loginLimits can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

Additional Identifiers

Rule ID: SV-268085r1039143_rule

Vulnerability ID: V-268085

Group Title: SRG-OS-000027-GPOS-00008

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000054

Limit the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-10

Concurrent Session Control