Check: ANIX-00-000210
Anduril NixOS STIG:
ANIX-00-000210
(in version v1 r1)
Title
NixOS must generate audit records for all usage of privileged commands. (Cat II impact)
Discussion
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, SRG-OS-000755-GPOS-00220
Check Content
Verify NixOS generates audit records for all execution of privileged functions with the following command: $ sudo auditctl -l | grep execve -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv If the command does not return the example output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Fix Text
Configure NixOS to generate audit records for all execution of privileged functions. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rules: security.audit.rules = [ "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv " "-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv " ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Additional Identifiers
Rule ID: SV-268091r1039161_rule
Vulnerability ID: V-268091
Group Title: SRG-OS-000042-GPOS-00020
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000135 |
Generate audit records containing the organization-defined additional information that is to be included in the audit records. |
| CCI-000169 |
Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2 a on organization-defined information system components. |
| CCI-000172 |
Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3. |
| CCI-002884 |
Log organization-defined audit events for nonlocal maintenance and diagnostic sessions. |
| CCI-003938 |
Automatically generate audit records of the enforcement actions. |
| CCI-004188 |
Monitor the use of maintenance tools that execute with increased privilege. |