Navigate

Check: ANIX-00-000030

Anduril NixOS STIG: ANIX-00-000030 (in version v1 r1)

Title

NixOS must enable the audit daemon. (Cat II impact)

Discussion

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. Note: For the "security.audit.enable" configuration, both "true" and "lock" are valid values. The "true" value allows for loading of audit rules (synonymous with "-e 1" in audit rules), while the "lock" value loads audit rules and enforces that the rules cannot be changed without the system rebooting (synonymous with "-e 2"). Setting this value to "lock" is recommended to be performed as the final step in configuring the audit daemon. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000254-GPOS-00095, SRG-OS-000344-GPOS-00135, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000122-GPOS-00063, SRG-OS-000358-GPOS-00145

Check Content

Verify NixOS has the audit service configured with the following command: $ grep security.audit /etc/nixos/configuration.nix security.auditd.enable = true; security.audit.enable = true; If auditd, and audit are not set to true or lock, this is a finding.

Fix Text

Configure the system to enable the audit service by adding or updating the following configurations in /etc/nixos/configuration.nix: security.auditd.enable = true; security.audit.enable = true; Rebuild the system with the following command: $ sudo nixos-rebuild switch

Additional Identifiers

Rule ID: SV-268080r1039128_rule

Vulnerability ID: V-268080

Group Title: SRG-OS-000004-GPOS-00004

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-000018	Automatically audit account creation actions.
CCI-001464	Initiates session audits automatically at system start-up.
CCI-001858	Provide an alert in an organization-defined real-time-period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.
CCI-001875	Provide an audit reduction capability that supports on-demand audit review and analysis.
CCI-001876	Provide an audit reduction capability that supports on-demand reporting requirements.
CCI-001877	Provide an audit reduction capability that supports after-the-fact investigations of incidents.
CCI-001878	Provide a report generation capability that supports on-demand audit review and analysis.
CCI-001879	Provide a report generation capability that supports on-demand reporting requirements.
CCI-001880	Provide a report generation capability that supports after-the-fact investigations of security incidents.
CCI-001881	Provide an audit reduction capability that does not alter original content or time ordering of audit records.
CCI-001882	Provide a report generation capability that does not alter original content or time ordering of audit records.
CCI-001889	Record time stamps for audit records that meet organization-defined granularity of time measurement.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-2(4)	Automated Audit Actions
AU-5(2)	Real-time Alerts
AU-7	Audit Reduction and Report Generation
AU-8	Time Stamps
AU-14(1)	System Start-up