Check: ANIX-00-000160
Anduril NixOS STIG:
ANIX-00-000160
(in version v1 r1)
Title
The NixOS audit package must be installed. (Cat II impact)
Discussion
Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000054-GPOS-00025, SRG-OS-000055-GPOS-00026, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000255-GPOS-00096, SRG-OS-000303-GPOS-00120, SRG-OS-000327-GPOS-00127
Check Content
Verify that NixOS has the audit service is installed with the following command: $ nix-store --query --requisites /run/current-system | cut -d- -f2- | sort | uniq | grep audit audit-3.1.2 audit-3.1.2-bin audit-3.1.2-man audit-start audit-stop unit-auditd.service unit-audit.service If the "audit" package is not installed, this is a finding.
Fix Text
Configure NixOS to have the audit service package. Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix: environment.systemPackages = [ audit ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch
Additional Identifiers
Rule ID: SV-268090r1039158_rule
Vulnerability ID: V-268090
Group Title: SRG-OS-000037-GPOS-00015
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000130 |
Ensure that audit records contain information that establishes what type of event occurred. |
| CCI-000131 |
Ensure that audit records containing information that establishes when the event occurred. |
| CCI-000132 |
Ensure that audit records containing information that establishes where the event occurred. |
| CCI-000133 |
Ensure that audit records containing information that establishes the source of the event. |
| CCI-000134 |
Ensure that audit records containing information that establishes the outcome of the event. |
| CCI-000135 |
Generate audit records containing the organization-defined additional information that is to be included in the audit records. |
| CCI-000158 |
Provide the capability to process, sort, and search audit records for events of interest based on organization-defined audit fields within audit records. |
| CCI-000159 |
Use internal system clocks to generate time stamps for audit records. |
| CCI-000163 |
Protect audit information from unauthorized modification. |
| CCI-000164 |
Protect audit information from unauthorized deletion. |
| CCI-001403 |
Automatically audit account modification actions. |
| CCI-001404 |
Automatically audit account disabling actions. |
| CCI-001405 |
Automatically audit account removal actions. |
| CCI-001487 |
Ensure that audit records containing information that establishes the identity of any individuals, subjects, or objects/entities associated with the event. |
| CCI-002130 |
Automatically audit account enabling actions. |
| CCI-002234 |
Log the execution of privileged functions. |
Controls
| Number | Title |
|---|---|
| AC-2(4) |
Automated Audit Actions |
| AC-6(9) |
Auditing Use of Privileged Functions |
| AU-3 |
Content of Audit Records |
| AU-3(1) |
Additional Audit Information |
| AU-7(1) |
Automatic Processing |
| AU-8 |
Time Stamps |
| AU-9 |
Protection of Audit Information |