NixOS must generate audit records for all usage of privileged commands.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-268091 | ANIX-00-000210 | SV-268091r1039161_rule | Medium |
| Description |
| Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, SRG-OS-000755-GPOS-00220 |
| STIG | Date |
| Anduril NixOS Security Technical Implementation Guide | 2024-10-25 |
Details
| Check Text (C-72015r1039159_chk) |
| Verify NixOS generates audit records for all execution of privileged functions with the following command: $ sudo auditctl -l | grep execve -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv If the command does not return the example output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above. |
| Fix Text (F-71918r1039160_fix) |
| Configure NixOS to generate audit records for all execution of privileged functions. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rules: security.audit.rules = [ "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv " "-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv " ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch |