| Vuln ID | | Rule Title | Discussion |
|---|---|---|---|
| V-268089 | | NixOS must implement DOD-approved encryption to protect the confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote... |
| V-268130 | | NixOS must store only encrypted representations of passwords. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-268131 | | NixOS must not have the telnet package installed. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-268144 | | NixOS must protect the confidentiality and integrity of all information at rest. | Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used fo... |
| V-268146 | | NixOS must protect wireless access to and from the system using encryption. | Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or ... |
| V-268154 | | NixOS must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software... |
| V-268157 | | NixOS must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions. | Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maint... |
| V-268159 | | NixOS must protect the confidentiality and integrity of transmitted information. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
| V-268168 | | NixOS must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptog... |
| V-268172 | | NixOS must not allow an unattended or automatic login to the system via the console. | Failure to restrict system access via the console to authenticated users negatively impacts operating system security.... |
| V-268176 | | NixOS must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing s... |
| V-268078 | | NixOS must enable the built-in firewall. | Without the ability to immediately disconnect or disable remote access, an attack or other compromise taking place would not be immediately stopped. ... |
| V-268079 | | NixOS emergency or temporary user accounts must be provisioned with an expiration time of 72 hours or less. | If emergency or temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorize... |
| V-268080 | | NixOS must enable the audit daemon. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-268081 | | NixOS must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-268082 | | NixOS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user login. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-268083 | | NixOS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via an SSH login. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-268084 | | NixOS must be configured to display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a graphical user login. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-268086 | | NixOS must initiate a session lock after a 10-minute period of inactivity for graphical user login. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-268087 | | NixOS must provide the capability for users to directly initiate a session lock for all connection types. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-268088 | | NixOS must monitor remote access methods. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities... |
| V-268090 | | The NixOS audit package must be installed. | Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage o... |
| V-268091 | | NixOS must generate audit records for all usage of privileged commands. | Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organizat... |
| V-268092 | | NixOS must enable auditing of processes that start prior to the audit daemon. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-268093 | | NixOS must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon. | Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or... |
| V-268094 | | Successful/unsuccessful uses of the mount syscall in NixOS must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-268095 | | Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in NixOS must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-268096 | | Successful/unsuccessful uses of the init_module, finit_module, and delete_module system calls in NixOS must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-268097 | | NixOS must generate an audit record for successful/unsuccessful modifications to the cron configuration. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-268098 | | NixOS must generate an audit record for successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-268099 | | Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in NixOS must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-268100 | | Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in NixOS must generate an audit record. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-268101 | | NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization. | If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storag... |
| V-268102 | | NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 90 percent utilization. | If security personnel are not notified immediately when storage volume reaches 90 percent utilization, they are unable to plan for audit record storag... |
| V-268103 | | NixOS must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. | If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storag... |
| V-268104 | | NixOS must take action when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity. | If security personnel are not notified immediately when storage volume reaches 90 percent utilization, they are unable to plan for audit record storag... |
| V-268105 | | The NixOS audit system must take appropriate action when the audit storage volume is full. | It is critical that when NixOS is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing fail... |
| V-268106 | | The NixOS audit system must take appropriate action when an audit processing failure occurs. | It is critical that when NixOS is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing fail... |
| V-268107 | | NixOS must have the packages required for offloading audit logs installed and running. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-268108 | | The NixOS audit records must be off-loaded onto a different system or storage media from the system being audited. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-268109 | | NixOS must authenticate the remote logging server for off-loading audit logs. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-268110 | | NixOS audit daemon must generate logs that are group-owned by root. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-268111 | | NixOS audit directory and logs must be owned by root to prevent unauthorized read access. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-268112 | | NixOS audit directory and logs must be group-owned by root to prevent unauthorized read access. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-268113 | | NixOS audit log directory must have a mode of 0700 or less permissive. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-268114 | | NixOS audit logs must have a mode of 0600 or less permissive. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-268115 | | NixOS syslog directory and logs must be owned by root to prevent unauthorized read access. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-268116 | | NixOS syslog directory and logs must be group-owned by root to prevent unauthorized read access. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-268117 | | NixOS syslog log directory must have a mode of 0750 or less permissive. | Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit informat... |
| V-268118 | | NixOS syslog logs must have a mode of 0640 or less permissive. | Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational st... |
| V-268119 | | NixOS audit system must protect login UIDs from unauthorized change. | If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is i... |
| V-268120 | | NixOS system configuration files must have a mode of "0644" or less permissive. | Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent t... |
| V-268121 | | NixOS system configuration file directories must have a mode of "0755" or less permissive. | Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent t... |
| V-268122 | | NixOS system configuration files and directories must be owned by root. | Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent t... |
| V-268123 | | NixOS system configuration files and directories must be group-owned by root. | Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent t... |
| V-268124 | | NixOS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly tru... |
| V-268125 | | NixOS must enforce authorized access to the corresponding private key for PKI-based authentication. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. Th... |
| V-268126 | | NixOS must enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-268127 | | NixOS must enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-268128 | | NixOS must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-268129 | | NixOS must require the change of at least 50 percent of the total number of characters when passwords are changed. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-268132 | | NixOS must enforce 24 hours/one day as the minimum password lifetime. | Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If u... |
| V-268133 | | NixOS must enforce a 60-day maximum password lifetime restriction. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not... |
| V-268134 | | NixOS must enforce a minimum 15-character password length. | The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexit... |
| V-268135 | | NixOS must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users). | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-268136 | | NixOS must use multifactor authentication for network access to privileged accounts. | Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires u... |
| V-268137 | | NixOS must not allow direct login to the root account via SSH. | To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group ... |
| V-268138 | | NixOS must not allow direct login to the root account. | To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group ... |
| V-268139 | | NixOS must enable USBguard. | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include, but are... |
| V-268140 | | A sticky bit must be set on all NixOS public directories to prevent unauthorized and unintended information transferred via shared system resources. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-268141 | | NixOS must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-268142 | | NixOS must terminate all SSH connections after 10 minutes of becoming unresponsive. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-268143 | | NixOS must terminate all SSH connections after becoming unresponsive. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-268145 | | NixOS must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure o... |
| V-268147 | | NixOS must protect wireless access to the system using authentication of users and/or devices. | Allowing devices and users to connect to the system without first authenticating them allows untrusted access and can lead to a compromise or attack. ... |
| V-268148 | | NixOS must prevent all software from executing at higher privilege levels than users executing the software. | In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileg... |
| V-268149 | | NixOS must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-268150 | | NixOS must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-268151 | | NixOS must have time synchronization enabled. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-268152 | | NixOS must prohibit user installation of system software without explicit privileged status. | Allowing regular users to install software, without explicit privileges, creates the risk that untested or potentially malicious software will be inst... |
| V-268153 | | NixOS must notify designated personnel if baseline configurations are changed in an unauthorized manner. | Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating s... |
| V-268155 | | NixOS must require users to reauthenticate for privilege escalation. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the ca... |
| V-268156 | | NixOS must require users to reauthenticate when changing roles. | Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the ca... |
| V-268158 | | NixOS must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces. | Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercep... |
| V-268160 | | NixOS must implement nonexecutable data to protect its memory from unauthorized code execution. | Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Secur... |
| V-268161 | | NixOS must implement address space layout randomization to protect its memory from unauthorized code execution. | Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Secur... |
| V-268162 | | NixOS must remove all software components after updated versions have been installed. | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by advers... |
| V-268163 | | NixOS must generate audit records when successful/unsuccessful attempts to modify security objects occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-268164 | | NixOS must generate audit records when successful/unsuccessful attempts to delete privileges occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-268165 | | NixOS must generate audit records when successful/unsuccessful attempts to delete security objects occur. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-268166 | | NixOS must generate audit records when concurrent logins to the same account occur from different sources. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-268167 | | NixOS must generate audit records for all account creations, modifications, disabling, and termination events. | Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlat... |
| V-268169 | | NixOS must prevent the use of dictionary words for passwords. | If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by incre... |
| V-268170 | | NixOS must enable the use of pwquality. | If the operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by incre... |
| V-268171 | | NixOS must enforce a delay of at least four seconds between login prompts following a failed login attempt. | Limiting the number of login attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.... |
| V-268173 | | NixOS must be configured to use AppArmor. | Users' home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a... |
| V-268174 | | NixOS must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected ac... |
| V-268175 | | NixOS must employ approved cryptographic hashing algorithms for all stored passwords. | Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide con... |
| V-268177 | | NixOS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. | Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is co... |
| V-268178 | | NixOS must prohibit the use of cached authenticators after one day. | If cached authentication information is out-of-date, the validity of the authentication information may be questionable.... |
| V-268179 | | For PKI-based authentication, NixOS must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked... |
| V-268180 | | NixOS must run a supported release of the operating system. | Security flaws with operating systems are discovered daily. Vendors are constantly updating and patching their products to address newly discovered se... |
| V-268181 | | NixOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files. | Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.... |
| V-268085 | | NixOS must be configured to limit the number of concurrent sessions to ten for all accounts and/or account types. | Operating system management includes the ability to control the number of users and user sessions that use an operating system. Limiting the number of... |
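The rows above state requirements but not how NixOS satisfies them. The following `configuration.nix` fragment is an added example written for this page; it is not part of the STIG and not NixOS project documentation. It maps a subset of the rows (firewall, Nix daemon restrictions, auditd and its syscall rules, SSH hardening, password ageing and umask, sudo reauthentication, login delay, USBGuard, AppArmor, ASLR, and time synchronization) to declarative options. The chrony server name, the banner text, the audit rule keys and the auditd.conf threshold figures are placeholders chosen for the example, and the fragment assumes auditd reads the `/etc/audit/auditd.conf` supplied through `environment.etc`.

```nix
# Added example: configuration.nix fragment mapping a subset of the rows
# above to NixOS options. Placeholders (assumptions, not from the STIG):
# the chrony server name, the banner text, audit rule keys, and the
# auditd.conf thresholds, which depend on the size of the log partition.
{ config, pkgs, lib, ... }:

{
  # V-268078: built-in firewall.
  networking.firewall.enable = true;

  # V-268152, V-268154: only root/wheel may talk to the Nix daemon, and
  # store paths fetched from substituters must carry a trusted signature.
  nix.settings.allowed-users = [ "root" "@wheel" ];
  nix.settings.require-sigs = true;

  # V-268080, V-268090, V-268092, V-268093: auditd, auditing from the
  # first process, and a backlog large enough for pre-auditd events.
  security.auditd.enable = true;
  security.audit.enable = true;
  boot.kernelParams = [ "audit=1" "audit_backlog_limit=8192" ];

  # V-268094..V-268096, V-268099, V-268100, V-268119: syscall rules for
  # both ABIs (a 32-bit binary would otherwise bypass a b64-only rule)
  # and an immutable login UID. The -k keys are placeholders.
  security.audit.rules = [
    "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount"
    "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount"
    "-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete"
    "-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete"
    "-a always,exit -F arch=b32 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k module_chng"
    "-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k module_chng"
    "-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown,chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod"
    "-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown,chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod"
    "--loginuid-immutable"
  ];

  # V-268101..V-268106: auditd threshold and failure actions. space_left
  # and admin_space_left are absolute MiB values, so derive them as 25%
  # and 10% of the audit partition (placeholder figures for a 20 GiB volume).
  # Assumes auditd reads /etc/audit/auditd.conf as supplied here.
  environment.etc."audit/auditd.conf".text = ''
    log_file = /var/log/audit/audit.log
    log_group = root
    space_left = 5120
    space_left_action = email
    action_mail_acct = root
    admin_space_left = 2048
    admin_space_left_action = single
    disk_full_action = halt
    disk_error_action = halt
  '';

  # V-268083, V-268089, V-268137, V-268142, V-268143: SSH banner, approved
  # algorithms, no direct root login, and teardown after 10 idle minutes
  # (600 s interval, one missed keepalive).
  services.openssh = {
    enable = true;
    banner = "<Standard Mandatory DOD Notice and Consent Banner text here>";
    settings = {
      PermitRootLogin = "no";
      ClientAliveInterval = 600;
      ClientAliveCountMax = 1;
      Ciphers = [ "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" "aes256-ctr" "aes128-ctr" ];
      Macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "hmac-sha2-512" "hmac-sha2-256" ];
      KexAlgorithms = [ "ecdh-sha2-nistp384" "ecdh-sha2-nistp256" "diffie-hellman-group-exchange-sha256" ];
    };
  };

  # V-268132, V-268133, V-268181: password ageing and a 077 default umask.
  security.loginDefs.settings = {
    PASS_MIN_DAYS = 1;
    PASS_MAX_DAYS = 60;
    UMASK = "077";
  };

  # V-268155: sudo re-authenticates on every invocation.
  security.sudo.extraConfig = "Defaults timestamp_timeout=0";

  # V-268171: four-second pause after a failed console login (value in microseconds).
  security.pam.services.login.failDelay = { enable = true; delay = 4000000; };

  # V-268139, V-268173, V-268161: USBGuard, AppArmor, full ASLR.
  services.usbguard.enable = true;
  security.apparmor.enable = true;
  boot.kernel.sysctl."kernel.randomize_va_space" = 2;

  # V-268149..V-268151: sync to a designated source (placeholder name) and
  # step the clock whenever it is more than one second off.
  services.chrony = {
    enable = true;
    servers = [ "time.example.mil" ];
    extraConfig = "makestep 1 -1";
  };
}
```

Two caveats when using this as a starting point. The rows on audit offloading (V-268107 through V-268109), the 75/90 percent notifications, pwquality and account lockout are not covered here; they need a remote collector, a mail path and PAM rules that depend on the site. And because auditd's thresholds are absolute sizes rather than percentages, the `space_left` and `admin_space_left` values must be recomputed whenever the audit volume is resized, or the 75/90 percent requirement is silently no longer met.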