NixOS must have the packages required for offloading audit logs installed and running.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-268107 | ANIX-00-000460 | SV-268107r1131017_rule | CCI-000154 | medium |
| Description | ||||
| Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. NixOS supports "systemd-journald", which is a common system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. This utility also natively supports TLS to securely encrypt and off-load auditing. Satisfies: SRG-OS-000051-GPOS-00024, SRG-OS-000269-GPOS-00103 | ||||
| STIG | Date | |||
| Anduril NixOS Security Technical Implementation Guide | 2025-08-19 | |||
Details
Check Text (C-268107r1131017_chk)
Verify that the systemd-journald service is running with the following command:
$ systemctl status systemd-journald.service
systemd-journald.service - Journal Service
Loaded: loaded (/etc/systemd/system/systemd-journald.service; enabled; preset: ignored)
Drop-In: /nix/store/z8klzmxqgpmn8ganwrsqizy3qdxnirr8-system-units/systemd-journald.service.d
+-overrides.conf
Active: active (running) since Mon 2025-03-10 10:41:08 PDT; 1 day 2h ago
If the systemd-journald.service is not "active" and "running", this is a finding.
Fix Text (F-71934r1131016_fix)
Configure the operating system to off-load audit logs.
Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:
services.journald.audit = true;
Rebuild and switch to the new NixOS configuration:
$ sudo nixos-rebuild switch