NixOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-268181 | ANIX-00-002180 | SV-268181r1131169_rule | CCI-000366 | medium |
| Description | ||||
| Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. | ||||
| STIG | Date | |||
| Anduril NixOS Security Technical Implementation Guide | 2025-08-19 | |||
Details
Check Text (C-268181r1131169_chk)
Verify the NixOS operating system defines default file permissions so users may only modify their own files.
$ grep "UMASK" /etc/login.defs
UMASK 077
If the UMASK setting is not present, is commented out, or is less restrictive than 077, this is a finding.
Fix Text (F-72008r1131168_fix)
Configure the NixOS operating system to change default file permissions so users may only modify their own files.
Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:
security.loginDefs.settings.UMASK = "077";
Rebuild and switch to the new NixOS configuration:
$ sudo nixos-rebuild switch