NixOS must generate audit records for all usage of privileged commands.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-268091	SRG-OS-000042-GPOS-00020	ANIX-00-000210	SV-268091r1039161_rule	2024-10-25	1

Description
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, SRG-OS-000755-GPOS-00220

Description

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215, SRG-OS-000755-GPOS-00220

ℹ️ Check
Verify NixOS generates audit records for all execution of privileged functions with the following command: $ sudo auditctl -l \| grep execve -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv If the command does not return the example output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

ℹ️ Check

Verify NixOS generates audit records for all execution of privileged functions with the following command: $ sudo auditctl -l | grep execve -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv If the command does not return the example output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

✔️ Fix
Configure NixOS to generate audit records for all execution of privileged functions. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rules: security.audit.rules = [ "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv " "-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv " ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

✔️ Fix

Configure NixOS to generate audit records for all execution of privileged functions. Add or update the "security.audit.rules" configuration in /etc/nixos/configuration.nix to include the following rules: security.audit.rules = [ "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv" "-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv " "-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv " ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch