NixOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-268181 | SRG-OS-000480-GPOS-00228 | ANIX-00-002180 | SV-268181r1039431_rule | 2024-10-25 | 1 |
Description |
---|
Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. |
ℹ️ Check |
---|
Verify that the NixOS operating system changes default file permissions so users may only modify their own files. Ensure the following settings are present in the /etc/nixos/configuration.nix file: |

```nix
{ config, pkgs, lib, ... }:
{
  environment.etc = {
    "login.defs".source = lib.mkForce (pkgs.writeText "login.defs" ''
      DEFAULT_HOME yes
      SYS_UID_MIN 400
      SYS_UID_MAX 999
      UID_MIN 1000
      UID_MAX 29999
      SYS_GID_MIN 400
      SYS_GID_MAX 999
      GID_MIN 1000
      GID_MAX 29999
      TTYGROUP tty
      TTYPERM 0620
      # Ensure privacy for newly created home directories.
      UMASK 077
      # Uncomment this and install chfn SUID to allow nonroot
      # users to change their account GECOS information.
      # This should be made configurable.
      #CHFN_RESTRICT frwh
    '');
  };
}
```

The setting that enforces this requirement is UMASK 077: new files and home directories are created without group or other permissions. If the above configuration is not present in the configuration.nix file, this is a finding.
✔️ Fix |
---|
Configure the NixOS operating system to change default file permissions so users may only modify their own files. Add the following Nix code to the NixOS configuration, usually located in /etc/nixos/configuration.nix: |

```nix
{ config, pkgs, lib, ... }:
{
  environment.etc = {
    "login.defs".source = lib.mkForce (pkgs.writeText "login.defs" ''
      DEFAULT_HOME yes
      SYS_UID_MIN 400
      SYS_UID_MAX 999
      UID_MIN 1000
      UID_MAX 29999
      SYS_GID_MIN 400
      SYS_GID_MAX 999
      GID_MIN 1000
      GID_MAX 29999
      TTYGROUP tty
      TTYPERM 0620
      # Ensure privacy for newly created home directories.
      UMASK 077
      # Uncomment this and install chfn SUID to allow nonroot
      # users to change their account GECOS information.
      # This should be made configurable.
      #CHFN_RESTRICT frwh
    '');
  };
}
```

Because lib.mkForce replaces the login.defs that NixOS would otherwise generate, the file above must carry every setting the system needs, not only UMASK. Rebuild the NixOS configuration with the following command:

```
$ sudo nixos-rebuild switch
```
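The check above inspects configuration.nix, but the values that take effect on the running host are those in the generated /etc/login.defs. The following POSIX shell script, an added example that is not part of the STIG text, audits a login.defs file against the key/value pairs this rule lists and reports each deviation as a finding; it builds two constructed sample files under a temporary directory so it runs without a NixOS host, and the function names and FINDING output format are the example's own.

```shell
#!/bin/sh
# Added example (not from the STIG): audit a login.defs file against the
# values this rule requires. Usage: audit_login_defs /etc/login.defs
# Key/value pairs the rule lists, one per line.
EXPECTED='DEFAULT_HOME yes
SYS_UID_MIN 400
SYS_UID_MAX 999
UID_MIN 1000
UID_MAX 29999
SYS_GID_MIN 400
SYS_GID_MAX 999
GID_MIN 1000
GID_MAX 29999
TTYGROUP tty
TTYPERM 0620
UMASK 077'

# Print the effective value of KEY in FILE: the last uncommented assignment
# wins; comment lines never match because their first field starts with '#'.
login_defs_value() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# Compare FILE against EXPECTED, print one FINDING line per mismatch,
# return 1 if any key is missing or differs, 0 when fully compliant.
audit_login_defs() {
    rc=0
    while read -r key want; do
        got=$(login_defs_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            printf 'FINDING: %s is "%s", expected "%s"\n' "$key" "${got:-unset}" "$want"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed sample files so the script runs without a NixOS host.
write_samples() {
    dir=$(mktemp -d)
    printf '%s\n' "$EXPECTED" '#CHFN_RESTRICT frwh' > "$dir/compliant.defs"
    # Same file with a permissive umask and the TTYPERM line removed.
    sed -e 's/^UMASK 077/UMASK 022/' -e '/^TTYPERM/d' "$dir/compliant.defs" > "$dir/finding.defs"
    echo "$dir"
}

SAMPLES=$(write_samples)
audit_login_defs "$SAMPLES/compliant.defs" && echo "compliant.defs: no findings"
audit_login_defs "$SAMPLES/finding.defs" || echo "finding.defs: findings reported"
```

On a real host, run `audit_login_defs /etc/login.defs` after `nixos-rebuild switch`; a non-zero exit is the finding.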