This repository was archived by the owner on Sep 14, 2025. It is now read-only.

extend hardening configuration #5

@felbinger


See https://public.cyber.mil/announcement/disa-releases-the-anduril-nixos-security-technical-implementation-guide/ and
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Anduril_NixOS_V1R1_STIG.zip.
The XCCDF file in that archive can be read using:

nix run nixpkgs#openscap xccdf eval U_Anduril_NixOS_V1R1_STIG/U_Anduril_NixOS_V1R1_Manual_STIG/U_Anduril_NixOS_STIG_V1R1_Manual-xccdf.xml
  • NixOS must enable the built-in firewall.
  • NixOS emergency or temporary user accounts must be provisioned with an expiration time of 72 hours or less.
  • NixOS must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period. (SSH: after 10 login attempts fail2ban will block the source IP address for 24h)
  • NixOS must be configured to limit the number of concurrent sessions to ten for all accounts and/or account types.
  • NixOS must monitor remote access methods.
  • NixOS must implement encryption to protect the confidentiality of remote access sessions (e.g. no telnet).
  • NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent utilization.
  • NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 90 percent utilization.
  • NixOS must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
  • NixOS must take action when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity.
  • The NixOS audit system must take appropriate action when the audit storage volume is full.
  • The NixOS audit system must take appropriate action when an audit processing failure occurs.
  • NixOS must have the packages required for offloading audit logs installed and running.
  • The NixOS audit records must be off-loaded onto a different system or storage media from the system being audited.
  • NixOS must authenticate the remote logging server for off-loading audit logs.
  • NixOS audit daemon must generate logs that are group-owned by root.
  • NixOS audit directory and logs must be owned by root to prevent unauthorized read access.
  • NixOS audit log directory must have a mode of 0700 or less permissive.
  • NixOS audit logs must have a mode of 0600 or less permissive.
  • NixOS syslog directory and logs must be owned by root to prevent unauthorized read access.
  • NixOS syslog directory and logs must be group-owned by root to prevent unauthorized read access.
  • NixOS syslog log directory must have a mode of 0750 or less permissive.
  • NixOS syslog logs must have a mode of 0640 or less permissive.
  • NixOS audit system must protect login UIDs from unauthorized change.
  • NixOS system configuration files must have a mode of "0644" or less permissive.
  • NixOS system configuration file directories must have a mode of "0755" or less permissive.
  • NixOS system configuration files and directories must be owned by root.
  • NixOS system configuration files and directories must be group-owned by root.
  • NixOS, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
  • NixOS must enforce authorized access to the corresponding private key for PKI-based authentication.
  • NixOS must enforce password complexity by requiring that at least one uppercase character be used.
  • NixOS must enforce password complexity by requiring that at least one lowercase character be used.
  • NixOS must enforce password complexity by requiring that at least one numeric character be used.
  • NixOS must require the change of at least 50 percent of the total number of characters when passwords are changed.
  • NixOS must store only encrypted representations of passwords.
  • NixOS must not have the telnet package installed.
  • NixOS must enforce 24 hours/one day as the minimum password lifetime.
  • NixOS must enforce a 60-day maximum password lifetime restriction.
  • NixOS must enforce a minimum 15-character password length.
  • NixOS must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users).
  • NixOS must use multifactor authentication for network access to privileged accounts.
  • NixOS must not allow direct login to the root account via SSH.
  • NixOS must not allow direct login to the root account.
  • NixOS must enable USBguard.
  • A sticky bit must be set on all NixOS public directories to prevent unauthorized and unintended information transferred via shared system resources.
  • NixOS must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.
  • NixOS must terminate all SSH connections after 10 minutes of becoming unresponsive.
  • NixOS must terminate all SSH connections after becoming unresponsive.
  • NixOS must protect the confidentiality and integrity of all information at rest.
  • NixOS must enforce password complexity by requiring that at least one special character be used.
  • NixOS must protect wireless access to the system using authentication of users and/or devices.
  • NixOS must, for networked systems, compare internal information system clocks at least every 24 hours.
  • NixOS must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
  • NixOS must notify designated personnel if baseline configurations are changed in an unauthorized manner.
  • NixOS must require users to reauthenticate for privilege escalation (e.g. no passwordless sudo).
  • NixOS must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
  • NixOS must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces.
  • NixOS must protect the confidentiality and integrity of transmitted information.
  • NixOS must implement address space layout randomization to protect its memory from unauthorized code execution.
  • NixOS must remove all software components after updated versions have been installed (nix-collect-garbage -d).
  • NixOS must prevent the use of dictionary words for passwords.
  • NixOS must enable the use of pwquality.
  • NixOS must not allow an unattended or automatic login to the system via the console.
  • NixOS must prohibit the use of cached authenticators after one day.
  • For PKI-based authentication, NixOS must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
  • NixOS must run a supported release of the operating system.
  • NixOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Audit records for:

  • all usage of privileged commands.
  • NixOS must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.
  • successful/unsuccessful uses of the mount syscall.
  • successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.
  • successful/unsuccessful uses of the init_module, finit_module, and delete_module system calls.
  • successful/unsuccessful modifications to the cron configuration.
  • successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.
  • successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls.
  • successful/unsuccessful attempts to modify security objects occur.
  • successful/unsuccessful attempts to delete privileges occur.
  • concurrent logins to the same account occur from different sources.
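As an added example (not this repository's own configuration), the following NixOS module maps a subset of the STIG items above, including the audit syscall rules just listed, onto NixOS options. Option names are the ones in current NixOS; the thresholds are taken from the list, and the audit rules assume an x86_64 host (add `arch=b32` variants for 32-bit callers).

```nix
# Added example, not this repository's own configuration: a NixOS module that maps
# a subset of the STIG items above onto NixOS options. Option names are the ones
# in current NixOS; thresholds come from the list; adapt to the host before use.
{ config, lib, pkgs, ... }:
{
  networking.firewall.enable = true;                 # built-in firewall
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";                        # no direct root login via SSH
      ClientAliveInterval = 600;                     # probe after 10 min of silence...
      ClientAliveCountMax = 1;                       # ...and drop after one missed probe
    };
  };
  # SSH brute-force lockout by source address (fail2ban; not a per-account lock).
  services.fail2ban = { enable = true; maxretry = 3; bantime = "24h"; };
  # At most ten concurrent sessions per account (pam_limits).
  security.pam.loginLimits = [
    { domain = "*"; type = "hard"; item = "maxlogins"; value = "10"; }
  ];
  # Password lifetime/length and a "read and modify own files only" default umask.
  security.loginDefs.settings = {
    PASS_MIN_DAYS = 1; PASS_MAX_DAYS = 60; PASS_MIN_LEN = 15; UMASK = "077";
  };
  security.sudo.wheelNeedsPassword = true;           # reauthenticate for sudo
  services.getty.autologinUser = null;               # no console autologin
  boot.kernel.sysctl."kernel.randomize_va_space" = 2; # full ASLR
  services.usbguard.enable = true;                   # provide a rule set first
  services.chrony = {
    enable = true;
    extraConfig = "makestep 1 -1";                   # step when offset > 1 s
  };
  # Kernel audit: backlog for pre-auditd processes, immutable login UIDs and the
  # syscall rules from the "audit records for" list (b64 only; add b32 if needed).
  security.auditd.enable = true;
  security.audit = {
    enable = true;
    backlogLimit = 8192;
    rules = [
      "--loginuid-immutable"
      "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount"
      "-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete"
      "-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules"
      "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod"
      "-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access"
    ];
  };
  nix.gc = { automatic = true; options = "--delete-old"; }; # nix-collect-garbage -d
}
```

Password complexity (pwquality), PKI certificate validation and audit log off-loading are not covered by these options and need separate PAM and logging configuration; the `open`-family rule only records `EACCES` failures, so add an `exit=-EPERM` twin for the full STIG check.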
