← Back to Anduril NixOS Security Technical Implementation Guide

V-268181

CAT II (Medium)

NixOS must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

Rule ID

SV-268181r1131169_rule

STIG

Anduril NixOS Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000366

Discussion

Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.

Check Content

Verify the NixOS operating system defines default file permissions so users may only modify their own files.

$ grep "UMASK" /etc/login.defs

UMASK 077

If the UMASK setting is not present, is commented out, or is less restrictive than 077, this is a finding.

Fix Text

Configure the NixOS operating system to change default file permissions so users may only modify their own files.

Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:

security.loginDefs.settings.UMASK = "077";

Rebuild and switch to the new NixOS configuration:
$ sudo nixos-rebuild switch