NixOS must be configured to limit the number of concurrent sessions to 10 for all accounts and/or account types.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
low	V-268085	SRG-OS-000027-GPOS-00008	ANIX-00-000090	SV-268085r1130966_rule	2025-08-19	1

Description
Operating system management includes the ability to control the number of users and user sessions that use an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.

Description

Operating system management includes the ability to control the number of users and user sessions that use an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.

ℹ️ Check
Verify NixOS limits the number of concurrent sessions to 10 for all accounts and/or account types. Check the pam configuration files and confirm a conf file with maxlogins configured: $ grep "limits.conf" /etc/pam.d/login > session required /nix/store/sl3fa5zh61xxl03m64if2wqzbvrb6zly-linux-pam-1.6.1/lib/security/pam_limits.so conf=/nix/store/aq8ni1qh3pdygl9cn3qfb8v583ask67m-limits.conf # limits (order 12200) $ cat /nix/store/aq8ni1qh3pdygl9cn3qfb8v583ask67m-limits.conf * hard maxlogins 10 @pipewire - rtprio 95 @pipewire - nice -19 @pipewire - memlock 4194304 If the "maxlogins" item is missing or commented out, or the value is set greater than "10" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

ℹ️ Check

Verify NixOS limits the number of concurrent sessions to 10 for all accounts and/or account types. Check the pam configuration files and confirm a conf file with maxlogins configured: $ grep "limits.conf" /etc/pam.d/login > session required /nix/store/sl3fa5zh61xxl03m64if2wqzbvrb6zly-linux-pam-1.6.1/lib/security/pam_limits.so conf=/nix/store/aq8ni1qh3pdygl9cn3qfb8v583ask67m-limits.conf # limits (order 12200) $ cat /nix/store/aq8ni1qh3pdygl9cn3qfb8v583ask67m-limits.conf * hard maxlogins 10 @pipewire - rtprio 95 @pipewire - nice -19 @pipewire - memlock 4194304 If the "maxlogins" item is missing or commented out, or the value is set greater than "10" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

✔️ Fix
Configure NixOS to limit the number of concurrent sessions to 10 for all accounts and/or account types. Update the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.pam.loginLimits = [ { domain = ""; item = "maxlogins"; type = "hard"; value = "10"; } ]; Note: Security.pam.loginLimits can be set as a global domain (with the wildcard) but may be set differently for multiple domains. Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch

✔️ Fix

Configure NixOS to limit the number of concurrent sessions to 10 for all accounts and/or account types. Update the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix: security.pam.loginLimits = [ { domain = "*"; item = "maxlogins"; type = "hard"; value = "10"; } ]; Note: Security.pam.loginLimits can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. Rebuild and switch to the new NixOS configuration: $ sudo nixos-rebuild switch