1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
|
documentation_complete: true
title: 'Encrypt Partitions'
description: |-
{{{ full_name }}} natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
encrypt a partition is during installation time.
<br /><br />
For manual installations, select the <tt>Encrypt</tt> checkbox during
partition creation to encrypt the partition. When this
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered manually
every time the system boots.
{{% if product not in ["sle12", "sle15", "slmicro5", "slmicro6", "ubuntu2204", "ubuntu2404"] %}}
<br /><br />
For automated/unattended installations, it is possible to use Kickstart by adding
the <tt>--encrypted</tt> and <tt>--passphrase=</tt> options to the definition of each partition to be
encrypted. For example, the following line would encrypt the root partition:
<pre>part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=<i>PASSPHRASE</i></pre>
Any <i>PASSPHRASE</i> is stored in the Kickstart in plaintext, and the Kickstart
must then be protected accordingly.
Omitting the <tt>--passphrase=</tt> option from the partition definition will cause the
installer to pause and interactively ask for the passphrase during installation.
<br /><br />
By default, the <tt>Anaconda</tt> installer uses <tt>aes-xts-plain64</tt> cipher
with a minimum <tt>512</tt> bit key size which should be compatible with FIPS enabled.
{{% endif %}}
<br /><br />
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on
the {{{ full_name }}} Documentation web site:<br />
{{% if product == "ol7" %}}
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/7/security/security-SecureInstallationandConfiguration.html#ol7-instcsdp-sec") }}}
{{% elif product == "ol8" %}}
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/install/install-InstallingOracleLinuxManually.html#system-options") }}}
{{% elif product == "ol9" %}}
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/9/install/install-InstallingOracleLinuxManually.html#system-options") }}}
{{% elif product == "sle12" %}}
{{{ weblink(link="https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-security-cryptofs.html") }}}
{{% elif product == "sle15" %}}
{{{ weblink(link="https://documentation.suse.com/sles/15-SP2/html/SLES-all/cha-security-cryptofs.html") }}}
{{% elif product == "slmicro5" %}}
{{{ weblink(link="https://documentation.suse.com/sles/15-SP3/html/SLES-all/cha-security-cryptofs.html") }}}
{{% elif product == "slmicro6" %}}
{{{ weblink(link="https://documentation.suse.com/sle-micro/6.0/html/Micro-deployment-raw-images/index.html#deployment-jeos-firstboot") }}}
{{% elif 'ubuntu' in product %}}
{{{ weblink(link="https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019") }}}
{{% elif product == "fedora" %}}
{{{ weblink(link="https://docs.fedoraproject.org/en-US/quick-docs/encrypting-drives-using-LUKS/") }}}
{{% else %}}
{{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening") }}}
{{% endif %}}.
rationale: |-
The risk of a system's physical compromise, particularly mobile systems such as
laptops, places its data at risk of compromise. Encrypting this data mitigates
the risk of its loss if the system is lost.
severity: high
identifiers:
cce@rhel8: CCE-80789-1
cce@rhel9: CCE-90849-1
cce@rhel10: CCE-89165-5
cce@sle12: CCE-83046-3
cce@sle15: CCE-85719-3
cce@slmicro5: CCE-93760-7
cce@slmicro6: CCE-94686-3
references:
cis-csc: 13,14
cobit5: APO01.06,BAI02.01,BAI06.01,DSS04.07,DSS05.03,DSS05.04,DSS05.07,DSS06.02,DSS06.06
cui: 3.13.16
hipaa: 164.308(a)(1)(ii)(D),164.308(b)(1),164.310(d),164.312(a)(1),164.312(a)(2)(iii),164.312(a)(2)(iv),164.312(b),164.312(c),164.314(b)(2)(i),164.312(d)
isa-62443-2013: 'SR 3.4,SR 4.1,SR 5.2'
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1
nist: CM-6(a),SC-28,SC-28(1),SC-13,AU-9(3)
nist-csf: PR.DS-1,PR.DS-5
nist@sle12: SC-28,SC-28.1
nist@sle15: SC-28,SC-28.1
srg: SRG-OS-000405-GPOS-00184,SRG-OS-000185-GPOS-00079,SRG-OS-000404-GPOS-00183
stigid@ol8: OL08-00-010030
stigid@sle12: SLES-12-010450
stigid@sle15: SLES-15-010330
ocil_clause: 'partitions do not have a type of crypto_LUKS'
ocil: |-
Check the system partitions to determine if they are encrypted with the following command:
<pre>blkid</pre>
<br /><br />
Output will be similar to:
<pre>/dev/sda1: UUID=" ab12c3de-4f56-789a-8f33-3850cc8ce3a2
" TYPE="crypto_LUKS"
/dev/sda2: UUID=" bc98d7ef-6g54-321h-1d24-9870de2ge1a2
" TYPE="crypto_LUKS"</pre>
<br /><br />
The boot partition and pseudo-file systems, such as /proc, /sys, and tmpfs,
are not required to use disk encryption and are not a finding.
fixtext: |-
Configure {{{ full_name }}} to prevent unauthorized modification of all information at rest by using disk encryption.
Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed.
To encrypt an entire partition, dedicate a partition for encryption in the partition layout.
{{% if "slmicro" in product %}}
The standard partitioning proposal as suggested by YaST (installation and configuration tool for Linux) does not include an encrypted
partition by default. Add it manually in the partitioning dialog.
The following set of commands will switch {{{ full_name }}} to work in FIPS mode:
<pre>$ sudo transactional-update pkg install -t pattern microos-fips</pre>
<pre>$ sudo reboot</pre>
Add of modify the following line in the "/etc/default/grub" file to include "fips=1":
<pre>GRUB_CMDLINE_LINUX_DEFAULT="splash=silent swapaccount=1 apparmor=0 mitigations=auto quiet crashkernel=195M,high crashkernel=72M,low fips=1"</pre>
<pre>$ sudo transactional-update grub.cfg</pre>
<pre>$ sudo reboot</pre>
{{% endif %}}
srg_requirement: |-
{{{ full_name }}} local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.
checktext: |-
Verify {{{ full_name }}} prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption.
If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable.
{{% if "slmicro" in product %}}
Verify that the system partitions are all encrypted with the following commands:
<pre>$ sudo blkid</pre>
<br /><br />
Output will be similar to:
/dev/sda1: "UUID=26d4a101-7f48-4394-b730-56dc00e65f64" TYPE="crypto_LUKS"
/dev/sda2: "UUID=f5b8a790-14cb-4b82-882d-707d52f27765" TYPE="crypto_LUKS"
/dev/sda3: "UUID=f2d86128-f975-478d-a5b0-25806c900eac" TYPE="crypto_LUKS"
Every persistent disk partition present must be of type "crypto_LUKS".
If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) or temporary file systems (that are tmpfs)
are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted.
If there is no evidence that these partitions are encrypted, this is a finding.
<pre>$ sudo more /etc/cryptab</pre>
<br /><br />
Output will be similar to:
cr_root UUID=26d4a101-7f48-4394-b730-56dc00e65f64
cr_home UUID=f5b8a790-14cb-4b82-882d-707d52f27765
cr_swap UUID=f2d86128-f975-478d-a5b0-25806c900eac
Every persistent disk partition present on the system must have an entry in the /etc/crypttab file.
If any partitions other than pseudo file systems (such as /proc or /sys) are not listed or "/etc/crypttab" does not exist, this is a finding.
Verify the system works in FIPS mode with the following command:
<pre>sudo sysctl - a | grep fips</pre>
<br /><br />
crypto.fips_enabled = 1
{{% elif 'ubuntu' in product %}}
Determine the partition layout for the system with the following command:
<pre>$ sudo fdisk -l</pre>
Verify that the system partitions are all encrypted with the following command:
<pre>$ more /etc/crypttab</pre>
Every persistent disk partition present must have an entry in the file.
If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.
{{% else -%}}
Verify all system partitions are encrypted with the following command:
$ blkid
/dev/map per/rhel-root: UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS"
Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) or temporary file systems (that are tmpfs) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding.
{{% endif -%}}
{{% if 'ol' in families %}}
warnings:
- general: |-
Due to different needs, possibilities, and passphrase requirement automated remediation is
not available for this configuration check.
{{% endif %}}
|
