Title

Amazon Linux 2023 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. (Cat I impact)

Discussion

Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184

Check Content

Verify Amazon Linux 2023 is configured so that all partitions are encrypted with the following command: $ sudo blkid /dev/xvda1: UUID="ed0acbe9-bd05-495e-a9ac-cb615b29327d" TYPE="crypto_LUKS" Every persistent disk partition present must be of "Type" "crypto_LUKS". If any partitions other than the boot partition, bios partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", this is a finding.

Fix Text

Configure Amazon Linux 2023 to protect the confidentiality and integrity of all information at rest. Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout.

Additional Identifiers

Rule ID: SV-273994r1119970_rule

Vulnerability ID: V-273994

Group Title: SRG-OS-000185-GPOS-00079

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.