Navigate

Check: ANIX-00-001010

Anduril NixOS STIG: ANIX-00-001010 (in version v1 r1)

Title

NixOS must protect the confidentiality and integrity of all information at rest. (Cat I impact)

Discussion

Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184, SRG-OS-000780-GPOS-00240

Check Content

Verify NixOS prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. Verify all system partitions are encrypted with the following command: $ sudo blkid /dev/sda1: LABEL="nixos" UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS" Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding.

Fix Text

Configure NixOS to prevent unauthorized modification of all information at rest by using disk encryption. Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. Refer to the NixOS manual Section 8.1 "LUKS-Encrypted File Systems" for further details. NixOS Wiki: https://nixos.wiki/wiki/Full_Disk_Encryption

Additional Identifiers

Rule ID: SV-268144r1039320_rule

Vulnerability ID: V-268144

Group Title: SRG-OS-000185-GPOS-00079

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-001199	Protects the confidentiality and/or integrity of organization-defined information at rest.
CCI-002475	Implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined system components.
CCI-002476	Implement cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined system components.
CCI-004910	Provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
SC-28	Protection of Information at Rest
SC-28(1)	Cryptographic Protection