Check: RIIM-OS-231010
Riverbed NetIM OS STIG:
RIIM-OS-231010
(in version v1 r1)
Title
Ubuntu OS must implement cryptographic mechanisms to prevent unauthorized disclosure and modification of all information that requires protection at rest. (Cat II impact)
Discussion
Operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184, SRG-OS-000780-GPOS-00240
Check Content
Verify Ubuntu OS prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. Note: If there is a documented and approved reason for not having data-at-rest encryption, this requirement is not applicable. Determine the partition layout for the system by using the following command: $ sudo fdisk -l ... Device Start End Sectors Size Type /dev/sda1 2048 2203647 2201600 1G EFI System /dev/sda2 2203648 6397951 4194304 2G Linux filesystem /dev/sda3 6397952 536868863 530470912 252.9G Linux filesystem ... Verify the system partitions are all encrypted by using the following command: # more /etc/crypttab Every persistent disk partition present must have an entry in the file. If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.
Fix Text
To encrypt an entire partition, dedicate a partition for encryption in the partition layout. Note: Encrypting a partition in an already-installed system is more difficult because it will need to be resized, and existing partitions changed.
Additional Identifiers
Rule ID: SV-275578r1147784_rule
Vulnerability ID: V-275578
Group Title: SRG-OS-000185-GPOS-00079
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001199 |
Protects the confidentiality and/or integrity of organization-defined information at rest. |
| CCI-002475 |
Implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined system components. |
| CCI-002476 |
Implement cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined system components. |
| CCI-004910 |
Provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. |