Update of the rule encrypt_partitions to support SLEM
rumch-se committed Aug 27, 2024
1 parent 6a1c4f6 commit 13df827
Showing 3 changed files with 57 additions and 7 deletions.
5 changes: 3 additions & 2 deletions controls/stig_slmicro5.yml
Expand Up @@ -197,8 +197,9 @@ controls:
All SLEM 5 persistent disk partitions must implement cryptographic mechanisms
to prevent unauthorized disclosure or modification of all information that requires
at-rest protection.
rules: []
status: pending
rules:
- encrypt_partitions
status: automated

- id: SLEM-05-231045
levels:
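Review bot: `status: automated` claims this control is fully covered by automated content, but the visible change only maps `encrypt_partitions` to it, and this commit touches no OVAL or remediation content for slmicro5; the checktext added to the rule in this same commit describes a manual procedure (inspecting `blkid` and `/etc/crypttab`). Confirm that an automated check and fix actually apply to slmicro5, or leave the status at `pending` (or another non-automated status) until they do.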
Expand Up @@ -13,7 +13,7 @@ description: |-
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered manually
every time the system boots.
{{% if product not in ["sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
{{% if product not in ["sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"] %}}
<br /><br />
For automated/unattended installations, it is possible to use Kickstart by adding
the <tt>--encrypted</tt> and <tt>--passphrase=</tt> options to the definition of each partition to be
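Review bot: the exclusion list here hardcodes `"slmicro5"` while the fixtext and checktext hunks in the same file test `"slmicro" in product`; pick one form so that a future SLE Micro version does not silently receive the Kickstart paragraph that does not apply to it.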
Expand All @@ -36,8 +36,12 @@ description: |-
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/install/install-InstallingOracleLinuxManually.html#system-options") }}}
{{% elif product == "ol9" %}}
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/9/install/install-InstallingOracleLinuxManually.html#system-options") }}}
{{% elif product in ["sle12", "sle15"] %}}
{{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}}
{{% elif product == "sle12" %}}
{{{ weblink(link="https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-security-cryptofs.html") }}}
{{% elif product == "sle15" %}}
{{{ weblink(link="https://documentation.suse.com/sles/15-SP2/html/SLES-all/cha-security-cryptofs.html") }}}
{{% elif product == "slmicro5" %}}
{{{ weblink(link="https://documentation.suse.com/sles/15-SP3/html/SLES-all/cha-security-cryptofs.html") }}}
{{% elif 'ubuntu' in product %}}
{{{ weblink(link="https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019") }}}
{{% elif product == "fedora" %}}
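Review bot: the `slmicro5` branch links to the SLES 15 SP3 cryptofs chapter rather than to SLE Micro documentation; if no SLE Micro equivalent exists, say so in the description so readers know the SLES procedure is the intended reference. Splitting `sle12` and `sle15` into their own current `documentation.suse.com` links is an improvement over the old shared `sled-12` URL.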
Expand All @@ -59,6 +63,7 @@ identifiers:
cce@rhel10: CCE-89165-5
cce@sle12: CCE-83046-3
cce@sle15: CCE-85719-3
cce@slmicro5: CCE-93760-7

references:
cis-csc: 13,14
Expand Down Expand Up @@ -104,6 +109,22 @@ fixtext: |-
Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed.
To encrypt an entire partition, dedicate a partition for encryption in the partition layout.
{{% if "slmicro" in product %}}
The standard partitioning proposal as suggested by YaST (installation and configuration tool for Linux) does not include an encrypted
partition by default. Add it manually in the partitioning dialog.
The following set of commands will switch {{{ full_name }}} to work in FIPS mode:
<pre>$ sudo transactional-update pkg install -t pattern microos-fips</pre>
<pre>$ sudo reboot</pre>
Add of modify the following line in the "/etc/default/grub" file to include "fips=1":
<pre>GRUB_CMDLINE_LINUX_DEFAULT="splash=silent swapaccount=1 apparmor=0 mitigations=auto quiet crashkernel=195M,high crashkernel=72M,low fips=1"</pre>
<pre>$ sudo transactional-update grub.cfg</pre>
<pre>$ sudo reboot</pre>
{{% endif %}}
srg_requirement: |-
{{{ full_name }}} local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.
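Review bot: typo in the hunk, `Add of modify` should read `Add or modify`. The bigger problem is the suggested `GRUB_CMDLINE_LINUX_DEFAULT` line, which quotes a complete site-specific kernel command line (`splash=silent swapaccount=1 ... crashkernel=195M,high crashkernel=72M,low`); a reader following it literally would overwrite whatever options their system already has. Tell them to append `fips=1` to the existing value instead of giving a full replacement. Also, enabling FIPS mode is a separate requirement from encrypting partitions; consider keeping this fixtext to the encryption procedure and covering FIPS in its own rule.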
Expand All @@ -112,7 +133,36 @@ checktext: |-
If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable.
{{% if 'ubuntu' in product -%}}
{{% if "slmicro" in product %}}
Verify that the system partitions are all encrypted with the following commands:
<pre>$ sudo blkid</pre>
<br /><br />
Output will be similar to:
/dev/sda1: "UUID=26d4a101-7f48-4394-b730-56dc00e65f64" TYPE="crypto_LUKS"
/dev/sda2: "UUID=f5b8a790-14cb-4b82-882d-707d52f27765" TYPE="crypto_LUKS"
/dev/sda3: "UUID=f2d86128-f975-478d-a5b0-25806c900eac" TYPE="crypto_LUKS"
Every persistent disk partition present must be of type "crypto_LUKS".
If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) or temporary file systems (that are tmpfs)
are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted.
If there is no evidence that these partitions are encrypted, this is a finding.
<pre>$ sudo more /etc/cryptab</pre>
<br /><br />
Output will be similar to:
cr_root UUID=26d4a101-7f48-4394-b730-56dc00e65f64
cr_home UUID=f5b8a790-14cb-4b82-882d-707d52f27765
cr_swap UUID=f2d86128-f975-478d-a5b0-25806c900eac
Every persistent disk partition present on the system must have an entry in the /etc/crypttab file.
If any partitions other than pseudo file systems (such as /proc or /sys) are not listed or "/etc/crypttab" does not exist, this is a finding.
Verify the system works in FIPS mode with the following command:
<pre>sudo sysctl - a | grep fips</pre>
<br /><br />
crypto.fips_enabled = 1
{{% elif 'ubuntu' in product %}}
Determine the partition layout for the system with the following command:
<pre>$ sudo fdisk -l</pre>
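Review bot: two command errors in the hunk: `<pre>$ sudo more /etc/cryptab</pre>` should reference `/etc/crypttab` (the prose a few lines later uses the correct name), and `sysctl - a` has a stray space and should be `sysctl -a`. The sample `blkid` output also has its quotes misplaced: `blkid` prints `UUID="..." TYPE="crypto_LUKS"`, not `"UUID=..."`. Finally, replacing `{{% if 'ubuntu' in product -%}}` with `{{% if "slmicro" in product %}}` drops the `-` whitespace control, and the new `{{% elif 'ubuntu' in product %}}` does not restore it, which may change the rendered spacing of the Ubuntu branch; keep `-%}}` if the trimming was intentional.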
1 change: 0 additions & 1 deletion shared/references/cce-slmicro5-avail.txt
Expand Up @@ -21,7 +21,6 @@ CCE-93722-7
CCE-93726-8
CCE-93743-3
CCE-93757-3
CCE-93760-7
CCE-93762-3
CCE-93763-1
CCE-93764-9