STIGQter STIGQter: STIG Summary: SLES 12 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

DISA Rule

SV-217146r603262_rule

Vulnerability Number

V-217146

Group Title

SRG-OS-000185-GPOS-00079

Rule Version

SLES-12-010450

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the SUSE operating system to prevent unauthorized modification of all information at rest by using disk encryption.

Encrypting a partition in an already-installed system is more difficult because of the need to resize and change existing partitions. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. The standard partitioning proposal as suggested by YaST (installation and configuration tool for Linux) does not include an encrypted partition by default. Add it manually in the partitioning dialog.

Refer to the document "SUSE 12 Security Guide", Section 11.1, for a detailed disk encryption guide:

https://www.suse.com/documentation/sles-12/book_security/data/sec_security_cryptofs_y2.html#sec_security_cryptofs_y2_part_run

Check Contents

Verify the SUSE operating system prevents unauthorized disclosure or modification of all information requiring at rest protection by using disk encryption.

Determine the partition layout for the system with the following command:

# sudo fdisk -l

Device Boot Start End Sectors Size Id Type
/dev/sda1 2048 4208639 4206592 2G 82 Linux swap / Solaris
/dev/sda2 * 4208640 53479423 49270784 23.5G 83 Linux
/dev/sda3 53479424 125829119 72349696 34.5G 83 Linux

Verify the system partitions are all encrypted with the following command:

# sudo more /etc/crypttab

luks UUID=114167a-2a94-6cda-f1e7-15ad146c258b
swap /dev/sda1 /dev/urandom swap
truecrypt /dev/sda2 /etc/container_password tcrypt
truecrypt /dev/sda3 /etc/container_password tcrypt

Every persistent disk partition present on the system must have an entry in the file.

If any partitions other than pseudo file systems (such as /proc or /sys) are not listed or "/etc/crypttab" does not exist, this is a finding.

Vulnerability Number

V-217146

Documentable

False

Rule Version

SLES-12-010450

Severity Override Guidance

Verify the SUSE operating system prevents unauthorized disclosure or modification of all information requiring at rest protection by using disk encryption.

Determine the partition layout for the system with the following command:

# sudo fdisk -l

Device Boot Start End Sectors Size Id Type
/dev/sda1 2048 4208639 4206592 2G 82 Linux swap / Solaris
/dev/sda2 * 4208640 53479423 49270784 23.5G 83 Linux
/dev/sda3 53479424 125829119 72349696 34.5G 83 Linux

Verify the system partitions are all encrypted with the following command:

# sudo more /etc/crypttab

luks UUID=114167a-2a94-6cda-f1e7-15ad146c258b
swap /dev/sda1 /dev/urandom swap
truecrypt /dev/sda2 /etc/container_password tcrypt
truecrypt /dev/sda3 /etc/container_password tcrypt

Every persistent disk partition present on the system must have an entry in the file.

If any partitions other than pseudo file systems (such as /proc or /sys) are not listed or "/etc/crypttab" does not exist, this is a finding.

Check Content Reference

M

Target Key

4033

Comments