STIGQter STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.

DISA Rule

SV-219567r603263_rule

Vulnerability Number

V-219567

Group Title

SRG-OS-000480

Rule Version

OL6-00-000277

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

The operating system natively supports partition encryption through the Linux Unified Key Setup (LUKS) on-disk-format technology. The easiest way to encrypt a partition is during installation time.

For manual installations, select the "Encrypt" checkbox during partition creation to encrypt the partition. When this option is selected, the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.

For automated/unattended installations, it is possible to use Kickstart by adding the "--encrypted" and "--passphrase=" options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:

part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE]

Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the "--passphrase=" option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.

Detailed information on encrypting partitions using LUKS can be found in the Oracle Linux documentation at:

http://docs.oracle.com/cd/E37670_01/E36387/html/index.html.

Additional information is available from:

http://linux.oracle.com/documentation/OL6/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf"

Check Contents

Determine if encryption must be used to protect data on the system.
If encryption must be used and is not employed, this is a finding.

Vulnerability Number

V-219567

Documentable

False

Rule Version

OL6-00-000277

Severity Override Guidance

Determine if encryption must be used to protect data on the system.
If encryption must be used and is not employed, this is a finding.

Check Content Reference

M

Target Key

2928

Comments