STIGQter: STIG Summary: Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 10 Mar 2021

Ubuntu operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.

DISA Rule

SV-238335r654180_rule

Vulnerability Number

V-238335

Group Title

SRG-OS-000185-GPOS-00079

Rule Version

UBTU-20-010414

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To encrypt an entire partition, dedicate a partition to encryption (a dm-crypt/LUKS container, unlocked at boot through /etc/crypttab) when designing the partition layout, normally at installation time.

Note: Encrypting a partition on an already-installed system is considerably harder, because the data must be moved or backed up, the partition resized or recreated as an encrypted container, and the existing partition and mount configuration changed.

Check Contents

If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable.

Verify the Ubuntu operating system prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption.

Determine the partition layout for the system with the following command:

# sudo fdisk -l
(..)
Disk /dev/vda: 15 GiB, 16106127360 bytes, 31457280 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 83298450-B4E3-4B19-A9E4-7DF147A5FEFB

Device       Start      End  Sectors Size Type
/dev/vda1     2048     4095     2048   1M BIOS boot
/dev/vda2     4096  2101247  2097152   1G Linux filesystem
/dev/vda3  2101248 31455231 29353984  14G Linux filesystem
(...)

Verify the system partitions are all encrypted with the following command:

# more /etc/crypttab

Every persistent disk partition present (including swap) must have an entry in the file. The second field of each /etc/crypttab entry names the underlying encrypted device, usually as UUID=<uuid> rather than /dev/vdaN, so compare the entries against the UUIDs reported by blkid or lsblk -o NAME,FSTYPE,UUID when matching them to the fdisk output; a partition that is really a LUKS container shows FSTYPE crypto_LUKS.

If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.
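As an added example (not part of the STIG or of STIGQter), the following POSIX shell script automates the check above: it reads lsblk output in key="value" form together with a crypttab file, skips the boot partition and unformatted areas such as the 1M BIOS boot partition, and reports every formatted partition that is not a LUKS container referenced from crypttab. The function names check_dar and sample_run, the device names, the mapping name vda3_crypt and all UUIDs are constructed for this example; the sample layout mirrors the fdisk output above, with a second, unencrypted disk added so that the script has something to report.

```shell
#!/bin/sh
# Added example, not STIG/STIGQter code: reconcile block devices with /etc/crypttab.
# Input 1: a file holding the output of
#   lsblk -Pno NAME,TYPE,FSTYPE,MOUNTPOINT,UUID
# Input 2: the crypttab file to check (normally /etc/crypttab).
# Exit status 1 if any finding is printed, 0 otherwise.
check_dar() {
    awk -v crypttab="$2" '
    # Extract the value of KEY="..." from one lsblk -P line.
    function val(line, key,   k) {
        line = " " line; k = " " key "=\""
        if (match(line, k "[^\"]*\""))
            return substr(line, RSTART + length(k), RLENGTH - length(k) - 1)
        return ""
    }
    BEGIN {
        # Collect the source-device field (2nd column) of every crypttab entry.
        while ((getline l < crypttab) > 0) {
            sub(/^[ \t]+/, "", l)
            if (l ~ /^(#|$)/) continue
            split(l, f, /[ \t]+/)
            src[f[2]] = 1
        }
    }
    {
        name = val($0, "NAME"); type = val($0, "TYPE"); fs = val($0, "FSTYPE")
        mp = val($0, "MOUNTPOINT"); uuid = val($0, "UUID")
        if (type != "part") next          # whole disks and dm devices are judged via their partition
        if (fs == "") next                # no filesystem, e.g. the 1M BIOS boot area
        if (mp == "/boot" || mp == "/boot/efi") next   # boot partition is exempt in the check text
        if (fs == "crypto_LUKS") {
            if (("UUID=" uuid) in src || ("/dev/" name) in src || ("/dev/disk/by-uuid/" uuid) in src) next
            printf "FINDING: /dev/%s is a LUKS container with no crypttab entry\n", name; bad++
            next
        }
        printf "FINDING: /dev/%s (%s%s) is not encrypted\n", name, fs, (mp != "" ? (" on " mp) : ""); bad++
    }
    END {
        if (!bad) print "OK: every formatted non-boot partition is a LUKS container listed in crypttab"
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: the vda layout from the fdisk output above (vda3 as a LUKS
# container holding /), plus a second disk vdb with a plaintext /data and swap.
# Device names, the mapping name and the UUIDs are made up for this example.
sample_run() {
    dir=$(mktemp -d)
    cat > "$dir/lsblk.txt" <<'EOF'
NAME="vda" TYPE="disk" FSTYPE="" MOUNTPOINT="" UUID=""
NAME="vda1" TYPE="part" FSTYPE="" MOUNTPOINT="" UUID=""
NAME="vda2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot" UUID="0f2d1111-0000-4000-8000-000000000002"
NAME="vda3" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" UUID="0f2d1111-0000-4000-8000-000000000003"
NAME="vda3_crypt" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/" UUID="0f2d1111-0000-4000-8000-000000000004"
NAME="vdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" UUID=""
NAME="vdb1" TYPE="part" FSTYPE="xfs" MOUNTPOINT="/data" UUID="0f2d1111-0000-4000-8000-000000000011"
NAME="vdb2" TYPE="part" FSTYPE="swap" MOUNTPOINT="[SWAP]" UUID="0f2d1111-0000-4000-8000-000000000012"
EOF
    cat > "$dir/crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
vda3_crypt UUID=0f2d1111-0000-4000-8000-000000000003 none luks,discard
EOF
    check_dar "$dir/lsblk.txt" "$dir/crypttab"
    rc=$?
    rm -rf "$dir"
    return $rc
}

if sample_run; then echo "sample: no findings"; else echo "sample: findings present"; fi
```

On a live system, run `lsblk -Pno NAME,TYPE,FSTYPE,MOUNTPOINT,UUID > /tmp/lsblk.txt` and then `check_dar /tmp/lsblk.txt /etc/crypttab`; on the constructed sample the script reports /dev/vdb1 and /dev/vdb2 and exits 1, while /dev/vda3 passes because its UUID appears in crypttab. Filesystems and logical volumes that live inside a LUKS container appear as `crypt` or `lvm` rows and are covered by the container's entry; a plaintext LVM physical volume appears as a `part` row with FSTYPE LVM2_member and is reported, which is the intended result for LVM-on-plaintext. A LUKS-on-LVM layout (each logical volume its own LUKS container) is not handled here and would need the `lvm` rows with FSTYPE crypto_LUKS judged the same way.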

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5318

Comments