1.2.1 Ensure dm-verity is enabled

Information

The device-mapper-verity (dm-verity) kernel feature provides transparent integrity checking of block devices using a cryptographic digest provided by the kernel crypto API.

Rationale:

The Container-Optimized OS root filesystem is always mounted as read-only. Additionally, its checksum is computed at build time and verified by the kernel on each boot. This mechanism prevents attackers from 'owning' the machine through permanent local changes.

Solution

An OS image update that has the dm-verity enabled kernel is required.
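As an added example that is not part of the benchmark or of Container-Optimized OS tooling, the script below shows how a host-side audit could confirm that the root filesystem is backed by a dm-verity target and report the hash algorithm and root digest the kernel verifies on boot. It assumes the `dmsetup table` line format of the kernel verity target and that the dm name of the root device can be read from sysfs; the sample table is constructed.

```shell
#!/bin/sh
# Added example, not from the CIS benchmark: decide whether a device-mapper
# device carries a "verity" target and report the algorithm and root digest.
#
# Assumed input format (one device per line, as printed by `dmsetup table`):
#   <name>: <start> <len> verity <ver> <data_dev> <hash_dev> <data_bs> <hash_bs>
#           <data_blocks> <hash_start> <algo> <root_digest> <salt>
# Table text is passed as a string so the logic runs offline on constructed data.

# Constructed sample table: a verity-backed root plus an unrelated linear device.
SAMPLE_TABLE='vroot: 0 4077568 verity 1 /dev/sda2 /dev/sda2 4096 4096 509696 509696 sha256 abababababababababababababababababababababababababababababababab cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd
home: 0 8388608 linear /dev/sda3 0'

# Print "<algo> <root_digest>" and exit 0 when the named device is a verity
# target; print nothing and exit 1 otherwise. $1 = table text, $2 = dm name.
verity_summary() {
    printf '%s\n' "$1" | awk -v n="$2:" '
        $1 == n && $4 == "verity" { print $12, $13; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Resolve the running root filesystem to its dm name via sysfs and check it.
# Exit 0 when "/" is verity-protected, 1 when it is not, 2 when undeterminable.
check_live_root() {
    dev=$(awk '$2 == "/" { print $1; exit }' /proc/mounts) || return 2
    case "$dev" in
        /dev/dm-*)     dm=${dev#/dev/} ;;
        /dev/mapper/*) dm=$(basename "$(readlink -f "$dev")") ;;
        *) echo "root $dev is not a device-mapper device"; return 1 ;;
    esac
    name=$(cat "/sys/block/$dm/dm/name" 2>/dev/null) || return 2
    # dmsetup needs root; an empty table simply yields "not verity" (exit 1).
    verity_summary "$(dmsetup table 2>/dev/null)" "$name"
}

# Usage on a live host (run as root):
#   check_live_root && echo "root is dm-verity protected"
```

The live check only proves that a verity target sits under `/`; comparing the reported digest against the value shipped with the OS image is what ties the running root to the image built by the vendor.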

See Also

https://workbench.cisecurity.org/files/3659