OL6-00-000276 - The operating system must protect the confidentiality and integrity of data at rest.

Information

The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

The operating system natively supports partition encryption through the Linux Unified Key Setup (LUKS) on-disk-format technology. The easiest way to encrypt a partition is during installation time.

For manual installations, select the 'Encrypt' checkbox during partition creation to encrypt the partition. When this option is selected, the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.

For automated/unattended installations, it is possible to use Kickstart by adding the '--encrypted' and '--passphrase=' options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:

part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=[PASSPHRASE]

Any [PASSPHRASE] is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the '--passphrase=' option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.

Detailed information on encrypting partitions using LUKS can be found in the Oracle Linux documentation at:

http://docs.oracle.com/cd/E37670_01/E36387/html/index.html

Additional information is available from:

http://linux.oracle.com/documentation/OL6/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_6_V2R7_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-28, CAT|III, CCI|CCI-001199, Rule-ID|SV-209013r793734_rule, STIG-ID|OL6-00-000276, STIG-Legacy|SV-65065, STIG-Legacy|V-50859, Vuln-ID|V-209013

Plugin: Unix

Control ID: cbdd4742738ae1710acc5ce07c7b5ef961d7f5647db900d03bd8e70ce48f95bc