STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021

All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.

DISA Rule

SV-230224r627750_rule

Vulnerability Number

V-230224

Group Title

SRG-OS-000185-GPOS-00079

Rule Version

RHEL-08-010030

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure RHEL 8 to prevent unauthorized modification of all information at rest by using disk encryption.

Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout.

Check Contents

Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption.

If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable.

Verify all system partitions are encrypted with the following command:

$ sudo blkid

/dev/mapper/rhel-root: UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS"

Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that all local disk partitions are encrypted, this is a finding.
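The check above, as an added example that is not part of the STIG or of STIGQter: a POSIX shell function that reads blkid output and lists every entry whose TYPE is not "crypto_LUKS", which are the entries the check says to raise with the administrator. The function names and every sample line except the rhel-root line quoted above are constructed for illustration.

```shell
#!/bin/sh
# Added example, not STIG content. Helper names are hypothetical.

# unencrypted_entries: read blkid output on stdin and print "<device> <type>"
# for every entry whose TYPE is missing or is not crypto_LUKS.
# On a live system: sudo blkid | unencrypted_entries
unencrypted_entries() {
    while IFS= read -r line; do
        case $line in
            /*:*) ;;            # keep only "device: KEY=value ..." lines
            *) continue ;;
        esac
        dev=${line%%: *}
        # Match TYPE= only when preceded by whitespace, so SEC_TYPE= and
        # PTTYPE= are not mistaken for the block type.
        fstype=$(printf '%s\n' "$line" |
            sed -n 's/.*[[:space:]]TYPE="\([^"]*\)".*/\1/p')
        [ "$fstype" = "crypto_LUKS" ] && continue
        printf '%s %s\n' "$dev" "${fstype:-unknown}"
    done
}

# sample_blkid: constructed blkid output (UUIDs are placeholders, except the
# rhel-root line, which is the one shown in the check text).
sample_blkid() {
    cat <<'EOF'
/dev/sda1: UUID="0000-0001" TYPE="vfat" PARTUUID="constructed-0001"
/dev/sda2: UUID="constructed-0002" TYPE="crypto_LUKS" PARTUUID="constructed-0002"
/dev/sda3: UUID="constructed-0003" SEC_TYPE="msdos" TYPE="xfs"
/dev/sdb1: PARTUUID="constructed-0004"
/dev/mapper/rhel-root: UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS"
EOF
}

# Each line printed here needs the administrator's explanation of how that
# partition is encrypted; without such evidence the check records a finding.
sample_blkid | unencrypted_entries
```

An empty result means every entry blkid reported is of type "crypto_LUKS".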

Documentable

False

Check Content Reference

M

Target Key

2921
