diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml index 29bd8d72ebe..ac2390797e0 100644 --- a/controls/stig_slmicro5.yml +++ b/controls/stig_slmicro5.yml @@ -197,8 +197,9 @@ controls: All SLEM 5 persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection. - rules: [] - status: pending + rules: + - encrypt_partitions + status: automated - id: SLEM-05-231045 levels: diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml index fa03c9518d7..2cb9640c732 100644 --- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml @@ -13,7 +13,7 @@ description: |- option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. - {{% if product not in ["sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{% if product not in ["sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"] %}}

For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be @@ -36,8 +36,12 @@ description: |- {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/install/install-InstallingOracleLinuxManually.html#system-options") }}} {{% elif product == "ol9" %}} {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/9/install/install-InstallingOracleLinuxManually.html#system-options") }}} - {{% elif product in ["sle12", "sle15"] %}} - {{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}} + {{% elif product == "sle12" %}} + {{{ weblink(link="https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-security-cryptofs.html") }}} + {{% elif product == "sle15" %}} + {{{ weblink(link="https://documentation.suse.com/sles/15-SP2/html/SLES-all/cha-security-cryptofs.html") }}} + {{% elif product == "slmicro5" %}} + {{{ weblink(link="https://documentation.suse.com/sles/15-SP3/html/SLES-all/cha-security-cryptofs.html") }}} {{% elif 'ubuntu' in product %}} {{{ weblink(link="https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019") }}} {{% elif product == "fedora" %}} @@ -59,6 +63,7 @@ identifiers: cce@rhel10: CCE-89165-5 cce@sle12: CCE-83046-3 cce@sle15: CCE-85719-3 + cce@slmicro5: CCE-93760-7 references: cis-csc: 13,14 
@@ -104,6 +109,22 @@ fixtext: |- Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. + {{% if "slmicro" in product %}} + The standard partitioning proposal as suggested by YaST (installation and configuration tool for Linux) does not include an encrypted + partition by default. Add it manually in the partitioning dialog. + + The following set of commands will switch {{{ full_name }}} to work in FIPS mode: +
$ sudo transactional-update pkg install -t pattern microos-fips
+
$ sudo reboot
+ + Add of modify the following line in the "/etc/default/grub" file to include "fips=1": +
GRUB_CMDLINE_LINUX_DEFAULT="splash=silent swapaccount=1 apparmor=0 mitigations=auto quiet crashkernel=195M,high crashkernel=72M,low fips=1"
+
$ sudo transactional-update grub.cfg
+
$ sudo reboot
+ + {{% endif %}} + + srg_requirement: |- {{{ full_name }}} local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection. @@ -112,7 +133,36 @@ checktext: |- If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable. - {{% if 'ubuntu' in product -%}} + {{% if "slmicro" in product %}} + Verify that the system partitions are all encrypted with the following commands: +
$ sudo blkid
+

+ Output will be similar to: + /dev/sda1: "UUID=26d4a101-7f48-4394-b730-56dc00e65f64" TYPE="crypto_LUKS" + /dev/sda2: "UUID=f5b8a790-14cb-4b82-882d-707d52f27765" TYPE="crypto_LUKS" + /dev/sda3: "UUID=f2d86128-f975-478d-a5b0-25806c900eac" TYPE="crypto_LUKS" + + Every persistent disk partition present must be of type "crypto_LUKS". + If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) or temporary file systems (that are tmpfs) + are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. + If there is no evidence that these partitions are encrypted, this is a finding. + +
$ sudo more /etc/cryptab
+

+ Output will be similar to: + cr_root UUID=26d4a101-7f48-4394-b730-56dc00e65f64 + cr_home UUID=f5b8a790-14cb-4b82-882d-707d52f27765 + cr_swap UUID=f2d86128-f975-478d-a5b0-25806c900eac + + Every persistent disk partition present on the system must have an entry in the /etc/crypttab file. + If any partitions other than pseudo file systems (such as /proc or /sys) are not listed or "/etc/crypttab" does not exist, this is a finding. + + Verify the system works in FIPS mode with the following command: +
sudo sysctl - a | grep fips
+

+ crypto.fips_enabled = 1 + + {{% elif 'ubuntu' in product %}} Determine the partition layout for the system with the following command:
$ sudo fdisk -l
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt index e2048cb7e6f..fa97cd1984b 100644 --- a/shared/references/cce-slmicro5-avail.txt +++ b/shared/references/cce-slmicro5-avail.txt @@ -21,7 +21,6 @@ CCE-93722-7 CCE-93726-8 CCE-93743-3 CCE-93757-3 -CCE-93760-7 CCE-93762-3 CCE-93763-1 CCE-93764-9
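Review bot: `status: automated` for SLEM-05-231040 in the controls/stig_slmicro5.yml hunk needs confirming against what `encrypt_partitions` actually ships for slmicro5: the checktext added for "slmicro" later in this same patch is a manual procedure (`blkid`, `/etc/crypttab`, `sysctl`), so unless the rule has an OVAL or other automated check that applies to slmicro5, `manual` is the accurate status. State in the commit message which check is meant to cover it.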
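Review bot: in the rule.yml `@@ -36` hunk the new `slmicro5` branch links to SLES 15-SP3 documentation (`documentation.suse.com/sles/15-SP3/...`) rather than SLE Micro documentation, and `sle15` is pinned to 15-SP2 while `sle12` uses 12-SP5. If pointing SLE Micro at the SLES cryptofs chapter is intentional because of its SLES base, say so in the commit message or a YAML comment; otherwise use a SLE Micro link. Consider pinning `sle15` to its newest service pack or the unversioned page so the reference does not age. Splitting the old combined `sle12`/`sle15` branch into per-product links is the right shape.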
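Review bot: the `GRUB_CMDLINE_LINUX_DEFAULT` example in the fixtext `@@ -104` hunk shows a complete kernel command line (`apparmor=0`, `mitigations=auto`, two `crashkernel=` values) that a reader is likely to paste verbatim, which would replace their existing parameters and in particular disable AppArmor; reword it to append `fips=1` to the existing value and show only that token, e.g. `GRUB_CMDLINE_LINUX_DEFAULT="... fips=1"`. In the same hunk, "Add of modify" should read "Add or modify", and the FIPS-mode steps (`microos-fips` pattern, `fips=1`, reboot) are not part of encrypting partitions; if a separate FIPS rule exists for slmicro5, cross-reference it rather than duplicating the procedure here. Minor: `{{% if "slmicro" in product %}}` uses double quotes where the neighbouring conditionals use single quotes.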
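Review bot: `$ sudo more /etc/cryptab` in the checktext `@@ -112` hunk is a typo for `/etc/crypttab` (the prose two lines below uses the correct name), and `sudo sysctl - a | grep fips` has a stray space (`sysctl -a`) and lacks the `$ ` prompt the other commands use. The sample blkid output is also malformed: blkid prints `UUID="..."`, not `"UUID=..."`, so it should read `/dev/sda1: UUID="26d4a101-7f48-4394-b730-56dc00e65f64" TYPE="crypto_LUKS"`. A caveat worth adding to the text: once the volumes are unlocked, blkid also lists the mapped devices (`/dev/mapper/cr_root` and so on) with their plain filesystem type, so the assessor should check only the underlying partitions for `crypto_LUKS` and not count the mapper devices as unencrypted. Finally, the replaced `{{% if 'ubuntu' in product -%}}` had whitespace trimming (`-%}}`) that the new `{{% elif 'ubuntu' in product %}}` drops; check the rendered ubuntu checktext still looks right.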