diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 29bd8d72ebe..ac2390797e0 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -197,8 +197,9 @@ controls:
All SLEM 5 persistent disk partitions must implement cryptographic mechanisms
to prevent unauthorized disclosure or modification of all information that requires
at-rest protection.
- rules: []
- status: pending
+ rules:
+ - encrypt_partitions
+ status: automated
- id: SLEM-05-231045
levels:
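Review bot: `status: automated` on this control is not backed by anything visible in the patch. The slmicro checktext added to encrypt_partitions in this same change is a manual inspection (an operator reading blkid, crypttab and fdisk output), and no automated check for the rule is added here. If the rule has no automated check for slmicro5, use a status that reflects manual verification so the coverage report is accurate; otherwise, name the check that backs it in the PR description.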
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
index fa03c9518d7..2cb9640c732 100644
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
@@ -13,7 +13,7 @@ description: |-
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered manually
every time the system boots.
- {{% if product not in ["sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+ {{% if product not in ["sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"] %}}
For automated/unattended installations, it is possible to use Kickstart by adding
the --encrypted and --passphrase= options to the definition of each partition to be
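Review bot: The `product not in [...]` line hard-codes "slmicro5", while the fixtext and checktext conditionals added later in this patch test `"slmicro" in product`. The two forms will diverge as soon as another SLE Micro product id exists: it would receive the slmicro fixtext and also the Kickstart paragraph. Use one form throughout the rule, or add a comment explaining why this condition is pinned to a single version.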
@@ -36,8 +36,12 @@ description: |-
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/install/install-InstallingOracleLinuxManually.html#system-options") }}}
{{% elif product == "ol9" %}}
{{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/9/install/install-InstallingOracleLinuxManually.html#system-options") }}}
- {{% elif product in ["sle12", "sle15"] %}}
- {{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}}
+ {{% elif product == "sle12" %}}
+ {{{ weblink(link="https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-security-cryptofs.html") }}}
+ {{% elif product == "sle15" %}}
+ {{{ weblink(link="https://documentation.suse.com/sles/15-SP2/html/SLES-all/cha-security-cryptofs.html") }}}
+ {{% elif product == "slmicro5" %}}
+ {{{ weblink(link="https://documentation.suse.com/sles/15-SP3/html/SLES-all/cha-security-cryptofs.html") }}}
{{% elif 'ubuntu' in product %}}
{{{ weblink(link="https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019") }}}
{{% elif product == "fedora" %}}
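Review bot: The `product == "slmicro5"` branch links to the SLES 15-SP3 security guide rather than to SLE Micro documentation, and the sle12 and sle15 branches are pinned to specific service packs (12-SP5, 15-SP2). If the SLES chapter is the intended reference for SLE Micro, say so in the commit message; the partitioning workflow it describes may not match a transactional system. Consider whether the service-pack-specific URLs should track the versions the profiles actually target, so they do not go stale.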
@@ -59,6 +63,7 @@ identifiers:
cce@rhel10: CCE-89165-5
cce@sle12: CCE-83046-3
cce@sle15: CCE-85719-3
+ cce@slmicro5: CCE-93760-7
references:
cis-csc: 13,14
@@ -104,6 +109,22 @@ fixtext: |-
Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed.
To encrypt an entire partition, dedicate a partition for encryption in the partition layout.
+ {{% if "slmicro" in product %}}
+ The standard partitioning proposal as suggested by YaST (installation and configuration tool for Linux) does not include an encrypted
+ partition by default. Add it manually in the partitioning dialog.
+
+ The following set of commands will switch {{{ full_name }}} to work in FIPS mode:
+
$ sudo transactional-update pkg install -t pattern microos-fips+
$ sudo reboot+ + Add of modify the following line in the "/etc/default/grub" file to include "fips=1": +
GRUB_CMDLINE_LINUX_DEFAULT="splash=silent swapaccount=1 apparmor=0 mitigations=auto quiet crashkernel=195M,high crashkernel=72M,low fips=1"+
$ sudo transactional-update grub.cfg+
$ sudo reboot+ + {{% endif %}} + + srg_requirement: |- {{{ full_name }}} local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection. @@ -112,7 +133,36 @@ checktext: |- If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable. - {{% if 'ubuntu' in product -%}} + {{% if "slmicro" in product %}} + Verify that the system partitions are all encrypted with the following commands: +
$ sudo blkid+
$ sudo more /etc/cryptab+
sudo sysctl - a | grep fips+
$ sudo fdisk -ldiff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt index e2048cb7e6f..fa97cd1984b 100644 --- a/shared/references/cce-slmicro5-avail.txt +++ b/shared/references/cce-slmicro5-avail.txt @@ -21,7 +21,6 @@ CCE-93722-7 CCE-93726-8 CCE-93743-3 CCE-93757-3 -CCE-93760-7 CCE-93762-3 CCE-93763-1 CCE-93764-9
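Review bot: In the slmicro fixtext block, the remediation for an at-rest encryption rule consists almost entirely of FIPS-mode setup and gives no procedure for creating the encrypted partition beyond "Add it manually in the partitioning dialog". The sample `GRUB_CMDLINE_LINUX_DEFAULT` line also carries `apparmor=0` plus site-specific `crashkernel` values, so an administrator who copies it verbatim would disable AppArmor while trying to satisfy this control. Instruct the reader to append `fips=1` to the existing value instead of replacing the whole line. "Add of modify" should read "Add or modify".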
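Review bot: In the slmicro checktext block, `/etc/cryptab` is misspelled (the file is /etc/crypttab), and `sudo sysctl - a | grep fips` has a stray space in `- a` and lacks the `$` prompt used on the other command lines. Neither command will work as written, so an auditor following the text cannot complete the check. The FIPS sysctl output also says nothing about whether a partition is encrypted; if it stays in the check, state what it is meant to establish for this requirement.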