Update of the rule encrypt_partitions to support SLEM

Author: rumch-se

controls/stig_slmicro5.yml

@@ -197,8 +197,9 @@ controls:
           All SLEM 5 persistent disk partitions must implement cryptographic mechanisms
           to prevent unauthorized disclosure or modification of all information that requires
           at-rest protection.
-      rules: []
-      status: pending
+      rules: 
+          - encrypt_partitions
+      status: automated
 
     - id: SLEM-05-231045
       levels:

linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml

@@ -13,7 +13,7 @@ description: |-
     option is selected the system will prompt for a passphrase to use in
     decrypting the partition. The passphrase will subsequently need to be entered manually
     every time the system boots.
-    {{% if product not in ["sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+    {{% if product not in ["sle12", "sle15", "slmicro5",  "ubuntu2004", "ubuntu2204"] %}}
     <br /><br />
     For automated/unattended installations, it is possible to use Kickstart by adding
     the <tt>--encrypted</tt> and <tt>--passphrase=</tt> options to the definition of each partition to be
@@ -36,8 +36,12 @@ description: |-
         {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/install/install-InstallingOracleLinuxManually.html#system-options") }}}
     {{% elif product == "ol9" %}}
         {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/9/install/install-InstallingOracleLinuxManually.html#system-options") }}}
-    {{% elif product in ["sle12", "sle15"] %}}
-        {{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}}
+    {{% elif product == "sle12" %}}
+        {{{ weblink(link="https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-security-cryptofs.html") }}}
+    {{% elif product == "sle15" %}}
+        {{{ weblink(link="https://documentation.suse.com/sles/15-SP2/html/SLES-all/cha-security-cryptofs.html") }}}
+    {{% elif product == "slmicro5" %}}
+        {{{ weblink(link="https://documentation.suse.com/sles/15-SP3/html/SLES-all/cha-security-cryptofs.html") }}}
     {{% elif 'ubuntu' in product %}}
         {{{ weblink(link="https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019") }}}
     {{% elif product == "fedora" %}}
@@ -59,6 +63,7 @@ identifiers:
     cce@rhel10: CCE-89165-5
     cce@sle12: CCE-83046-3
     cce@sle15: CCE-85719-3
+    cce@slmicro5: CCE-93760-7
 
 references:
     cis-csc: 13,14
@@ -104,6 +109,22 @@ fixtext: |-
     Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed.
     To encrypt an entire partition, dedicate a partition for encryption in the partition layout.
 
+    {{% if "slmicro" in product %}}
+    The standard partitioning proposal as suggested by YaST (installation and configuration tool for Linux) does not include an encrypted 
+    partition by default. Add it manually in the partitioning dialog.
+    
+    The following set of commands will switch {{{ full_name }}} to work in FIPS mode:
+    <pre>$ sudo transactional-update pkg install -t pattern microos-fips</pre>
+    <pre>$ sudo reboot</pre>
+
+    Add of modify the following line in the "/etc/default/grub" file to include "fips=1":
+    <pre>GRUB_CMDLINE_LINUX_DEFAULT="splash=silent swapaccount=1 apparmor=0 mitigations=auto quiet crashkernel=195M,high crashkernel=72M,low fips=1"</pre>
+    <pre>$ sudo transactional-update grub.cfg</pre>
+    <pre>$ sudo reboot</pre>
+
+    {{% endif %}}
+
+
 srg_requirement: |-
     {{{ full_name }}} local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.
 
@@ -112,7 +133,36 @@ checktext: |-
 
     If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable.
 
-    {{% if 'ubuntu' in product -%}}
+    {{% if "slmicro" in product %}}
+    Verify that the system partitions are all encrypted with the following commands:
+    <pre>$ sudo blkid</pre>
+    <br /><br />
+    Output will be similar to:
+    /dev/sda1: "UUID=26d4a101-7f48-4394-b730-56dc00e65f64" TYPE="crypto_LUKS"
+    /dev/sda2: "UUID=f5b8a790-14cb-4b82-882d-707d52f27765" TYPE="crypto_LUKS"
+    /dev/sda3: "UUID=f2d86128-f975-478d-a5b0-25806c900eac" TYPE="crypto_LUKS"
+
+    Every persistent disk partition present must be of type "crypto_LUKS". 
+    If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) or temporary file systems (that are tmpfs) 
+    are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. 
+    If there is no evidence that these partitions are encrypted, this is a finding.
+
+    <pre>$ sudo more /etc/cryptab</pre>
+    <br /><br />
+    Output will be similar to:    
+    cr_root UUID=26d4a101-7f48-4394-b730-56dc00e65f64
+    cr_home UUID=f5b8a790-14cb-4b82-882d-707d52f27765
+    cr_swap UUID=f2d86128-f975-478d-a5b0-25806c900eac    
+    
+    Every persistent disk partition present on the system must have an entry in the /etc/crypttab file. 
+    If any partitions other than pseudo file systems (such as /proc or /sys) are not listed or "/etc/crypttab" does not exist, this is a finding.
+
+    Verify the system works in FIPS mode with the following command:
+    <pre>sudo sysctl - a | grep fips</pre>
+    <br /><br />
+    crypto.fips_enabled = 1
+
+    {{% elif 'ubuntu' in product %}}
     Determine the partition layout for the system with the following command:
     <pre>$ sudo fdisk -l</pre>
 

shared/references/cce-slmicro5-avail.txt

@@ -21,7 +21,6 @@ CCE-93722-7
 CCE-93726-8
 CCE-93743-3
 CCE-93757-3
-CCE-93760-7
 CCE-93762-3
 CCE-93763-1
 CCE-93764-9