NixOS must protect the confidentiality and integrity of all information at rest.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-268144 | ANIX-00-001010 | SV-268144r1039320_rule | CCI-001199 | high |
| Description | ||||
| Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184, SRG-OS-000780-GPOS-00240 | ||||
| STIG | Date | |||
| Anduril NixOS Security Technical Implementation Guide | 2024-10-25 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
SC-28
1.00
- DISA · 1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.13.16
1.00
- DISA · 1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-001199
1.00
- DISA · 1 · disa_xccdf · related
Details
Check Text (C-268144r1039320_chk)
Verify NixOS prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption.
Verify all system partitions are encrypted with the following command:
$ sudo blkid
/dev/sda1: LABEL="nixos" UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS"
Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding.
Fix Text (F-71971r1039319_fix)
Configure NixOS to prevent unauthorized modification of all information at rest by using disk encryption.
Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout.
Refer to the NixOS manual Section 8.1 "LUKS-Encrypted File Systems" for further details.
NixOS Wiki: https://nixos.wiki/wiki/Full_Disk_Encryption