NixOS must protect the confidentiality and integrity of all information at rest.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-268144	SRG-OS-000185-GPOS-00079	ANIX-00-001010	SV-268144r1039320_rule	2024-10-25	1

Description
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184, SRG-OS-000780-GPOS-00240

Description

Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information. Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184, SRG-OS-000780-GPOS-00240

ℹ️ Check
Verify NixOS prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. Verify all system partitions are encrypted with the following command: $ sudo blkid /dev/sda1: LABEL="nixos" UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS" Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding.

ℹ️ Check

Verify NixOS prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. Verify all system partitions are encrypted with the following command: $ sudo blkid /dev/sda1: LABEL="nixos" UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS" Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding.

✔️ Fix
Configure NixOS to prevent unauthorized modification of all information at rest by using disk encryption. Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. Refer to the NixOS manual Section 8.1 "LUKS-Encrypted File Systems" for further details. NixOS Wiki: https://nixos.wiki/wiki/Full_Disk_Encryption

✔️ Fix

Configure NixOS to prevent unauthorized modification of all information at rest by using disk encryption. Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. Refer to the NixOS manual Section 8.1 "LUKS-Encrypted File Systems" for further details. NixOS Wiki: https://nixos.wiki/wiki/Full_Disk_Encryption