NixOS must protect the confidentiality and integrity of all information at rest.
An XCCDF Rule
Description
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.

Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184, SRG-OS-000780-GPOS-00240
- ID: SV-268144r1039320_rule
- Version: ANIX-00-001010
- Severity: High
- References
- Updated
Remediation Templates
A Manual Procedure
Configure NixOS to prevent unauthorized modification of all information at rest by using disk encryption.
Encrypting a partition on an already installed system is more difficult, because the existing partitions will need to be resized and rewritten. To encrypt an entire partition, dedicate a partition to encryption when planning the partition layout.
Refer to the NixOS manual Section 8.1 "LUKS-Encrypted File Systems" for further details.
NixOS Wiki: https://nixos.wiki/wiki/Full_Disk_Encryption
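The following is an added example of the kind of NixOS configuration the manual's LUKS section describes; it is not text from the STIG, the NixOS manual, or the wiki. It assumes the root partition was formatted with `cryptsetup luksFormat` during installation and opened as `/dev/mapper/cryptroot`, that a filesystem was then created on that mapper device, and that a separate unencrypted `/boot` partition exists. The mapper name and both UUIDs are placeholders to be replaced with the values `blkid` reports on the installed system.

```nix
# Added example (not the STIG's or the NixOS project's own text): a minimal
# configuration.nix fragment that places the root filesystem on a LUKS container.
# Assumptions: the partition was prepared with
#   cryptsetup luksFormat /dev/disk/by-uuid/<LUKS-UUID-PLACEHOLDER>
# opened as /dev/mapper/cryptroot, and formatted with ext4. The mapper name
# "cryptroot" and the <...-PLACEHOLDER> UUIDs are placeholders, not real values.
{ config, pkgs, ... }:

{
  # Unlock the LUKS container from the initrd, before the root filesystem is mounted.
  # The passphrase is requested interactively at boot.
  boot.initrd.luks.devices."cryptroot" = {
    device = "/dev/disk/by-uuid/<LUKS-UUID-PLACEHOLDER>";
  };

  # The root filesystem is mounted from the decrypted mapper device,
  # never from the raw (ciphertext) partition.
  fileSystems."/" = {
    device = "/dev/mapper/cryptroot";
    fsType = "ext4";
  };

  # /boot must stay readable by the bootloader, so it is a separate
  # unencrypted partition holding only the kernel and initrd.
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/<BOOT-UUID-PLACEHOLDER>";
    fsType = "vfat";
  };

  # Swap also holds data at rest (paged-out memory). Encrypting it with a
  # random key generated at every boot keeps its contents unrecoverable after
  # shutdown without needing a second passphrase.
  swapDevices = [
    {
      device = "/dev/disk/by-uuid/<SWAP-UUID-PLACEHOLDER>";
      randomEncryption.enable = true;
    }
  ];
}
```

After `nixos-rebuild switch` and a reboot, `lsblk -f` should show `/` mounted from a device of type `crypt` rather than directly from a partition, and `cryptsetup status cryptroot` should report the container as active. Note that LUKS protects the confidentiality and integrity of the data it contains but not the unencrypted `/boot` partition; the kernel and initrd stored there remain outside the scope of this control and need to be covered by a separate boot-integrity mechanism if that is required.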