The operating system must use cryptographic mechanisms to protect and restrict access to information on portable digital media.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-216411	SOL-11.1-060140	SV-216411r959010_rule		Medium

Description
When data is written to portable digital media, such as thumb drives, floppy diskettes, compact disks, and magnetic tape, etc., there is risk of data loss. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection. The employment of cryptography is at the discretion of the information owner/steward. When the organization has determined the risk warrants it, data written to portable digital media must be encrypted.

Description

When data is written to portable digital media, such as thumb drives, floppy diskettes, compact disks, and magnetic tape, etc., there is risk of data loss. An organizational assessment of risk guides the selection of media and associated information contained on the media requiring restricted access. Organizations need to document in policy and procedures the media requiring restricted access, individuals authorized to access the media, and the specific measures taken to restrict access. Fewer protection measures are needed for media containing information determined by the organization to be in the public domain, to be publicly releasable, or to have limited or no adverse impact if accessed by other than authorized personnel. In these situations, it is assumed the physical access controls where the media resides provide adequate protection. The employment of cryptography is at the discretion of the information owner/steward. When the organization has determined the risk warrants it, data written to portable digital media must be encrypted.

STIG	Date
Solaris 11 SPARC Security Technical Implementation Guide	2024-05-30

Details

Check Text ( C-17647r371321_chk )
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Determine the logical node of all attached removable media: # rmformat This command lists all attached removable devices. Note the device logical node name. For example: /dev/rdsk/c8t0d0p0 Determine which zpool is mapped to the device: # zpool status Determine the file system names of the portable digital media: # zfs list \| grep [poolname] Using the file system name, determine if the removal media is encrypted: # zfs get encryption [filesystem] If "encryption off" is listed, this is a finding.

Check Text ( C-17647r371321_chk )

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Determine the logical node of all attached removable media:

# rmformat

This command lists all attached removable devices. Note the device logical node name. For example: /dev/rdsk/c8t0d0p0

Determine which zpool is mapped to the device:

# zpool status

Determine the file system names of the portable digital media:

# zfs list | grep [poolname]

Using the file system name, determine if the removal media is encrypted:

# zfs get encryption [filesystem]

If "encryption off" is listed, this is a finding.

Fix Text (F-17645r371322_fix)
The root role is required. Format a removable device as a ZFS encrypted file system. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. The ZFS File System Management and ZFS Storage management profiles are required. Insert the removable device: # rmformat This command lists all attached removable devices. Note the device logical node name. For example: /dev/rdsk/c8t0d0p0 Create an encrypted zpool on this device using a poolname of your choice: # pfexec zpool create -O encryption=on [poolname] c8t0d0p0 Enter a passphrase and confirm the passphrase. Keep the passphrase secure. Export the zpool before removing the media: # pfexec export [poolname] It will be necessary to enter the passphrase when inserting and importing the removable media zpool: Insert the removable media # pfexec import [poolname] Only store data in the encrypted file system.

Fix Text (F-17645r371322_fix)

The root role is required.

Format a removable device as a ZFS encrypted file system.

This action applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this action applies.

The ZFS File System Management and ZFS Storage management profiles are required.

Insert the removable device:

# rmformat

This command lists all attached removable devices. Note the device logical node name. For example: /dev/rdsk/c8t0d0p0

Create an encrypted zpool on this device using a poolname of your choice:

# pfexec zpool create -O encryption=on [poolname] c8t0d0p0

Enter a passphrase and confirm the passphrase. Keep the passphrase secure.

Export the zpool before removing the media:

# pfexec export [poolname]

It will be necessary to enter the passphrase when inserting and importing the removable media zpool:
Insert the removable media
# pfexec import [poolname]

Only store data in the encrypted file system.