1.3.1 Ensure dm-verity is configured

Information

dm-verity provides transparent integrity checking of block devices using a cryptographic digest. Because dm-verity devices are read-only, filesystems mounted from the devices are also read-only.

Rationale:

Using dm-verity prevents direct modification of the root filesystem. Indirect modifications, whether accidental or malicious, can be detected: if corrupt blocks are found, the system can be rebooted.
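As an added example (not part of the benchmark item), the following POSIX shell audit checks whether "/" is mounted read-only from a device-mapper device whose target type is verity. It parses the text of /proc/mounts and of `dmsetup table`; the two sample inputs below are constructed so the script runs offline, and on a live host you would pass the real command output instead.

```shell
#!/bin/sh
# Added audit helper for "dm-verity is configured" (not CIS/Tenable code).
# Assumption: on a real host, dmsetup(8) prints "name: start length target args...".

# Constructed sample of /proc/mounts: root on a dm device, mounted read-only.
SAMPLE_MOUNTS='/dev/mapper/rootfs / ext4 ro,relatime 0 0
/dev/sda4 /data ext4 rw,relatime 0 0'

# Constructed sample of `dmsetup table`: rootfs is a verity target, data is linear.
SAMPLE_TABLE='rootfs: 0 4194304 verity 1 /dev/sda2 /dev/sda3 4096 4096 524288 1 sha256 PLACEHOLDER_ROOT_HASH PLACEHOLDER_SALT
data: 0 8388608 linear /dev/sda4 0'

# Print the device-mapper name backing "/" (empty if "/" is not on /dev/mapper/*).
root_dm_name() {
  printf '%s\n' "$1" | awk '$2 == "/" && index($1, "/dev/mapper/") == 1 {
    print substr($1, 13); exit }'
}

# Return 0 if the named dm device has target type "verity" in the table text.
dm_target_is_verity() {
  printf '%s\n' "$1" | awk -v n="$2:" '$1 == n && $4 == "verity" { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# Return 0 if "/" is on a dm device with a verity target AND is mounted read-only.
audit_root_verity() {
  mounts="$1"; table="$2"
  name=$(root_dm_name "$mounts")
  [ -n "$name" ] || return 1
  dm_target_is_verity "$table" "$name" || return 1
  printf '%s\n' "$mounts" | awk -v d="/dev/mapper/$name" '$1 == d && $2 == "/" {
    n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1 }
    END { exit ro ? 0 : 1 }'
}

# Demonstration on the constructed data; on a live host use:
#   audit_root_verity "$(cat /proc/mounts)" "$(dmsetup table)"
if audit_root_verity "$SAMPLE_MOUNTS" "$SAMPLE_TABLE"; then
  echo "PASS: / is a read-only dm-verity mount"
else
  echo "FAIL: / is not backed by a read-only dm-verity target"
fi
```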

Solution

Replace the system or reinstall the distribution.

See Also

https://workbench.cisecurity.org/benchmarks/6709

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: Unix

Control ID: e539d680a2fc68be7250731d6191be827d730292faf2bfa29347600c1ec98ac3