The ESXi host must use sufficient entropy for cryptographic operations.
An XCCDF Rule
Description
<VulnDiscussion>Starting in vSphere 8.0, the ESXi Entropy implementation supports the FIPS 140-3 and EAL4 certifications. Kernel boot options control which entropy sources to activate on an ESXi host. In computing, the term "entropy" refers to random characters and data that are collected for use in cryptography, such as generating encryption keys to secure data transmitted over a network. Entropy is required by security for generating keys and communicating securely over the network. Entropy is often collected from a variety of sources on a system. FIPS entropy handling is the default behavior if the following conditions are true: -The hardware supports RDSEED. -The disableHwrng VMkernel boot option is not present or is FALSE. -The entropySources VMkernel boot option is not present or is 0 (zero).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-258799r933458_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
From an ESXi shell, run the following commands:
# esxcli system settings kernel set -s disableHwrng -v FALSE
# esxcli system settings kernel set -s entropySources -v 0
or