Skip to content

Enable the Hardware RNG Entropy Gatherer Service

An XCCDF Rule

Description

The Hardware RNG Entropy Gatherer service should be enabled. The rngd service can be enabled with the following command:

$ sudo systemctl enable rngd.service

warning alert: Warning

For RHEL versions 8.4 and above running with kernel FIPS mode enabled this rule is not applicable. The in-kernel deterministic random bit generator (DRBG) is used in FIPS mode instead. Consequently, the rngd service can't be started in FIPS mode.

Rationale

The rngd service feeds random data from hardware device to kernel random device.

ID
xccdf_org.ssgproject.content_rule_service_rngd_enabled
Severity
Low
References
Updated



Remediation - OS Build Blueprint


[customizations.services]
enabled = ["rngd"]

Remediation - Ansible

- name: Enable service rngd
  block:

  - name: Gather the package facts
    package_facts:
      manager: auto

Remediation - Puppet

include enable_rngd

class enable_rngd {
  service {'rngd':
    enable => true,
    ensure => 'running',

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.3"; printf "%s\n%s" "$real" "$expected" | sort -VC; }; }; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'rngd.service'
"$SYSTEMCTL_EXEC" start 'rngd.service'