Enable the Hardware RNG Entropy Gatherer Service
An XCCDF Rule
Description
The Hardware RNG Entropy Gatherer service should be enabled.
The rngd
service can be enabled with the following command:
$ sudo systemctl enable rngd.service
warning alert: Warning
For RHEL versions 8.4 and above running with kernel FIPS mode enabled this rule is not applicable.
The in-kernel deterministic random bit generator (DRBG) is used in FIPS mode instead.
Consequently, the rngd service can't be started in FIPS mode.
Rationale
The rngd
service
feeds random data from hardware device to kernel random device.
- ID
- xccdf_org.ssgproject.content_rule_service_rngd_enabled
- Severity
- Low
- Updated
Remediation - OS Build Blueprint
[customizations.services]
enabled = ["rngd"]
Remediation - Ansible
- name: Enable service rngd
block:
- name: Gather the package facts
package_facts:
manager: auto
Remediation - Puppet
include enable_rngd
class enable_rngd {
service {'rngd':
enable => true,
ensure => 'running',
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.3"; printf "%s\n%s" "$real" "$expected" | sort -VC; }; }; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'rngd.service'
"$SYSTEMCTL_EXEC" start 'rngd.service'