Enable the Hardware RNG Entropy Gatherer Service
An XCCDF Rule
Description
The Hardware RNG Entropy Gatherer service should be enabled.
The rngd service can be enabled with the following command:
$ sudo systemctl enable rngd.service
warning alert: Warning
For RHEL versions 8.4 and above running with kernel FIPS mode enabled this rule is not applicable.
The in-kernel deterministic random bit generator (DRBG) is used in FIPS mode instead.
Consequently, the rngd service can't be started in FIPS mode.
Rationale
The rngd service
feeds random data from hardware device to kernel random device.
- ID
- xccdf_org.ssgproject.content_rule_service_rngd_enabled
- Severity
- Low
- Updated
Remediation - Puppet
include enable_rngd
class enable_rngd {
service {'rngd':
enable => true,
ensure => 'running',
Remediation - script:kickstart
service enable rngd
Remediation - OS Build Blueprint
[customizations.services]
enabled = ["rngd"]
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- DISA-STIG-RHEL-08-010471
- enable_strategy
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel && { grep -qP "^ID=[\"']?rhel[\"']?$" "/etc/os-release" && { real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"; expected="8.3"; printf "%s\n%s" "$real" "$expected" | sort -VC; }; }; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'rngd.service'
"$SYSTEMCTL_EXEC" start 'rngd.service'