
Configure kernel to trust the CPU random number generator

An XCCDF Rule

Description

There are two ways to ensure that the Linux kernel trusts the CPU hardware random number generator. If the option is compiled into the kernel, i.e. CONFIG_RANDOM_TRUST_CPU is set to y, make sure that it is not overridden with a boot parameter: the boot parameter random.trust_cpu=off must not be present. If the option is not compiled in, make sure that random.trust_cpu=on is configured as a boot parameter. To ensure that random.trust_cpu=on is added as a kernel command line argument to newly installed kernels, add random.trust_cpu=on to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:

GRUB_CMDLINE_LINUX="... random.trust_cpu=on ..."
Run the following command to update the command line for already installed kernels:
# grubby --update-kernel=ALL --args="random.trust_cpu=on"
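The two-branch logic above (compiled in: no "off" override; not compiled in: explicit "on") is easy to get wrong when checking by eye, so here is an added example of a check script. It is not part of the SSG rule content or its OVAL check; the function names (cmdline_trust_cpu, config_trust_cpu, trust_cpu_check, live_trust_cpu_check) and the sample config and command lines are assumptions made for this example. The kernel config and command line are passed in as text so the logic can be exercised offline against constructed inputs as well as against the running system.

```shell
#!/bin/sh
# Added example (not part of the SSG rule): evaluate the rule's logic for
# random.trust_cpu. Inputs are passed as strings so the functions can be
# run against the live kernel or against constructed test data.

# cmdline_trust_cpu CMDLINE
# Prints the effective random.trust_cpu setting on a kernel command line:
# "on", "off", or "absent". The last occurrence wins, as in the kernel's
# parameter parsing, and the spellings accepted for a boolean parameter
# (1/0, y/n, yes/no, on/off) are all recognised.
cmdline_trust_cpu() {
    param=$(printf '%s\n' "$1" | tr ' \t' '\n\n' \
            | grep -E '^random\.trust_cpu(=.*)?$' | tail -n 1)
    if [ -z "$param" ]; then
        echo absent
        return 0
    fi
    value="${param#random.trust_cpu}"
    value="${value#=}"
    case "$value" in
        ''|on|1|y|Y|yes|Yes) echo on ;;     # bare "random.trust_cpu" means on
        off|0|n|N|no|No)    echo off ;;
        *)                  echo absent ;;  # unparseable value: kernel rejects it,
                                            # so the default stays in effect
    esac
}

# config_trust_cpu CONFIG_TEXT
# Prints "y" if CONFIG_RANDOM_TRUST_CPU is built in, "n" otherwise
# (including the "# CONFIG_RANDOM_TRUST_CPU is not set" form and a config
# that lacks the symbol entirely).
config_trust_cpu() {
    if printf '%s\n' "$1" | grep -q '^CONFIG_RANDOM_TRUST_CPU=y$'; then
        echo y
    else
        echo n
    fi
}

# trust_cpu_check CONFIG_TEXT CMDLINE
# Applies the rule: compiled in  => must not be overridden with "off";
#                   not compiled => must be explicitly "on".
# Prints "pass" or "fail" and returns 0 or 1 accordingly.
trust_cpu_check() {
    compiled=$(config_trust_cpu "$1")
    setting=$(cmdline_trust_cpu "$2")
    if [ "$compiled" = y ]; then
        if [ "$setting" = off ]; then result=fail; else result=pass; fi
    else
        if [ "$setting" = on ]; then result=pass; else result=fail; fi
    fi
    echo "$result"
    [ "$result" = pass ]
}

# Check the running kernel: config from /boot or /proc/config.gz, command
# line from /proc/cmdline. Only runs when the script is invoked with --live.
live_trust_cpu_check() {
    cfg=$( { cat "/boot/config-$(uname -r)" || zcat /proc/config.gz; } 2>/dev/null || true )
    trust_cpu_check "$cfg" "$(cat /proc/cmdline)"
}

case "${1:-}" in
    --live) live_trust_cpu_check ;;
esac
```

Two caveats when using the live check. It reads /proc/cmdline, i.e. the command line of the kernel that is currently booted; the grubby command on this page changes what the next boot will use, so re-run after a reboot (or inspect the entries under /boot/loader/entries) to confirm the remediation took. And on kernels where CONFIG_RANDOM_TRUST_CPU no longer exists (it was removed in Linux 6.2, with the boot parameter kept and now defaulting to on), config_trust_cpu reports "n" and the check demands the explicit random.trust_cpu=on that the rule's remediation adds, which is the conservative reading of the rule.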

Rationale

The Linux kernel offers an option which signifies whether the kernel should trust data provided by the CPU hardware random number generator. Hardware random number generators can provide random data very quickly and are used to generate random cryptographic keys. They are especially useful at boot time, when other means of getting random data can be slow because there is not yet enough entropy in the system. The trade-off is that the kernel then credits entropy from a source whose internals cannot be inspected, so enabling this option is a decision to trust the CPU vendor's RNG implementation rather than only the kernel's own entropy collection.

ID
xccdf_org.ssgproject.content_rule_grub2_kernel_trust_cpu_rng
Severity
Medium
References
Updated



Remediation - OS Build Blueprint

[customizations.kernel]
append = "random.trust_cpu=on"

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - grub2_kernel_trust_cpu_rng
  - low_disruption

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

grubby --update-kernel=ALL --args=random.trust_cpu=on --env=/boot/grub2/grubenv

else