Enable the Hardware RNG Entropy Gatherer Service
An XCCDF Rule
Description
The Hardware RNG Entropy Gatherer service should be enabled. The rngd service can be enabled with the following command:
$ sudo systemctl enable rngd.service
Warning: for RHEL versions 8.4 and above running with kernel FIPS mode enabled, this rule is not applicable.
In FIPS mode the in-kernel deterministic random bit generator (DRBG) is used instead.
Consequently, the rngd service cannot be started in FIPS mode.
Rationale
The rngd service (from the rng-tools package) feeds random data from a hardware random number generator, such as /dev/hwrng, into the kernel random device, so the kernel entropy pool is seeded from a hardware source.
- ID: xccdf_org.ssgproject.content_rule_service_rngd_enabled
- Severity: Low
- Updated
Remediation Templates
script:kickstart
service enable rngd
OS Build Blueprint
[customizations.services]
enabled = ["rngd"]
A Puppet Snippet
include enable_rngd
class enable_rngd {
  service {'rngd':
    enable => true,
    ensure => 'running',
  }
}
An Ansible Snippet
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-82831-9
  - DISA-STIG-RHEL-08-010471
A Shell Script
# Remediation is applicable only in certain platforms: the kernel package is
# installed, /etc/os-release reports ID=rhel, and VERSION_ID is at most 8.3
# (sort -VC succeeds only when "$real" sorts at or before "$expected").
if rpm --quiet -q kernel \
   && grep -qP "^ID=[\"']?rhel[\"']?$" /etc/os-release \
   && {
        real="$(grep -P "^VERSION_ID=[\"']?[\w.]+[\"']?$" /etc/os-release \
                | sed "s/^VERSION_ID=[\"']\?\([^\"']\+\)[\"']\?$/\1/")"
        expected="8.3"
        printf "%s\n%s" "$real" "$expected" | sort -VC
      }; then
    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    # Unmask first: a masked unit can be neither started nor enabled.
    "$SYSTEMCTL_EXEC" unmask 'rngd.service'
    "$SYSTEMCTL_EXEC" start 'rngd.service'
    "$SYSTEMCTL_EXEC" enable 'rngd.service'
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
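To verify the result, and to apply the FIPS-mode exemption stated in the warning above, the following bash script is an added example (not part of the SSG rule content or its remediations). It decides whether the rule applies to a host, treating RHEL 8.4 or newer with kernel FIPS mode on as not applicable, and otherwise checks that rngd.service is both enabled and running, the way a scanner would report it. It assumes the VERSION_ID field of /etc/os-release and the kernel's /proc/sys/crypto/fips_enabled flag; both paths are parameters so the functions can be exercised against constructed files rather than the live host. The function names are the example's own.

```shell
#!/bin/bash
# Added verification example (not part of the SSG rule or its remediations).
# Decides whether the rngd rule applies to a host, following the warning on
# this page (RHEL 8.4+ in kernel FIPS mode is exempt), then checks that
# rngd.service is enabled and running. File paths are parameters so the
# functions can be exercised against constructed inputs instead of the live host.

# version_ge A B: succeed when dotted version A is >= B (compared with sort -V,
# so 8.10 is correctly treated as newer than 8.4).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | tail -n 1)" = "$1" ]
}

# os_version_id [FILE]: print VERSION_ID from an os-release file, quotes stripped.
os_version_id() {
    grep '^VERSION_ID=' "${1:-/etc/os-release}" | cut -d= -f2 | tr -d "\"'"
}

# fips_enabled [FILE]: print 1 when the kernel FIPS flag reads 1, otherwise 0
# (an unreadable flag file counts as FIPS off).
fips_enabled() {
    local flag="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# rngd_rule_applies VERSION_ID FIPS: succeed when the rule applies. The only
# exemption is RHEL 8.4 or newer with FIPS mode on, where the in-kernel DRBG
# is used and rngd cannot start.
rngd_rule_applies() {
    if version_ge "$1" "8.4" && [ "$2" = "1" ]; then
        return 1
    fi
    return 0
}

# check_rngd_rule [OS_RELEASE] [FIPS_FLAG]: print notapplicable, pass or fail,
# and exit non-zero only on fail, mirroring a scanner result.
check_rngd_rule() {
    local ver fips
    ver="$(os_version_id "$1")"
    fips="$(fips_enabled "$2")"
    if ! rngd_rule_applies "$ver" "$fips"; then
        echo notapplicable
        return 0
    fi
    # Both conditions matter: "enabled" covers the next boot, "active" covers now.
    if systemctl is-enabled --quiet rngd.service 2>/dev/null \
       && systemctl is-active --quiet rngd.service 2>/dev/null; then
        echo pass
        return 0
    fi
    echo fail
    return 1
}

# Evaluate the live host when invoked as: ./rngd_check.sh check
case "${1:-}" in
    check) check_rngd_rule ;;
esac
```

Note that this check follows the warning's condition (FIPS mode on RHEL 8.4+), whereas the shell remediation above only runs on RHEL 8.3 and older; on a non-FIPS RHEL 8.4+ host the check still expects rngd to be enabled, which you would have to do by hand or with the Puppet or blueprint snippets.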