SSH client uses strong entropy to seed (Bash-like shells)

An XCCDF Rule

Description

To set up SSH client to use entropy from a high-quality source, make sure that the appropriate shell environment variable is configured. The SSH_USE_STRONG_RNG environment variable determines how many bytes of entropy to use. Make sure that the file /etc/profile.d/cc-ssh-strong-rng.sh contains line

export SSH_USE_STRONG_RNG=32

Rationale

Some SSH implementations use the openssl library for entropy, which by default, doesn't use high-entropy sources. Randomness is needed to generate considerably more secure data-encryption keys. Plaintext padding, initialization vectors in encryption algorithms, and high-quality entropy eliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers.

ID: xccdf_org.ssgproject.content_rule_ssh_client_use_strong_rng_sh
Severity: Medium
References: SRG-OS-000480-GPOS-00227

CCE-83346-7
Updated: over 1 year ago

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

# put line into the file
echo "export SSH_USE_STRONG_RNG=32" > /etc/profile.d/cc-ssh-strong-rng.sh
# remove eventual override in /etc/profile
sed -i '/^[[:space:]]*export[[:space:]]\+SSH_USE_STRONG_RNG=.*$/d' /etc/profile

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-83346-7
  - configure_strategy  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - ssh_client_use_strong_rng_sh

- name: Ensure that correct variable is exported in /etc/profile.d/cc-ssh-strong-rng.sh
  lineinfile:
    path: /etc/profile.d/cc-ssh-strong-rng.sh
    regexp: ^[\s]*export[\s]+SSH_USE_STRONG_RNG=.*$
    line: export SSH_USE_STRONG_RNG=32
    state: present
    create: true
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-83346-7
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - ssh_client_use_strong_rng_sh

- name: Ensure that the configuration is not overridden in /etc/profile
  lineinfile:
    path: /etc/profile
    regexp: ^[\s]*export[\s]+SSH_USE_STRONG_RNG=.*$
    state: absent
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-83346-7
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - ssh_client_use_strong_rng_sh

SSH client uses strong entropy to seed (Bash-like shells)

Description

Rationale

Remediation - Shell Script

Remediation - Ansible