SSH server uses strong entropy to seed

An XCCDF Rule

Description

To set up SSH server to use entropy from a high-quality source, edit the /etc/sysconfig/sshd file. The SSH_USE_STRONG_RNG configuration value determines how many bytes of entropy to use, so make sure that the file contains line

SSH_USE_STRONG_RNG=32

warning alert: Warning

This setting can cause problems on computers without the hardware random generator, because insufficient entropy causes the connection to be blocked until enough entropy is available.

Rationale

SSH implementation in Red Hat Enterprise Linux 8 uses the openssl library, which doesn't use high-entropy sources by default. Randomness is needed to generate data-encryption keys, and as plaintext padding and initialization vectors in encryption algorithms, and high-quality entropy elliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers.

ID: xccdf_org.ssgproject.content_rule_sshd_use_strong_rng
Severity: Low
References: CCI-000366

FCS_RBG_EXT.1.2

SRG-OS-000480-GPOS-00227 SRG-OS-000480-GPOS-00232

RHEL-08-010292

SV-230253r627750_rule

CCE-82462-3
Updated: about 1 year ago

- name: Setting unquoted shell-style assignment of 'SSH_USE_STRONG_RNG' to '32' in
    '/etc/sysconfig/sshd'
  block:

  - name: Check for duplicate values
    lineinfile:      path: /etc/sysconfig/sshd
      create: true
      regexp: ^\s*SSH_USE_STRONG_RNG=
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/sysconfig/sshd
    lineinfile:
      path: /etc/sysconfig/sshd
      create: true
      regexp: ^\s*SSH_USE_STRONG_RNG=
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/sysconfig/sshd
    lineinfile:
      path: /etc/sysconfig/sshd
      create: true
      regexp: ^\s*SSH_USE_STRONG_RNG=
      line: SSH_USE_STRONG_RNG=32
      state: present
      insertbefore: ^# SSH_USE_STRONG_RNG
      validate: /usr/bin/bash -n %s
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82462-3
  - DISA-STIG-RHEL-08-010292
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy
  - sshd_use_strong_rng

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/sysconfig/sshd" ] ; then
    
    LC_ALL=C sed -i "/^\s*SSH_USE_STRONG_RNG\s*=\s*/d" "/etc/sysconfig/sshd"else
    touch "/etc/sysconfig/sshd"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/sysconfig/sshd"

cp "/etc/sysconfig/sshd" "/etc/sysconfig/sshd.bak"
# Insert before the line matching the regex '^#\s*SSH_USE_STRONG_RNG'.
line_number="$(LC_ALL=C grep -n "^#\s*SSH_USE_STRONG_RNG" "/etc/sysconfig/sshd.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^#\s*SSH_USE_STRONG_RNG', insert at
    # the end of the file.
    printf '%s\n' "SSH_USE_STRONG_RNG=32" >> "/etc/sysconfig/sshd"
else
    head -n "$(( line_number - 1 ))" "/etc/sysconfig/sshd.bak" > "/etc/sysconfig/sshd"
    printf '%s\n' "SSH_USE_STRONG_RNG=32" >> "/etc/sysconfig/sshd"
    tail -n "+$(( line_number ))" "/etc/sysconfig/sshd.bak" >> "/etc/sysconfig/sshd"
fi
# Clean up after ourselves.
rm "/etc/sysconfig/sshd.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

SSH server uses strong entropy to seed

Description

Rationale

Remediation - Ansible

Remediation - Shell Script