OpenSSL uses strong entropy source
An XCCDF Rule
Description
By default, OpenSSL does not always use an SP800-90A compliant random number generator. One way to configure OpenSSL to always use a strong source is to set up a wrapper that defines a shell function shadowing the actual openssl binary and ensures that the -rand /dev/random option is added to every openssl invocation.
To do so, place the following shell snippet exactly as-is in /etc/profile.d/openssl-rand.sh:
# provide a default -rand /dev/random option to openssl commands that
# support it
# written inefficiently for maximum shell compatibility
openssl()
(
openssl_bin=/usr/bin/openssl

case "$*" in
    # if user specified -rand, honor it
    *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
esac

# digest and cipher commands accept -rand; add any other command whose
# option list contains a "rand" entry
cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
for i in `$openssl_bin list -commands`; do
    if $openssl_bin list -options "$i" | grep -q '^rand '; then
        cmds=" $i $cmds"
    fi
done

case "$cmds" in
    *\ "$1"\ *)
        cmd="$1"; shift
        exec $openssl_bin "$cmd" -rand /dev/random "$@"
        ;;
esac

exec $openssl_bin "$@"
)
Warning: This setting can cause problems on computers without a hardware random number generator, because insufficient entropy blocks the program until enough entropy is available.
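To see which invocations the wrapper actually changes (commands that accept -rand get the option, a user-supplied -rand or -help is passed through, and commands without a rand option are left alone), here is an added harness, not part of the SCAP content, that runs the same decision logic against a constructed stub so it can be checked without touching /dev/random. The stub and the OPENSSL_BIN variable are assumptions of this example; the real wrapper hardcodes /usr/bin/openssl and uses exec.

```shell
# Constructed stub standing in for the openssl binary: 'rand' and 'dgst'
# report a -rand option, the digest list contains 'sha256', and every
# other call prints the argv it received.
stub_openssl() {
  case "$1 $2" in
    "list -commands")        printf 'dgst\nrand\nversion\n' ;;
    "list -digest-commands") printf 'sha256\n' ;;
    "list -options")
      case "$3" in rand|dgst) printf 'rand s\n' ;; esac ;;
    *) printf '%s\n' "$*" ;;   # the argument list the real binary would see
  esac
}

# Same logic as the wrapper in the description; the binary path comes from
# OPENSSL_BIN and exec is replaced by a plain call so a function can stand in.
openssl() (
  openssl_bin=${OPENSSL_BIN:-/usr/bin/openssl}
  case "$*" in
    *\ -rand\ *|*\ -help*) $openssl_bin "$@"; exit ;;   # user chose -rand: honour it
  esac
  cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
  for i in `$openssl_bin list -commands`; do
    if $openssl_bin list -options "$i" | grep -q '^rand '; then cmds=" $i $cmds"; fi
  done
  case "$cmds" in
    *\ "$1"\ *) cmd="$1"; shift; $openssl_bin "$cmd" -rand /dev/random "$@"; exit ;;
  esac
  $openssl_bin "$@"
)

# effective_argv prints the argument list that would reach the real binary
effective_argv() { OPENSSL_BIN=stub_openssl; openssl "$@"; }

effective_argv rand 16                  # rand -rand /dev/random 16
effective_argv version                  # version (no rand option, untouched)
effective_argv rand -rand /dev/urandom 16   # user's -rand is kept
```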
Rationale
This rule ensures that openssl invocations always use an SP800-90A compliant random number generator by default.
- ID: xccdf_org.ssgproject.content_rule_openssl_use_strong_entropy
- Severity: Medium
Remediation - Ansible
- name: Put a file with shell wrapper to configure OpenSSL to always use strong entropy
  copy:
    dest: /etc/profile.d/openssl-rand.sh
    content: |
      # provide a default -rand /dev/random option to openssl commands that
      # support it
Remediation - Shell Script
cat > /etc/profile.d/openssl-rand.sh <<- 'EOM'
# provide a default -rand /dev/random option to openssl commands that
# support it
# written inefficiently for maximum shell compatibility