1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
documentation_complete: true
title: 'Enable the Hardware RNG Entropy Gatherer Service'
description: |-
The Hardware RNG Entropy Gatherer service should be enabled.
{{{ describe_service_enable(service="rngd") }}}
rationale: |-
The <tt>rngd</tt> service
feeds random data from hardware device to kernel random device.
severity: low
identifiers:
cce@rhcos4: CCE-82535-6
cce@rhel8: CCE-82831-9
cce@rhel9: CCE-84223-7
cce@rhel10: CCE-88930-3
references:
disa: CCI-000366
srg: SRG-OS-000480-GPOS-00227
stigid@ol8: OL08-00-010473
stigid@rhel8: RHEL-08-010471
{{% if product == "ol8" %}}
platform: os_linux[ol]<8.4 or not runtime_kernel_fips_enabled
{{% endif %}}
ocil_clause: '{{{ ocil_clause_service_enabled("rngd") }}}'
ocil: |-
{{{ ocil_service_enabled(service="rngd") }}}
fixtext: '{{{ fixtext_service_disabled("rngd") }}}'
srg_requirement: '{{{ srg_requirement_service_disabled("rngd") }}}'
{{% if product == "rhel8" %}}
platform: os_linux[rhel]<=8.3
warnings:
- general: |-
For RHEL versions 8.4 and above running with kernel FIPS mode enabled this rule is not applicable.
The in-kernel deterministic random bit generator (DRBG) is used in FIPS mode instead.
Consequently, the rngd service can't be started in FIPS mode.
{{% endif %}}
{{% if product == "rhel9" or product == "rhel10" or product == "ol9" or product == "ol10" %}}
platform: not runtime_kernel_fips_enabled
warnings:
- general: |-
For {{{ full_name }}} running with kernel FIPS mode enabled this rule is not applicable.
The in-kernel deterministic random bit generator (DRBG) is used in FIPS mode instead.
Consequently, the rngd service can't be started in FIPS mode.
{{% endif %}}
template:
name: service_enabled
vars:
servicename: rngd
packagename: rng-tools
|
