File: rule.yml

scap-security-guide 0.1.78-1
documentation_complete: true


title: 'Configure kernel to trust the CPU random number generator'

description: |-
    The Linux kernel can be told to trust the CPU hardware random number
    generator in one of two ways. If the option was enabled at kernel compile
    time (<tt>CONFIG_RANDOM_TRUST_CPU=y</tt>), make sure that it is not
    overridden by the boot parameter <tt>random.trust_cpu=off</tt>. If the
    option is not compiled in, make sure that <tt>random.trust_cpu=on</tt>
    is configured as a boot parameter.
    {{{ describe_grub2_argument("random.trust_cpu=on") | indent(4) }}}

rationale: |-
    The Linux kernel offers an option which controls whether the kernel trusts
    data provided by the CPU hardware random number generator, i.e. whether that
    data is credited as entropy. Hardware random number generators can provide
    random data very quickly and are used to generate random cryptographic keys.
    They are especially useful early during boot, when other sources of entropy
    can be slow and the kernel may not yet have collected enough entropy.

severity: medium

identifiers:
    cce@rhel8: CCE-83314-5
    cce@rhel9: CCE-83841-7
    cce@rhel10: CCE-89051-7

references:
    srg: SRG-OS-000480-GPOS-00227

ocil_clause: 'the kernel is not configured to trust the CPU RNG'

ocil: |-
    Make sure that the kernel is configured to trust the CPU RNG by following
    these steps. To check whether the option was enabled at kernel compile
    time, run the following command:
    <pre>grep CONFIG_RANDOM_TRUST_CPU=y /boot/config-`uname -r`</pre>
    If the command outputs
    <pre>CONFIG_RANDOM_TRUST_CPU=y</pre>
    the option is compiled into the kernel. Make sure that the option is not
    overridden through a boot parameter:
    <pre>sudo grep 'kernelopts.*random\.trust_cpu=off.*' {{{ grub2_boot_path }}}/grubenv</pre>
    The command should not return any output. If the option is not compiled into
    the kernel, check that the option is configured through a boot parameter.
    {{{ ocil_grub2_argument("random.trust_cpu=on") | indent(4) }}}


template:
    name: grub2_bootloader_argument
    vars:
        arg_name: random.trust_cpu
        arg_value: 'on'
    backends:
        oval: "off"
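The OCIL text above describes the decision as two manual greps. The following script, added here as an example and not part of scap-security-guide, implements the same logic as a single function that takes a kernel config file and a kernel command line as file paths, so it can be run against constructed inputs as well as against the live system. It also matches the boot parameter as a whole token rather than a substring, which the `grep 'kernelopts.*random\.trust_cpu=off.*'` check does not do. The function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not scap-security-guide code: evaluate the
# "trust the CPU RNG" rule against a kernel config file and a kernel
# command line, both given as paths. Exit status 0 = pass, 1 = fail.

# Return 0 if the option is compiled in (the line CONFIG_RANDOM_TRUST_CPU=y
# is present; "# CONFIG_RANDOM_TRUST_CPU is not set" does not match).
compiled_in() {
    grep -qx 'CONFIG_RANDOM_TRUST_CPU=y' "$1"
}

# has_cmdline_arg ARG CMDLINE_PATH
# Return 0 if ARG appears as a whole space-separated token on the command
# line. Splitting on spaces first avoids substring matches such as
# "random.trust_cpu=off" inside some longer, unrelated token.
has_cmdline_arg() {
    tr ' ' '\n' < "$2" | grep -qx "$1"
}

# check_trust_cpu CONFIG_PATH CMDLINE_PATH
# Mirrors the rule's OCIL text:
#   compiled in     -> fail only if random.trust_cpu=off overrides it
#   not compiled in -> pass only if random.trust_cpu=on is given
check_trust_cpu() {
    config="$1"
    cmdline="$2"
    if has_cmdline_arg 'random.trust_cpu=off' "$cmdline"; then
        echo "FAIL: random.trust_cpu=off is present on the kernel command line"
        return 1
    fi
    if compiled_in "$config"; then
        echo "PASS: CONFIG_RANDOM_TRUST_CPU=y and not overridden at boot"
        return 0
    fi
    if has_cmdline_arg 'random.trust_cpu=on' "$cmdline"; then
        echo "PASS: random.trust_cpu=on is present on the kernel command line"
        return 0
    fi
    echo "FAIL: option not compiled in and random.trust_cpu=on not set"
    return 1
}

# Live check of the kernel that is currently running (Linux only).
# /proc/cmdline reflects this boot; grubenv reflects the next boot.
check_running_kernel() {
    check_trust_cpu "/boot/config-$(uname -r)" /proc/cmdline
}

# Usage: ./check_trust_cpu.sh CONFIG_PATH CMDLINE_PATH
if [ "$#" -eq 2 ]; then
    check_trust_cpu "$1" "$2"
fi
```

Two caveats for anyone adapting this. First, the kernel parses `random.trust_cpu` as a boolean, so spellings such as `random.trust_cpu=1` or `random.trust_cpu=0` are also accepted by the kernel but are not recognised by this rule's literal `on`/`off` matching (nor by the script above, which deliberately mirrors the rule); a host booted with one of those values will be reported as if the parameter were absent. Second, checking `grubenv` tells you what the next boot will use, while `/proc/cmdline` tells you what the running kernel was actually booted with; when auditing a live system, compare both.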