{"description": "By default, OpenSSL doesn't always use an SP800-90A-compliant random number generator.\nOne way to configure OpenSSL to always use a strong source is to set up a wrapper that\ndefines a shell function that shadows the actual <tt>openssl</tt> binary\nand ensures that the <tt>-rand /dev/random</tt> option is added to every <tt>openssl</tt> invocation\nthat accepts it (<tt>-rand</tt> loads seed data from the named file into OpenSSL's random generator).\nBecause it is a shell function, the wrapper only covers commands run from shells that source\n<tt>/etc/profile.d</tt>; it does not affect programs linked against <tt>libcrypto</tt> directly\nor scripts that call <tt>/usr/bin/openssl</tt> by its full path.\n\nTo install the wrapper, place the following shell snippet exactly as-is in <tt>/etc/profile.d/openssl-rand.sh</tt>:\n<pre>\n# provide a default -rand /dev/random option to openssl commands that\n# support it\n\n# written inefficiently for maximum shell compatibility\nopenssl()\n(\n  openssl_bin=/usr/bin/openssl\n\n  case \"$*\" in\n    # if user specified -rand, honor it\n    *\\ -rand\\ *|*\\ -help*) exec $openssl_bin \"$@\" ;;\n  esac\n\n  cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\\n' ' '`\n  for i in `$openssl_bin list -commands`; do\n    if $openssl_bin list -options \"$i\" | grep -q '^rand '; then\n      cmds=\" $i $cmds\"\n    fi\n  done\n\n  case \"$cmds\" in\n    *\\ \"$1\"\\ *)\n      cmd=\"$1\"; shift\n      exec $openssl_bin \"$cmd\" -rand /dev/random \"$@\" ;;\n  esac\n\n  exec $openssl_bin \"$@\"\n)\n</pre>", "rationale": "This rule ensures that <tt>openssl</tt> invocations always use an SP800-90A-compliant random number generator by default.", "severity": "medium", "references": {"srg": ["SRG-OS-000480-GPOS-00227"], "ism": ["1277", "1552"]}, "control_references": {"ism": ["1277", "1552"]}, "components": [], "identifiers": {}, "ocil_clause": "there is no <tt>/etc/profile.d/openssl-rand.sh</tt> file, or its contents don't match those in the description", "ocil": "To determine whether OpenSSL is wrapped by a shell function that ensures that every invocation\nuses an SP800-90A-compliant entropy source,\nmake sure that the <tt>/etc/profile.d/openssl-rand.sh</tt> file contents exactly match those\nthat are included in the rule's description.", "oval_external_content": null, 
"fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "This setting can cause problems on systems without a hardware random number generator, because reading from <tt>/dev/random</tt> blocks the program until enough entropy is available."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "OpenSSL uses strong entropy source", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/rule.yml", "template": null}
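The description claims the wrapper inserts <tt>-rand /dev/random</tt> only for subcommands that accept it, honours a user-supplied <tt>-rand</tt>, and leaves <tt>-help</tt> alone. The following is an added example, not part of the scap-security-guide rule, that checks those claims against a stub <tt>openssl</tt> before the real function is installed. The wrapper copied into it is the rule's function with one change: the binary path is read from an <tt>OPENSSL_BIN</tt> variable (a name chosen for this example) instead of being fixed to <tt>/usr/bin/openssl</tt>, so a test double can stand in for the real binary. The stub's command and option lists are constructed data, not real <tt>openssl list</tt> output. Do not install this copy: the OCIL check requires the file in <tt>/etc/profile.d</tt> to match the description exactly.

```shell
#!/bin/sh
# Added example, not part of the SSG rule: exercise the wrapper's dispatch
# logic against a stub "openssl" before installing the real function.
# The wrapper below is the rule's function with one change: the binary path
# comes from $OPENSSL_BIN (default /usr/bin/openssl) so a stub can stand in.

# Stub openssl (constructed test double). It answers the three "list" queries
# the wrapper makes and otherwise echoes the argument vector it received, so
# the checks can see exactly what would have reached the real binary.
make_stub() {
  dir=$(mktemp -d)
  cat > "$dir/openssl" <<'EOF'
#!/bin/sh
case "$1 $2" in
  "list -digest-commands") echo "sha256 md5"; exit 0 ;;
  "list -commands")        echo "req rand genrsa enc x509 version"; exit 0 ;;
  "list -options")
    # assumption for the stub: req, rand, genrsa and enc take -rand; others do not
    case "$3" in
      req|rand|genrsa|enc) echo "rand s" ;;
      *)                   echo "in <" ;;
    esac
    exit 0 ;;
esac
printf '%s\n' "$*"
EOF
  chmod +x "$dir/openssl"
  printf '%s\n' "$dir/openssl"
}

# The rule's wrapper, with the binary path parameterised for testing only.
openssl_wrapped()
(
  openssl_bin=${OPENSSL_BIN:-/usr/bin/openssl}

  case "$*" in
    # if user specified -rand, honor it
    *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
  esac

  cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
  for i in `$openssl_bin list -commands`; do
    if $openssl_bin list -options "$i" | grep -q '^rand '; then
      cmds=" $i $cmds"
    fi
  done

  case "$cmds" in
    *\ "$1"\ *)
      cmd="$1"; shift
      exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
  esac

  exec $openssl_bin "$@"
)

# Each check returns 0 when the argv that reached the stub is what the rule
# description promises for that kind of invocation.
check_inserts_rand()  { [ "$(openssl_wrapped req -new -key k.pem)" = "req -rand /dev/random -new -key k.pem" ]; }
check_honours_user()  { [ "$(openssl_wrapped genrsa -rand /dev/hwrng 2048)" = "genrsa -rand /dev/hwrng 2048" ]; }
check_leaves_others() { [ "$(openssl_wrapped x509 -in c.pem -text)" = "x509 -in c.pem -text" ]; }
check_digest_alias()  { [ "$(openssl_wrapped sha256 file)" = "sha256 -rand /dev/random file" ]; }
check_help_passthru() { [ "$(openssl_wrapped req -help)" = "req -help" ]; }

# Create a stub, run every check against it, clean up, and report 0/1.
check_wrapper() {
  OPENSSL_BIN=$(make_stub)
  rc=0
  check_inserts_rand && check_honours_user && check_leaves_others &&
    check_digest_alias && check_help_passthru || rc=1
  rm -rf "$(dirname "$OPENSSL_BIN")"
  return "$rc"
}

check_wrapper && echo "wrapper dispatch behaves as the rule describes"
```

Running the script prints the confirmation line only when all five dispatch cases behave as described; a silent exit means one of them diverged, which is the signal to inspect the wrapper before copying the real version into /etc/profile.d.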