{"description": "There are two ways to ensure that the Linux kernel trusts the CPU\nhardware random number generator. If the option is configured during kernel\ncompilation, i.e. <tt>CONFIG_RANDOM_TRUST_CPU</tt> is set to\n<tt>Y</tt>, make sure that it is not overridden with a boot parameter:\nthe boot parameter <tt>random.trust_cpu=off</tt> must not be present. If\nthe option is not compiled in, make sure that <tt>random.trust_cpu=on</tt>\nis configured as a boot parameter.\nTo ensure that <tt>random.trust_cpu=on</tt> is added as a kernel command line\nargument to newly installed kernels, add <tt>random.trust_cpu=on</tt> to the\ndefault GRUB 2 command line for Linux operating systems. Modify the line within\n<tt>/etc/default/grub</tt> as shown below:\n<pre>GRUB_CMDLINE_LINUX=\"... random.trust_cpu=on ...\"</pre>\n<tt>GRUB_CMDLINE_LINUX</tt> is applied to both normal and recovery entries, so placing the argument there covers every generated entry. Run the following command to update the command line for already installed kernels:<pre># update-grub</pre>", "rationale": "The Linux kernel offers an option which signifies whether the kernel should trust\ndata provided by the CPU hardware random number generator. Hardware random\nnumber generators can provide random data very quickly and are used to generate random cryptographic keys. They can\nbe useful during boot time when other means of getting random data can be\nslow because there is not yet enough entropy in the system. Trusting the CPU RNG means the kernel credits its output as entropy without being able to verify the hardware, so the setting expresses trust in the CPU vendor's implementation.", "severity": "medium", "references": {"srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the kernel is not configured to trust the CPU RNG", "ocil": "Make sure that the kernel is configured to trust the CPU RNG by following\nthe commands below. To check whether the option was configured at kernel compile\ntime, run the following command:\n<pre>grep CONFIG_RANDOM_TRUST_CPU /boot/config-`uname -r`</pre>\nIf the command outputs:\n<pre>CONFIG_RANDOM_TRUST_CPU=y</pre>\nthe option is compiled into the kernel (<tt># CONFIG_RANDOM_TRUST_CPU is not set</tt> means it is not). 
Make sure that the\noption is not overridden through a boot parameter. The authoritative check for the running kernel is its command line:\n<pre>$ grep -o 'random\\.trust_cpu=[^ ]*' /proc/cmdline</pre>\nThis must not print <tt>random.trust_cpu=off</tt>; if the parameter appears more than once, the kernel applies the last occurrence. On systems whose GRUB environment block carries a <tt>kernelopts</tt> variable, also check:\n<pre>$ sudo grep 'kernelopts.*random\\.trust_cpu=off.*' /boot/grub/grubenv</pre>\nThe command should not return any output. If the option is not compiled into\nthe kernel, check that it is configured through a boot parameter.\nInspect the default GRUB 2 command line for the Linux operating system\nin <tt>/etc/default/grub</tt>. If it includes <tt>random.trust_cpu=on</tt>,\nthen the parameter will be configured for newly installed kernels.\nFirst check whether GRUB recovery entries are disabled:\n<pre>$ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub</pre>\nIf this option is set to <tt>true</tt>, no recovery entries are generated and it is sufficient that a line is output by the following command:\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*random.trust_cpu=on.*' /etc/default/grub</pre>\nIf recovery entries are generated (the option is absent or <tt>false</tt>), they receive only <tt>GRUB_CMDLINE_LINUX</tt>, so check that variable instead:\n<pre>$ sudo grep 'GRUB_CMDLINE_LINUX=.*random.trust_cpu=on.*' /etc/default/grub</pre>\nNote that <tt>GRUB_CMDLINE_LINUX_DEFAULT</tt> is appended after <tt>GRUB_CMDLINE_LINUX</tt> on normal entries, so a <tt>random.trust_cpu=off</tt> there would override an <tt>on</tt> in <tt>GRUB_CMDLINE_LINUX</tt>. Moreover, the current GRUB config file <tt>grub.cfg</tt> must be checked. 
The file can be found\nin <tt>/boot/grub</tt> on legacy BIOS systems, or on the EFI system partition (<tt>/boot/efi/EFI/ubuntu</tt> on Ubuntu) on UEFI systems; on Ubuntu the UEFI copy is usually a stub that loads <tt>/boot/grub/grub.cfg</tt>, so check that file as well.\nEvery kernel line in it must include <tt>random.trust_cpu=on</tt> for the parameter\nto be configured at boot time:\n<pre>$ sudo grep vmlinuz GRUB_CFG_FILE_PATH | grep -v 'random.trust_cpu=on'</pre>\nFill in <tt>GRUB_CFG_FILE_PATH</tt> based on the information above.\nThis command should not return any output; each line it prints is a boot entry without the parameter.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.", "vuldiscussion": "The Linux kernel offers an option which signifies whether the kernel should trust\ndata provided by the CPU hardware random number generator. Hardware random\nnumber generators can provide random data very quickly and are used to generate random cryptographic keys. They can\nbe useful during boot time when other means of getting random data can be\nslow because there is not yet enough entropy in the system.", "checktext": "Make sure that the kernel is configured to trust the CPU RNG by following\nthe commands below. To check whether the option was configured at kernel compile\ntime, run the following command:\n grep CONFIG_RANDOM_TRUST_CPU /boot/config-`uname -r`\nIf the command outputs:\n CONFIG_RANDOM_TRUST_CPU=y\nthe option is compiled into the kernel (\"# CONFIG_RANDOM_TRUST_CPU is not set\" means it is not). Make sure that the\noption is not overridden through a boot parameter. On systems whose GRUB environment block carries a kernelopts variable, check:\n sudo grep 'kernelopts.*random\\.trust_cpu=off.*' /boot/grub/grubenv\nThe command should not return any output. 
If the option is not compiled into\nthe kernel, check that it is configured through a boot parameter.\nInspect the default GRUB 2 command line for the Linux operating system\nin \"/etc/default/grub\". If it includes \"random.trust_cpu=on\",\nthen the parameter will be configured for newly installed kernels.\nFirst check whether GRUB recovery entries are disabled:\n $ sudo grep 'GRUB_DISABLE_RECOVERY' /etc/default/grub\nIf this option is set to true, no recovery entries are generated and it is sufficient that a line is output by the following command:\n $ sudo grep 'GRUB_CMDLINE_LINUX_DEFAULT.*random.trust_cpu=on.*' /etc/default/grub\nIf recovery entries are generated (the option is absent or false), they receive only GRUB_CMDLINE_LINUX, so check that variable instead:\n $ sudo grep 'GRUB_CMDLINE_LINUX=.*random.trust_cpu=on.*' /etc/default/grub\nNote that GRUB_CMDLINE_LINUX_DEFAULT is appended after GRUB_CMDLINE_LINUX on normal entries, so a \"random.trust_cpu=off\" there would override an \"on\" in GRUB_CMDLINE_LINUX. Moreover, command line parameters for currently installed kernels must be checked as well.\nIf grubby is installed, run:\n $ sudo grubby --info=ALL | grep args | grep -v 'random.trust_cpu=on'\nOtherwise inspect the generated configuration directly:\n $ sudo grep vmlinuz /boot/grub/grub.cfg | grep -v 'random.trust_cpu=on'\nEither command should not return any output. Finally confirm the running kernel:\n $ grep -o 'random\\.trust_cpu=[^ ]*' /proc/cmdline\nAn explicit value printed here wins (the last occurrence if there are several); if nothing is printed, the compile-time setting found above applies.\n\nIf the kernel is not configured to trust the CPU RNG, then this is a finding."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["grub2 and system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["grub2_and_system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure kernel to trust the CPU random number generator", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-grub2/grub2_kernel_trust_cpu_rng/rule.yml", "template": {"name": "grub2_bootloader_argument", "vars": {"arg_name": "random.trust_cpu", "arg_value": "on"}, "backends": {"oval": "off"}}}
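The OCIL and STIG check text above reduce to four greps (kernel config, /etc/default/grub, grub.cfg, the running command line). The script below is an added example, not the rule's own OVAL content or bash remediation, that performs the same audit with the kernel's actual semantics rather than a literal grep: repeated `random.trust_cpu=` arguments are applied in order so the last one wins, the value is interpreted the way the kernel's `kstrtobool()` does (`1`, `y`, `yes` and `on` all mean on), and `GRUB_CMDLINE_LINUX_DEFAULT` is taken to follow `GRUB_CMDLINE_LINUX` on normal entries while recovery entries get only `GRUB_CMDLINE_LINUX`, as `/etc/grub.d/10_linux` generates them. The Ubuntu paths in `audit_live` (`/boot/grub/grub.cfg`, `/boot/efi/EFI/ubuntu/grub.cfg`) and the two sample files, including the kernel version string in them, are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the SCAP Security Guide rule: audit helpers for
# the random.trust_cpu kernel argument. Functions read stdin or arguments, so
# they run on the constructed samples below and on the live files (audit_live).
set -f   # command lines are word-split below; never glob their tokens

# Normalise a random.trust_cpu value as the kernel's kstrtobool() does: only
# the leading characters count (1/y/Y/on -> on, 0/n/N/of -> off).
normalise_bool() {
    case "$1" in
        1*|[yY]*|[oO][nN]*) echo on ;;
        0*|[nN]*|[oO][fF]*) echo off ;;
        *)                  echo invalid ;;
    esac
}

# trust_cpu_from_cmdline "<kernel command line>"
# Prints on, off, invalid, or "default" when the parameter is absent (then the
# compile-time CONFIG_RANDOM_TRUST_CPU setting applies). Repeated occurrences
# are applied in order, so the last one wins; a grep for "=on" misses that.
trust_cpu_from_cmdline() {
    result=default
    for tok in $1; do
        case "$tok" in
            random.trust_cpu=*) result=$(normalise_bool "${tok#random.trust_cpu=}") ;;
        esac
    done
    echo "$result"
}

# grub_default_cmdline < /etc/default/grub
# Prints what /etc/grub.d/10_linux puts on a normal entry: GRUB_CMDLINE_LINUX
# then GRUB_CMDLINE_LINUX_DEFAULT (recovery entries get GRUB_CMDLINE_LINUX only).
# The file is parsed, not sourced, so none of its shell code runs; values are
# expected in double quotes, as Ubuntu ships them.
grub_default_cmdline() {
    linux=""; default=""
    while IFS= read -r line; do
        case "$line" in
            GRUB_CMDLINE_LINUX_DEFAULT=*) default=${line#GRUB_CMDLINE_LINUX_DEFAULT=} ;;
            GRUB_CMDLINE_LINUX=*)         linux=${line#GRUB_CMDLINE_LINUX=} ;;
        esac
    done
    linux=${linux#\"}; linux=${linux%\"}; default=${default#\"}; default=${default%\"}
    echo "$linux $default"
}

# grubcfg_entries_missing_trust < grub.cfg
# Echoes every "linux" line (one boot entry's command line) whose effective
# random.trust_cpu value is not "on"; returns 1 if any were found.
grubcfg_entries_missing_trust() {
    missing=0
    while IFS= read -r line; do
        set -- $line                 # $1 = linux/linux16/linuxefi, $2 = image, rest = args
        [ $# -ge 2 ] || continue
        case "$1" in
            linux|linux16|linuxefi)
                shift 2
                [ "$(trust_cpu_from_cmdline "$*")" = on ] || { echo "$line"; missing=1; }
                ;;
        esac
    done
    return $missing
}

# audit_live: the rule's checks against this host (run as root). Paths are the
# Ubuntu ones assumed by this example.
audit_live() {
    echo "compile-time option : $(grep -s CONFIG_RANDOM_TRUST_CPU "/boot/config-$(uname -r)" || echo absent)"
    echo "running kernel      : $(trust_cpu_from_cmdline "$(cat /proc/cmdline)")"
    echo "next update-grub    : $(trust_cpu_from_cmdline "$(grub_default_cmdline < /etc/default/grub)")"
    for cfg in /boot/grub/grub.cfg /boot/efi/EFI/ubuntu/grub.cfg; do
        [ -r "$cfg" ] || continue
        echo "entries in $cfg lacking random.trust_cpu=on:"
        grubcfg_entries_missing_trust < "$cfg" && echo "  (none)"
    done
}

# --- Constructed samples, not taken from a real host ------------------------
# GRUB_CMDLINE_LINUX_DEFAULT lands last on the generated entry, so its "off"
# overrides the "on" in GRUB_CMDLINE_LINUX although a grep for "=on" passes.
SAMPLE_DEFAULT_GRUB='GRUB_DISABLE_RECOVERY="true"
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash random.trust_cpu=off"
GRUB_CMDLINE_LINUX="random.trust_cpu=on"'
# A grub.cfg generated while the parameter sat only in GRUB_CMDLINE_LINUX_DEFAULT:
# the recovery entry, built from GRUB_CMDLINE_LINUX alone, never received it.
SAMPLE_GRUB_CFG=$(cat <<'EOF'
menuentry 'Ubuntu' {
    linux /boot/vmlinuz-5.15.0-91-generic root=UUID=0000 ro quiet splash random.trust_cpu=on
}
menuentry 'Ubuntu (recovery mode)' {
    linux /boot/vmlinuz-5.15.0-91-generic root=UUID=0000 ro recovery nomodeset
}
EOF
)

# Demo on the samples; on a real host call audit_live instead.
echo "sample /etc/default/grub -> $(trust_cpu_from_cmdline "$(printf '%s\n' "$SAMPLE_DEFAULT_GRUB" | grub_default_cmdline)")"
echo "sample grub.cfg entries lacking random.trust_cpu=on:"
printf '%s\n' "$SAMPLE_GRUB_CFG" | grubcfg_entries_missing_trust || true
```

Run as-is it reports the two failure modes the page's greps would miss: the sample `/etc/default/grub` evaluates to `off` even though `GRUB_CMDLINE_LINUX` contains `random.trust_cpu=on`, and the sample `grub.cfg` lists its recovery entry as lacking the parameter. Sourcing the script and calling `audit_live` as root runs the same logic against the real files.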