{"description": "To set up the SSH client to use entropy from a high-quality source, make sure\nthat the appropriate shell environment variable is configured. The\n<tt>SSH_USE_STRONG_RNG</tt> environment variable determines how many bytes\nof entropy to use. Make sure that the file\n<tt>/etc/profile.d/cc-ssh-strong-rng.csh</tt> contains the line\n<pre>setenv SSH_USE_STRONG_RNG 32</pre>", "rationale": "Some SSH implementations use the openssl library for entropy, which by default does not use high-entropy sources.\nRandomness is needed to generate considerably more secure data-encryption keys, plaintext padding and initialization vectors\nin encryption algorithms; high-quality entropy eliminates the possibility that the output of\nthe random number generator used by SSH would be known to potential attackers.", "severity": "medium", "references": {"srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the SSH client is not configured to use 32 bytes of entropy or more", "ocil": "Run the following command to verify that the SSH client is configured to use 32 bytes of entropy:\n<pre>grep SSH_USE_STRONG_RNG /etc/profile.d/cc-ssh-strong-rng.csh</pre>\nIt should return the following output:\n<pre>setenv SSH_USE_STRONG_RNG 32</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "SSH client uses strong entropy to seed (for CSH-like shells)", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/ssh/ssh_client/ssh_client_use_strong_rng_csh/rule.yml", "template": null}