Merge pull request #3030 from ferricoxide/Issue_3025
Update EL8 Findings README To Speak To Recently-Reported Findings
ferricoxide authored Jul 19, 2023
2 parents c00abce + 47cb601 commit b2deb5c
Showing 1 changed file with 28 additions and 2 deletions.
30 changes: 28 additions & 2 deletions docs/findings/el8.md
Expand Up @@ -9,6 +9,8 @@

# Findings Summary-Table

A few scans performed against EL8 systems are version-dependent. Watchmaker is designed to ensure that a given EL8 host is running at the latest-available EL8 minor-release version. Some of the version-dependent scans are for versions (well) prior "the latest-available EL8 minor-release version". The person responding to scan-findings should make sure to notice if the findings-text includes mention of specific EL8 minor-release version or version-ranges and compare that to the EL8 minor-release of the scanned system. If the version/version-range is less than that of the scanned version, the scan result may be immediately flagged as "**INVALID FINDING**". Anything that cannot be immediate flagged in this way should be checked against the following table of known findings[^1].

```{eval-rst}
.. _Prevent System Daemons From Using Kerberos For Authentication: #prevent-system-daemons-from-using-kerberos-for-authentication
.. _Users Must Provide A Password For Privilege Escalation: #users-must-provide-a-password-for-privilege-escalation
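Review bot: two wording slips and one underspecified rule in the new paragraph. "prior "the latest-available EL8 minor-release version"" is missing "to" (prior to), and "immediate flagged" should read "immediately flagged". More substantively, "If the version/version-range is less than that of the scanned version" never says how the responder establishes the scanned host's minor release, and a version range has to be compared by its upper bound: a finding scoped to, say, 8.0 through 8.3 is moot only on a host that is actually at 8.4 or later. Suggest stating the check explicitly, e.g. read the minor release from `/etc/redhat-release` (or `VERSION_ID` in `/etc/os-release`) on the scanned host and mark the finding INVALID only when the highest minor release the finding names is below that value; anything else falls through to the table.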
Expand All @@ -30,7 +32,7 @@
.. _Oracle Linux 8 STIGs Specify Conflicting ClientAliveCountMax values: #oracle-linux-8-stigs-specify-conflicting-clientalivecountmax-values
.. _Record Events When Privileged Executables Are Run: #record-events-when-privileged-executables-are-run
.. _EL 8 systems less than v8.4 must configure the password complexity module in the system-auth allow three retries or less: #el-8-systems-less-than-v8.4-must-configure-the-password-complexity-module-in-the-system-auth-allow-three-retries-or-less
.. _ EL 8 must enable the hardware random number generator entropy gatherer service: #el-8-must-enable-the-hardware-random-number-generator-entropy-gatherer-service
+-----------------------------------------------------------------------------------------------------------------------------+---------------------+
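Review bot: the new hyperlink target has a stray space after the underscore (`.. _ EL 8 must enable the hardware random number generator entropy gatherer service: #el-8-must-...`) while every other target in this block is written `.. _Name: #anchor`. Drop the space so the target is written the same way as the others and the `EL 8 must enable ...`_ reference used in the table resolves without relying on whitespace normalization of the reference name. Also worth confirming, as was done for the other entries, that the anchor `#el-8-must-enable-the-hardware-random-number-generator-entropy-gatherer-service` matches the slug the build generates for the new section heading.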
Expand Down Expand Up @@ -116,9 +118,12 @@
| | |
| | RHEL-08-020102 |
+-----------------------------------------------------------------------------------------------------------------------------+---------------------+
| `EL 8 must enable the hardware random number generator entropy gatherer service`_ | V-230285 |
| | |
| | RHEL-08-010471 |
+-----------------------------------------------------------------------------------------------------------------------------+---------------------+
```


# Prevent System Daemons From Using Kerberos For Authentication

**Condtionally-valid Finding:**
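Review bot: the new table row depends on the `EL 8 must enable ...` target defined in the eval-rst block above; if that target keeps its leading space the row's reference may render as an unresolved link, so check the rendered page rather than only the diff. Column widths in the added row match the existing rows, so the grid table should still parse. Unrelated but in the visible context: "Condtionally-valid Finding" is a typo for "Conditionally-valid Finding" and could be fixed in the same PR.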
Expand Down Expand Up @@ -408,3 +413,24 @@ It is the presence of the content in the file in the `/etc/audit/rules.d/` direc
**Invalid Finding:**

This finding applies _only_ to Enterprise Linux distros 8.0, 8.1, 8.2 and 8.3. As of the writing of this document all, properly-patched Enterprise Linux deployments are running 8.4 or higher. This finding does not apply to such systems

# EL 8 must enable the hardware random number generator entropy gatherer service

**Invalid Finding:**

While this finding states that the `rngd` systemd unit must be enabled _and_ active. Per the output from the `rngd.service` systemd unit:

~~~
$ systemctl status rngd
* rngd.service - Hardware RNG Entropy Gatherer Daemon
Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Tue 2023-06-27 15:21:25 UTC; 49s ago
Condition: start condition failed at Tue 2023-06-27 15:21:32 UTC; 42s ago
ConditionKernelCommandLine=!fips=1 was not met
Main PID: 214 (code=exited, status=0/SUCCESS)
~~~

The above-captured output's `ConditionKernelCommandLine`'s indication that the condition of `!fips=1` "was not met" means that this capability is not (currently) compatible with a system running with FIPS mode enabled. Enablement of FIPS mode is specified in another, earlier, higher-priority STIG-finding. As such, this setting will not be enableable while the higher-priority configuration-state is in place.


[^1]: Do not try to perform an exact-match from the scan-report to this table. The findings table's link-titles are distillations of the scan-findings title-text rather than being verbatim copies.
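Review bot: the classification and two sentences in the new section need tightening. First, "Invalid Finding" is only true when FIPS mode is actually enabled on the scanned host; the evidence given is the `ConditionKernelCommandLine=!fips=1 was not met` line, so on a host where FIPS has been waived `rngd` will start and the finding stands. Suggest labeling it "Conditionally-valid Finding" (the label this document already uses for other entries) and stating both the condition and the check: confirm `fips=1` is on the kernel command line (`grep -o 'fips=1' /proc/cmdline`) or that `/proc/sys/crypto/fips_enabled` reads `1` before marking the finding invalid. It is also worth saying explicitly that the captured status shows the unit is `enabled` and only the "active" half of the requirement is unmet, and that this is the vendor's intended behavior on FIPS hosts rather than a failed start. Second, "While this finding states that the `rngd` systemd unit must be enabled _and_ active. Per the output ..." is a sentence fragment; suggest "This finding states that the `rngd` systemd unit must be enabled _and_ active. However, per the output ...". Third, "enableable" in the closing sentence should read "enabled", and the context line "This finding does not apply to such systems" in the preceding section is missing its trailing period.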

0 comments on commit b2deb5c
