From 882d82a223901697a06a0e80ddc8f89d3f8410fe Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Fri, 30 Jun 2023 12:01:37 -0400 Subject: [PATCH 1/3] Address V-230285 (RHEL-08-010471) Closes #3025 --- docs/findings/el8.md | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/docs/findings/el8.md b/docs/findings/el8.md index d49c0eeeb..1beb45e44 100644 --- a/docs/findings/el8.md +++ b/docs/findings/el8.md @@ -30,7 +30,7 @@ .. _Oracle Linux 8 STIGs Specify Conflicting ClientAliveCountMax values: #oracle-linux-8-stigs-specify-conflicting-clientalivecountmax-values .. _Record Events When Privileged Executables Are Run: #record-events-when-privileged-executables-are-run .. _EL 8 systems less than v8.4 must configure the password complexity module in the system-auth allow three retries or less: #el-8-systems-less-than-v8.4-must-configure-the-password-complexity-module-in-the-system-auth-allow-three-retries-or-less - + .. _ EL 8 must enable the hardware random number generator entropy gatherer service: #el-8-must-enable-the-hardware-random-number-generator-entropy-gatherer-service +-----------------------------------------------------------------------------------------------------------------------------+---------------------+ @@ -116,6 +116,10 @@ | | | | | RHEL-08-020102 | +-----------------------------------------------------------------------------------------------------------------------------+---------------------+ + | `EL 8 must enable the hardware random number generator entropy gatherer service`_ | V-230285 | + | | | + | | RHEL-08-010471 | + +-----------------------------------------------------------------------------------------------------------------------------+---------------------+ ``` 
@@ -408,3 +412,21 @@ It is the presence of the content in the file in the `/etc/audit/rules.d/` direc **Invalid Finding:** This finding applies _only_ to Enterprise Linux distros 8.0, 8.1, 8.2 and 8.3. As of the writing of this document all, properly-patched Enterprise Linux deployments are running 8.4 or higher. This finding does not apply to such systems + +# EL 8 must enable the hardware random number generator entropy gatherer service + +**Invalid Finding:** + +While this finding states that the `rngd` systemd unit must be enabled _and_ active. Per the output from the `rngd.service` systemd unit: + +~~~ +$ systemctl status rngd +* rngd.service - Hardware RNG Entropy Gatherer Daemon + Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled) + Active: inactive (dead) since Tue 2023-06-27 15:21:25 UTC; 49s ago +Condition: start condition failed at Tue 2023-06-27 15:21:32 UTC; 42s ago + ConditionKernelCommandLine=!fips=1 was not met + Main PID: 214 (code=exited, status=0/SUCCESS) +~~~ + +The above-captured output's `ConditionKernelCommandLine`'s indication that the codition of `!fips=1` "was not met" means that this capability is not (currently) compatible with a system running with FIPS mode enabled. Enablement of FIPS mode is specified in another, earlier, higher-priority STIG-finding. As such, this setting will not be enableable while the higher-priority configuration-state is in place. From 0ffa5390c95b5774aabbe1c05310169abea73e01 Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Fri, 30 Jun 2023 14:04:50 -0400 Subject: [PATCH 2/3] Add a 'check EL version-validity' paragraph to beginning of doc Closes #3028 --- docs/findings/el8.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/findings/el8.md b/docs/findings/el8.md index 1beb45e44..473656068 100644 --- a/docs/findings/el8.md +++ b/docs/findings/el8.md 
@@ -9,6 +9,8 @@ # Findings Summary-Table +A few scans performed against EL8 systems are version-dependent. Watchmaker is designed to ensure that a given EL8 host is running at the latest-available EL8 minor-release version. Some of the version-dependent scans are for versions (well) prior "the latest-available EL8 minor-release version". The person responding to scan-findings should make sure to notice if the findings-text includes mention of specific EL8 minor-release version or version-ranges and compare that to the EL8 minor-release of the scanned system. If the version/version-range is less than that of the scanned version, the scan result may be immediately flagged as "**INVALID FINDING**". Anything that cannot be immediate flagged in this way should be checked against the following table of known findings[^1]. + ```{eval-rst} .. _Prevent System Daemons From Using Kerberos For Authentication: #prevent-system-daemons-from-using-kerberos-for-authentication .. _Users Must Provide A Password For Privilege Escalation: #users-must-provide-a-password-for-privilege-escalation @@ -122,7 +124,6 @@ +-----------------------------------------------------------------------------------------------------------------------------+---------------------+ ``` - # Prevent System Daemons From Using Kerberos For Authentication **Condtionally-valid Finding:** 
@@ -430,3 +431,6 @@ Condition: start condition failed at Tue 2023-06-27 15:21:32 UTC; 42s ago ~~~ The above-captured output's `ConditionKernelCommandLine`'s indication that the codition of `!fips=1` "was not met" means that this capability is not (currently) compatible with a system running with FIPS mode enabled. Enablement of FIPS mode is specified in another, earlier, higher-priority STIG-finding. As such, this setting will not be enableable while the higher-priority configuration-state is in place. + + +[^1]: Do not try to perform an exact-match from the scan-report to this table. The findings table's link-titles are distillations of the scan-findings title-text rather than being verbatim copies. From 47cb6016706efbc78f02da0aecc0ed11ec77345c Mon Sep 17 00:00:00 2001 From: Thomas H Jones II Date: Wed, 19 Jul 2023 09:27:48 -0400 Subject: [PATCH 3/3] Update docs/findings/el8.md ypto Co-authored-by: Loren Gordon --- docs/findings/el8.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/findings/el8.md b/docs/findings/el8.md index 473656068..f63b91563 100644 --- a/docs/findings/el8.md +++ b/docs/findings/el8.md 
@@ -430,7 +430,7 @@ Condition: start condition failed at Tue 2023-06-27 15:21:32 UTC; 42s ago Main PID: 214 (code=exited, status=0/SUCCESS) ~~~ -The above-captured output's `ConditionKernelCommandLine`'s indication that the codition of `!fips=1` "was not met" means that this capability is not (currently) compatible with a system running with FIPS mode enabled. Enablement of FIPS mode is specified in another, earlier, higher-priority STIG-finding. As such, this setting will not be enableable while the higher-priority configuration-state is in place. +The above-captured output's `ConditionKernelCommandLine`'s indication that the condition of `!fips=1` "was not met" means that this capability is not (currently) compatible with a system running with FIPS mode enabled. Enablement of FIPS mode is specified in another, earlier, higher-priority STIG-finding. As such, this setting will not be enableable while the higher-priority configuration-state is in place. [^1]: Do not try to perform an exact-match from the scan-report to this table. The findings table's link-titles are distillations of the scan-findings title-text rather than being verbatim copies.
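Review bot: In the `@@ -30,7 +30,7 @@` hunk of PATCH 1/3, the new target `.. _ EL 8 must enable the hardware random number generator entropy gatherer service:` has a space between `_` and the label text, while every neighbouring target in the block is written without one (`.. _Record Events When Privileged Executables Are Run:`). Even if docutils normalises the leading whitespace away, the row added in the `@@ -116,6 +116,10 @@` hunk references the label as `` `EL 8 must enable the hardware random number generator entropy gatherer service`_ `` with no leading space, so the two should be made identical; suggest `.. _EL 8 must enable the hardware random number generator entropy gatherer service: #el-8-must-enable-...`.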
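Review bot: In the `@@ -408,3 +412,21 @@` hunk of PATCH 1/3, the opening sentence of the new section is a fragment: "While this finding states that the `rngd` systemd unit must be enabled _and_ active." has no main clause, and the "Per the output..." sentence that follows is left dangling. Suggest "This finding states that the `rngd` systemd unit must be enabled _and_ active. Per the output from the `rngd.service` systemd unit, however, it cannot be active on this system:". Two documentation gaps in the same hunk: the closing paragraph says FIPS enablement "is specified in another, earlier, higher-priority STIG-finding" without naming that finding's V-/RHEL-08- identifier, which the responder will need to cross-reference; and since the failed condition is literally `ConditionKernelCommandLine=!fips=1`, it would help to tell the responder that the presence of `fips=1` on the booted kernel command line is what makes the finding invalid, so they can confirm it on the scanned host rather than take the quoted `systemctl status` output on faith. The `codition` typo in this hunk is fixed in PATCH 3/3; squashing the two would keep the series bisect-clean.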
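Review bot: In the `@@ -9,6 +9,8 @@` hunk of PATCH 2/3, the rule "If the version/version-range is less than that of the scanned version, the scan result may be immediately flagged as INVALID FINDING" is only safe when the finding applies exclusively to versions below the scanned one; a finding scoped as "8.2 and later" would also have a version lower than, say, 8.8 yet still apply. Suggest wording it as "If the finding applies only to EL8 minor-releases lower than that of the scanned system...". Same paragraph, two grammar fixes: "for versions (well) prior "the latest-available..." is missing "to" ("prior to"), and "cannot be immediate flagged" should be "cannot be immediately flagged".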
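Review bot: In the `@@ -430,7 +430,7 @@` hunk of PATCH 3/3, the `codition` -> `condition` fix leaves the sentence's stacked possessives ("The above-captured output's `ConditionKernelCommandLine`'s indication that...") and the non-word "enableable" in place. Since the line is being touched anyway, suggest: "The `ConditionKernelCommandLine=!fips=1 was not met` line in the output above means `rngd` will not start on a system booted with FIPS mode enabled. FIPS mode is required by another, earlier, higher-priority STIG finding, so this service cannot be made active while that higher-priority configuration is in place."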