Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-1819

DISA STIG should not require rngd.service on RHEL >= 8.4 (was: rngd.service fails to start with fips enabled)

    • None
    • Important
    • rhel-sst-security-compliance
    • ssg_security
    • 26
    • None
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • None

      Description of problem:
      rngd.service fails to start with fips enabled

      Version-Release number of selected component (if applicable):
      RHEL8.8
      rng-tools 6.15-3.el8

      How reproducible:

      1. fips-mode-setup --check
        FIPS mode is enabled.
      1. systemctl restart rngd.service
      1. systemctl status rngd.service
        ● rngd.service - Hardware RNG Entropy Gatherer Daemon
        Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
        Active: inactive (dead) since Wed 2023-05-17 19:22:15 UTC; 6min ago
        Condition: start condition failed at Wed 2023-05-17 19:28:26 UTC; 2s ago
        └─ ConditionKernelCommandLine=!fips=1 was not met
        Main PID: 231 (code=exited, status=0/SUCCESS)

      May 17 19:22:05 localhost rngd[231]: [rdrand]: Enabling RDRAND rng support
      May 17 19:22:05 localhost rngd[231]: [rdrand]: Initialized
      May 17 19:22:05 localhost rngd[231]: [jitter]: JITTER timeout set to 5 sec
      May 17 19:22:05 localhost rngd[231]: [jitter]: Initializing AES buffer
      May 17 19:22:09 localhost rngd[231]: [jitter]: Unable to obtain AES key, disabling JITTER source
      May 17 19:22:09 localhost rngd[231]: [jitter]: Initialization Failed
      May 17 19:22:15 localhost rngd[231]: [rdrand]: Shutting down
      May 17 19:22:15 localhost systemd[1]: Stopping Hardware RNG Entropy Gatherer Daemon...
      May 17 19:22:15 localhost systemd[1]: rngd.service: Succeeded.
      May 17 19:22:15 localhost systemd[1]: Stopped Hardware RNG Entropy Gatherer Daemon.

      Steps to Reproduce:
      1. check and enable fips and reboot

      1. fips-mode-setup --check
        Installation of FIPS modules is not completed.
        FIPS mode is disabled.
      1. fips-mode-setup --enable
        Kernel initramdisks are being regenerated. This might take some time.
        Setting system policy to FIPS
        Note: System-wide crypto policies are applied on application start-up.
        It is recommended to restart the system for the change of policies
        to fully take place.
        FIPS mode will be enabled.
        Please reboot the system for the setting to take effect.
      1. shutdown -r now

      2. check the fips mode is enabled after the reboot

      1. fips-mode-setup --check
        FIPS mode is enabled.

      3. install rng-tools

      1. dnf install rng-tools

      4. start rngd.service

      1. systemctl start rngd.service

      5. check the status of rngd.service

      1. systemctl status rngd.service
        ● rngd.service - Hardware RNG Entropy Gatherer Daemon
        Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
        Active: inactive (dead) since Wed 2023-05-17 19:22:15 UTC; 6min ago
        Condition: start condition failed at Wed 2023-05-17 19:28:26 UTC; 2s ago
        └─ ConditionKernelCommandLine=!fips=1 was not met
        Main PID: 231 (code=exited, status=0/SUCCESS)

      May 17 19:22:05 localhost rngd[231]: [rdrand]: Enabling RDRAND rng support
      May 17 19:22:05 localhost rngd[231]: [rdrand]: Initialized
      May 17 19:22:05 localhost rngd[231]: [jitter]: JITTER timeout set to 5 sec
      May 17 19:22:05 localhost rngd[231]: [jitter]: Initializing AES buffer
      May 17 19:22:09 localhost rngd[231]: [jitter]: Unable to obtain AES key, disabling JITTER source
      May 17 19:22:09 localhost rngd[231]: [jitter]: Initialization Failed
      May 17 19:22:15 localhost rngd[231]: [rdrand]: Shutting down
      May 17 19:22:15 localhost systemd[1]: Stopping Hardware RNG Entropy Gatherer Daemon...
      May 17 19:22:15 localhost systemd[1]: rngd.service: Succeeded.
      May 17 19:22:15 localhost systemd[1]: Stopped Hardware RNG Entropy Gatherer Daemon.

      Actual results:
      rngd.service fails to start when fips enabled

      Expected results:
      rngd.service starts normally with fips enabled

      Additional info:
      I've noticed a new condition, "ConditionKernelCommandLine=!fips=1", added to "/usr/lib/systemd/system/rngd.service" file.
      If I remove that line from the file then the service starts normally.
      Is there a reason that this condition was added for fips?

              jcerny@redhat.com Jan Cerny
              jira-bugzilla-migration RH Bugzilla Integration
              Jan Cerny Jan Cerny
              Milan Lysonek Milan Lysonek
              Votes:
              0 Vote for this issue
              Watchers:
              15 Start watching this issue

                Created:
                Updated:
                Resolved: