Noticed that openscap has more profiles for RHEL8 now, which is nice. Looking at the NIST one, it definitely addresses some things that the DISA one overlooks. For instance, I don’t think DISA has any entropy hardening which seems like an oversight.
Warning: This setting can cause problems on computers without the hardware random generator, because insufficient entropy causes the connection to be blocked until enough entropy is available.
A quick search on this yielded this helpful RHEL article which mentions that Intel has included a hardware random generator starting with Ivy Bridge. I assume AMD offers something comparable. Anyone know what the flag is for it so I can set this conditionally in a script?
But what does this mean for earlier processors? I have some old servers running Westmere chips. What’s the entropy source there, or was it just left up to software to work out based on inputs, jitter and that sort of thing? Will configuring ssh this way on those systems lead to the system hanging? Is haveged relevant here?
You can buy USB entropy generators. These appear to be marketed to Raspberry Pis and similar, which makes sense. Is it worth getting something like this for a server from 2011?
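A shell script, added here as an example and not taken from the post or from openscap, that checks for the CPU flag asked about above and applies the setting only when it is safe, falling back to a check of the kernel entropy pool on machines without a hardware RNG. It assumes the rule in question writes `SSH_USE_STRONG_RNG=32` to `/etc/sysconfig/sshd` and that the feature shows up as the word `rdrand` in `/proc/cpuinfo` on both Intel and AMD.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openscap rule sets
# SSH_USE_STRONG_RNG=32 in /etc/sysconfig/sshd and that the hardware RNG shows
# up as "rdrand" in the flags line of /proc/cpuinfo on Intel and AMD alike.

# Return 0 when the cpuinfo text passed as $1 lists rdrand in a flags line.
has_rdrand() {
    printf '%s\n' "$1" | awk '
        $1 == "flags" { for (i = 3; i <= NF; i++) if ($i == "rdrand") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Decide from cpuinfo text ($1) and entropy_avail ($2) what to do. Prints:
#   enable             - hardware RNG present
#   enable-with-daemon - no hardware RNG but the pool is well stocked, which on an
#                        old box usually means haveged/rngd is feeding it (confirm!)
#   skip               - no hardware RNG and a starved pool: sshd could block
strong_rng_decision() {
    if has_rdrand "$1"; then
        echo enable
    elif [ "$2" -ge 1000 ]; then
        echo enable-with-daemon
    else
        echo skip
    fi
}

# Set SSH_USE_STRONG_RNG=32 in sysconfig file $1, replacing any existing line
# and dropping duplicates, so it is safe to run repeatedly.
apply_strong_rng() {
    [ -f "$1" ] || : > "$1"
    newfile="$1.tmp.$$"
    awk -v kv='SSH_USE_STRONG_RNG=32' '
        /^SSH_USE_STRONG_RNG=/ { if (!done) print kv; done = 1; next }
        { print }
        END { if (!done) print kv }' "$1" > "$newfile" && mv "$newfile" "$1"
}

# Constructed /proc/cpuinfo fragments (not real captures) for offline checks.
IVY_BRIDGE_LIKE='model name : constructed Ivy Bridge-class CPU
flags : fpu vme de pse tsc msr pae sse sse2 aes rdrand'
WESTMERE_LIKE='model name : constructed Westmere-class CPU
flags : fpu vme de pse tsc msr pae sse sse2 aes'

# Live run on the host: ./strong_rng.sh --apply (reads /proc, writes sysconfig).
if [ "${1:-}" = "--apply" ]; then
    case $(strong_rng_decision "$(cat /proc/cpuinfo)" \
                               "$(cat /proc/sys/kernel/random/entropy_avail)") in
        skip) echo "no hardware RNG and entropy pool is low; not enabling" >&2 ;;
        *)    apply_strong_rng /etc/sysconfig/sshd ;;
    esac
fi
```

Without `--apply` the script only defines the functions, so it can be sourced and its decision logic checked before touching a live box.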