Entropy
Not available from C2S/CIS standard. You can file an issue about it and ask that it be added.
Entropy is the kernel's measure of the unpredictability it has collected to seed its random number generator, which userspace reads through /dev/random and /dev/urandom.
It is important for a secure operating system to have sufficient quantities of entropy available for various cryptographic and non-cryptographic purposes, such as:
- generation of cryptographic keys
- TCP port randomisation (NAT, outbound connection)
- TCP sequence number selection
- writing random files for testing network functionality and throughput
- overwriting hard disks prior to reuse or resale or encryption
Wherever entropy is consumed heavily it is generally recommended to supply additional entropy sources.
Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers. Note that since Linux 5.6 /dev/random no longer blocks once the pool has been initialised and the kernel can seed itself from CPU timing jitter, so on current kernels haveged matters far less than on the older releases this advice was written for; on kernels 5.18 and later the write_wakeup_threshold sysctl is retained only for compatibility and no longer influences the pool.
```bash
# Add haveged daemon to autostart (and start it now)
systemctl enable --now haveged

# For temporary change (lost on reboot): raise the threshold at which the
# kernel wakes writers to top up the pool
echo "1024" > /proc/sys/kernel/random/write_wakeup_threshold

# For permanent change (edit /etc/rc.local); adjust the path to wherever your
# package installed the haveged binary
/usr/local/sbin/haveged -w 1024
```
To check the status of your server's entropy, just run the following:

```bash
cat /proc/sys/kernel/random/entropy_avail
```

To check the maximum limit of entropy:

```bash
cat /proc/sys/kernel/random/poolsize
```
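The two cat commands above give raw numbers; what you usually want is a pass/fail verdict you can drop into a health check or cron job. The script below is an added example, not part of the guide, that reads the same two files, classifies the pool as unseeded, low or ok, and reports how full it is. The file paths are parameters so the logic can be exercised against constructed files, and the 256-bit floor is an assumption chosen because kernels 5.18 and later report exactly 256 once the generator is seeded.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): classify the kernel entropy pool state
# from /proc/sys/kernel/random/{entropy_avail,poolsize}.

# entropy_state [AVAIL_FILE] [POOL_FILE] [MINIMUM_BITS]
# Prints one of: unseeded, low, ok, unknown. Returns 0 only for "ok",
# 1 for unseeded/low and 2 if the files could not be read.
entropy_state() {
  avail_file="${1:-/proc/sys/kernel/random/entropy_avail}"
  pool_file="${2:-/proc/sys/kernel/random/poolsize}"
  minimum="${3:-256}"   # assumed floor; 5.18+ kernels report exactly 256 when seeded

  # keep digits only so stray whitespace or a missing file cannot break the
  # integer comparisons below
  avail=$(tr -dc '0-9' < "$avail_file" 2>/dev/null)
  pool=$(tr -dc '0-9' < "$pool_file" 2>/dev/null)
  if [ -z "$avail" ] || [ -z "$pool" ]; then
    echo "unknown"
    return 2
  fi

  if [ "$avail" -eq 0 ]; then
    echo "unseeded"          # generator not yet initialised: reads may block
    return 1
  elif [ "$avail" -lt "$minimum" ]; then
    echo "low"
    return 1
  fi
  echo "ok"
  return 0
}

# entropy_percent AVAIL_FILE POOL_FILE
# Prints the integer percentage of the pool that is currently filled.
entropy_percent() {
  avail=$(tr -dc '0-9' < "$1" 2>/dev/null)
  pool=$(tr -dc '0-9' < "$2" 2>/dev/null)
  if [ -z "$pool" ] || [ "$pool" -eq 0 ]; then
    echo 0
    return 1
  fi
  echo $(( avail * 100 / pool ))
}

# entropy_report: one-line summary of the live system, suitable for a cron
# job; exit status follows entropy_state so a monitor can alert on it.
entropy_report() {
  avail_file=/proc/sys/kernel/random/entropy_avail
  pool_file=/proc/sys/kernel/random/poolsize
  state=$(entropy_state "$avail_file" "$pool_file")
  rc=$?
  pct=$(entropy_percent "$avail_file" "$pool_file")
  echo "entropy: $state ($pct% of pool)"
  return $rc
}

entropy_report
```

Run it as root or any user (the files are world-readable); a result of `unseeded` on a freshly booted headless machine or VM is exactly the condition the haveged advice above addresses.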
The Practical Linux Hardening Guide provides a high-level overview of hardening GNU/Linux systems. It is not an official standard or handbook, but it touches on and uses industry standards.