ESXI-80-000245 The ESXi host must use sufficient entropy for cryptographic operations.

Information

Starting in vSphere 8.0, the ESXi Entropy implementation supports the FIPS 140-3 and EAL4 certifications. Kernel boot options control which entropy sources to activate on an ESXi host.

In computing, the term "entropy" refers to random characters and data that are collected for use in cryptography, such as generating encryption keys to secure data transmitted over a network. Entropy is required by security for generating keys and communicating securely over the network. Entropy is often collected from a variety of sources on a system.

FIPS entropy handling is the default behavior if the following conditions are true:

-The hardware supports RDSEED.
-The disableHwrng VMkernel boot option is not present or is FALSE.
-The entropySources VMkernel boot option is not present or is 0 (zero).

Solution

From an ESXi shell, run the following commands:

# esxcli system settings kernel set -s disableHwrng -v FALSE
# esxcli system settings kernel set -s entropySources -v 0

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.settings.kernel.set.CreateArgs()
$arguments.setting = "disableHwrng"
$arguments.value = "FALSE"
$esxcli.system.settings.kernel.set.invoke($arguments)
$arguments.setting = "entropySources"
$arguments.value = "0"
$esxcli.system.settings.kernel.set.invoke($arguments)

Reboot the ESXi host after updating entropy settings.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_8-0_Y24M08_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-258799r959010_rule, STIG-ID|ESXI-80-000245, Vuln-ID|V-258799

Plugin: Unix

Control ID: dfc39ee7b419125d106e725137cac70c48fa1928efa0bde426d29789431f73c4