check available entropy in whonixcheck

phabricator-migrator · February 19, 2024, 5:51pm

Information

ID: 202
PHID: PHID-TASK-l7fb2zpalcumpuuga7j5
Author: Patrick
Status at Migration Time: resolved
Priority at Migration Time: Normal

Description

It should not be an issue in most cases, but when someone attempts a port to another platform it might be an issue. Good to check for it protectively.

Similar to:

github.com

martinholovsky/Securix-Linux/blob/master/securix-control/securix-monitor#L165


      
          
          unhide-tcp -n >/dev/null
          if [ "${?}" -eq "0" ]; then
              echo "--- OK: No hidden ports found in system"
              rm -f "${SECURIXVAR}/hidden-tcp.critical"
          else
              echo "--- PROBLEM: Hidden ports found in system!!"
              touch "${SECURIXVAR}/hidden-tcp.critical"
          fi
          
          # Check entropy available bits, 112 is FIPS-140 requirement
          ENTROPYSIZE="$(cat /proc/sys/kernel/random/entropy_avail)"
          if [ "${ENTROPYSIZE}" -lt "112" ]; then
              echo "--- PROBLEM: You have low available entropy. It can potentially affect or DoS your server/service. Install rng-tools to temporary solve it"
              touch "${SECURIXVAR}/entropy.critical"
          else
              echo "--- OK: You have enough entropy available"
              rm -f "${SECURIXVAR}/entropy.critical"
          fi
          
          # process new alerts

# Check entropy available bits, 112 is FIPS-140 requirement
ENTROPYSIZE="$(cat /proc/sys/kernel/random/entropy_avail)"
if [ "${ENTROPYSIZE}" -lt "112" ]; then
    echo "--- PROBLEM: You have low available entropy. It can potentially affect or DoS your server/service. Install rng-tools to temporary solve it"
    touch "${SECURIXVAR}/entropy.critical"
else
    echo "--- OK: You have enough entropy available"
    rm -f "${SECURIXVAR}/entropy.critical"
fi

Comments

Patrick

2015-04-22 14:14:19 UTC