On certain Red Hat Enterprise Linux 5.3 systems (2.6 kernel), the policy server takes a long time to start because, as part of its startup process, it calls the random method, which reads random data from the operating system's random number generator.
The Red Hat OS distribution provides an RNG (random number generator) in the kernel, exposed through two devices: /dev/random and /dev/urandom. /dev/random blocks and waits for more entropy whenever the entropy estimate (roughly, the "amount of randomness" the kernel believes it has collected) is too low to cover the request; /dev/urandom never blocks and returns immediately. Entropy is gathered from various sources (keystrokes, mouse movement, disk I/O timings, etc.). On a desktop with a keyboard and mouse the pool rarely runs dry, but on a headless server or a virtual machine those sources are largely absent, so /dev/random can starve and any process that reads from it, such as the policy server at startup, blocks until enough entropy arrives.
The delay can be confirmed by running the two commands below on the affected server. The first reads 200 bytes from /dev/random and, on an affected system, stalls for many seconds or minutes; the second reads the same amount from /dev/urandom and returns immediately. If both return immediately, the slow startup has a different cause.
dd if=/dev/random bs=1 count=200 > /dev/null
dd if=/dev/urandom bs=1 count=200 > /dev/null
There are a couple of workarounds to address this issue:
- Replace /dev/random with a symbolic link to /dev/urandom. The policy server (and every other program on the system) is then served by /dev/urandom even when it opens /dev/random. Note that on RHEL 5 /dev is populated by udev at boot, so the link has to be recreated after each reboot. The security caveat is this: /dev/urandom never blocks, so it can hand out output before the pool has been seeded at all (very early in boot, or on the first boot of a freshly installed or cloned machine). Once the pool has been seeded, its output is, for all practical purposes, as strong as /dev/random's, and there are no known cases or published ways to abuse it; the weakness is theoretical outside the unseeded case.
- The rngd daemon can be used to feed the entropy pool. Be aware that with the command shown below (-r /dev/urandom) it feeds /dev/urandom's own output back into /dev/random, crediting entropy the kernel never actually collected; in security terms this is equivalent to the symbolic link above, just without modifying /dev. If the server has a hardware RNG exposed by the hw_random driver (a TPM or chipset RNG), point -r at that device instead so the credited entropy is real.
You can see the current entropy estimate (in bits) with the following command:
#cat /proc/sys/kernel/random/entropy_avail
Now start the rngd daemon as root with the following command (-f keeps it in the foreground) and monitor the entropy on the system; the value should climb and stay well above its previous level while rngd runs.
#rngd -r /dev/urandom -o /dev/random -f -t 1
#watch -n 1 cat /proc/sys/kernel/random/entropy_avail
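The following POSIX shell script is an added example, not part of the original article or of the policy server product: it packages the dd timing check from the diagnosis section and the entropy_avail check from the rngd section into one report that an operator can run before and after starting rngd. It assumes the standard /proc path for the entropy counter; the ENTROPY_FILE and LOW_WATER variables are hypothetical knobs introduced here, and the default threshold of 1600 bits (200 bytes x 8) is an assumption chosen to match the 200-byte test read above. It only reads from /dev/random when the pool can cover the request, so the script itself never hangs on a starved server.

```shell
#!/bin/sh
# Added example (not from the original article): report the kernel entropy
# estimate and time a fixed-size read from /dev/urandom and, only when the
# pool can cover it, from /dev/random.
# ENTROPY_FILE, LOW_WATER and the 1600-bit default are assumptions; adjust
# them for your server.

ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
LOW_WATER=${LOW_WATER:-1600}    # assumed threshold in bits: 200 bytes * 8

# entropy_avail [file]: print the kernel's current entropy estimate (bits).
# The optional argument lets you point at a saved copy of the counter;
# a missing or unreadable file is reported as 0 (treated as "empty pool").
entropy_avail() {
    cat "${1:-$ENTROPY_FILE}" 2>/dev/null || echo 0
}

# entropy_is_low [file]: succeed when the estimate is below LOW_WATER bits,
# i.e. when a 200-byte read from /dev/random would be expected to block.
entropy_is_low() {
    [ "$(entropy_avail "$1")" -lt "$LOW_WATER" ]
}

# time_read DEVICE BYTES: read BYTES bytes from DEVICE one byte at a time
# (as the article's dd command does) and print the elapsed wall-clock
# seconds. Whole seconds only: RHEL 5's date has no sub-second format.
time_read() {
    start=$(date +%s)
    dd if="$1" bs=1 count="$2" 2>/dev/null >/dev/null
    end=$(date +%s)
    echo $((end - start))
}

# report [BYTES]: the check an operator would run on the affected server.
# Returns non-zero when the pool is too low for the /dev/random read.
report() {
    bytes=${1:-200}
    echo "entropy_avail: $(entropy_avail) bits (threshold $LOW_WATER)"
    echo "/dev/urandom:  $(time_read /dev/urandom "$bytes")s for $bytes bytes"
    if entropy_is_low; then
        echo "/dev/random:   skipped, pool below threshold;" \
             "a $bytes-byte read would block here"
        return 1
    fi
    echo "/dev/random:   $(time_read /dev/random "$bytes")s for $bytes bytes"
}

# Run the report; a low pool is a finding, not a script failure.
report 200 || true
```

Run it once before starting rngd and again while rngd (or the symbolic link) is in place: the "skipped" line should give way to a sub-second /dev/random timing, and entropy_avail should stay high.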