From 008b3f2bc054661f97f369649baec968dd4ed093 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 21 May 2026 16:55:26 +0200
Subject: [PATCH] package_rng-tools_installed: change applicability according to rhel8 STIG, it should be enabled in the same way as service_rngd_enabled according to RHEL9 STIG, there are no limitations regarding presenc of this package. But in general, I believe the package does not make much sense on systems in FIPS mode, because the enthropy in FIPS mode is gathered from a different source.
---
 .../system-tools/package_rng-tools_installed/rule.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
index a1bbbe567cf0..91a0065011f5 100644
--- a/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_rng-tools_installed/rule.yml
@@ -27,7 +27,15 @@ fixtext: '{{{ fixtext_package_installed("rng-tools") }}}'
 srg_requirement: '{{{ srg_requirement_package_installed("rng-tools") }}}'
-platform: system_with_kernel and not runtime_kernel_fips_enabled
+{{% if product == "rhel8" %}}
+platform: os_linux[rhel]<=8.3 or (os_linux[rhel]>=8.4 and not runtime_kernel_fips_enabled)
+warnings:
+ - general: |-
+ For RHEL versions 8.4 and above running with kernel FIPS mode enabled this rule is not applicable.
+ The in-kernel deterministic random bit generator (DRBG) is used in FIPS mode instead.
+{{% else %}}
+platform: not runtime_kernel_fips_enabled
+{{% endif %}}
 template:
 name: package_installed
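Review bot: The `system_with_kernel` term from the removed `platform:` line is absent from both new expressions, and the commit message does not say the drop is intended. Without it the rule presumably becomes applicable on targets that have no kernel of their own, such as container images, where requiring rng-tools is unlikely to be meaningful; please confirm against how the platform is evaluated. If the drop is not deliberate, keep the guard: `platform: system_with_kernel and not runtime_kernel_fips_enabled` in the else branch and `platform: system_with_kernel and (os_linux[rhel]<=8.3 or (os_linux[rhel]>=8.4 and not runtime_kernel_fips_enabled))` for rhel8. The else branch also excludes FIPS systems without the `warnings:` text the rhel8 branch carries, so a short warning there would tell an auditor why the rule is reported as not applicable. The rule file continues past the end of this hunk.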