Chapter 6. Security

Treating Matches Authoritatively in Look Ups of sudoers Entries

The sudo utility can consult the /etc/nsswitch.conf file to determine where sudoers entries are looked up: in local files or in LDAP. Previously, when a match was found in the first sudoers database, the lookup still continued in the other databases (including files). In Red Hat Enterprise Linux 6.4, an option was added to the /etc/nsswitch.conf file that allows users to specify a database after which a match of a sudoers entry is sufficient. This eliminates the need to query the remaining databases and thus improves the performance of sudoers lookups in large environments. This behavior is not enabled by default and must be configured by adding the [SUCCESS=return] string after a selected database. When a match is found in the database that directly precedes this string, no other databases are queried.
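The two sudoers lines below show the difference in a constructed /etc/nsswitch.conf fragment (an added example, not text from the release notes; the database names and their order are a common deployment, not a recommendation from the page). A real file carries only one sudoers line; both are shown here for contrast.

```text
# /etc/nsswitch.conf -- sudoers lookup order (constructed example)

# Default behaviour: sudo consults files AND ldap for every check, even when
# the user already matched an entry in /etc/sudoers.
sudoers:    files ldap

# RHEL 6.4 and later: stop after files when a matching entry is found there.
# LDAP is only queried for users without a local sudoers entry.
sudoers:    files [SUCCESS=return] ldap
```

The marker is positional: it applies to the database immediately before it, so `ldap [SUCCESS=return] files` would instead make a directory match sufficient and consult /etc/sudoers only for users not found in LDAP.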

Additional Password Checks for pam_cracklib

The pam_cracklib module has been updated to add multiple new password strength checks:
  • Certain authentication policies do not allow passwords that contain long sequences of consecutive characters such as "abcd" or "98765". This update makes it possible to limit the maximum length of such sequences with the new maxsequence option.
  • The pam_cracklib module can now check whether a new password contains words from the GECOS field of the user's entry in the /etc/passwd file. The GECOS field stores additional information about the user, such as the user's full name or a phone number, which an attacker could use when attempting to guess the password.
  • The pam_cracklib module now makes it possible to specify, with the maxrepeatclass option, the maximum number of consecutive characters of the same class (lowercase, uppercase, digits, and special characters) allowed in a password.
  • The pam_cracklib module now supports the enforce_for_root option, which enforces the complexity restrictions on new passwords for the root account as well.
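To make the three new checks concrete, here is an added Go re-implementation of their documented logic (example code written for this page, not the pam_cracklib module's own source, which is C). The Policy fields, the character classes and the rule that only GECOS words longer than three characters are tested, forwards or reversed, are assumptions modelled on the module's man page; the policy values and the GECOS string are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Policy mirrors the three new options (hypothetical struct, not a pam_cracklib API).
type Policy struct {
	MaxSequence    int    // maxsequence=N: reject monotonic runs longer than N (0 disables)
	MaxRepeatClass int    // maxrepeatclass=N: reject more than N consecutive same-class chars (0 disables)
	Gecos          string // gecoscheck: the user's GECOS field from /etc/passwd ("" disables)
}

// charClass groups a rune into lowercase, uppercase, digit or "other".
func charClass(r rune) int {
	switch {
	case unicode.IsLower(r):
		return 0
	case unicode.IsUpper(r):
		return 1
	case unicode.IsDigit(r):
		return 2
	}
	return 3 // punctuation and everything else
}

// longestMonotonicRun returns the longest run of characters that each differ
// from the previous one by exactly +1 or -1 in a single direction ("abcd" -> 4, "98765" -> 5).
func longestMonotonicRun(pw string) int {
	rs, best, cur, dir := []rune(pw), 0, 0, 0
	for i := range rs {
		diff := 0
		if i > 0 {
			diff = int(rs[i]) - int(rs[i-1])
		}
		if diff != 1 && diff != -1 { // not adjacent in the character set: run broken
			cur, dir = 1, 0
		} else if dir == 0 || diff == dir { // continues the run in the same direction
			cur, dir = cur+1, diff
		} else { // direction flipped: this pair starts a new run
			cur, dir = 2, diff
		}
		if cur > best {
			best = cur
		}
	}
	return best
}

// longestSameClassRun returns the longest stretch of consecutive same-class characters.
func longestSameClassRun(pw string) int {
	rs, best, cur := []rune(pw), 0, 0
	for i := range rs {
		if i > 0 && charClass(rs[i]) == charClass(rs[i-1]) {
			cur++
		} else {
			cur = 1
		}
		if cur > best {
			best = cur
		}
	}
	return best
}

// gecosWordInPassword returns the first GECOS word longer than three characters
// found in the password, case-insensitively, forwards or reversed; "" if none.
func gecosWordInPassword(pw, gecos string) string {
	lower := strings.ToLower(pw)
	for _, w := range strings.Fields(strings.ReplaceAll(gecos, ",", " ")) {
		if len(w) <= 3 {
			continue
		}
		w = strings.ToLower(w)
		rev := []rune(w)
		for i, j := 0, len(rev)-1; i < j; i, j = i+1, j-1 {
			rev[i], rev[j] = rev[j], rev[i]
		}
		if strings.Contains(lower, w) || strings.Contains(lower, string(rev)) {
			return w
		}
	}
	return ""
}

// CheckPassword returns one message per violated rule; empty means the password passes.
func CheckPassword(pw string, p Policy) []string {
	var problems []string
	if n := longestMonotonicRun(pw); p.MaxSequence > 0 && n > p.MaxSequence {
		problems = append(problems, fmt.Sprintf("monotonic sequence of %d > maxsequence=%d", n, p.MaxSequence))
	}
	if n := longestSameClassRun(pw); p.MaxRepeatClass > 0 && n > p.MaxRepeatClass {
		problems = append(problems, fmt.Sprintf("%d same-class characters in a row > maxrepeatclass=%d", n, p.MaxRepeatClass))
	}
	if w := gecosWordInPassword(pw, p.Gecos); w != "" {
		problems = append(problems, fmt.Sprintf("contains GECOS word %q", w))
	}
	return problems
}

func main() {
	policy := Policy{MaxSequence: 3, MaxRepeatClass: 4, Gecos: "Jane Doe,Room 101,555-0100"} // constructed sample
	for _, pw := range []string{"abcd-Q9z", "aaaaa1!B", "Str0ng.enaJ", "xyz!Q9#mK"} {
		fmt.Printf("%-12s -> %v\n", pw, CheckPassword(pw, policy))
	}
}
```

Of the four sample passwords only the last passes: the first fails on the "abcd" run, the second on five lowercase letters in a row, and the third because it embeds the first name from the GECOS field spelled backwards, which is exactly the kind of guessable material the gecoscheck is meant to catch.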

Size Option for tmpfs Polyinstantiation

On a system with multiple tmpfs mounts, it is necessary to limit their size to prevent them from occupying all of the system memory. PAM has been updated so that, when tmpfs polyinstantiation is used, the maximum size of each tmpfs mount can be specified with the mntopts=size=<size> option in the /etc/namespace.conf configuration file.

Locking Inactive Accounts

Certain authentication policies require support for locking an account that has not been used for a certain period of time. Red Hat Enterprise Linux 6.4 adds a function to the pam_lastlog module that allows accounts to be locked after a configurable number of days of inactivity.
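The module options described in this section and the two preceding ones, written as the configuration lines an administrator would add (a constructed example for this page, not text from the release notes). The option names are those named above; the gecoscheck=1 spelling, the auth phase for pam_lastlog and the colon-separated flag syntax in namespace.conf are assumptions based on the modules' man pages, so verify them against pam_cracklib(8), pam_namespace(8) and pam_lastlog(8) on the target system before deploying.

```text
# /etc/pam.d/system-auth -- password stack (values are illustrative)
# maxsequence=3 rejects "abcd", maxrepeatclass=4 rejects "aaaaa",
# gecoscheck=1 tests GECOS words, enforce_for_root applies all of it to root
password    requisite     pam_cracklib.so try_first_pass retry=3 type= minlen=12 maxsequence=3 maxrepeatclass=4 gecoscheck=1 enforce_for_root

# /etc/namespace.conf -- per-user /tmp instances capped at 512 MB of tmpfs each,
# root and adm keep the shared /tmp (flag appended to the tmpfs method)
/tmp        /tmp-inst/    tmpfs:mntopts=size=512M    root,adm

# /etc/pam.d/system-auth -- refuse logins to accounts unused for 60 days
auth        required      pam_lastlog.so inactive=60
```

Test the pam_cracklib line from a second root session before logging out, since a typo in a password or auth stack line can lock every user out, and size the tmpfs cap from the number of concurrently logged-in users rather than per-mount comfort: the limit is per instance, so the total memory that polyinstantiated directories can consume is the cap multiplied by the number of active users.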

New Modes of Operation for libica

The libica library, which contains a set of functions and utilities for accessing the IBM eServer Cryptographic Accelerator (ICA) hardware on IBM System z, has been modified to support new algorithms that use the Message Security Assist Extension 4 instructions of the Central Processor Assist for Cryptographic Function (CPACF). For the DES and 3DES block ciphers, the following modes of operation are now supported:
  • Cipher Block Chaining with Ciphertext Stealing (CBC-CS)
  • Cipher-based Message Authentication Code (CMAC)
For the AES block cipher, the following modes of operation are now supported:
  • Cipher Block Chaining with Ciphertext Stealing (CBC-CS)
  • Counter with Cipher Block Chaining Message Authentication Code (CCM)
  • Galois/Counter (GCM)
Hardware acceleration of these more complex cryptographic modes significantly improves the performance of IBM System z machines.
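CBC with ciphertext stealing is the least familiar of the modes listed, so here is an added Go example showing how it works in software (written for this page; it is not libica code and does not use the CPACF instructions). The release notes do not say which CS variant libica implements; this example uses CS3 from the NIST SP 800-38A Addendum, the variant also used by Kerberos, with AES from the Go standard library. The same construction applies to DES and 3DES with an 8-byte block. The key, IV and message are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// EncryptCBCCS3 encrypts a plaintext of at least one block with AES-CBC and
// ciphertext stealing, variant CS3 of NIST SP 800-38A Addendum: the partial
// final block is zero-padded and CBC-encrypted, the last two ciphertext blocks
// are swapped, and the one now in last place is truncated to the partial
// block's length, so ciphertext and plaintext have the same length.
func EncryptCBCCS3(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(iv) != bs || len(plaintext) < bs {
		return nil, errors.New("iv must be one block and plaintext at least one block")
	}
	d := len(plaintext) % bs // bytes in the final, possibly partial, block
	if d == 0 {
		d = bs
	}
	padded := make([]byte, len(plaintext)+bs-d) // zero padding to whole blocks
	copy(padded, plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	n := len(padded) / bs
	if n == 1 {
		return ct, nil // one full block: ordinary CBC, nothing to steal
	}
	out := append([]byte{}, ct[:(n-2)*bs]...)     // C_1 .. C_{n-2}
	out = append(out, ct[(n-1)*bs:]...)           // C_n, moved forward
	out = append(out, ct[(n-2)*bs:(n-2)*bs+d]...) // C_{n-1}*, the first d bytes only
	return out, nil
}

// DecryptCBCCS3 inverts EncryptCBCCS3. D_K(C_n) = P_n XOR C_{n-1}, and the
// last bs-d bytes of P_n are the zero padding, so those bytes of D_K(C_n) are
// exactly the stolen tail of C_{n-1}.
func DecryptCBCCS3(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(iv) != bs || len(ciphertext) < bs {
		return nil, errors.New("iv must be one block and ciphertext at least one block")
	}
	d := len(ciphertext) % bs
	if d == 0 {
		d = bs
	}
	n := (len(ciphertext) + bs - 1) / bs
	if n == 1 {
		pt := make([]byte, bs)
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ciphertext)
		return pt, nil
	}
	cN := ciphertext[(n-2)*bs : (n-1)*bs] // C_n occupies the second-to-last slot
	z := make([]byte, bs)
	block.Decrypt(z, cN) // Z = P_n XOR C_{n-1}
	cPrev := make([]byte, bs)
	copy(cPrev, ciphertext[(n-1)*bs:]) // the d kept bytes of C_{n-1}
	copy(cPrev[d:], z[d:])             // plus its stolen tail, recovered from Z
	pN := make([]byte, d)
	for i := range pN {
		pN[i] = z[i] ^ cPrev[i]
	}
	full := append(append([]byte{}, ciphertext[:(n-2)*bs]...), cPrev...)
	pt := make([]byte, len(full))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, full)
	return append(pt, pN...), nil
}

func main() {
	key := []byte("0123456789abcdef")                     // constructed demo key, not a real secret
	iv := []byte("fedcba9876543210")                      // constructed demo IV
	msg := []byte("ciphertext stealing keeps the length") // 36 bytes: two blocks plus four
	ct, err := EncryptCBCCS3(key, iv, msg)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptCBCCS3(key, iv, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d plaintext bytes -> %d ciphertext bytes, round trip ok: %v\n", len(msg), len(ct), bytes.Equal(pt, msg))
}
```

Because no padding is transmitted, ciphertext stealing removes the padding oracle that plain CBC with PKCS#7 padding can expose, but it still provides confidentiality only: like CBC it authenticates nothing, which is why the authenticated modes in the same list (CMAC for a tag, CCM and GCM for combined encryption and integrity) are the ones to prefer for new protocols.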

Optimization of, and Support for, the zlib Compression Library for System z

The zlib library, a general-purpose lossless data compression library, has been updated to improve compression performance on IBM System z.

Fallback Firewall Configuration

The iptables and ip6tables services now provide the ability to assign a fallback firewall configuration that is used if the default configuration cannot be applied. If applying the firewall rules from /etc/sysconfig/iptables fails, the fallback file is applied if it exists. The fallback file is named /etc/sysconfig/iptables.fallback and uses the iptables-save file format (the same as /etc/sysconfig/iptables). If applying the fallback file also fails, there is no further fallback. To create a fallback file, use the standard firewall configuration tools and rename or copy the resulting file to the fallback file name. Use the same process for the ip6tables service, replacing all occurrences of iptables with ip6tables.
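A fallback file is most useful when it is deliberately minimal: the primary ruleset typically fails because of a rule that references a missing module or target, so a fallback that relies only on the basic filter table is far more likely to load. The constructed example below (added for this page, not from the release notes) is a default-deny IPv4 ruleset in iptables-save format that keeps remote administration reachable; the allowed port is a sample value.

```text
# /etc/sysconfig/iptables.fallback -- constructed minimal default-deny ruleset
# Applied by the iptables service only when /etc/sysconfig/iptables fails to load.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
```

Because the fallback only helps if it loads, validate it the same way as the primary file before relying on it: `iptables-restore --test < /etc/sysconfig/iptables.fallback` parses and builds the ruleset without committing it, so a syntax error surfaces at deployment time rather than during an outage. Keep the file mode restrictive (0600, owned by root) like /etc/sysconfig/iptables, since it defines the host's reachable attack surface, and log or alert whenever the service reports that the fallback was applied so that the broken primary configuration is fixed rather than silently replaced.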