Chapter 14. Security

OpenSSH chroot Shell Logins

Generally, each Linux user is mapped to an SELinux user using SELinux policy, enabling Linux users to inherit the restrictions placed on SELinux users. There is a default mapping in which Linux users are mapped to the SELinux unconfined_u user.
In Red Hat Enterprise Linux 7, the ChrootDirectory option for chrooting users can be used with unconfined users without any change, but for confined users, such as staff_u, user_u, or guest_u, the SELinux selinuxuser_use_ssh_chroot variable has to be set. Administrators are advised to use the guest_u user for all chrooted users when using the ChrootDirectory option to achieve higher security.

OpenSSH - Multiple Required Authentications

Red Hat Enterprise Linux 7 supports multiple required authentications in SSH protocol version 2 using the AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any list is required for authentication to complete. This enables, for example, requiring a user to have to authenticate using the public key or GSSAPI before they are offered password authentication.

GSS Proxy

GSS Proxy is the system service that establishes GSS API Kerberos context on behalf of other applications. This brings security benefits; for example, in a situation when the access to the system keytab is shared between different processes, a successful attack against that process leads to Kerberos impersonation of all other processes.

Changes in NSS

The nss packages have been upgraded to upstream version 3.15.2. Message-Digest algorithm 2 (MD2), MD4, and MD5 signatures are no longer accepted for online certificate status protocol (OCSP) or certificate revocation lists (CRLs), consistent with their handling for general certificate signatures.
Advanced Encryption Standard Galois Counter Mode (AES-GCM) Cipher Suite (RFC 5288 and RFC 5289) has been added for use when TLS 1.2 is negotiated. Specifically, the following cipher suites are now supported:

New Boolean Names

Several SELinux boolean names have been changed to be more domain-specific. The old names can still be used, however, only the new names will appear in the lists of booleans.
The old boolean names and their respective new names are available from the /etc/selinux/<policy_type>/booleans.subs_dist file.

SCAP Workbench

SCAP Workbench is a GUI front end that provides scanning functionality for SCAP content. SCAP Workbench is included as a Technology Preview in Red Hat Enterprise Linux 7.
You can find detailed information on the website of the upstream project:

OSCAP Anaconda Add-On

Red Hat Enterprise Linux 7 introduces the OSCAP Anaconda add-on as a Technology Preview. The add-on integrates OpenSCAP utilities with the installation process and enables installation of a system following restrictions given by SCAP content.