Chapter 14. Security
OpenSSH chroot Shell Logins
Generally, each Linux user is mapped to an SELinux user using SELinux policy, enabling Linux users to inherit the restrictions placed on SELinux users. There is a default mapping in which Linux users are mapped to the SELinux unconfined_u user.
In Red Hat Enterprise Linux 7, the ChrootDirectory option for chrooting users can be used with unconfined users without any change, but for confined users, such as staff_u, user_u, or guest_u, the SELinux selinuxuser_use_ssh_chroot boolean has to be set. Administrators are advised to use the guest_u user for all chrooted users when using the ChrootDirectory option to achieve higher security.
OpenSSH - Multiple Required Authentications
Red Hat Enterprise Linux 7 supports multiple required authentications in SSH protocol version 2 using the AuthenticationMethods option. This option lists one or more comma-separated lists of authentication method names. Successful completion of all the methods in any one list is required for authentication to complete. This enables, for example, requiring a user to authenticate using a public key or GSSAPI before they are offered password authentication.
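The following added shell example (not from the release notes) models how sshd evaluates an AuthenticationMethods value with several alternative lists, and prints a constructed sshd_config fragment that combines it with a chrooted group; the group name, chroot path and method lists are assumptions.

```sh
#!/bin/sh
# Added example, not Red Hat's code. Models the AuthenticationMethods rule:
# the value is a space-separated set of lists, each list comma-separated;
# login completes when every method in at least one list has succeeded.
# (Real sshd additionally offers the methods of a list in the listed order.)

# Constructed policy: key OR Kerberos, then a password in either case.
AUTH_METHODS="publickey,password gssapi-with-mic,password"

# auth_complete "<AuthenticationMethods value>" "<completed methods, space-separated>"
# Returns 0 when some list is fully satisfied, 1 otherwise.
auth_complete() {
    methods_value=$1
    completed=" $2 "
    for list in $methods_value; do          # each alternative list
        all_done=1
        old_ifs=$IFS
        IFS=,
        for m in $list; do                  # each method inside the list
            case "$completed" in
                *" $m "*) ;;                # this method has been completed
                *) all_done=0 ;;            # a required method is missing
            esac
        done
        IFS=$old_ifs
        [ "$all_done" -eq 1 ] && return 0
    done
    return 1
}

# print_sshd_fragment: constructed sshd_config lines for a chrooted group.
# Confined SELinux users additionally need the boolean from the notes:
#   setsebool -P selinuxuser_use_ssh_chroot 1
# and chrooted accounts are best mapped to guest_u, e.g.
#   semanage login -a -s guest_u <user>
print_sshd_fragment() {
    cat <<EOF
AuthenticationMethods $AUTH_METHODS

Match Group chrootusers
    ChrootDirectory /srv/chroot/%u
    ForceCommand internal-sftp
EOF
}
```

Run `print_sshd_fragment` to see the fragment; call `auth_complete "$AUTH_METHODS" "publickey password"` to check a sequence of completed methods against the policy.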
GSS Proxy
GSS Proxy is the system service that establishes GSS API Kerberos context on behalf of other applications. This brings security benefits; for example, when access to the system keytab is shared between different processes, a successful attack against any one of those processes leads to Kerberos impersonation of all the others.
Changes in NSS
The nss packages have been upgraded to upstream version 3.15.2. Message-Digest algorithm 2 (MD2), MD4, and MD5 signatures are no longer accepted for online certificate status protocol (OCSP) or certificate revocation lists (CRLs), consistent with their handling for general certificate signatures.
Advanced Encryption Standard Galois Counter Mode (AES-GCM) Cipher Suite (RFC 5288 and RFC 5289) has been added for use when TLS 1.2 is negotiated. Specifically, the following cipher suites are now supported:
New Boolean Names
Several SELinux boolean names have been changed to be more domain-specific. The old names can still be used; however, only the new names appear in the lists of booleans.
The old boolean names and their respective new names are available from the
SCAP Workbench
SCAP Workbench is a GUI front end that provides scanning functionality for SCAP content. SCAP Workbench is included as a Technology Preview in Red Hat Enterprise Linux 7.
You can find detailed information on the website of the upstream project:
OSCAP Anaconda Add-On
Red Hat Enterprise Linux 7 introduces the OSCAP Anaconda add-on as a Technology Preview. The add-on integrates OpenSCAP utilities with the installation process and enables installation of a system following restrictions given by SCAP content.