Chapter 12. Security

GSSAPI key-exchange algorithms can now be selectively disabled

In view of the Logjam security vulnerability, the gss-group1-sha1-* key-exchange methods are no longer considered secure. While there was the possibility to disable this key-exchange method as a normal key exchange, it was not possible to disable it as a GSSAPI key exchange. With this update, the administrator can selectively disable this or other algorithms used by the GSSAPI key exchange.

SELinux policy for Red Hat Gluster Storage has been added

Previously, SELinux policy for Red Hat Gluster Storage (RHGS) components was missing, and Gluster worked correctly only when SELinux was in permissive mode. With this update, SELinux policy rules for the glusterd (glusterFS Management Service), glusterfsd (NFS sever), smbd, nfsd, rpcd, adn ctdbd processes have been updated providing SELinux support for Gluster.

openscap rebase to version 1.2.5

The openscap packages have been upgraded to upstream version 1.2.5, which provides a number of bug fixes and enhancements over the previous version.
Notable enhancements include:
* Support for OVAL version 5.11, which brings multiple improvements such as for systemd properties
* Introduced native support of xml.bz2 input files
* Introduced the oscap-ssh tool for assessing remote systems
* Introduced the oscap-docker tool for assessing containers/images

scap-security-guide rebase to version 0.1.25

The scap-security-guide tool has been upgraded to upstream version 0.1.25, which provides a number of bug fixes and enhancements over the previous version.
Notable enhancements include:
* New security profiles for Red Hat Enterprise Linux 7 Server: Common Profile for General-Purpose Systems, Draft PCI-DSS v3 Control Baseline, Standard System Security Profile, and Draft STIG for Red Hat Enterprise Linux 7 Server.
* New security benchmarks for Firefox and Java Runtime Environment (JRE) components running on Red Hat Enterprise Linux 6 and 7.
* New scap-security-guide-doc subpackage, which contains HTML-formatted documents containing security guides generated from XCCDF benchmarks (for every security profile shipped in security benchmarks for Red Hat Enterprise Linux 6 and 7, Firefox, and JRE).