The SELinux user space packages rebased to version 2.5
The SELinux user space packages have been upgraded to upstream version 2.5, which provides a number of enhancements, bug fixes, and performance improvements over the previous version. The most important new features in the SELinux userspace 2.5 include:
The new SELinux module store supports priorities. The priority concept provides the ability to override a system module with a module of a higher priority.
SELinux Common Intermediate Language (CIL) provides clear and simple syntax that is easy to read, parse, and to generate by high-level compilers, analysis tools, and policy generation tools.
Time-consuming SELinux operations, such as policy installations or loading new policy modules, are now significantly faster.
Note: The default location of the SELinux modules remains in the /etc/selinux/ directory in Red Hat Enterprise Linux 7, whereas the upstream version uses /var/lib/selinux/. To change this location for migration, set the store-root= option in the /etc/selinux/semanage.conf file. (BZ#1297815)
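As an added illustration (not taken from the release notes), the following shell snippet shows how module priorities are used with the 2.5 store and how to check which distribution modules a local override is currently shadowing. The module names, the priority 400 and the `semodule -lfull` sample output are assumptions constructed for the example; the `store-root` line follows the note above.

```shell
#!/bin/sh
# Added example, not part of the release notes: using module priorities in the
# SELinux userspace 2.5 store and spotting which modules are overridden.
#
# Distribution modules are installed at priority 100; installing a locally
# modified module at a higher priority (400 is used here) overrides it without
# deleting the original, and removing the override restores the original:
#   semodule -X 400 -i ./httpd.pp      # override the distribution httpd module
#   semodule -X 400 -r httpd           # drop the override; priority 100 is back
#   semodule -lfull                    # list every module with its priority
#
# To keep the RHEL 7 store location when migrating, semanage.conf carries:
#   store-root = /etc/selinux

# Constructed sample of `semodule -lfull` output: priority, module name, type.
sample_lfull() {
    printf '%s\n' \
        '100 abrt pp' \
        '100 httpd pp' \
        '400 httpd pp' \
        '100 sshd pp' \
        '400 sshd pp' \
        '200 mylocal cil'
}

# Read `semodule -lfull` output on stdin and print every module that exists at
# more than one priority, i.e. the modules an override currently shadows.
# Output: "<module> <priority> <priority>...", sorted by module name.
find_overridden_modules() {
    awk '
        NF >= 2 { prios[$2] = prios[$2] " " $1 }
        END {
            for (m in prios)
                if (split(prios[m], p, " ") > 1) printf "%s%s\n", m, prios[m]
        }
    ' | sort
}

# On a live system:  semodule -lfull | find_overridden_modules
sample_lfull | find_overridden_modules
```

Run against the constructed sample, the check reports `httpd 100 400` and `sshd 100 400`, which is exactly the list an administrator wants to review before a policy update replaces the priority-100 copies.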
scap-workbench rebased to version 1.1.2
The scap-workbench package has been rebased to version 1.1.2, which provides a new SCAP Security Guide integration dialog. The dialog helps the administrator choose a product that needs to be scanned instead of choosing content files. The new version also offers a number of performance and user-experience improvements, including improved rule searching in the tailoring window, the possibility to fetch remote resources in SCAP content using the GUI, and the dry-run feature. The dry-run feature enables the user to get the oscap command-line arguments in the diagnostics window instead of running the scan. (BZ#1202854)
openscap rebased to version 1.2.10
The OpenSCAP suite that enables integration of the Security Content Automation Protocol (SCAP) line of standards has been rebased to version 1.2.10, the latest upstream version. The openscap packages provide the OpenSCAP library and the oscap utility. Most notably, this update adds support for scanning containers using the atomic scan command. In addition, this update provides the following enhancements:
oscap-vm, a tool for offline scanning of virtual machines
oscap-chroot, a tool for offline scanning of file systems mounted at arbitrary paths
Full support for Open Vulnerability and Assessment Language (OVAL) 5.11.1
Native support for remote .xml.bz2 files
Grouping HTML report results according to various criteria
HTML report improvements
Verbose mode for debugging OVAL evaluation (BZ#1278147)
firewalld rebased to version 0.4.3.2
The firewalld packages have been upgraded to upstream version 0.4.3.2, which provides a number of enhancements and bug fixes over the previous version. Notable changes include the following:
firewalld starts and restarts significantly faster thanks to the new transaction model, which groups together rules that are applied simultaneously. This model uses the iptables restore commands. Also, the firewall-applet tools have been improved with performance in mind.
The improved management of connections, interfaces and sources: The user can now control zone settings for connections in NetworkManager. In addition, zone settings for interfaces are also controlled by firewalld and in the
Default logging option: With the new LogDenied setting, the user can easily debug and log denied packets.
firewalld now supports several IP sets as zone sources, within rich and direct rules. Note that in Red Hat Enterprise Linux 7.3, firewalld supports only the following
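The following shell snippet is an added example (not part of the release notes) that puts the two firewalld features above together: it turns on LogDenied, feeds an IP set into the drop zone as a source, and then summarises the kernel log lines that LogDenied produces so the denied traffic can actually be reviewed. The IP set name, the addresses and the log excerpt are constructed for the example; the FINAL_REJECT, FINAL_DROP and STATE_INVALID_DROP log prefixes are assumed here to be the ones firewalld's LogDenied rules emit.

```shell
#!/bin/sh
# Added example, not part of the release notes: the firewalld 0.4.3 LogDenied
# setting and IP-set zone sources, plus a summary of what LogDenied writes to
# the kernel log. Sample log lines below are constructed.

# Log all denied packets (unicast, broadcast and multicast). The other
# accepted values for --set-log-denied are unicast, broadcast, multicast, off.
enable_log_denied() {
    firewall-cmd --set-log-denied=all
}

# Keep a permanent IP set and attach it to the drop zone as a source, so the
# listed hosts are handled by the drop zone regardless of interface zone.
drop_from_ipset() {
    set_name=$1; shift
    firewall-cmd --permanent --new-ipset="$set_name" --type=hash:ip
    for addr in "$@"; do
        firewall-cmd --permanent --ipset="$set_name" --add-entry="$addr"
    done
    firewall-cmd --permanent --zone=drop --add-source="ipset:$set_name"
    firewall-cmd --reload
}

# Constructed kernel log excerpt of the kind LogDenied=all produces.
sample_kernel_log() {
    printf '%s\n' \
        'Jun 10 12:00:01 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51000 DPT=23 WINDOW=29200' \
        'Jun 10 12:00:02 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51001 DPT=23 WINDOW=29200' \
        'Jun 10 12:00:03 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 PROTO=UDP SPT=4000 DPT=161' \
        'Jun 10 12:00:04 host sshd[123]: Accepted publickey for admin from 192.0.2.99'
}

# Count denied packets per source address and protocol/port, highest first.
summarise_denied() {
    awk '
        /FINAL_REJECT:|FINAL_DROP:|STATE_INVALID_DROP:/ {
            src = "?"; dpt = "?"; proto = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)        src   = substr($i, 5)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            count[src " " proto "/" dpt]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# On a live system:  journalctl -k | summarise_denied
sample_kernel_log | summarise_denied
```

On the constructed excerpt the summary starts with `2 192.0.2.10 TCP/23`, i.e. the repeated telnet attempts from one source, with the single SNMP probe listed after it; lines that carry no LogDenied prefix are ignored.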
audit rebased to version 2.6.5
The audit packages contain the user space utilities for storing and searching the audit records which have been generated by the audit subsystem in the Linux kernel. The audit packages have been upgraded to upstream version 2.6.5, which provides a number of enhancements and bug fixes over the previous version. Notable changes include the following:
The audit daemon now includes a new flush technique called incremental_async, which improves its performance approximately 90 times.
The audit system now has many more rules that can be composed into an audit policy. Some of these new rules include support for the Security Technical Implementation Guide (STIG), PCI Data Security Standard, and other capabilities such as auditing the occurrence of 32-bit syscalls, significant power usage, or module loading.
The auditd.conf configuration file and the auditctl command now support many new options.
The audit system now supports a new log format called , which resolves UID, GID, syscall, architecture, and network addresses. This will aid in log analysis on a machine that differs from where the log was generated. (BZ#1296204)
MACsec (IEEE 802.1AE) is now supported
With this update, the Media Access Control Security (MACsec) encryption over Ethernet is supported. MACsec encrypts and authenticates all traffic in LANs with the GCM-AES-128 algorithm. (BZ#1104151)
The rsyslog RELP module now binds to a specific rule set
With this update, the rsyslog Reliable Event-Logging Protocol (RELP) module is now capable of binding to a specific rule set with each input instance. The instance rule set has higher priority than the rule set. (BZ#1223566)
rsyslog imfile module now supports a wildcard file name
The rsyslog packages provide an enhanced, multi-threaded syslog daemon. With this update, the rsyslog imfile module supports using wildcards inside file names and adding the actual file name to the message's metadata. This is useful when rsyslog needs to read logs under a directory and does not know the names of the files in advance. (BZ#1303617)
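The following rsyslog configuration fragment is an added example (not from the release notes or the rsyslog project) that exercises both rsyslog changes described above: an imfile input with a wildcard file name that records the originating file name in the message metadata, and an imrelp input bound to its own rule set. The directory, file names, port and rule-set names are assumptions for the illustration.

```conf
# Added example, not part of the release notes. Paths, port and names are
# assumed for illustration.
module(load="imfile")
module(load="imrelp")

# Wildcard file name: every *.log under the directory is followed, and
# addMetadata="on" records which file a line came from in $!metadata!filename.
# The input is bound to its own rule set so these lines never hit the
# default rule set.
input(type="imfile"
      File="/var/log/myapp/*.log"
      Tag="myapp:"
      addMetadata="on"
      ruleset="appfiles")

# Make the originating file name visible in the written line.
template(name="withSource" type="string"
         string="%timegenerated% %$!metadata!filename% %msg%\n")

ruleset(name="appfiles") {
    action(type="omfile" file="/var/log/myapp-combined.log" template="withSource")
}

# RELP listener bound to its own rule set; the rule set named on the input
# takes precedence over the daemon-wide default for messages arriving here,
# so remote RELP traffic is kept apart from local logs.
input(type="imrelp" port="2514" ruleset="relpin")

ruleset(name="relpin") {
    action(type="omfile" file="/var/log/relp-remote.log")
}
```

Binding each input to its own rule set is the part that matters operationally: without it, wildcard-matched application logs and remote RELP messages would both fall through the default rule set and be mixed into the host's own log files.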
audit.log are now converted to text
With this update, auditd converts system call numbers to their names prior to forwarding them to the syslog daemon through the audispd event multiplexor. (BZ#1127343)
The audit subsystem can now filter by process name
The user can now audit by executable name (with the -F exe=<path-to-executable> option), which allows expression of many new audit rules. You can use this functionality to detect events such as the bash shell opening a network connection. (BZ#1135562)
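The shell snippet below is an added example (not taken from the release notes) that builds the rule the paragraph describes, the bash shell opening a network connection, using the new `-F exe=` filter, and then picks the matching records out of raw audit.log lines. The rules file name, the search key `bash_net` and the sample records are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the release notes: an audit rule that matches on
# the executable name, and a filter for the records it produces. The rules
# file name, key and sample records are constructed for this illustration.

# Emit rules (for a file under /etc/audit/rules.d/) that record every
# connect(2) call made by the given executable, tagged with a search key.
net_rule_for_exe() {
    exe=$1; key=$2
    printf '%s\n' "-a always,exit -F arch=b64 -S connect -F exe=$exe -k $key" \
                  "-a always,exit -F arch=b32 -S connect -F exe=$exe -k $key"
}
# Loading and querying on a live system:
#   net_rule_for_exe /usr/bin/bash bash_net > /etc/audit/rules.d/50-bash-net.rules
#   augenrules --load
#   ausearch -k bash_net -i

# Constructed audit.log excerpt: two connect(2) calls from bash carrying the
# key (one failed), one unrelated sshd call, one SOCKADDR companion record.
sample_audit_log() {
    printf '%s\n' \
        'type=SYSCALL msg=audit(1465560000.100:101): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd2c a2=10 a3=0 items=0 ppid=900 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="bash_net"' \
        'type=SOCKADDR msg=audit(1465560000.100:101): saddr=02000050C0000202' \
        'type=SYSCALL msg=audit(1465560000.200:102): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffd2c a2=10 a3=0 items=0 ppid=1 pid=777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0 key=(null)' \
        'type=SYSCALL msg=audit(1465560000.300:103): arch=c000003e syscall=42 success=no exit=-111 a0=3 a1=7ffd2c a2=10 a3=0 items=0 ppid=900 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="bash_net"'
}

# Print "pid exe success" for every SYSCALL record on stdin that carries the
# given key; handy on raw audit.log lines copied off a host without ausearch.
records_for_key() {
    awk -v want="$1" '
        $1 == "type=SYSCALL" {
            gsub(/"/, "")                      # drop the quotes around values
            pid = ""; exe = ""; ok = ""; k = ""
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                name = substr($i, 1, n - 1); val = substr($i, n + 1)
                if (name == "pid")     pid = val
                if (name == "exe")     exe = val
                if (name == "success") ok  = val
                if (name == "key")     k   = val
            }
            if (k == want) printf "%s %s %s\n", pid, exe, ok
        }
    '
}

sample_audit_log | records_for_key bash_net
```

The filter reports the two bash records and skips the sshd one, whose key is `(null)`; the `success=no` record shows that the rule fires on the attempt, not only on a completed connection, which is what you want when watching for unexpected outbound traffic from a shell.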
mod_security_crs rebased to version 2.2.9
The mod_security_crs package has been upgraded to upstream version 2.2.9, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
opencryptoki rebased to version 3.5
The opencryptoki packages have been upgraded to version 3.5, which provides a number of bug fixes and enhancements over the previous version.
Notable changes include:
The openCryptoki service automatically creates log/ directories if they are not present.
PKCS#11 API supports hash-based message authentication code (HMAC) with SHA hashes in all tokens.
The openCryptoki library provides dynamic tracing set by the OPENCRYPTOKI_TRACE_LEVEL environment variable. (BZ#1185421)
gnutls now uses the central certificate store
The gnutls packages provide the GNU Transport Layer Security (GnuTLS) library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS. With this update, GnuTLS uses the central certificate store of Red Hat Enterprise Linux through the p11-kit packages. Certificate Authority (CA) updates, as well as certificate black lists, are now visible to applications at runtime. (BZ#1110750)
The firewall-cmd command can now provide additional details
With this update, firewalld shows details of a service, zone, and ICMP type. Additionally, the user can list the full path to the source XML file. The new options for
pam_faillock can now be configured with
The pam_faillock module now allows specifying, using the option, that the user authentication lock caused by multiple authentication failures should never expire. (BZ#1273373)
libica rebased to version 2.6.2
The libica packages have been updated to upstream version 2.6.2, which provides a number of bug fixes and enhancements over the previous version. Notably, this update adds support for generation of pseudo random numbers, including enhanced support for Deterministic Random Bit Generator (DRBG), according to updated security specification NIST SP 800-90A. (BZ#1274390)
The lastlog utility now has the new --set options, which allow the system administrator to reset a user's lastlog entry to the never logged in value or to the current time. This means you can now re-enable user accounts previously locked due to inactivity. (BZ#1114081)
libreswan rebased to version 3.15
Libreswan is an implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE) for Linux. The libreswan packages have been upgraded to upstream version 3.15, which provides a number of enhancements and bug fixes over the previous version. Notable changes include the following:
The nonce size is increased to meet the RFC requirements when using the SHA2 algorithms.
Libreswan now calls the NetworkManager helper in case of a connection error.
CRLdistributionpoints in a certificate are now processed.
Libreswan no longer tries to delete non-existing IPsec Security Associations (SAs).
pluto IKE daemon now has the
pluto no longer crashes when on-demand tunnels are used.
pam_acct_mgmt is now properly set.
A regression was fixed so that tunnels with keyingtries=0 try to establish the tunnel indefinitely.
The delay before re-establishing a deleted tunnel that is configured to remain up is now less than one second. (BZ#1389316)
The SHA-3 implementation in nettle now conforms to FIPS 202
Nettle is a cryptographic library that is designed to fit easily in almost any context. With this update, the Secure Hash Algorithm 3 (SHA-3) implementation has been updated to conform to the final Federal Information Processing Standard (FIPS) 202 draft. (BZ#1252936)
scap-security-guide rebased to version 0.1.30
The scap-security-guide project provides a guide for configuration of the system from the final system's security point of view. The package has been upgraded to version 0.1.30. Notable improvements include:
The NIST Committee on National Security Systems (CNSS) Instruction No. 1253 profile is now included and updated for Red Hat Enterprise Linux 7.
The U.S. Government Commercial Cloud Services (C2S) profile inspired by the Center for Internet Security (CIS) benchmark is now provided.
Remediation scripts are now included in benchmarks directly, and the external shell library is no longer necessary.
The Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) profile for Red Hat Enterprise Linux 7 has been updated to be equal to the DISA STIG profile for Red Hat Enterprise Linux 6.
The draft of the Criminal Justice Information Services (CJIS) Security Policy profile is now available for Red Hat Enterprise Linux 7. (BZ#1390661)