Chapter 15. Security
The SELinux user space packages rebased to version 2.5
The SELinux user space packages have been upgraded to upstream version 2.5, which provides a number of enhancements, bug fixes, and performance improvements over the previous version. The most important new features in the SELinux userspace 2.5 include:
- The new SELinux module store supports priorities. The priority concept provides an ability to override a system module with a module of a higher priority.
- SELinux Common Intermediate Language (CIL) provides clear and simple syntax that is easy to read, parse, and to generate by high-level compilers, analysis tools, and policy generation tools.
- Time-consuming SELinux operations, such as policy installations or loading new policy modules, are now significantly faster.
Note: The default location of the SELinux modules remains in the /etc/selinux/ directory in Red Hat Enterprise Linux 7, whereas the upstream version uses /var/lib/selinux/. To change this location for migration, set the store-root= option in the
scap-workbench rebased to version 1.1.2
The scap-workbench package has been rebased to version 1.1.2, which provides a new SCAP Security Guide integration dialog. The dialog helps the administrator choose a product that needs to be scanned instead of choosing content files. The new version also offers a number of performance and user-experience improvements, including improved rule searching in the tailoring window, the possibility to fetch remote resources in SCAP content using the GUI, and the dry-run feature. The dry-run feature enables the user to get the oscap command-line arguments in the diagnostics window instead of running the scan. (BZ#1202854)
openscap rebased to version 1.2.10
The OpenSCAP suite that enables integration of the Security Content Automation Protocol (SCAP) line of standards has been rebased to version 1.2.10, the latest upstream version. The openscap packages provide the OpenSCAP library and the oscap utility. Most notably, this update adds support for scanning containers using the atomic scan command. In addition, this update provides the following enhancements:
- oscap-vm, a tool for offline scanning of virtual machines
- oscap-chroot, a tool for offline scanning of file systems mounted at arbitrary paths
- Full support for Open Vulnerability and Assessment Language (OVAL) 5.11.1
- Native support for remote .xml.bz2 files
- Grouping HTML report results according to various criteria
- HTML report improvements
- Verbose mode for debugging OVAL evaluation (BZ#1278147)
firewalld rebased to version 0.4.3.2
The firewalld packages have been upgraded to upstream version 0.4.3.2, which provides a number of enhancements and bug fixes over the previous version. Notable changes include the following:
- Performance improvements: firewalld starts and restarts significantly faster thanks to the new transaction model, which groups together rules that are applied simultaneously. This model uses the iptables restore commands. Also, the firewall-applet tools have been improved with performance in mind.
- Improved management of connections, interfaces, and sources: The user can now control zone settings for connections in NetworkManager. In addition, zone settings for interfaces are also controlled by firewalld and in the
- Default logging option: With the new LogDenied setting, the user can easily debug and log denied packets.
- IP set support: firewalld now supports several IP sets as zone sources, within rich and direct rules. Note that in Red Hat Enterprise Linux 7.3, firewalld supports only the following IP set types:
  - hash:ip (BZ#1302802)
audit rebased to version 2.6.5
The audit packages contain the user space utilities for storing and searching the audit records which have been generated by the audit subsystem in the Linux kernel. The audit packages have been upgraded to upstream version 2.6.5, which provides a number of enhancements and bug fixes over the previous version. Notable changes include the following:
- The audit daemon now includes a new flush technique called incremental_async, which improves its performance approximately 90 times.
- The audit system now has many more rules that can be composed into an audit policy. Some of these new rules include support for the Security Technical Implementation Guide (STIG), the PCI Data Security Standard, and other capabilities such as auditing the occurrence of 32-bit syscalls, significant power usage, or module loading.
- The auditd.conf configuration file and the auditctl command now support many new options.
- The audit system now supports a new log format called enriched, which resolves UIDs, GIDs, syscall numbers, architectures, and network addresses to names. This aids log analysis on a machine that differs from the one where the log was generated. (BZ#1296204)
MACsec (IEEE 802.1AE) is now supported
With this update, the Media Access Control Security (MACsec) encryption over Ethernet is supported. MACsec encrypts and authenticates all traffic in LANs with the GCM-AES-128 algorithm. (BZ#1104151)
The rsyslog RELP module now binds to a specific rule set
With this update, the rsyslog Reliable Event-Logging Protocol (RELP) module is now capable of binding to a specific rule set with each input instance. The input() instance rule set has higher priority than the module() rule set. (BZ#1223566)
rsyslog imfile module now supports a wildcard file name
The rsyslog packages provide an enhanced, multi-threaded syslog daemon. With this update, the rsyslog imfile module supports using wildcards inside file names and adding the actual file name to the message's metadata. This is useful when rsyslog needs to read logs under a directory and does not know the names of the files in advance. (BZ#1303617)
System call numbers in audit.log are now converted to text
With this update, auditd converts system call numbers to their names prior to forwarding them to the syslog daemon through the audispd event multiplexor. (BZ#1127343)
audit subsystem can now filter by process name
The user can now audit by executable name (with the -F exe=<path-to-executable> option), which allows the expression of many new audit rules. You can use this functionality to detect events such as the bash shell opening a network connection. (BZ#1135562)
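As an added example (not code from the release notes or the audit project), the following Python parser reads both classic and enriched audit.log records, as described under the audit 2.6.5 rebase above, and flags the case this section mentions, the bash shell opening a network connection; it also builds the auditctl rule with the -F exe= filter that would produce such records. The sample records are constructed, and the layout of the enriched format (a 0x1d separator followed by upper-case resolved fields) is assumed.

```python
import re

# Constructed sample audit.log records (not from the release notes). The second
# record is in the new "enriched" format: after a 0x1d separator, auditd appends
# the resolved names for numeric fields (syscall, arch, uid, gid, ...).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1467000000.123:456): arch=c000003e syscall=42 success=yes '
    'exit=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 comm="bash" '
    'exe="/usr/bin/bash" key="bash_net"',
    'type=SYSCALL msg=audit(1467000001.456:457): arch=c000003e syscall=42 success=yes '
    'exit=0 ppid=1200 pid=1235 auid=1000 uid=1000 gid=1000 comm="curl" '
    'exe="/usr/bin/curl" key="bash_net"'
    '\x1dARCH=x86_64 SYSCALL=connect AUID="alice" UID="alice" GID="alice"',
]

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    # The enriched part (after 0x1d) keeps its upper-case keys, so the raw
    # 'uid' and the resolved 'UID' both stay available to the analyst.
    raw, _sep, enriched = line.partition('\x1d')
    fields = {}
    for part in (raw, enriched):
        for key, value in FIELD_RE.findall(part):
            fields[key] = value.strip('"')
    return fields


def syscall_name(fields):
    # Prefer the resolved name; fall back to the raw number for classic records.
    return fields.get('SYSCALL') or fields.get('syscall')


def audit_rule(shell_exe='/usr/bin/bash', key='bash_net'):
    # auditctl rule using the -F exe= filter: log every connect() that the
    # shell binary itself makes, tagged with `key` for later searching.
    return '-a always,exit -F arch=b64 -S connect -F exe=%s -k %s' % (shell_exe, key)


def find_shell_connects(lines, shell_exe='/usr/bin/bash'):
    # Return SYSCALL records where the shell binary made a connect() call.
    # 42 is connect() on x86_64; enriched records already spell out the name.
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get('type') != 'SYSCALL' or rec.get('exe') != shell_exe:
            continue
        if syscall_name(rec) in ('connect', '42'):
            hits.append(rec)
    return hits
```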
mod_security_crs rebased to version 2.2.9
The mod_security_crs package has been upgraded to upstream version 2.2.9, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
- A new PHP rule (958977) to detect PHP exploits.
- A new JS overrides file to identify successful XSS probes.
- New XSS detection rules.
- Fixed session-hijacking rules. (BZ#1150614)
opencryptoki rebased to version 3.5
The opencryptoki packages have been upgraded to version 3.5, which provides a number of bug fixes and enhancements over the previous version.
Notable changes include:
- The openCryptoki service automatically creates the log/ directories if they are not present.
- The PKCS#11 API supports hash-based message authentication code (HMAC) with SHA hashes in all tokens.
- The openCryptoki library provides dynamic tracing, set by the OPENCRYPTOKI_TRACE_LEVEL environment variable. (BZ#1185421)
gnutls now uses the central certificate store
The gnutls packages provide the GNU Transport Layer Security (GnuTLS) library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS. With this update, GnuTLS uses the central certificate store of Red Hat Enterprise Linux through the p11-kit packages. Certificate Authority (CA) updates, as well as certificate black lists, are now visible to applications at runtime. (BZ#1110750)
firewall-cmd command can now provide additional details
With this update, firewalld shows details of a service, zone, and ICMP type. Additionally, the user can list the full path to the source XML file. The new options for firewall-cmd are:
- [--permanent] --info-zone=zone
- [--permanent] --info-service=service
- [--permanent] --info-icmptype=icmptype (BZ#1147500)
pam_faillock can now be configured with unlock_time=never
The pam_faillock module now allows specifying, using the unlock_time=never option, that the user authentication lock caused by multiple authentication failures should never expire. (BZ#1273373)
libica rebased to version 2.6.2
The libica packages have been updated to upstream version 2.6.2, which provides a number of bug fixes and enhancements over the previous version. Notably, this update adds support for generation of pseudo random numbers, including enhanced support for Deterministic Random Bit Generator (DRBG), according to updated security specification NIST SP 800-90A. (BZ#1274390)
The lastlog utility now has the new --set option, which allows the system administrator to reset a user's lastlog entry to the never logged in value or to the current time. This means you can now re-enable user accounts previously locked due to inactivity. (BZ#1114081)
libreswan rebased to version 3.15
Libreswan is an implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE) for Linux. The libreswan packages have been upgraded to upstream version 3.15, which provides a number of enhancements and bug fixes over the previous version. Notable changes include the following:
- The nonce size is increased to meet the RFC requirements when using the SHA2 algorithms.
- Libreswan now calls the NetworkManager helper in case of a connection error.
- CRL distribution points in a certificate are now processed.
- Libreswan no longer tries to delete non-existing IPsec Security Associations (SAs).
- The pluto IKE daemon now has the
- pluto no longer crashes when on-demand tunnels are used.
- pam_acct_mgmt is now properly set.
- A regression was fixed so that tunnels with keyingtries=0 try to establish the tunnel indefinitely.
- The delay before re-establishing the deleted tunnel that is configured to remain up is now less than one second. (BZ#1389316)
The SHA-3 implementation in nettle now conforms to FIPS 202
nettle is a cryptographic library that is designed to fit easily into almost any context. With this update, the Secure Hash Algorithm 3 (SHA-3) implementation has been updated to conform to the final Federal Information Processing Standard (FIPS) 202 draft. (BZ#1252936)
scap-security-guide rebased to version 0.1.30
The scap-security-guide project provides guidance for configuring the system from the deployed system's security point of view. The package has been upgraded to version 0.1.30. Notable improvements include:
- The NIST Committee on National Security Systems (CNSS) Instruction No. 1253 profile is now included and updated for Red Hat Enterprise Linux 7.
- The U.S. Government Commercial Cloud Services (C2S) profile inspired by the Center for Internet Security (CIS) benchmark is now provided.
- Remediation scripts are now included in benchmarks directly, and the external shell library is no longer necessary.
- The Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) profile for Red Hat Enterprise Linux 7 has been updated to be equal to the DISA STIG profile for Red Hat Enterprise Linux 6.
- The draft of the Criminal Justice Information Services (CJIS) Security Policy profile is now available for Red Hat Enterprise Linux 7. (BZ#1390661)