Chapter 15. Security

The SELinux user space packages rebased to version 2.5

The SELinux user space packages have been upgraded to upstream version 2.5, which provides a number of enhancements, bug fixes, and performance improvements over the previous version. The most important new features in the SELinux userspace 2.5 include:
  • The new SELinux module store supports priorities. The priority concept provides an ability to override a system module with a module of a higher priority.
  • SELinux Common Intermediate Language (CIL) provides clear and simple syntax that is easy to read, parse, and to generate by high-level compilers, analysis tools, and policy generation tools.
  • Time-consuming SELinux operations, such as policy installations or loading new policy modules, are now significantly faster.
Note: The default location of the SELinux modules remains in the /etc/selinux/ directory in Red Hat Enterprise Linux 7, whereas the upstream version uses /var/lib/selinux/. To change this location for migration, set the store-root= option in the /etc/selinux/semanage.conf file. (BZ#1297815)

scap-workbench rebased to version 1.1.2

The scap-workbench package has been rebased to version 1.1.2, which provides a new SCAP Security Guide integration dialog. The dialog helps the administrator choose a product that needs to be scanned instead of choosing content files. The new version also offers a number of performance and user-experience improvements, including improved rule searching in the tailoring window, the possibility to fetch remote resources in SCAP content using the GUI, and the dry-run feature. The dry-run feature enables the user to get the oscap command-line arguments in the diagnostics window instead of running the scan. (BZ#1202854)

openscap rebased to version 1.2.10

The OpenSCAP suite that enables integration of the Security Content Automation Protocol (SCAP) line of standards has been rebased to version 1.2.10, the latest upstream version. The openscap packages provide the OpenSCAP library and the oscap utility. Most notably, this update adds support for scanning containers using the atomic scan command. In addition, this update provides the following enhancements:
  • oscap-vm, a tool for offline scanning of virtual machines
  • oscap-chroot, a tool for offline scanning of file systems mounted at arbitrary paths
  • Full support for Open Vulnerability and Assessment Language (OVAL) 5.11.1
  • Native support for remote .xml.bz2 files
  • Grouping HTML report results according to various criteria
  • HTML report improvements
  • Verbose mode for debugging OVAL evaluation (BZ#1278147)

firewalld rebased to version 0.4.3.2

The firewalld packages have been upgraded to upstream version 0.4.3.2 which provides a number of enhancements and bug fixes over the previous version. Notable changes include the following:
  • Performance improvements: firewalld starts and restarts significantly faster thanks to the new transaction model which groups together rules that are applied simultaneously. This model uses the iptables restore commands. Also, the firewall-cmd, firewall-offline-cmd, firewall-config, and firewall-applet tools have been improved with performance in mind.
  • Improved management of connections, interfaces, and sources: the user can now control zone settings for connections in NetworkManager. Zone settings for interfaces are also controlled by firewalld and in the ifcfg file.
  • Default logging option: With the new LogDenied setting, the user can easily debug and log denied packets.
  • ipset support: firewalld now supports several IP sets as zone sources, within rich and direct rules. Note that in Red Hat Enterprise Linux 7.3, firewalld supports only the following ipset types:

audit rebased to version 2.6.5

The audit packages contain the user space utilities for storing and searching the audit records which have been generated by the audit subsystem in the Linux kernel. The audit packages have been upgraded to upstream version 2.6.5, which provides a number of enhancements and bug fixes over the previous version. Notable changes include the following:
  • The audit daemon now includes a new flush technique called incremental_async, which improves its performance by approximately 90 times.
  • The audit system now has many more rules that can be composed into an audit policy. Some of these new rules include support for the Security Technical Implementation Guide (STIG), PCI Data Security Standard, and other capabilities such as auditing the occurrence of 32-bit syscalls, significant power usage, or module loading.
  • The auditd.conf configuration file and the auditctl command now support many new options.
  • The audit system now supports a new log format called enriched, which resolves UID, GID, syscall, architecture, and network addresses. This will aid in log analysis on a machine that differs from where the log was generated. (BZ#1296204)

MACsec (IEEE 802.1AE) is now supported

With this update, the Media Access Control Security (MACsec) encryption over Ethernet is supported. MACsec encrypts and authenticates all traffic in LANs with the GCM-AES-128 algorithm. (BZ#1104151)

The rsyslog RELP module now binds to a specific rule set

With this update, the rsyslog Reliable Event-Logging Protocol (RELP) module is now capable of binding to a specific rule set with each input instance. The input() instance rule set has higher priority than the module() rule set. (BZ#1223566)

rsyslog imfile module now supports a wildcard file name

The rsyslog packages provide an enhanced, multi-threaded syslog daemon. With this update, the rsyslog imfile module supports using wildcards inside file names and adding the actual file name to the message's metadata. This is useful when rsyslog needs to read logs under a directory and does not know the names of the files in advance. (BZ#1303617)

Syscalls in audit.log are now converted to text

With this update, auditd converts system call numbers to their names prior to forwarding them to the syslog daemon through the audispd event multiplexor. (BZ#1127343)

audit subsystem can now filter by process name

The user can now audit by executable name (with the -F exe=<path-to-executable> option), which allows expression of many new audit rules. You can use this functionality to detect events such as the bash shell opening a network connection. (BZ#1135562)
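As an added example, not part of these release notes: the following Python parses records in the new enriched audit log format described above and flags the scenario this note mentions, a bash shell opening a network connection. It assumes the enriched fields follow an ASCII 0x1D group separator and carry upper-case names, as auditd writes them; the three log lines are constructed samples, and a rule such as -a always,exit -F arch=b64 -S connect -F exe=/usr/bin/bash -k bash_net is assumed to have produced them.

```python
import os
import re

# auditd's ENRICHED format appends resolved fields (ARCH, SYSCALL, UID, ...)
# after an ASCII group separator (0x1D) at the end of each raw record.
GROUP_SEP = "\x1d"
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = [  # constructed sample records (not real logs), trimmed for brevity
    # bash itself calling connect(): the event an "-F exe=" rule would target
    'type=SYSCALL msg=audit(1480000000.101:201): arch=c000003e syscall=42 '
    'success=yes exit=0 pid=1823 auid=1000 uid=1000 comm="bash" '
    'exe="/usr/bin/bash" key="bash_net"'
    '\x1dARCH=x86_64 SYSCALL=connect AUID="alice" UID="alice"',
    # curl calling connect(): a different executable, so not a hit
    'type=SYSCALL msg=audit(1480000000.102:202): arch=c000003e syscall=42 '
    'success=yes exit=0 pid=1830 auid=1000 uid=1000 comm="curl" '
    'exe="/usr/bin/curl" key="net"'
    '\x1dARCH=x86_64 SYSCALL=connect AUID="alice" UID="alice"',
    # bash calling execve(): same binary, different syscall, so not a hit
    'type=SYSCALL msg=audit(1480000000.103:203): arch=c000003e syscall=59 '
    'success=yes exit=0 pid=1831 auid=1000 uid=1000 comm="bash" '
    'exe="/usr/bin/bash" key="exec"'
    '\x1dARCH=x86_64 SYSCALL=execve AUID="alice" UID="alice"',
]

def parse_enriched_record(line):
    """Merge raw and enriched key=value pairs; enriched keys are upper case."""
    raw, _, enriched = line.rstrip("\n").partition(GROUP_SEP)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(raw)}
    fields.update({k: v.strip('"') for k, v in FIELD_RE.findall(enriched)})
    return fields

def is_shell_connect(rec):
    """True when a SYSCALL record shows bash itself calling connect()."""
    # The resolved name needs no per-host syscall table (42 = connect only on x86_64).
    return (rec.get("type") == "SYSCALL"
            and rec.get("SYSCALL") == "connect"
            and os.path.basename(rec.get("exe", "")) == "bash")

def find_shell_connects(lines):
    """Return (event serial, login user, exe) for every matching record."""
    hits = []
    for line in lines:
        rec = parse_enriched_record(line)
        if is_shell_connect(rec):
            m = re.search(r":(\d+)\)", rec.get("msg", ""))  # msg=audit(ts:serial):
            hits.append((m.group(1) if m else "?", rec.get("AUID"), rec["exe"]))
    return hits
```

Because the match uses the resolved SYSCALL name and the AUID login name, the same logic works on an analysis host with a different architecture or user database than the one that generated the log.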

mod_security_crs rebased to version 2.2.9

The mod_security_crs package has been upgraded to upstream version 2.2.9, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
  • A new PHP rule (958977) to detect PHP exploits.
  • A JS overrides file to identify successful XSS probes.
  • New XSS detection rules.
  • Fixed session-hijacking rules. (BZ#1150614)

opencryptoki rebased to version 3.5

The opencryptoki packages have been upgraded to version 3.5, which provides a number of bug fixes and enhancements over the previous version.
Notable changes include:
  • The openCryptoki service automatically creates lock/ and log/ directories, if not present.
  • The PKCS#11 API supports hash-based message authentication code (HMAC) with SHA hashes in all tokens.
  • The openCryptoki library provides dynamic tracing set by the OPENCRYPTOKI_TRACE_LEVEL environment variable. (BZ#1185421)

gnutls now uses the central certificate store

The gnutls packages provide the GNU Transport Layer Security (GnuTLS) library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS. With this update, GnuTLS uses the central certificate store of Red Hat Enterprise Linux through the p11-kit packages. Certificate Authority (CA) updates, as well as certificate black lists, are now visible to applications at runtime. (BZ#1110750)

The firewall-cmd command can now provide additional details

With this update, firewalld shows details of a service, zone, and ICMP type. Additionally, the user can list the full path to the source XML file. The new options for firewall-cmd are:
  • [--permanent] --info-zone=zone
  • [--permanent] --info-service=service
  • [--permanent] --info-icmptype=icmptype (BZ#1147500)

pam_faillock can be now configured with unlock_time=never

The pam_faillock module now supports the unlock_time=never option, which specifies that the user authentication lock caused by multiple authentication failures should never expire. (BZ#1273373)

libica rebased to version 2.6.2

The libica packages have been updated to upstream version 2.6.2, which provides a number of bug fixes and enhancements over the previous version. Notably, this update adds support for generating pseudo-random numbers, including enhanced support for the Deterministic Random Bit Generator (DRBG) according to the updated NIST SP 800-90A security specification. (BZ#1274390)

New lastlog options

The lastlog utility now has the new --clear and --set options, which allow the system administrator to reset a user's lastlog entry to the never logged in value or to the current time. This means you can now re-enable user accounts previously locked due to inactivity. (BZ#1114081)

libreswan rebased to version 3.15

Libreswan is an implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE) for Linux. The libreswan packages have been upgraded to upstream version 3.15, which provides a number of enhancements and bug fixes over the previous version. Notable changes include the following:
  • The nonce size is increased to meet the RFC requirements when using the SHA2 algorithms.
  • Libreswan now calls the NetworkManager helper in case of a connection error.
  • All CRLdistributionpoints in a certificate are now processed.
  • Libreswan no longer tries to delete non-existing IPsec Security Associations (SAs).
  • The pluto IKE daemon now has the CAP_DAC_READ_SEARCH capability.
  • pluto no longer crashes when on-demand tunnels are used.
  • pam_acct_mgmt is now properly set.
  • A regression was fixed so that tunnels configured with keyingtries=0 keep trying to establish the tunnel indefinitely.
  • The delay before re-establishing the deleted tunnel that is configured to remain up is now less than one second. (BZ#1389316)

The SHA-3 implementation in nettle now conforms to FIPS 202

nettle is a cryptographic library that is designed to fit easily in almost any context. With this update, the Secure Hash Algorithm 3 (SHA-3) implementation has been updated to conform to the final Federal Information Processing Standard (FIPS) 202 draft. (BZ#1252936)

scap-security-guide rebased to version 0.1.30

The scap-security-guide project provides guidance on configuring the system from a security point of view. The package has been upgraded to version 0.1.30. Notable improvements include:
  • The NIST Committee on National Security Systems (CNSS) Instruction No. 1253 profile is now included and updated for Red Hat Enterprise Linux 7.
  • The U.S. Government Commercial Cloud Services (C2S) profile inspired by the Center for Internet Security (CIS) benchmark is now provided.
  • The remediation scripts are now included in benchmarks directly, and the external shell library is no longer necessary.
  • The Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) profile for Red Hat Enterprise Linux 7 has been updated to be equal to the DISA STIG profile for Red Hat Enterprise Linux 6.
  • The draft of the Criminal Justice Information Services (CJIS) Security Policy profile is now available for Red Hat Enterprise Linux 7. (BZ#1390661)