Chapter 15. Security

New packages: tang, clevis, jose, luksmeta

Network Bound Disk Encryption (NBDE) allows the user to encrypt root volumes of the hard drives on physical and virtual machines without requiring a password to be entered manually when systems are rebooted.
  • Tang is a server for binding data to network presence. It includes a daemon which provides cryptographic operations for binding to a remote service. The tang package provides the server side of the NBDE project.
  • Clevis is a pluggable framework for automated decryption. It can be used to provide automated decryption of data or even automated unlocking of LUKS volumes. The clevis package provides the client side of the NBDE project.
  • José is a C-language implementation of the JavaScript Object Signing and Encryption standards. The jose package is a dependency of the clevis and tang packages.
  • LUKSMeta is a simple library for storing metadata in the LUKSv1 header. The luksmeta package is a dependency of the clevis and tang packages.
Note that the tang-nagios and clevis-udisk2 subpackages are available only as a Technology Preview. (BZ#1300697, BZ#1300696, BZ#1399228, BZ#1399229)

New package: usbguard

The USBGuard software framework provides system protection against intrusive USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. To enforce a user-defined policy, USBGuard uses the Linux kernel USB device authorization feature. The USBGuard framework provides the following components:
  • The daemon component with an inter-process communication (IPC) interface for dynamic interaction and policy enforcement
  • The command-line interface to interact with a running USBGuard instance
  • The rule language for writing USB device authorization policies
  • The C++ API for interacting with the daemon component implemented in a shared library (BZ#1395615)
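The rule language listed above is easiest to understand by evaluating a small policy against a few devices. The following Python script is an added example for this chapter, not code from the usbguard project: it models a subset of the rule language (the id, serial, name and with-interface attributes with the one-of and all-of set operators) and applies USBGuard's first-match evaluation with an implicit block target. The policy text and the device list are constructed for the example.

```python
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed USBGuard-style policy (not a file shipped with usbguard). Rules
# are evaluated top to bottom; the first rule whose attributes all match the
# device decides its target, and a device matching no rule gets the implicit
# target, which USBGuard defaults to "block".
POLICY = """
# root hubs of this machine, pinned by serial and name
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller"
allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller"
# a known keyboard, allowed only while it presents HID interfaces
allow id 046d:c31c with-interface one-of { 03:00:01 03:01:01 }
# anything presenting a mass-storage (class 08) interface is rejected
reject with-interface one-of { 08:*:* }
"""


@dataclass
class Rule:
    target: str                      # allow, block or reject
    vid_pid: Optional[str] = None    # "vvvv:pppp"; "*" matches a whole field
    serial: Optional[str] = None
    name: Optional[str] = None
    iface_op: Optional[str] = None   # "one-of" or "all-of"
    interfaces: List[str] = field(default_factory=list)


@dataclass
class Device:
    vid_pid: str
    serial: str
    name: str
    interfaces: List[str]            # "class:subclass:protocol" per interface


def parse_policy(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)   # keeps quoted "name" values intact
        rule = Rule(target=tokens[0])
        i = 1
        while i < len(tokens):
            key = tokens[i]
            if key in ("id", "serial", "name"):
                setattr(rule, "vid_pid" if key == "id" else key, tokens[i + 1])
                i += 2
            elif key == "with-interface":
                rule.iface_op = tokens[i + 1]
                if tokens[i + 2] != "{":
                    raise ValueError("expected '{' after the set operator")
                i += 3
                while tokens[i] != "}":
                    rule.interfaces.append(tokens[i])
                    i += 1
                i += 1
            else:
                raise ValueError(f"unsupported rule attribute: {key}")
        rules.append(rule)
    return rules


def fields_match(pattern: str, value: str) -> bool:
    """Compare colon-separated fields; '*' in the pattern matches any field."""
    p, v = pattern.split(":"), value.split(":")
    return len(p) == len(v) and all(a == "*" or a == b for a, b in zip(p, v))


def rule_matches(rule: Rule, dev: Device) -> bool:
    if rule.vid_pid and not fields_match(rule.vid_pid, dev.vid_pid):
        return False
    if rule.serial is not None and rule.serial != dev.serial:
        return False
    if rule.name is not None and rule.name != dev.name:
        return False
    if rule.iface_op == "one-of":    # some device interface matches some pattern
        return any(fields_match(p, i) for p in rule.interfaces for i in dev.interfaces)
    if rule.iface_op == "all-of":    # every pattern is matched by some interface
        return all(any(fields_match(p, i) for i in dev.interfaces) for p in rule.interfaces)
    return True


def evaluate(rules: List[Rule], dev: Device, implicit_target: str = "block") -> str:
    for rule in rules:
        if rule_matches(rule, dev):
            return rule.target
    return implicit_target


# Constructed devices: a root hub, the keyboard, a device reusing the keyboard's
# VID:PID but exposing only a storage interface, a flash drive, and a webcam.
DEVICES = {
    "hub": Device("1d6b:0002", "0000:00:14.0", "xHCI Host Controller", ["09:00:00"]),
    "keyboard": Device("046d:c31c", "", "USB Keyboard", ["03:01:01", "03:00:00"]),
    "storage-claiming-keyboard-id": Device("046d:c31c", "", "USB Keyboard", ["08:06:50"]),
    "flash-drive": Device("0781:5583", "4C530001", "Ultra", ["08:06:50"]),
    "webcam": Device("046d:0825", "", "Webcam C270", ["0e:01:00", "0e:02:00"]),
}


def evaluate_all(policy_text: str = POLICY, devices=DEVICES) -> dict:
    rules = parse_policy(policy_text)
    return {label: evaluate(rules, dev) for label, dev in devices.items()}


if __name__ == "__main__":
    for label, target in evaluate_all().items():
        print(f"{label:30s} -> {target}")
```

The point to notice is the third device: it carries the allowed keyboard's VID:PID, but because the allow rule also requires a HID interface, it falls through to the reject rule instead. Pinning an allow rule to interface types (or to the hash attribute, which this subset omits) is what keeps a whitelist from being satisfied by identifiers alone.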

openssh rebased to version 7.4

The openssh package has been updated to upstream version 7.4, which provides a number of enhancements, new features, and bug fixes, including:
  • Added support for the resumption of interrupted uploads in SFTP.
  • Added the extended log format for the authentication failure messages.
  • Added a new fingerprint type that uses the SHA-256 algorithm.
  • Added support for using PKCS#11 devices with external PIN entry devices.
  • Removed support for the SSH-1 protocol from the OpenSSH server.
  • Removed support for the legacy v00 cert format.
  • Added the PubkeyAcceptedKeyTypes and HostKeyAlgorithms configuration options for the ssh utility and the sshd daemon to allow disabling key types selectively.
  • Added the AddKeysToAgent option for the OpenSSH client.
  • Added the ProxyJump ssh option and the corresponding -J command-line flag.
  • Added support for key exchange methods for the Diffie-Hellman 2K, 4K, and 8K groups.
  • Added the Include directive for the ssh_config file.
  • Removed support for the UseLogin option.
  • Removed support for the pre-authentication compression in the server.
  • The seccomp filter is now used for the pre-authentication process. (BZ#1341754)
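Several of the items above remove configuration that older sshd_config files still carry (SSH-1, UseLogin) or add controls worth reviewing after the upgrade (PubkeyAcceptedKeyTypes, HostKeyAlgorithms). The following Python checker is an added example for this chapter, not a tool from the openssh package: it parses an sshd_config and reports directives that 7.4 no longer honours, plus key-type lists that still admit the SHA-1-based ssh-rsa and ssh-dss signature types. The sample configuration is constructed.

```python
import re
from typing import List, Tuple

# Constructed sshd_config excerpt used as sample input; it is not a file from
# the release note or from OpenSSH. It mixes directives that OpenSSH 7.4 no
# longer honours with the per-key-type controls the 7.4 rebase introduced.
SAMPLE_SSHD_CONFIG = """\
# legacy settings carried over from an older host
Protocol 2,1
UseLogin yes
PasswordAuthentication no
# selective key-type controls available since 7.4
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-dss
"""

# Signature algorithm names that hash with SHA-1; rsa-sha2-256 and rsa-sha2-512
# are the SHA-2 variants.
SHA1_SIGNATURE_TYPES = {"ssh-rsa", "ssh-dss"}

# sshd accepts both "Keyword value" and "Keyword=value".
CONFIG_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_sshd_config(text: str) -> List[Tuple[str, str]]:
    """Return (keyword, value) pairs, skipping blank lines and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CONFIG_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def audit_sshd_config(text: str) -> List[str]:
    """Report removed directives and key-type lists that still admit SHA-1 signatures."""
    findings = []
    for keyword, value in parse_sshd_config(text):
        key = keyword.lower()            # sshd keywords are case-insensitive
        if key == "uselogin":
            findings.append("UseLogin: support was removed in OpenSSH 7.4; "
                            "this directive no longer has any effect")
        elif key == "protocol" and "1" in value.split(","):
            findings.append("Protocol: SSH-1 support was removed from the OpenSSH 7.4 "
                            "server; only protocol 2 is available")
        elif key in ("hostkeyalgorithms", "pubkeyacceptedkeytypes"):
            weak = [t.strip() for t in value.split(",") if t.strip() in SHA1_SIGNATURE_TYPES]
            if weak:
                findings.append(f"{keyword}: still accepts SHA-1 signature types "
                                f"{', '.join(weak)}")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(finding)
```

Whether ssh-rsa can be dropped from HostKeyAlgorithms depends on the oldest client that must still connect, so the checker only reports it; ssh-dss has no SHA-2 variant and is the one to remove first.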

audit rebased to version 2.7.6

The audit packages have been updated to upstream version 2.7.6, which provides a number of enhancements, new features, and bug fixes, including:
  • The auditd service now automatically adjusts logging directory permissions when it starts up. This helps keep directory permissions correct after performing a package upgrade.
  • The ausearch utility has a new --format output option. The --format text option presents an event as an English sentence describing what is happening. The --format csv option normalizes each event into a subject, object, action, result, and how it occurred, together with some metadata fields, and outputs the result in Comma Separated Value (CSV) format. This is suitable for pushing event information into a database, spreadsheet, or other analytic programs to view, chart, or analyze audit events.
  • The auditctl utility can now reset the lost event counter in the kernel through the --reset-lost command-line option. This makes checking for lost events easier since you can reset the value to zero daily.
  • ausearch and aureport now have a boot option for the --start command-line option to find events since the system booted.
  • ausearch and aureport provide a new --escape command-line option to better control what kind of escaping is done to audit fields. It currently supports raw, tty, shell, and shell_quote escaping.
  • auditctl no longer allows rules with the entry filter. This filter has not been supported since Red Hat Enterprise Linux 5. Prior to this release, on Red Hat Enterprise Linux 6 and 7, auditctl moved any entry rule to the exit filter and displayed a warning that the entry filter is deprecated. (BZ#1381601)
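The normalized CSV output is the format to build on when audit events are consumed outside of ausearch. The following Python snippet is an added example for this chapter, not part of the audit packages: it reads CSV in the subject/object/action/result/how layout the --format csv note describes, counts failed results per subject and source so repeated failures stand out, and groups executed commands by audit session. The header names are an assumption about the exact column set and every data row is constructed.

```python
import csv
import io
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the shape of `ausearch --format csv` output: a header
# row followed by one normalized event per line. The header names are an
# assumption about the exact column set; the data rows are made up.
SAMPLE_CSV = """\
NODE,EVENT,DATE,TIME,SERIAL_NUM,EVENT_KIND,SESSION,SUBJ_PRIME,SUBJ_SEC,SUBJ_KIND,ACTION,RESULT,OBJ_PRIME,OBJ_SEC,OBJ_KIND,HOW
host1,USER_AUTH,06/01/2017,09:00:01,101,user-login,12,alice,alice,user,authenticated,success,10.0.0.7,,remote-host,/usr/sbin/sshd
host1,USER_AUTH,06/01/2017,09:00:05,102,user-login,unset,root,,user,authenticated,failed,10.0.0.5,,remote-host,/usr/sbin/sshd
host1,USER_AUTH,06/01/2017,09:00:09,103,user-login,unset,root,,user,authenticated,failed,10.0.0.5,,remote-host,/usr/sbin/sshd
host1,USER_AUTH,06/01/2017,09:00:12,104,user-login,unset,bob,,user,authenticated,failed,10.0.0.9,,remote-host,/usr/sbin/sshd
host1,USER_CMD,06/01/2017,09:02:30,105,execute,12,alice,root,user,executed,success,"/usr/bin/systemctl restart auditd",,command,/usr/bin/sudo
"""


def load_events(csv_text: str) -> List[Dict[str, str]]:
    """Parse the CSV into dictionaries keyed by the header names. Quoted fields
    (a command containing spaces or commas) are handled by the csv module."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def failed_by_subject(events) -> Counter:
    """Count failed results per (subject, object, how) tuple."""
    return Counter(
        (e["SUBJ_PRIME"], e["OBJ_PRIME"], e["HOW"])
        for e in events
        if e["RESULT"] == "failed"
    )


def repeated_failures(events, threshold: int = 2) -> List[Tuple[str, str, str]]:
    """Return the (subject, object, how) tuples with at least `threshold` failures."""
    return sorted(k for k, n in failed_by_subject(events).items() if n >= threshold)


def commands_by_session(events) -> Dict[str, List[str]]:
    """Group successfully executed commands by audit session ID, so that every
    command run under one login can be read as a single sequence."""
    out: Dict[str, List[str]] = {}
    for e in events:
        if e["EVENT_KIND"] == "execute" and e["RESULT"] == "success":
            out.setdefault(e["SESSION"], []).append(e["OBJ_PRIME"])
    return out


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    for key, count in failed_by_subject(events).items():
        print(f"{count} failed: subject={key[0]} from={key[1]} via={key[2]}")
    print("repeated:", repeated_failures(events))
    print("per session:", commands_by_session(events))
```

Events with no login session carry "unset" in the SESSION column, which is why the failed authentications above do not group by session and are keyed on subject and source instead.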

opensc rebased to version 0.16.0

The OpenSC set of libraries and utilities provides support for working with smart cards. OpenSC focuses on cards that support cryptographic operations and enables their use for authentication, mail encryption, or digital signatures.
Notable enhancements in Red Hat Enterprise Linux 7.4 include:
  • OpenSC adds support for Common Access Card (CAC) cards.
  • OpenSC implements the PKCS#11 API and now also provides the CoolKey applet functionality. The opensc packages replace the coolkey packages.
Note that the coolkey packages will remain supported for the lifetime of Red Hat Enterprise Linux 7, but new hardware enablement will be provided through the opensc packages. (BZ#1081088, BZ#1373164)

openssl rebased to version 1.0.2k

The openssl package has been updated to upstream version 1.0.2k, which provides a number of enhancements, new features, and bug fixes, including:
  • Added support for the Datagram Transport Layer Security (DTLS) protocol version 1.2.
  • Added support for the automatic elliptic curve selection for the ECDHE key exchange in TLS.
  • Added support for the Application-Layer Protocol Negotiation (ALPN).
  • Added Cryptographic Message Syntax (CMS) support for the following schemes: RSA-PSS, RSA-OAEP, ECDH, and X9.42 DH.
Note that this version is compatible with the API and ABI in the OpenSSL library version in previous releases of Red Hat Enterprise Linux 7. (BZ#1276310)

openssl-ibmca rebased to version 1.3.0

The openssl-ibmca package has been updated to upstream version 1.3.0, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
  • Added support for SHA-512.
  • Cryptographic methods are dynamically loaded when the ibmca engine starts. This enables ibmca to direct cryptographic methods to the hardware when they are supported through the libica library.
  • Fixed a bug in block-size handling with stream cipher modes. (BZ#1274385)

OpenSCAP 1.2 is NIST-certified

OpenSCAP 1.2, the Security Content Automation Protocol (SCAP) scanner, has been certified by the National Institute of Standards and Technology (NIST) as a U. S. government-evaluated configuration and vulnerability scanner for Red Hat Enterprise Linux 6 and 7. OpenSCAP analyzes and evaluates security automation content correctly and it provides the functionality and documentation required by NIST to run in sensitive, security-conscious environments. Additionally, OpenSCAP is the first NIST-certified configuration scanner for evaluating Linux containers. Use cases include evaluating the configuration of Red Hat Enterprise Linux 7 hosts for PCI and DoD Security Technical Implementation Guide (STIG) compliance, as well as performing known vulnerability scans using Red Hat Common Vulnerabilities and Exposures (CVE) data. (BZ#1363826)

libreswan rebased to version 3.20

The libreswan packages have been upgraded to upstream version 3.20, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include:
  • Added support for Opportunistic IPsec (Mesh Encryption), which enables IPsec deployments that cover a large number of hosts using a single simple configuration on all hosts.
  • FIPS mode has been further tightened.
  • Added support for route-based VPN using Virtual Tunnel Interface (VTI).
  • Improved support for non-root configurations.
  • Improved Online Certificate Status Protocol (OCSP) and Certificate Revocation Lists (CRL) support.
  • Added new whack command options: --fipsstatus, --fetchcrls, --globalstatus, and --shuntstatus.
  • Added support for the NAT Opportunistic Encryption (OE) Client Address Translation: leftcat=yes.
  • Added support for the Traffic Flow Confidentiality mechanism: tfc=.
  • Updated cipher preferences as per RFC 4307bis and RFC 7321bis.
  • Added support for Extended Sequence Numbers (ESN): esn=yes.
  • Added support for disabling and increasing the replay window: replay-window=. (BZ#1399883)

Audit now supports filtering based on session ID

With this update, the Linux Audit system supports user rules to filter audit messages based on the sessionid value. (BZ#1382504)

libseccomp now supports IBM Power architectures

With this update, the libseccomp library supports the IBM Power, 64-bit IBM Power, and 64-bit little-endian IBM Power architectures, which enables the GNOME rebase. (BZ#1425007)

AUDIT_KERN_MODULE now records module loading

The AUDIT_KERN_MODULE auxiliary record has been added to AUDIT_SYSCALL records for the init_module(), finit_module(), and delete_module() functions. This information is stored in the audit_context structure. (BZ#1382500)

OpenSSH now uses SHA-2 for public key signatures

Previously, OpenSSH used the SHA-1 hash algorithm for public key signatures using RSA and DSA keys. SHA-1 is no longer considered secure, and a new SSH protocol extension allows the use of SHA-2. With this update, SHA-2 is the default algorithm for public key signatures. SHA-1 is available only for backward compatibility purposes. (BZ#1322911)

firewalld now supports additional IP sets

With this update of the firewalld service daemon, support for the following ipset types has been added:
  • hash:ip,port
  • hash:ip,port,ip
  • hash:ip,port,net
  • hash:ip,mark
  • hash:net,net
  • hash:net,port
  • hash:net,port,net
  • hash:net,iface
The following ipset types that provide a combination of sources and destinations at the same time are not supported as sources in firewalld. IP sets using these types are created by firewalld, but their usage is limited to direct rules:
  • hash:ip,port,ip
  • hash:ip,port,net
  • hash:net,net
  • hash:net,port,net
The ipset packages have been rebased to upstream version 6.29, and the following ipset types are now additionally supported:
  • hash:mac
  • hash:net,port,net
  • hash:net,net
  • hash:ip,mark (BZ#1419058)

firewalld now supports actions on ICMP types in rich rules

With this update, the firewalld service daemon allows using Internet Control Message Protocol (ICMP) types in rich rules with the accept, log and mark actions. (BZ#1409544)

firewalld now supports disabled automatic helper assignment

This update of the firewalld service daemon introduces support for the disabled automatic helper assignment feature. firewalld helpers can now be used without adding additional rules, even if automatic helper assignment is turned off. (BZ#1006225)

nss and nss-util now use SHA-256 by default

With this update, the default configuration of the NSS library has been changed to use a stronger hash algorithm when creating digital signatures. With RSA, EC, and 2048-bit (or longer) DSA keys, the SHA-256 algorithm is now used.
Note that the NSS utilities, such as certutil, crlutil, and cmsutil, also now use SHA-256 in their default configurations. (BZ#1309781)

Audit filter exclude rules now contain additional fields

The exclude filter has been enhanced, and it now contains not only the msgtype field, but also the pid, uid, gid, auid, sessionID, and SELinux types. (BZ#1382508)

PROCTITLE now provides the full command in Audit events

This update adds the PROCTITLE record to Audit events. PROCTITLE provides the full command being executed. The PROCTITLE value is encoded so that it cannot be used to circumvent the Audit event parser. Note that the PROCTITLE value is still not trusted, since it can be manipulated from user space. (BZ#1299527)
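Two practical consequences follow from the note above: the proctitle field arrives in one of two encodings (a quoted string, or hex with NUL-separated argv entries), and its content is supplied by the process itself. The following Python snippet is an added example for this chapter, not code from the audit packages: it decodes both encodings and, as a simple sanity check, compares argv[0] from the PROCTITLE record with the exe= field the kernel writes into the SYSCALL record of the same event. The audit lines are constructed, including the event serial numbers and paths.

```python
import re
from typing import Dict, List, Optional

# Constructed audit records (not captured from a real host). The kernel logs
# proctitle as a quoted string when it contains no special characters and as a
# hex string otherwise; a multi-argument command always takes the hex form
# because its argv entries are separated by NUL bytes.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1496311200.123:4421): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=2001 pid=2010 auid=1000 uid=1000 comm="ls" exe="/bin/ls" key="exec"',
    'type=PROCTITLE msg=audit(1496311200.123:4421): proctitle=2F62696E2F6C73002D6C61002F746D70',
    'type=SYSCALL msg=audit(1496311201.456:4422): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=2001 pid=2011 auid=1000 uid=1000 comm="id" exe="/usr/bin/id" key="exec"',
    'type=PROCTITLE msg=audit(1496311201.456:4422): proctitle="/usr/bin/id"',
    # constructed case: argv[0] names sshd, but the file the kernel ran is elsewhere
    'type=SYSCALL msg=audit(1496311202.789:4423): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1 pid=2012 auid=4294967295 uid=0 comm="sshd" exe="/var/tmp/sshd" key="exec"',
    'type=PROCTITLE msg=audit(1496311202.789:4423): proctitle="/usr/sbin/sshd"',
]

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
PROCTITLE_RE = re.compile(r'proctitle=(?:"([^"]*)"|([0-9A-Fa-f]+))')
EXE_RE = re.compile(r'\bexe="([^"]*)"')


def decode_proctitle(record: str) -> Optional[List[str]]:
    """Return the argv list carried by a PROCTITLE record, or None if absent."""
    m = PROCTITLE_RE.search(record)
    if not m:
        return None
    if m.group(1) is not None:              # quoted form: one plain argument
        return [m.group(1)]
    raw = bytes.fromhex(m.group(2))         # hex form: argv entries joined by NUL
    return raw.rstrip(b"\x00").decode("utf-8", "replace").split("\x00")


def event_serial(record: str) -> Optional[str]:
    """Serial number from msg=audit(timestamp:serial); records of one event share it."""
    m = MSG_RE.search(record)
    return m.group(2) if m else None


def same_program(argv0: str, exe: str) -> bool:
    """An absolute argv[0] must equal exe; a bare name must equal exe's basename."""
    if argv0.startswith("/"):
        return argv0 == exe
    return argv0 == exe.rsplit("/", 1)[-1]


def proctitle_exe_mismatches(records: List[str]) -> Dict[str, Dict[str, str]]:
    """Pair each event's PROCTITLE with its SYSCALL record and report events whose
    argv[0] does not name the executable in exe=. The kernel derives exe from the
    file it actually executed, so that is the value to rely on; argv[0] is what
    the process chose to show. Symlinked or multi-call binaries also land here,
    so a hit is something to look at, not proof of anything by itself."""
    argv0: Dict[str, str] = {}
    exe: Dict[str, str] = {}
    for rec in records:
        serial = event_serial(rec)
        if serial is None:
            continue
        argv = decode_proctitle(rec)
        if argv:
            argv0[serial] = argv[0]
        m = EXE_RE.search(rec)
        if m and rec.startswith("type=SYSCALL"):
            exe[serial] = m.group(1)
    return {
        s: {"argv0": argv0[s], "exe": exe[s]}
        for s in argv0
        if s in exe and not same_program(argv0[s], exe[s])
    }


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        argv = decode_proctitle(rec)
        if argv is not None:
            print(event_serial(rec), argv)
    print("mismatches:", proctitle_exe_mismatches(SAMPLE_RECORDS))
```

ausearch -i performs the same hex decoding when it interprets records; the reason to do it in your own tooling is the second half, correlating PROCTITLE with the fields the kernel fills in itself rather than reporting on the command line alone.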

nss-softokn rebased to version 3.28.3

The nss-softokn packages have been upgraded to upstream version 3.28.3, which provides a number of bug fixes and enhancements over the previous version:
  • Added support for the ChaCha20-Poly1305 (RFC 7539) algorithm used by TLS (RFC 7905), the Internet Key Exchange Protocol (IKE), and IPsec (RFC 7634).
  • For key exchange purposes, added support for the Curve25519/X25519 curve.
  • Added support for the Extended Master Secret (RFC 7627) extension. (BZ#1369055)

libica rebased to version 3.0.2

The libica package has been upgraded to upstream version 3.0.2, which provides a number of fixes over the previous version. Notable additions include:
  • support for Federal Information Processing Standards (FIPS) mode
  • support for generating pseudorandom numbers, including enhanced support for Deterministic Random Bit Generator compliant with the updated security specification NIST SP 800-90A. (BZ#1391558)

opencryptoki rebased to version 3.6.2

The opencryptoki packages have been upgraded to upstream version 3.6.2, which provides a number of bug fixes and enhancements over the previous version:
  • Added support for OpenSSL 1.1.
  • Replaced deprecated OpenSSL interfaces.
  • Replaced deprecated libica interfaces.
  • Improved performance for IBM Crypto Accelerator (ICA).
  • Added support for the rc=8, reasoncode=2028 error message in the icsf token. (BZ#1391559)

AUDIT_NETFILTER_PKT events are now normalized

The AUDIT_NETFILTER_PKT audit events are now simplified, and their message fields are displayed in a consistent manner. (BZ#1382494)

p11tool now supports writing objects by specifying a stored ID

With this update, the p11tool GnuTLS PKCS#11 tool supports the new --id option to write objects by specifying a stored ID. This allows the written object to be addressable by more applications than p11tool. (BZ#1399232)

New package: nss-pem

This update introduces the nss-pem package, which was previously part of the nss packages, as a separate package. The nss-pem package provides the PEM file reader for Network Security Services (NSS), implemented as a PKCS#11 module. (BZ#1316546)

pmrfc3164 replaces pmrfc3164sd in rsyslog

With the update of the rsyslog packages, the pmrfc3164sd module, which is used for parsing logs in the BSD syslog protocol format (RFC 3164), has been replaced by the official pmrfc3164 module. The official module does not fully cover the pmrfc3164sd functionality, and thus pmrfc3164sd is still available in rsyslog. However, it is recommended to use the new pmrfc3164 module wherever possible. The pmrfc3164sd module is no longer supported. (BZ#1431616)

libreswan now supports right=%opportunisticgroup

With this update, the %opportunisticgroup value for the right option in the conn part of the Libreswan configuration is supported. This allows opportunistic IPsec with X.509 authentication, which significantly reduces the administrative overhead in large environments. (BZ#1324458)

ca-certificates now meet Mozilla Firefox 52.2 ESR requirements

The Network Security Services (NSS) code and Certificate Authority (CA) list have been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI). To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017. (BZ#1444413)

nss now meets Mozilla Firefox 52.2 ESR requirements for certificates

The Certificate Authority (CA) list has been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI). To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017. (BZ#1444414)

scap-security-guide rebased to version 0.1.33

The scap-security-guide packages have been upgraded to upstream version 0.1.33, which provides a number of bug fixes and enhancements over the previous version. In particular, this new version enhances existing compliance profiles and expands the scope of coverage to include two new configuration baselines:
  • Extended support for the PCI-DSS v3 Control Baseline.
  • Extended support for United States Government Commercial Cloud Services (C2S).
  • Extended support for Red Hat Corporate Profile for Certified Cloud Providers.
  • Added support for the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 7 profile, aligning to the DISA STIG for Red Hat Enterprise Linux V1R1 profile.
  • Added support for the Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) profile, which configures Red Hat Enterprise Linux 7 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).
  • Added support for the United States Government Configuration Baseline (USGCB/STIG) profile, developed in partnership with the U. S. National Institute of Standards and Technology (NIST), U. S. Department of Defense, the National Security Agency, and Red Hat.
The USGCB/STIG profile implements configuration requirements from the following documents:
  • Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
  • NIST Controlled Unclassified Information (NIST 800-171)
  • NIST 800-53 control selections for moderate impact systems (NIST 800-53)
  • U. S. Government Configuration Baseline (USGCB)
  • NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0)
  • DISA Operating System Security Requirements Guide (OS SRG)
Note that several previously-contained profiles have been removed or merged. (BZ#1410914)