New packages: tang, clevis, jose, luksmeta
Network Bound Disk Encryption (NBDE) allows the user to encrypt root volumes of the hard drives on physical and virtual machines without requiring a password to be entered manually when the systems are rebooted.
Tang is a server for binding data to network presence. It includes a daemon which provides cryptographic operations for binding to a remote service. The tang package provides the server side of the NBDE project.
Clevis is a pluggable framework for automated decryption. It can be used to provide automated decryption of data or even automated unlocking of LUKS volumes. The clevis package provides the client side of the NBDE project.
LUKSMeta is a simple library for storing metadata in the LUKSv1 header. The luksmeta package is a dependency of the clevis and tang packages.
Note that the tang-nagios subpackages are available only as a Technology Preview. (BZ#1300697, BZ#1300696, BZ#1399228, BZ#1399229)
New package: usbguard
The USBGuard software framework provides system protection against intrusive USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. To enforce a user-defined policy, USBGuard uses the Linux kernel USB device authorization feature. The USBGuard framework provides the following components:
The daemon component with an inter-process communication (IPC) interface for dynamic interaction and policy enforcement
The command-line interface to interact with a running USBGuard instance
The rule language for writing USB device authorization policies
The C++ API for interacting with the daemon component implemented in a shared library (BZ#1395615)
openssh rebased to version 7.4
The openssh package has been updated to upstream version 7.4, which provides a number of enhancements, new features, and bug fixes, including:
Added support for the resumption of interrupted uploads in
Added the extended log format for the authentication failure messages.
Added a new fingerprint type that uses the SHA-256 algorithm.
Added support for using PKCS#11 devices with external PIN entry devices.
Removed support for the SSH-1 protocol from the
Removed support for the legacy v00 cert format.
HostKeyAlgorithms configuration options for the ssh utility and the sshd daemon to allow disabling key types selectively.
AddKeysToAgent option for the
ProxyJump ssh option and the corresponding -J command-line flag.
Added support for key exchange methods for the Diffie-Hellman 2K, 4K, and 8K groups.
Include directive for the
Removed support for the
Removed support for the pre-authentication compression in the server.
The seccomp filter is now used for the pre-authentication process. (BZ#1341754)
audit rebased to version 2.7.6
The audit packages have been updated to upstream version 2.7.6, which provides a number of enhancements, new features, and bug fixes, including:
auditd service now automatically adjusts logging directory permissions when it starts up. This helps keep directory permissions correct after performing a package upgrade.
The ausearch utility has a new --format output option. The --format text option presents an event as an English sentence describing what is happening. The --format csv option normalizes logs into a subject, object, action, result, and how it occurred, plus some metadata fields, and outputs them in Comma Separated Value (CSV) format. This is suitable for pushing event information into a database, spreadsheet, or other analytic program to view, chart, or analyze audit events.
The auditctl utility can now reset the lost event counter in the kernel through the --reset-lost command-line option. This makes checking for lost events easier, since you can reset the value to zero daily.
The aureport utility now has a boot option for the --start command-line option to find events since the system booted.
The aureport utility provides a new --escape command-line option to better control what kind of escaping is done to audit fields. It currently supports
no longer allows rules with the entry filter. This filter has not been supported since Red Hat Enterprise Linux 5. Prior to this release, on Red Hat Enterprise Linux 6 and 7, moved any entry rule to the exit filter and displayed a warning that the entry filter is deprecated. (BZ#1381601)
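To show what the normalized --format csv output lends itself to, here is an added Python example (not part of the release notes or the audit project) that parses a constructed sample of such output and runs two simple aggregations over it. The column names in the sample header are an assumption from memory; verify them against the header line your ausearch version prints.

```python
import csv
import io
from collections import Counter
from typing import Dict, List

# Constructed sample of `ausearch --format csv` output (not a real capture).
# The header mirrors the normalized fields described above (subject, action,
# result, object, how, plus metadata); the exact column names are an
# assumption, so check the first line of your own ausearch output. Only
# SUBJ_PRIME, ACTION, RESULT and HOW are relied on below.
SAMPLE_CSV = """\
NODE,EVENT,DATE,TIME,SERIAL_NUM,EVENT_KIND,SESSION,SUBJ_PRIME,SUBJ_SEC,SUBJ_KIND,ACTION,RESULT,OBJ_PRIME,OBJ_SEC,OBJ_KIND,HOW
host1,USER_AUTH,06/12/2017,09:14:02,501,user-login,unset,bob,,user,authenticated,failed,?,?,user-session,/usr/sbin/sshd
host1,USER_AUTH,06/12/2017,09:14:05,502,user-login,unset,bob,,user,authenticated,failed,?,?,user-session,/usr/sbin/sshd
host1,USER_AUTH,06/12/2017,09:14:09,503,user-login,unset,bob,,user,authenticated,failed,?,?,user-session,/usr/sbin/sshd
host1,USER_AUTH,06/12/2017,09:14:20,504,user-login,unset,alice,,user,authenticated,success,?,?,user-session,/usr/sbin/sshd
host1,USER_CMD,06/12/2017,09:15:01,505,system-services,4,alice,,user,ran-command,success,/usr/bin/systemctl,,process,/usr/bin/sudo
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Read the CSV the same way a database or spreadsheet importer would."""
    return list(csv.DictReader(io.StringIO(text)))


def failed_auth_by_subject(rows: List[Dict[str, str]], threshold: int = 3) -> Dict[str, int]:
    """Subjects with at least `threshold` failed authentications: an aggregate
    that is awkward over raw records but trivial over the normalized columns."""
    counts = Counter(r["SUBJ_PRIME"] for r in rows
                     if r["ACTION"] == "authenticated" and r["RESULT"] == "failed")
    return {subj: n for subj, n in counts.items() if n >= threshold}


def actions_by_program(rows: List[Dict[str, str]]) -> Dict[str, Counter]:
    """Pivot of HOW (the program that acted) against ACTION, for a quick
    overview before pushing the events into a database."""
    pivot: Dict[str, Counter] = {}
    for r in rows:
        pivot.setdefault(r["HOW"], Counter())[r["ACTION"]] += 1
    return pivot
```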
opensc rebased to version 0.16.0
The OpenSC set of libraries and utilities provides support for working with smart cards.
OpenSC focuses on cards that support cryptographic operations and enables their use for authentication, mail encryption, or digital signatures.
Notable enhancements in Red Hat Enterprise Linux 7.4 include:
Note that the coolkey packages will remain supported for the lifetime of Red Hat Enterprise Linux 7, but new hardware enablement will be provided through the opensc
openssl rebased to version 1.0.2k
The openssl package has been updated to upstream version 1.0.2k, which provides a number of enhancements, new features, and bug fixes, including:
Added support for the Datagram Transport Layer Security (DTLS) protocol version 1.2.
Added support for the automatic elliptic curve selection for the ECDHE key exchange in TLS.
Added support for the Application-Layer Protocol Negotiation (ALPN).
Added Cryptographic Message Syntax (CMS) support for the following schemes: RSA-PSS, RSA-OAEP, ECDH, and X9.42 DH.
Note that this version is compatible with the API and ABI in the library version in previous releases of Red Hat Enterprise Linux 7. (BZ#1276310)
openssl-ibmca rebased to version 1.3.0
The openssl-ibmca package has been updated to upstream version 1.3.0, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
Added support for SHA-512.
Cryptographic methods are dynamically loaded when the ibmca engine starts. This enables ibmca to direct cryptographic methods if they are supported in hardware through the
Fixed a bug in block-size handling with stream cipher modes. (BZ#1274385)
OpenSCAP 1.2 is NIST-certified
OpenSCAP 1.2, the Security Content Automation Protocol (SCAP) scanner, has been certified by the National Institute of Standards and Technology (NIST) as a U.S. government-evaluated configuration and vulnerability scanner for Red Hat Enterprise Linux 6 and 7.
OpenSCAP analyzes and evaluates security automation content correctly and it provides the functionality and documentation required by NIST to run in sensitive, security-conscious environments. Additionally, OpenSCAP is the first NIST-certified configuration scanner for evaluating Linux containers. Use cases include evaluating the configuration of Red Hat Enterprise Linux 7 hosts for PCI and DoD Security Technical Implementation Guide (STIG) compliance, as well as performing known vulnerability scans using Red Hat Common Vulnerabilities and Exposures (CVE) data. (BZ#1363826)
libreswan rebased to version 3.20
The libreswan packages have been upgraded to upstream version 3.20, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include:
Added support for Opportunistic IPsec (Mesh Encryption), which enables IPsec deployments that cover a large number of hosts using a single simple configuration on all hosts.
FIPS support has been further tightened.
Added support for route-based VPN using Virtual Tunnel Interface (VTI).
Improved support for non-root configurations.
Improved Online Certificate Status Protocol (OCSP) and Certificate Revocation Lists (CRL) support.
whack command options:
Added support for the NAT Opportunistic Encryption (OE) Client Address Translation:
Added support for the Traffic Flow Confidentiality mechanism:
Updated cipher preferences as per RFC 4307bis and RFC 7321bis.
Added support for Extended Sequence Numbers (ESN):
Added support for disabling and increasing the replay window:
Audit now supports filtering based on session ID
With this update, the Linux Audit system supports user rules to filter audit messages based on the sessionid value. (BZ#1382504)
libseccomp now supports IBM Power architectures
With this update, the library supports the IBM Power, 64-bit IBM Power, and 64-bit little-endian IBM Power architectures, which enables the GNOME rebase. (BZ#1425007)
AUDIT_KERN_MODULE now records module loading
An AUDIT_KERN_MODULE auxiliary record has been added to AUDIT_SYSCALL records for the delete_module() functions. This information is stored in the audit_context structure. (BZ#1382500)
OpenSSH now uses SHA-2 for public key signatures
OpenSSH previously used the SHA-1 hash algorithm for public key signatures with RSA and DSA keys. SHA-1 is no longer considered secure, and a new SSH protocol extension allows SHA-2 to be used instead. With this update, SHA-2 is the default algorithm for public key signatures; SHA-1 is available only for backward compatibility. (BZ#1322911)
firewalld now supports additional IP sets
With this update of the firewalld service daemon, support for the following ipset types has been added:
ipset types that provide a combination of sources and destinations at the same time are not supported as sources in firewalld. IP sets using these types are created by firewalld, but their usage is limited to direct rules:
The ipset packages have been rebased to upstream version 6.29, and the following ipset types are now additionally supported:
firewalld now supports actions on ICMP types in rich rules
With this update, the service daemon allows using Internet Control Message Protocol (ICMP) types in rich rules with the accept, log, and mark actions. (BZ#1409544)
firewalld now supports disabled automatic helper assignment
This update of the firewalld service daemon introduces support for the disabled automatic helper assignment feature. firewalld helpers can now be used without adding additional rules, even if automatic helper assignment is turned off. (BZ#1006225)
nss and nss-util now use SHA-256 by default
With this update, the default configuration of the NSS library has been changed to use a stronger hash algorithm when creating digital signatures. With RSA, EC, and 2048-bit (or longer) DSA keys, the SHA-256 algorithm is now used.
Note that the NSS utilities, such as , now use SHA-256 in their default configurations. (BZ#1309781)
Audit filter exclude rules now contain additional fields
The exclude filter has been enhanced, and it now contains not only the msgtype field, but also the SELinux types. (BZ#1382508)
PROCTITLE now provides the full command in Audit events
This update introduces the PROCTITLE record addition to Audit events. PROCTITLE provides the full command being executed. The PROCTITLE value is encoded so that it cannot circumvent the Audit event parser. Note that the PROCTITLE value is still not trusted, since it can be manipulated from user space. (BZ#1299527)
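As an added example, not from the release notes or the audit project, the following Python decodes the PROCTITLE value from constructed sample records (hex for NUL-separated argv, quoted for a single word) and cross-checks argv[0] against the exe= field of the matching SYSCALL record, since the title is user-controlled while exe comes from the kernel.

```python
import os
import re
from typing import Dict, List, Optional
# Constructed sample Audit records (not real captures). auditd hex-encodes any
# field with NUL/quotes/special bytes; proctitle is hex whenever argv has >1 entry.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1497257445.123:4242): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/usr/bin/cat"
type=PROCTITLE msg=audit(1497257445.123:4242): proctitle=636174002F6574632F736861646F77
type=PROCTITLE msg=audit(1497257446.001:4243): proctitle="bash"
type=SYSCALL msg=audit(1497257447.500:4244): arch=c000003e syscall=2 success=yes exit=3 comm="python3" exe="/usr/bin/python3"
type=PROCTITLE msg=audit(1497257447.500:4244): proctitle=736C656570003630
"""

SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
PROCTITLE_RE = re.compile(r'proctitle=(?:"([^"]*)"|([0-9A-Fa-f]+))')
EXE_RE = re.compile(r'exe="([^"]*)"')

def decode_proctitle(line: str) -> Optional[List[str]]:
    """argv from a PROCTITLE line, or None. Quoted = single word; hex = raw
    NUL-separated argv, so spaces or quotes inside arguments cannot break parsing."""
    m = PROCTITLE_RE.search(line)
    if not m:
        return None
    quoted, hexed = m.groups()
    if quoted is not None:
        return [quoted]
    raw = bytes.fromhex(hexed).rstrip(b"\0")
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0")]

def correlate(log: str) -> Dict[str, dict]:
    """Group records by event serial: argv from PROCTITLE, exe from SYSCALL."""
    events: Dict[str, dict] = {}
    for line in log.splitlines():
        sm = SERIAL_RE.search(line)
        if not sm:
            continue
        ev = events.setdefault(sm.group(1), {})
        if line.startswith("type=PROCTITLE"):
            ev["argv"] = decode_proctitle(line)
        elif line.startswith("type=SYSCALL") and EXE_RE.search(line):
            ev["exe"] = EXE_RE.search(line).group(1)
    return events

def mismatched_titles(events: Dict[str, dict]) -> List[str]:
    """Serials whose argv[0] differs from the kernel-reported exe; argv is
    user-writable, so cross-check it. Login shells ("-bash") are benign hits."""
    return [s for s, ev in events.items()
            if ev.get("argv") and ev.get("exe")
            and os.path.basename(ev["argv"][0]) != os.path.basename(ev["exe"])]
```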
nss-softokn rebased to version 3.28.3
The nss-softokn packages have been upgraded to upstream version 3.28.3, which provides a number of bug fixes and enhancements over the previous version:
Added support for the ChaCha20-Poly1305 (RFC 7539) algorithm used by TLS (RFC 7905), the Internet Key Exchange Protocol (IKE), and IPsec (RFC 7634).
For key exchange purposes, added support for the Curve25519/X25519 curve.
Added support for the Extended Master Secret (RFC 7627) extension. (BZ#1369055)
libica rebased to version 3.0.2
The libica package has been upgraded to upstream version 3.0.2, which provides a number of fixes over the previous version. Notable additions include:
support for Federal Information Processing Standards (FIPS) mode
support for generating pseudorandom numbers, including enhanced support for Deterministic Random Bit Generator compliant with the updated security specification NIST SP 800-90A. (BZ#1391558)
opencryptoki rebased to version 3.6.2
The opencryptoki packages have been upgraded to upstream version 3.6.2, which provides a number of bug fixes and enhancements over the previous version:
Added support for
Replaced deprecated libica interfaces.
Improved performance for IBM Crypto Accelerator (ICA).
Added support for the rc=8, reasoncode=2028 error message in the icsf token. (BZ#1391559)
AUDIT_NETFILTER_PKT events are now normalized
AUDIT_NETFILTER_PKT audit events are now simplified and message fields are now displayed in a consistent manner. (BZ#1382494)
p11tool now supports writing objects by specifying a stored ID
With this update, the GnuTLS PKCS#11 tool supports the new option to write objects by specifying a stored ID. This allows the written object to be addressable by more applications than
New package: nss-pem
This update introduces the nss-pem package, which previously was part of the nss packages, as a separate package. The nss-pem package provides the PEM file reader for Network Security Services (NSS) implemented as a PKCS#11 module. (BZ#1316546)
pmrfc3164sd in rsyslog
With the update of the rsyslog packages, the pmrfc3164sd module, which is used for parsing logs in the BSD syslog protocol format (RFC 3164), has been replaced by the official pmrfc3164 module. The official module does not fully cover the pmrfc3164sd functionality, and thus pmrfc3164sd is still available in rsyslog. However, it is recommended to use the new pmrfc3164 module wherever possible. The pmrfc3164sd module is no longer supported. (BZ#1431616)
libreswan now supports
With this update, the %opportunisticgroup value for the right option in the conn part of the Libreswan configuration is supported. This allows opportunistic IPsec with X.509 authentication, which significantly reduces the administrative overhead in large environments. (BZ#1324458)
ca-certificates now meet Mozilla Firefox 52.2 ESR requirements
The Network Security Services (NSS) code and Certificate Authority (CA) list have been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI). To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017. (BZ#1444413)
nss now meets Mozilla Firefox 52.2 ESR requirements for certificates
The Certificate Authority (CA) list has been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI). To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017. (BZ#1444414)
scap-security-guide rebased to version 0.1.33
The scap-security-guide packages have been upgraded to upstream version 0.1.33, which provides a number of bug fixes and enhancements over the previous version. In particular, this new version enhances existing compliance profiles and expands the scope of coverage to include two new configuration baselines:
Extended support for PCI-DSS v3 Control Baseline
Extended support for United States Government Commercial Cloud Services (C2S).
Extended support for Red Hat Corporate Profile for Certified Cloud Providers.
Added support for the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 7 profile, aligning to the DISA STIG for Red Hat Enterprise Linux V1R1 profile.
Added support for the Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) profile, which configures Red Hat Enterprise Linux 7 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).
Added support for the United States Government Configuration Baseline (USGCB/STIG) profile, developed in partnership with the U.S. National Institute of Standards and Technology (NIST), the U.S. Department of Defense, the National Security Agency, and Red Hat.
The USGCB/STIG profile implements configuration requirements from the following documents:
Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
NIST Controlled Unclassified Information (NIST 800-171)
NIST 800-53 control selections for moderate impact systems (NIST 800-53)
U. S. Government Configuration Baseline (USGCB)
NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0)
DISA Operating System Security Requirements Guide (OS SRG)
Note that several previously-contained profiles have been removed or merged. (BZ#1410914)