Chapter 15. Security
New packages: tang, clevis, jose, luksmeta
Network Bound Disk Encryption (NBDE) allows the user to encrypt root volumes of hard drives on physical and virtual machines without having to manually enter a password when the system is rebooted.
- Tang is a server for binding data to network presence. It includes a daemon which provides cryptographic operations for binding to a remote service. The tang package provides the server side of the NBDE project.
- Clevis is a pluggable framework for automated decryption. It can be used to provide automated decryption of data or even automated unlocking of LUKS volumes. The clevis package provides the client side of the NBDE project.
- LUKSMeta is a simple library for storing metadata in the LUKSv1 header. The luksmeta package is a dependency of the clevis and tang packages.
Note that the tang-nagios and clevis-udisk2 subpackages are available only as a Technology Preview. (BZ#1300697, BZ#1300696, BZ#1399228, BZ#1399229)
New package: usbguard
The USBGuard software framework provides system protection against intrusive USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. To enforce a user-defined policy, USBGuard uses the Linux kernel USB device authorization feature. The USBGuard framework provides the following components:
- The daemon component with an inter-process communication (IPC) interface for dynamic interaction and policy enforcement
- The command-line interface to interact with a running USBGuard instance
- The rule language for writing USB device authorization policies
- The C++ API for interacting with the daemon component implemented in a shared library (BZ#1395615)
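The following Python script is an added example, not USBGuard's own code, of how a first-match policy written in the USBGuard rule language is evaluated against the attributes of a plugged-in device. It handles a subset of the usbguard-rules.conf syntax as the editor understands it (allow, block and reject targets; the id, serial, name and with-interface attributes; the equals, one-of, all-of and none-of set operators; "*" wildcards in id and interface values). The policy and the device records are constructed, and the implicit target for devices that match no rule is assumed to be block (in USBGuard this is the configurable ImplicitPolicyTarget).

```python
"""First-match evaluation of USBGuard-style device authorization rules.

Added example, not USBGuard's own code. Handles a subset of the
usbguard-rules.conf language: allow/block/reject targets; the id, serial,
name and with-interface attributes; the equals, one-of, all-of and none-of
set operators; and '*' wildcards in id (vendor:product) and interface
(class:subclass:protocol) values. The implicit target for unmatched devices
is assumed to be 'block' (USBGuard's configurable ImplicitPolicyTarget).
"""
import shlex

TARGETS = ("allow", "block", "reject")
SET_OPS = ("equals", "one-of", "all-of", "none-of")
WILDCARD_ATTRS = ("id", "with-interface")


def _wild_eq(pattern: str, value: str) -> bool:
    """Compare colon-separated components; '*' in the pattern matches anything."""
    p, v = pattern.split(":"), value.split(":")
    return len(p) == len(v) and all(a == "*" or a == b for a, b in zip(p, v))


def parse_rule(text: str) -> dict:
    """Turn 'target attr [op] value|{ values } ...' into a rule dict."""
    tokens = shlex.split(text, comments=True)
    if not tokens:
        raise ValueError("empty rule")
    target, tokens = tokens[0], tokens[1:]
    if target not in TARGETS:
        raise ValueError(f"unknown target {target!r}")
    conds, i = [], 0
    while i < len(tokens):
        attr, i = tokens[i], i + 1
        op = "equals"
        if i < len(tokens) and tokens[i] in SET_OPS:
            op, i = tokens[i], i + 1
        if i >= len(tokens):
            raise ValueError(f"attribute {attr!r} has no value")
        if tokens[i] == "{":
            close = tokens.index("}", i)          # ValueError if unbalanced
            values, i = tokens[i + 1:close], close + 1
        else:
            values, i = [tokens[i]], i + 1
        conds.append((attr, op, values))
    return {"target": target, "conds": conds}


def _cond_holds(attr: str, op: str, values: list, device: dict) -> bool:
    present = device.get(attr, [])
    actual = present if isinstance(present, list) else [present]
    eq = _wild_eq if attr in WILDCARD_ATTRS else (lambda p, v: p == v)
    pattern_hit = [any(eq(p, a) for a in actual) for p in values]   # each rule value matched?
    actual_hit = [any(eq(p, a) for p in values) for a in actual]    # each device value covered?
    if op == "equals":      # sets must coincide (single values are the 1-element case)
        return all(pattern_hit) and all(actual_hit)
    if op == "one-of":
        return any(pattern_hit)
    if op == "all-of":
        return all(pattern_hit)
    return not any(pattern_hit)                                       # none-of


def evaluate(rules: list, device: dict, implicit: str = "block") -> str:
    """First rule whose conditions all hold decides; else the implicit target."""
    for rule in rules:
        if all(_cond_holds(a, o, v, device) for a, o, v in rule["conds"]):
            return rule["target"]
    return implicit


# Constructed policy (assumed syntax, not a real deployment): keep root hubs and one
# known keyboard, reject anything mixing storage with HID (the BadUSB pattern),
# block any other HID device, and allow plain mass-storage devices.
POLICY = """
allow id 1d6b:* with-interface equals { 09:00:00 }
allow id 046d:c31c serial "ABC123" with-interface equals { 03:01:01 03:00:00 }
reject with-interface all-of { 08:*:* 03:*:* }
block with-interface one-of { 03:*:* }
allow with-interface equals { 08:06:50 }
"""
RULES = [parse_rule(line) for line in POLICY.strip().splitlines()]

# Constructed devices.
ROOT_HUB = {"id": "1d6b:0002", "serial": "0000:00:14.0", "with-interface": ["09:00:00"]}
KEYBOARD = {"id": "046d:c31c", "serial": "ABC123", "with-interface": ["03:01:01", "03:00:00"]}
THUMBDRIVE = {"id": "0781:5567", "serial": "4C530001", "with-interface": ["08:06:50"]}
STORAGE_PLUS_HID = {"id": "0781:5567", "serial": "4C530001", "with-interface": ["08:06:50", "03:01:01"]}
SPOOFED_KEYBOARD = {"id": "046d:c31c", "serial": "ZZZ999", "with-interface": ["03:01:01"]}

if __name__ == "__main__":
    for label, dev in [("root hub", ROOT_HUB), ("keyboard", KEYBOARD), ("thumb drive", THUMBDRIVE),
                       ("storage+HID", STORAGE_PLUS_HID), ("spoofed keyboard", SPOOFED_KEYBOARD)]:
        print(f"{label:17} -> {evaluate(RULES, dev)}")
```

The order of rules matters: the allow for the known keyboard is keyed on id and serial, so a device that presents the same vendor:product but a different serial falls through to the generic HID block, and a storage device that also exposes a HID interface is rejected before the plain mass-storage allow can match.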
openssh rebased to version 7.4
The openssh package has been updated to upstream version 7.4, which provides a number of enhancements, new features, and bug fixes, including:
- Added support for the resumption of interrupted uploads in
- Added the extended log format for the authentication failure messages.
- Added a new fingerprint type that uses the SHA-256 algorithm.
- Added support for using PKCS#11 devices with external PIN entry devices.
- Removed support for the SSH-1 protocol from the
- Removed support for the legacy
- Added the HostKeyAlgorithms configuration options for the ssh utility and the sshd daemon to allow disabling key types selectively.
- Added the AddKeysToAgent option for the
- Added the ProxyJump ssh option and the corresponding
- Added support for key exchange methods for the Diffie-Hellman 2K, 4K, and 8K groups.
- Added the Include directive for the
- Removed support for the
- Removed support for the pre-authentication compression in the server.
- The seccomp filter is now used for the pre-authentication process. (BZ#1341754)
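As an added example that is not code from the OpenSSH project or from these release notes, the following Python script computes both the SHA-256 fingerprint type introduced above and the legacy MD5 type for a public key line, and walks the RFC 4251 wire format of the key blob to confirm that the declared key type matches the blob and to read the RSA modulus size. The key material is a constructed 2048-bit integer, not a real key, so the script runs offline; the fingerprint formats ("SHA256:" plus unpadded base64, "MD5:" plus colon-separated hex) are those printed by ssh-keygen -l.

```python
"""Compute OpenSSH public-key fingerprints the way ssh-keygen -l does.

Added example (not code from the OpenSSH project or from these release
notes). The SHA-256 fingerprint type is "SHA256:" + unpadded base64 of
sha256(key blob); the legacy type is "MD5:" + colon-separated hex of
md5(key blob). The key blob is the base64 field of an authorized_keys or
known_hosts line, encoded per RFC 4251 (string key type, then mpints).
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian magnitude with a leading 0x00 if the top bit is set."""
    if value == 0:
        return ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire encoding of an RSA public key: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def parse_blob(blob: bytes):
    """Walk the length-prefixed fields of a key blob; returns (key_type, remaining fields)."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[off:off + length])
        off += length
    if not fields:
        raise ValueError("empty blob")
    return fields[0].decode("ascii"), fields[1:]


def fingerprint_sha256(blob: bytes) -> str:
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def inspect_key_line(line: str) -> dict:
    """Parse one authorized_keys-style line: '<type> <base64 blob> [comment]'."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    key_type, fields = parse_blob(blob)
    if key_type != declared_type:
        raise ValueError(f"blob says {key_type!r}, line says {declared_type!r}")
    info = {"type": key_type, "sha256": fingerprint_sha256(blob), "md5": fingerprint_md5(blob)}
    if key_type == "ssh-rsa":
        e, n = (int.from_bytes(f, "big") for f in fields[:2])
        info["bits"] = n.bit_length()
        info["e"] = e
    return info


# Constructed sample: a synthetic 2048-bit modulus (NOT a real key, just an
# integer of the right size) so that the example runs offline.
SAMPLE_E = 65537
SAMPLE_N = (1 << 2047) | 0x10001
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(rsa_public_blob(SAMPLE_E, SAMPLE_N)).decode() + " demo@example"

if __name__ == "__main__":
    print(inspect_key_line(SAMPLE_LINE))
```

Checking the declared type against the type string inside the blob is worth keeping: a known_hosts line whose first field disagrees with its blob is exactly the kind of hand-edited entry that silently fails host verification.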
audit rebased to version 2.7.6
The audit packages have been updated to upstream version 2.7.6, which provides a number of enhancements, new features, and bug fixes, including:
- The auditd service now automatically adjusts logging directory permissions when it starts up. This helps keep directory permissions correct after performing a package upgrade.
- The ausearch utility has a new --format output option. The --format text option presents an event as an English sentence describing what is happening. The --format csv option normalizes logs into a subject, object, action, result, and how it occurred, in addition to some metadata fields, and outputs them in Comma Separated Value (CSV) format. This is suitable for pushing event information into a database, spreadsheet, or other analytic program to view, chart, or analyze audit events.
- The auditctl utility can now reset the lost event counter in the kernel through the --reset-lost command-line option. This makes checking for lost events easier because you can reset the value to zero daily.
- The aureport utility now has a boot option for the --start command-line option to find events since the system booted.
- The aureport utility provides a new --escape command-line option to better control what kind of escaping is done to audit fields. It currently supports
- The auditctl utility no longer allows rules with the entry filter. This filter has not been supported since Red Hat Enterprise Linux 5. Prior to this release, on Red Hat Enterprise Linux 6 and 7, auditctl moved any entry rule to the exit filter and displayed a warning that the entry filter is deprecated. (BZ#1381601)
opensc rebased to version 0.16.0
The OpenSC set of libraries and utilities provides support for working with smart cards. OpenSC focuses on cards that support cryptographic operations and enables their use for authentication, mail encryption, or digital signatures.
Notable enhancements in Red Hat Enterprise Linux 7.4 include:
- OpenSC adds support for Common Access Card (CAC) cards.
PKCS#11 API and now also provides the CoolKey applet functionality. The opensc packages replace the coolkey packages.
Note that the coolkey packages will remain supported for the lifetime of Red Hat Enterprise Linux 7, but new hardware enablement will be provided through the opensc packages. (BZ#1081088, BZ#1373164)
openssl rebased to version 1.0.2k
The openssl package has been updated to upstream version 1.0.2k, which provides a number of enhancements, new features, and bug fixes, including:
- Added support for the Datagram Transport Layer Security (DTLS) protocol version 1.2.
- Added support for the automatic elliptic curve selection for the ECDHE key exchange in TLS.
- Added support for the Application-Layer Protocol Negotiation (ALPN).
- Added Cryptographic Message Syntax (CMS) support for the following schemes: RSA-PSS, RSA-OAEP, ECDH, and X9.42 DH.
Note that this version is compatible with the API and ABI of the OpenSSL library version in previous releases of Red Hat Enterprise Linux 7. (BZ#1276310)
openssl-ibmca rebased to version 1.3.0
The openssl-ibmca package has been updated to upstream version 1.3.0, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
- Added support for SHA-512.
- Cryptographic methods are dynamically loaded when the ibmca engine starts. This enables ibmca to direct cryptographic methods if they are supported in hardware through the
- Fixed a bug in block-size handling with stream cipher modes. (BZ#1274385)
OpenSCAP 1.2 is NIST-certified
OpenSCAP 1.2, the Security Content Automation Protocol (SCAP) scanner, has been certified by the National Institute of Standards and Technology (NIST) as a U. S. government-evaluated configuration and vulnerability scanner for Red Hat Enterprise Linux 6 and 7.
OpenSCAP analyzes and evaluates security automation content correctly and provides the functionality and documentation required by NIST to run in sensitive, security-conscious environments. Additionally, OpenSCAP is the first NIST-certified configuration scanner for evaluating Linux containers. Use cases include evaluating the configuration of Red Hat Enterprise Linux 7 hosts for PCI and DoD Security Technical Implementation Guide (STIG) compliance, as well as performing known vulnerability scans using Red Hat Common Vulnerabilities and Exposures (CVE) data. (BZ#1363826)
libreswan rebased to version 3.20
The libreswan packages have been upgraded to upstream version 3.20, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include:
- Added support for Opportunistic IPsec (Mesh Encryption), which enables IPsec deployments that cover a large number of hosts using a single simple configuration on all hosts.
- FIPS mode restrictions have been further tightened.
- Added support for route-based VPN using Virtual Tunnel Interface (VTI).
- Improved support for non-root configurations.
- Improved Online Certificate Status Protocol (OCSP) and Certificate Revocation Lists (CRL) support.
- Added new
- Added support for the NAT Opportunistic Encryption (OE) Client Address Translation:
- Added support for the Traffic Flow Confidentiality mechanism:
- Updated cipher preferences as per RFC 4307bis and RFC 7321bis.
- Added support for Extended Sequence Numbers (ESN):
- Added support for disabling and increasing the replay window:
Audit now supports filtering based on session ID
With this update, the Linux Audit system supports user rules to filter audit messages based on the
libseccomp now supports IBM Power architectures
With this update, the libseccomp library supports the IBM Power, 64-bit IBM Power, and 64-bit little-endian IBM Power architectures, which enables the GNOME rebase. (BZ#1425007)
AUDIT_KERN_MODULE now records module loading
The AUDIT_KERN_MODULE auxiliary record has been added to
AUDIT_SYSCALL records for the
delete_module() functions. This information is stored in the
OpenSSH now uses SHA-2 for public key signatures
Previously, OpenSSH used the SHA-1 hash algorithm for public key signatures using RSA and DSA keys. SHA-1 is no longer considered secure, and a new SSH protocol extension allows the use of SHA-2. With this update, SHA-2 is the default algorithm for public key signatures. SHA-1 is available only for backward compatibility purposes. (BZ#1322911)
Note that the SHA-2 signature algorithms negotiated by this extension (rsa-sha2-256 and rsa-sha2-512) apply to RSA keys; there is no SHA-2 variant of ssh-dss, and OpenSSH has disabled DSA keys by default since version 7.0.
firewalld now supports additional IP sets
With this update of the firewalld service daemon, support for the following ipset types has been added:
ipset types that provide a combination of sources and destinations at the same time are not supported as sources in firewalld. IP sets using these types are created by firewalld, but their usage is limited to direct rules:
The ipset packages have been rebased to upstream version 6.29, and the following ipset types are now additionally supported:
- hash:ip,mark (BZ#1419058)
firewalld now supports actions on ICMP types in rich rules
With this update, the firewalld service daemon allows using Internet Control Message Protocol (ICMP) types in rich rules with the accept, log, and mark actions. (BZ#1409544)
firewalld now supports disabled automatic helper assignment
This update of the firewalld service daemon introduces support for the disabled automatic helper assignment feature. firewalld helpers can now be used without adding additional rules even if automatic helper assignment is turned off. (BZ#1006225)
nss and nss-util now use SHA-256 by default
With this update, the default configuration of the NSS library has been changed to use a stronger hash algorithm when creating digital signatures. With RSA, EC, and 2048-bit (or longer) DSA keys, the SHA-256 algorithm is now used.
Note that the NSS utilities, such as cmsutil, now also use SHA-256 in their default configurations. (BZ#1309781)
Audit filter exclude rules now contain additional fields
The exclude filter has been enhanced, and it now contains not only the msgtype field, but also the
PROCTITLE now provides the full command in Audit events
This update introduces the PROCTITLE record addition to Audit events. PROCTITLE provides the full command being executed. The PROCTITLE value is encoded so that it cannot circumvent the Audit event parser. Note that the PROCTITLE value is still not trusted, because it can be manipulated by user space. (BZ#1299527)
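The following Python script is an added example, not code from the audit project or from these release notes, covering both the AUDIT_KERN_MODULE record described earlier and the PROCTITLE record described here. It parses raw audit.log lines, decodes the hex encoding that auditd applies to PROCTITLE (and to other fields when they contain special characters, with NUL separating the arguments), groups records by event serial, and for every event that carries a KERN_MODULE record reports the module name together with the kernel-supplied syscall, comm and exe fields. It then applies the caveat above as a heuristic: because PROCTITLE is whatever the process has left in its own argv area, the script flags events whose argv[0] disagrees with the kernel's comm. The log lines are constructed; the syscall numbers 175, 176 and 313 are the x86_64 values for init_module, delete_module and finit_module, and the record layout is the usual "type=T msg=audit(secs.ms:serial): k=v ..." form.

```python
"""Parse raw Linux Audit records, decode hex-encoded fields such as PROCTITLE,
and correlate KERN_MODULE records with the SYSCALL record of the same event.

Added example (not part of the audit project or these release notes). Assumes
the raw audit.log layout 'type=T msg=audit(secs.ms:serial): k=v ...', that
values with NUL/special characters are hex-encoded with NUL between argv
entries, and x86_64 syscall numbers 175/176/313 for init_module/
delete_module/finit_module. The sample log below is constructed.
"""
import re
from collections import defaultdict

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
KV = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')
HEX_FIELDS = {"proctitle", "comm", "exe", "name", "cwd", "cmd"}   # fields auditd may hex-encode
MODULE_SYSCALLS = {"175": "init_module", "176": "delete_module", "313": "finit_module"}


def decode_value(key: str, raw: str) -> str:
    """Quoted values are literal; selected unquoted all-hex values are decoded."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and raw and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_record(line: str) -> dict:
    """Split one raw record into type, timestamp, serial and decoded fields."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rtype, ts, serial, body = m.groups()
    fields = {k: decode_value(k, v) for k, v in KV.findall(body)}
    if rtype == "PROCTITLE" and "proctitle" in fields:
        fields["argv"] = fields["proctitle"].split("\x00")   # NUL separates argv entries
    return {"type": rtype, "time": float(ts), "serial": int(serial), "fields": fields}


def group_events(lines) -> dict:
    """Records sharing a serial number belong to one event."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            events[rec["serial"]].append(rec)
    return events


def module_events(lines) -> list:
    """One summary per event that carries a KERN_MODULE record."""
    out = []
    for serial, recs in sorted(group_events(lines).items()):
        by_type = {r["type"]: r["fields"] for r in recs}
        if "KERN_MODULE" not in by_type:
            continue
        sc, pt = by_type.get("SYSCALL", {}), by_type.get("PROCTITLE", {})
        summary = {
            "serial": serial,
            "module": by_type["KERN_MODULE"].get("name"),
            "syscall": MODULE_SYSCALLS.get(sc.get("syscall"), sc.get("syscall")),
            "success": sc.get("success"),
            "auid": sc.get("auid"),
            "comm": sc.get("comm"),
            "exe": sc.get("exe"),
            "argv": pt.get("argv", []),
        }
        # comm and exe are filled in by the kernel; PROCTITLE is the process's own
        # argv area and can be rewritten by user space. Disagreement is a heuristic
        # signal only (comm is truncated to 15 bytes, interpreters differ legitimately).
        argv0 = summary["argv"][0].rsplit("/", 1)[-1] if summary["argv"] else ""
        summary["proctitle_suspicious"] = bool(argv0) and argv0[:15] != summary["comm"]
        out.append(summary)
    return out


# Constructed sample log: a normal modprobe, a module loaded by a process whose
# PROCTITLE claims to be a kernel thread, and an unrelated execve event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1494498645.227:1235): arch=c000003e syscall=313 success=yes exit=0 a0=3 a1=7ffd3d2a1c10 a2=0 a3=0 items=0 ppid=1 pid=2048 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="modprobe" exe="/usr/bin/kmod" key="modules"
type=KERN_MODULE msg=audit(1494498645.227:1235): name="nf_conntrack"
type=PROCTITLE msg=audit(1494498645.227:1235): proctitle=6D6F6470726F6265006E665F636F6E6E747261636B
type=SYSCALL msg=audit(1494498700.001:1240): arch=c000003e syscall=175 success=yes exit=0 a0=7f0000 a1=5a000 a2=0 a3=0 items=0 ppid=1900 pid=2100 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="insmod" exe="/usr/bin/kmod" key="modules"
type=KERN_MODULE msg=audit(1494498700.001:1240): name="rootkit"
type=PROCTITLE msg=audit(1494498700.001:1240): proctitle="[kworker/0:1]"
type=SYSCALL msg=audit(1494498750.500:1250): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1 pid=2200 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)
type=PROCTITLE msg=audit(1494498750.500:1250): proctitle="ls"
"""

if __name__ == "__main__":
    for ev in module_events(SAMPLE_LOG.splitlines()):
        print(ev)
```

The second event is the interesting one for detection: the KERN_MODULE record names the module regardless of what the loader called itself, and the mismatch between the kernel's comm ("insmod") and the self-reported PROCTITLE is exactly the kind of discrepancy the untrusted-value caveat is warning about.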
nss-softokn rebased to version 3.28.3
The nss-softokn packages have been upgraded to upstream version 3.28.3, which provides a number of bug fixes and enhancements over the previous version:
- Added support for the ChaCha20-Poly1305 (RFC 7539) algorithm used by TLS (RFC 7905), the Internet Key Exchange Protocol (IKE), and IPsec (RFC 7634).
- For key exchange purposes, added support for the Curve25519/X25519 curve.
- Added support for the Extended Master Secret (RFC 7627) extension. (BZ#1369055)
libica rebased to version 3.0.2
The libica package has been upgraded to upstream version 3.0.2, which provides a number of fixes over the previous version. Notable additions include:
- support for Federal Information Processing Standards (FIPS) mode
- support for generating pseudorandom numbers, including enhanced support for Deterministic Random Bit Generator compliant with the updated security specification NIST SP 800-90A. (BZ#1391558)
opencryptoki rebased to version 3.6.2
The opencryptoki packages have been upgraded to upstream version 3.6.2, which provides a number of bug fixes and enhancements over the previous version:
- Added support for
- Replaced deprecated
- Replaced deprecated libica interfaces.
- Improved performance for IBM Crypto Accelerator (ICA).
- Added support for the rc=8, reasoncode=2028 error message in the
AUDIT_NETFILTER_PKT events are now normalized
AUDIT_NETFILTER_PKT audit events are now simplified, and message fields are now displayed in a consistent manner. (BZ#1382494)
p11tool now supports writing objects by specifying a stored ID
With this update, the p11tool GnuTLS PKCS#11 tool supports the new --id option to write objects by specifying a stored ID. This allows the written object to be addressable by more applications than
New package: nss-pem
This update introduces the nss-pem package, which previously was part of the nss packages, as a separate package. The nss-pem package provides the PEM file reader for Network Security Services (NSS) implemented as a PKCS#11 module. (BZ#1316546)
pmrfc3164sd in rsyslog
With the update of the rsyslog packages, the pmrfc3164sd module, which is used for parsing logs in the BSD syslog protocol format (RFC 3164), has been replaced by the official pmrfc3164 module. The official module does not fully cover the pmrfc3164sd functionality, and thus pmrfc3164sd is still available in rsyslog. However, it is recommended to use the new pmrfc3164 module wherever possible. The pmrfc3164sd module is no longer supported. (BZ#1431616)
libreswan now supports the %opportunisticgroup value
With this update, the %opportunisticgroup value for the right option in the conn part of the Libreswan configuration is supported. This allows opportunistic IPsec with X.509 authentication, which significantly reduces the administrative overhead in large environments. (BZ#1324458)
ca-certificates now meet Mozilla Firefox 52.2 ESR requirements
The Network Security Services (NSS) code and Certificate Authority (CA) list have been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI). To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017. (BZ#1444413)
nss now meets Mozilla Firefox 52.2 ESR requirements for certificates
The Certificate Authority (CA) list has been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI). To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017. (BZ#1444414)
scap-security-guide rebased to version 0.1.33
The scap-security-guide packages have been upgraded to upstream version 0.1.33, which provides a number of bug fixes and enhancements over the previous version. In particular, this new version enhances existing compliance profiles and expands the scope of coverage to include two new configuration baselines:
- Extended support for PCI-DSS v3 Control Baseline
- Extended support for United States Government Commercial Cloud Services (C2S).
- Extended support for Red Hat Corporate Profile for Certified Cloud Providers.
- Added support for the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 7 profile, aligning to the DISA STIG for Red Hat Enterprise Linux V1R1 profile.
- Added support for the Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) profile, which configures Red Hat Enterprise Linux 7 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).
- Added support for the United States Government Configuration Baseline (USGCB/STIG) profile, developed in partnership with the U. S. National Institute of Standards and Technology (NIST), U. S. Department of Defense, the National Security Agency, and Red Hat.
The USGCB/STIG profile implements configuration requirements from the following documents:
- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST Controlled Unclassified Information (NIST 800-171)
- NIST 800-53 control selections for moderate impact systems (NIST 800-53)
- U. S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0)
- DISA Operating System Security Requirements Guide (OS SRG)
Note that several previously-contained profiles have been removed or merged. (BZ#1410914)