Chapter 14. Security

LUKS-encrypted removable storage devices can now be automatically unlocked using NBDE

With this update, the clevis package and the clevis_udisks2 subpackage enable users to bind removable volumes to a Network-Bound Disk Encryption (NBDE) policy. To automatically unlock a LUKS-encrypted removable storage device, such as a USB drive, use the clevis luks bind and clevis luks unlock commands. (BZ#1475408)

new package: clevis-systemd

This update of the Clevis pluggable framework introduces the clevis-systemd subpackage, which enables administrators to set automated unlocking of LUKS-encrypted non-root volumes at boot time. (BZ#1475406)

OpenSCAP can now be integrated into Ansible workflows

With this update, the OpenSCAP scanner can generate remediation scripts in the form of Ansible Playbooks, either based on profiles or based on scan results. Playbooks based on SCAP Security Guide Profiles contain fixes for all rules, and playbooks based on scan results contain only fixes for rules that fail during an evaluation. The user can also generate a playbook from a tailored Profile, or customize it directly by editing the values in the playbook. Tags used as task metadata in the playbooks, such as Rule ID, strategy, complexity, disruption, or references, serve to filter which tasks to apply. (BZ#1404429)

SECCOMP_FILTER_FLAG_TSYNC enables synchronization of calling process threads

This update introduces the SECCOMP_FILTER_FLAG_TSYNC flag. When adding a new filter, this flag synchronizes all other threads of the calling process to the same seccomp filter tree. See the seccomp(2) man page for more information.
Note that if an application installs multiple libseccomp or seccomp-bpf filters, the seccomp() syscall should be added to the list of allowed system calls. (BZ#1458278)

nss rebased to version 3.34

The nss packages have been upgraded to upstream version 3.34, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
  • TLS compression is no longer supported.
  • The TLS server code now supports session tickets without an RSA key.
  • Certificates can be specified using a PKCS#11 URI.
  • The RSA-PSS cryptographic signature scheme is now allowed for signing and verification of certificate signatures. (BZ#1457789)

SSLv3 disabled in mod_ssl

To improve the security of SSL/TLS connections, the default configuration of the httpd mod_ssl module has been changed to disable support for the SSLv3 protocol, and to restrict the use of certain cryptographic cipher suites. This change will affect only fresh installations of the mod_ssl package, so existing users should manually change the SSL configuration as required.
Any SSL clients attempting to establish connections using SSLv3, or using a cipher suite based on DES or RC4, will be denied in the new default configuration. To allow such insecure connections, modify the SSLProtocol and SSLCipherSuite directives in the /etc/httpd/conf.d/ssl.conf file. (BZ#1274890)
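The following shell check, added here as an illustration and not part of the original release note, audits an ssl.conf fragment for the two weak settings the note describes (SSLv3 left enabled, DES or RC4 cipher families not excluded). Both configuration fragments are constructed for the example and are not the package defaults; the cipher-string handling is a heuristic, not a full OpenSSL cipher-list parser.

```bash
#!/bin/bash
# Constructed ssl.conf fragments (not the mod_ssl package defaults):
# a legacy configuration that still permits SSLv3 and weak ciphers,
# beside a hardened one that excludes them.
WEAK_CONF='SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:RC4:DES:!aNULL
SSLHonorCipherOrder on'

HARDENED_CONF='SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!DES:!3DES
SSLHonorCipherOrder on'

# Read mod_ssl configuration text on stdin and print the number of
# findings: SSLv3 still enabled, or a DES/RC4 family not excluded.
# 0 means nothing needs changing.
audit_mod_ssl() {
    local findings=0 directive value family
    while read -r directive value; do
        case "$directive" in
            SSLProtocol)
                # SSLv3 stays enabled with "all" or an explicit SSLv3
                # unless the list also removes it with -SSLv3.
                case " $value " in
                    *" -SSLv3 "*) ;;
                    *" all "*|*" +SSLv3 "*|*" SSLv3 "*) findings=$((findings + 1)) ;;
                esac ;;
            SSLCipherSuite)
                # A family named without the ! prefix, or pulled in by a
                # broad group (MEDIUM, LOW, ALL, DEFAULT), is admitted
                # unless the same string also excludes it with !family.
                for family in RC4 DES; do
                    case ":$value:" in
                        *":!$family:"*) ;;
                        *":$family:"*|*":MEDIUM:"*|*":LOW:"*|*":ALL:"*|*":DEFAULT:"*)
                            findings=$((findings + 1)) ;;
                    esac
                done ;;
        esac
    done
    echo "$findings"
}

printf 'legacy config findings:   %s\n' "$(printf '%s\n' "$WEAK_CONF" | audit_mod_ssl)"
printf 'hardened config findings: %s\n' "$(printf '%s\n' "$HARDENED_CONF" | audit_mod_ssl)"
```

Run it against a real file with `audit_mod_ssl < /etc/httpd/conf.d/ssl.conf`; a non-zero count on an upgraded system is the manual change the note asks existing users to make.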

Libreswan now supports split-DNS configuration for IKEv2

This update of the libreswan packages introduces support for split-DNS configuration for the Internet Key Exchange version 2 (IKEv2) protocol through the leftmodecfgdns= and leftcfgdomains= options. This enables the user to reconfigure a locally running DNS server with DNS forwarding for specific private domains. (BZ#1300763)

libreswan now supports AES-GMAC for ESP

With this update, support for Advanced Encryption Standard (AES) Galois Message Authentication Code (GMAC) within IPsec Encapsulating Security Payload (ESP) through the phase2alg=null_auth_aes_gmac option has been added to the libreswan packages. (BZ#1475434)

openssl-ibmca rebased to 1.4.0

The openssl-ibmca packages have been upgraded to upstream version 1.4.0, which provides a number of bug fixes and enhancements over the previous version:
  • Added Advanced Encryption Standard Galois/Counter Mode (AES-GCM) support.
  • Fixes for OpenSSL operating in FIPS mode incorporated. (BZ#1456516)

opencryptoki rebased to 3.7.0

The opencryptoki packages have been upgraded to upstream version 3.7.0, which provides a number of bug fixes and enhancements over the previous version:
  • Upgraded the license to Common Public License Version 1.0 (CPL).
  • Added ECDSA with SHA-2 support for Enterprise PKCS #11 (EP11) and Common Cryptographic Architecture (CCA).
  • Improved performance by moving from mutex locks to Transactional Memory (TM). (BZ#1456520)

atomic scan with configuration_compliance enables creating security-compliant container images at build time

The rhel7/openscap container image now provides the configuration_compliance scan type. When used as an argument for the atomic scan command, this new scan type enables users to:
  • scan Red Hat Enterprise Linux-based container images and containers against any profile provided by the SCAP Security Guide (SSG)
  • remediate Red Hat Enterprise Linux-based container images to be compliant with any profile provided by the SSG
  • generate an HTML report from a scan or a remediation.
The remediation results in a container image with an altered configuration that is added as a new layer on top of the original container image.
Note that the original container image remains unchanged and only a new layer is created on top of it. The remediation process builds a new container image that contains all the configuration improvements. The content of this layer is defined by the security policy used for the scan. This also means that the remediated container image is no longer signed by Red Hat, which is expected, since it differs from the original container image by containing the remediated layer. (BZ#1472499)

tang-nagios enables Nagios to monitor Tang

The tang-nagios subpackage provides the Nagios plugin for Tang. The plugin enables the Nagios program to monitor a Tang server. The subpackage is available in the Optional channel. See the tang-nagios(1) man page for more information. (BZ#1478895)

clevis now logs privileged operations

With this update, the clevis-udisks2 subpackage logs all attempted key recoveries to the Audit log, and the privileged operations can now be tracked using the Linux Audit system. (BZ#1478888)

PK11_CreateManagedGenericObject() has been added to NSS to prevent memory leaks in applications

The PK11_DestroyGenericObject() function does not properly destroy objects allocated by PK11_CreateGenericObject(), yet some applications depend on a function that creates objects which persist after the object has been used. For this reason, the Network Security Services (NSS) libraries now include the PK11_CreateManagedGenericObject() function. If you create objects with PK11_CreateManagedGenericObject(), the PK11_DestroyGenericObject() function also properly destroys the underlying associated objects. Applications, such as the curl utility, can now use PK11_CreateManagedGenericObject() to prevent memory leaks. (BZ#1395803)

OpenSSH now supports openssl-ibmca and openssl-ibmpkcs11 HSMs

With this update, the OpenSSH suite enables hardware security modules (HSM) handled by the openssl-ibmca and openssl-ibmpkcs11 packages. Prior to this, the OpenSSH seccomp filter prevented these cards from working with the OpenSSH privilege separation. The seccomp filter has been updated to allow the system calls needed by the cryptographic cards on IBM z Systems. (BZ#1478035)

cgroup_seclabel enables fine-grained access control on cgroups

This update introduces the cgroup_seclabel policy capability that enables users to set labels on control group (cgroup) files. Prior to this addition, labeling of the cgroup file system was not possible, and to run the systemd service manager in a container, read and write permissions for any content on the cgroup file system had to be allowed. The cgroup_seclabel policy capability enables fine-grained access control on the cgroup file system. (BZ#1494179)

The boot process can now unlock encrypted devices connected by network

Previously, the boot process attempted to unlock block devices connected by network before starting network services. Because the network was not activated, it was not possible to connect and decrypt these devices.
With this update, the unit and other patches have been added to systemd packages. As a result, it is now possible to unlock encrypted block devices that are connected by network during system boot and to mount file systems on such block devices.
To ensure correct ordering between services during system boot, you must mark the network device with the _netdev option in the /etc/crypttab configuration file.
A common use case for this feature is together with network-bound disk encryption. For more information on network-bound disk encryption, see the following chapter in the Red Hat Enterprise Linux Security Guide:
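The following shell check is an added example, not part of the original release note: it reads a crypttab and reports network-attached LUKS volumes whose options field lacks the _netdev option described above. The crypttab content is constructed for the example, and the rule that treats udev by-path names beginning with ip- (the form iSCSI disks get) as network-attached is an assumption of this check.

```bash
#!/bin/bash
# Constructed /etc/crypttab (not from a real system): one iSCSI-backed LUKS
# volume correctly marked _netdev, one missing the option, and a local disk.
CRYPTTAB='# <name>    <device>                                                              <key file> <options>
luks-data1  /dev/disk/by-path/ip-192.0.2.10:3260-iscsi-iqn.2017-01.example:tgt-lun-0  none  _netdev,luks
luks-data2  /dev/disk/by-path/ip-192.0.2.11:3260-iscsi-iqn.2017-01.example:tgt-lun-1  none  luks
luks-home   UUID=2f1c2a8e-0000-4a5b-9c6d-123456789abc                                 none  luks'

# Read crypttab text on stdin and print the name of every entry whose device
# is network-attached (assumption: udev by-path names starting with "ip-")
# but whose options lack _netdev, so systemd would try to unlock it before
# the network is up. Prints nothing when every network device is marked.
missing_netdev() {
    local name device keyfile options
    while read -r name device keyfile options; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "$device" in
            /dev/disk/by-path/ip-*)
                case ",$options," in
                    *",_netdev,"*) ;;                 # ordered after network-online
                    *) echo "$name" ;;
                esac ;;
        esac
    done
}

printf '%s\n' "$CRYPTTAB" | missing_netdev
```

On a live system, `missing_netdev < /etc/crypttab` lists the entries to fix before rebooting.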

SELinux now supports InfiniBand object labeling

This release introduces SELinux support for InfiniBand end port and P_Key labeling, including enhancements to the kernel, policy, and the semanage tool. To manage InfiniBand-related labels, use the following commands:
  • semanage ibendport
  • semanage ibpkey (BZ#1471809, BZ#1464484, BZ#1464478)

libica rebased to 3.2.0

The libica packages have been upgraded to upstream version 3.2.0, which most notably adds support for the Enhanced SIMD instruction set. (BZ#1376836)

SELinux now supports systemd No New Privileges

This update introduces the nnp_nosuid_transition policy capability that enables SELinux domain transitions under No New Privileges (NNP) or nosuid if nnp_nosuid_transition is allowed between the old and new contexts. The selinux-policy packages now contain a policy for systemd services that use the NNP security feature.
The following rule describes allowing this capability for a service:
allow source_domain target_type:process2 { nnp_transition nosuid_transition };
For example:
allow init_t fprintd_t:process2 { nnp_transition nosuid_transition };
The distribution policy now also contains the m4 macro interface, which can be used in SELinux security policies for services that use the init_nnp_daemon_domain() function. (BZ#1480518)

Libreswan rebased to version 3.23

The libreswan packages have been upgraded to upstream version 3.23, which provides a number of bug fixes, speed improvements, and enhancements over the previous version. Notable changes include:
  • Support for the extended DNS Security Extensions (DNSSEC) suite through the dnssec-enable=yes|no, dnssec-rootkey-file=, and dnssec-anchors= options.
  • Experimental support for Postquantum Preshared Keys (PPK) through the ppk=yes|no|insist option.
  • Support for Signature Authentication (RFC 7427) for RSA-SHA.
  • The new logip= option with the default value yes can be used to disable logging of incoming IP addresses. This is useful for large-scale service providers concerned about privacy.
  • Unbound DNS server ipsecmod module support for Opportunistic IPsec using IPSECKEY records in DNS.
  • Support for the Differentiated Services Code Point (DSCP) architecture through the decap-dscp=yes option. DSCP was formerly known as Terms Of Service (TOS).
  • Support for disabling Path MTU Discovery (PMTUD) through the nopmtudisc=yes option.
  • Support for the IDr (Identification - Responder) payload for improved multi-domain deployments.
  • Resending IKE packets on extremely busy servers that return the EAGAIN error message.
  • Various improvements to the updown scripts for customizations.
  • Updated preferences of crypto algorithms as per RFC 8221 and RFC 8247.
  • Added the %none and /dev/null values to the leftupdown= option for disabling the updown script.
  • Improved support for rekeying using the CREATE_CHILD_SA exchange.
  • IKEv1 XAUTH thread race conditions resolved.
  • Significant performance increase due to optimized pthread locking.
See the ipsec.conf man page for more information. (BZ#1457904)

libreswan now supports IKEv2 MOBIKE

This update introduces support for the IKEv2 Mobility and Multihoming (MOBIKE) protocol (RFC 4555) using the XFRM_MIGRATE mechanism through the mobike=yes|no option. MOBIKE enables seamless switching of networks, for example, Wi-Fi, LTE, and so on, without disturbing the IPsec tunnel. (BZ#1471763)

scap-workbench rebased to version 1.1.6

The scap-workbench packages have been upgraded to version 1.1.6, which provides a number of bug fixes and enhancements over the previous version. Notable changes are:
  • Added support for generating Bash and Ansible remediation roles from profiles and from scan results. The generated remediations can be saved to a file for later use.
  • Added support for opening tailoring files directly from the command line.
  • Fixed a short integer overflow when using SSH port numbers higher than 32,768. (BZ#1479036)

OpenSCAP is now able to generate results for DISA STIG Viewer

The OpenSCAP suite is now able to generate results in the format compatible with the DISA STIG Viewer tool. This enables the user to scan a local system for Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) compliance and open results in DISA STIG Viewer. (BZ#1505517)

selinux-policy no longer contains permissive domains

As a security hardening measure, the SELinux policy no longer sets the following domains to permissive mode by default:
  • blkmapd_t
  • hsqldb_t
  • ipmievd_t
  • sanlk_resetd_t
  • systemd_hwdb_t
  • targetd_t
The default mode for these domains is now set to enforcing. (BZ#1494172)

audit rebased to version 2.8.1

The audit packages have been upgraded to upstream version 2.8.1, which provides a number of bug fixes and enhancements over the previous version. Notable changes are:
  • Added support for ambient capability fields.
  • The Audit daemon now also works over IPv6.
  • Added the default port to the auditd.conf file.
  • Fixed the auvirt tool to report Access Vector Cache (AVC) messages. (BZ#1476406)