Clevis now supports TPM 2.0
With this update, the Clevis pluggable framework for Policy-Based Decryption (PBD) also supports clients that encrypt using a Trusted Platform Module 2.0 (TPM 2.0) chip. For more information and the list of possible configuration properties, see the clevis-encrypt-tpm2(1) man page.
Note that this feature is available only on systems with the 64-bit Intel or 64-bit AMD architecture. (BZ#1472435)
gnutls rebased to 3.3.29
The GNU Transport Layer Security (GnuTLS) library has been upgraded to upstream version 3.3.29, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
Improved the PKCS#11 cryptographic token interface for hardware security modules (HSMs): added DSA support in p11tool and fixed key import in certain Atos HSMs.
Improved counter-measures for the TLS Cipher Block Chaining (CBC) record padding. The previous counter-measures had certain issues and were insufficient when the attacker had access to the CPU cache and performed a chosen-plaintext attack (CPA).
Disabled the legacy
cipher suites by default. (BZ#1561481)
AES-GCM operations with OpenSSL are now faster on IBM z14
This update introduces support for additional acceleration of cryptographic operations with the new CP Assist for Cryptographic Functions (CPACF) instructions available on IBM z14 systems. As a result, AES-GCM operations with the OpenSSL library now execute faster on IBM z14 and later hardware. (BZ#1519396)
sudo rebased to version 1.8.23
The sudo packages have been upgraded to upstream version 1.8.23, which provides a number of bug fixes and enhancements over the previous version:
The cvtsudoers utility replaces both the sudoers2ldif script and the visudo -x functionality. It can read a file in either sudoers or LDIF format and produce JSON, LDIF, or sudoers output. It is also possible to filter the generated output by user, group, or host name.
The always_query_group_plugin option is now set explicitly in the default /etc/sudoers file. Users who upgrade from previous versions and want to retain the old group-querying behavior should ensure that this setting is in place after the upgrade.
PAM account management modules are now run even when no password is required.
The case_insensitive_group sudoers options control whether sudo matches users and groups in sudoers case-sensitively. Case-insensitive matching is now the default.
It is now an error to specify the
runas user as an empty string on the command line. Previously, an empty
runas user was treated the same as an unspecified
I/O log files are now created with group
ID 0 by default unless the
iolog_group options are set in
It is now possible to preserve bash shell functions in the environment where the
sudoers setting is disabled by removing the
*=()* pattern from the
env_delete list. (BZ#1547974)
usbguard rebased to version 0.7.4
The usbguard packages have been rebased to upstream version 0.7.4. This version provides a number of bug fixes and enhancements over the previous version, most notably:
usbguard-daemon now exits with an error if it fails to open a logging file or an audit event file.
The algorithm that enumerates already-present devices is now more reliable. Enumeration timeouts no longer cause the usbguard-daemon process to exit.
command now includes the
option to run an executable for every received event. The event data is passed to the executable through environment variables. (BZ#1508878)
audit rebased to 2.8.4
The audit packages have been upgraded to upstream version 2.8.4, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
Added support for dumping internal state. You can now run the
service auditd state command to see information about the
Added support for the
SOFTWARE_UPDATE event generated by the
Allowed unlimited retries during remote logging startup. This helps the client start even if the aggregating server is not running when the client boots.
Improved IPv6 remote logging. (BZ#1559032)
RPM now provides audit events
With this update, the
RPM Package Manager (RPM) provides audit events. The information that a software package is installed or updated is important for system analysis with the Linux
RPM now creates a SOFTWARE_UPDATE audit event whenever a package is installed or upgraded by the root user. (BZ#1555326)
SELinux now supports
This update introduces the
policy capability that enables a number of new SELinux object classes to support all of the known network socket address families. It also enables the use of separate security classes for Internet Control Message Protocol (ICMP) and Stream Control Transmission Protocol (SCTP) sockets, which were previously mapped to the
selinux-policy now checks file permissions when mmap() is used
This release introduces a new permission check on the mmap() system call. The purpose of a separate map permission check on mmap() is to let policy prohibit memory mapping of specific files for which every access must be revalidated. This is useful in scenarios where you expect the files to be relabeled at run time to reflect state changes, for example in a cross-domain solution or an assured pipeline without data copying.
This functionality is enabled by default. A new SELinux boolean, domain_can_mmap_files, has also been added. If domain_can_mmap_files is enabled, every domain can use mmap() on every file, character device, or block device. If domain_can_mmap_files is disabled, only a limited list of domains can use mmap(). (BZ#1460322)
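As an added illustration (not code from the page or from the RPM, audit, or selinux-policy projects), the following Python parses constructed audit records of the two kinds described above: a SOFTWARE_UPDATE record of the type RPM now emits, and an AVC denial that involves the separate map permission. The record layouts are assumptions modelled on auditd's key=value format.

```python
import re

# Constructed sample records. Their layout follows auditd's usual
# key=value format but is an assumption, not text taken from the page.
SAMPLE_LOG = """\
type=SOFTWARE_UPDATE msg=audit(1540000000.100:201): pid=2001 uid=0 auid=1000 ses=3 msg='op=install sw="example-1.0-1.el7.x86_64" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" exe="/usr/bin/rpm" hostname=? addr=? terminal=pts/0 res=success'
type=AVC msg=audit(1540000000.200:202): avc:  denied  { map } for  pid=2002 comm="example" path="/etc/example.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1540000000.300:203): avc:  denied  { read } for  pid=2003 comm="other" path="/etc/other.conf" dev="dm-0" ino=4343 scontext=system_u:system_r:other_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# key=value tokens: the value is double-quoted, single-quoted, or bare.
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
# The AVC verdict and the permission set in braces, e.g. "denied  { map }".
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]+) \}")

def parse_record(line):
    """Flatten one audit record into a dict. The nested msg='...' payload that
    SOFTWARE_UPDATE carries is parsed as well and its keys merged in."""
    fields = {k: v.strip("\"'") for k, v in KV_RE.findall(line)}
    inner = fields.get("msg", "")
    if "=" in inner:  # only the quoted SOFTWARE_UPDATE payload contains '='
        fields.update({k: v.strip("\"'") for k, v in KV_RE.findall(inner)})
    return fields

def software_updates(log):
    """(operation, package, uid, result) for each SOFTWARE_UPDATE record,
    i.e. the events RPM now emits when root installs or upgrades a package."""
    out = []
    for line in log.splitlines():
        if line.startswith("type=SOFTWARE_UPDATE"):
            f = parse_record(line)
            out.append((f["op"], f["sw"], int(f["uid"]), f["res"]))
    return out

def map_denials(log):
    """(source type, target type, class, path) for AVC denials that involve the
    separate map permission: the cases to review before deciding whether a
    domain really needs to mmap() that file instead of revalidating each access."""
    found = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group(1) != "denied" or "map" not in m.group(2).split():
            continue
        f = parse_record(line)
        src_type = f["scontext"].split(":")[2]  # contexts are user:role:type:level
        tgt_type = f["tcontext"].split(":")[2]
        found.append((src_type, tgt_type, f["tclass"], f["path"]))
    return found
```

Only denials whose permission set includes map are reported; the plain read denial in the sample is deliberately ignored so the output isolates the effect of the new check.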
The RHEL7 DISA STIG profile now matches STIG Version 1, Release 4
With this update of the SCAP Security Guide project, the RHEL7 Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) profile is aligned with STIG Version 1, Release 4. Note that certain rules do not contain an automated check or fix. (BZ#1443551)
Libreswan now supports PKCS #7-formatted X.509 certificates
With this update, the Virtual Private Network application also supports PKCS #7-formatted X.509 certificates. This enables interoperability with systems running Microsoft Windows. (BZ#1536404)
libreswan rebased to version 3.25
The libreswan packages have been upgraded to upstream version 3.25, which provides a number of bug fixes and enhancements over the previous version.
Note that previously, an incorrect configuration forbidding Perfect Forward Secrecy with the
option and setting an ESP/AH PFS
group (for example,
) would load and ignore the
setting. With this update, these connections fail to load with the
ESP DH algorithm MODP2048 is invalid as PFS policy is disabled
error message. (BZ#1591817)
openssl-ibmca rebased to version 2.0.0
The openssl-ibmca packages have been upgraded to upstream version 2.0.0, which provides a number of bug fixes and enhancements over the previous version.
Note that to use the ECC functionality with a shared CEX4C adapter in the z/VM 6.4 system, the Authorized Program Analysis Report (APAR) VM65942 is required. (BZ#1519395)
sudo now runs PAM stack even when no authentication is required
With this update, the
utility runs Pluggable Authentication Module (PAM) account management modules even when the
option is configured in the policy. This enables checking for restrictions imposed by PAM modules outside of the authentication phase. As a result, PAM modules, such as
, now work properly in the described scenario. (BZ#1533964)
cvtsudoers converts between different
utility enables the administrator to convert rules between different
security policy file formats. See the
man page for the list of available options and examples of usage. (BZ#1548380)
SCAP Security Guide now supports OSPP v4.2
This update of the scap-security-guide
packages introduces a new profile defining the core requirements of OSPP (General-Purpose Operating System Protection Profile) v4.2. The new profile ID is
, and the previously released profile USGCB (United States Government Configuration Baseline) OSPP v4.0 is available with ID
selinux-policy now contains five additional
This update of the selinux-policy packages introduces the following SELinux booleans:
keepalived_connect_any - allows the keepalived service to connect to arbitrary ports.
tomcat_use_execmem - allows the Tomcat server to make its stack executable.
tomcat_can_network_connect_db - allows
Tomcat to connect to the
redis_enable_notify - allows the redis-sentinel service to run notification scripts.