Chapter 16. Security

Clevis now supports TPM 2.0

With this update, the Clevis pluggable framework for Policy-Based Decryption (PBD) also supports clients that encrypt using a Trusted Platform Module 2.0 (TPM 2.0) chip. For more information and the list of possible configuration properties, see the clevis-encrypt-tpm2(1) man page.
Note that this feature is available only on systems with the 64-bit Intel or 64-bit AMD architecture. (BZ#1472435)

gnutls rebased to 3.3.29

The GNU Transport Layer Security (GnuTLS) library has been upgraded to upstream version 3.3.29, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
  • Improved the PKCS#11 cryptographic token interface for hardware security modules (HSMs): added DSA support in p11tool and fixed key import in certain Atos HSMs.
  • Improved counter-measures for the TLS Cipher Block Chaining (CBC) record padding. The previous counter-measures had certain issues and were insufficient when the attacker had access to the CPU cache and performed a chosen-plaintext attack (CPA).
  • Disabled the legacy HMAC-SHA384 cipher suites by default. (BZ#1561481)

AES-GCM operations with OpenSSL are now faster on IBM z14

This update introduces support for additional acceleration of cryptographic operations with the new CP Assist for Cryptographic Functions (CPACF) instructions available on IBM z14 systems. As a result, AES-GCM operations with the OpenSSL library now execute faster on IBM z14 and later hardware. (BZ#1519396)

sudo rebased to version 1.8.23

The sudo packages have been upgraded to upstream version 1.8.23, which provides a number of bug fixes and enhancements over the previous version:
  • The new cvtsudoers utility replaces both the sudoers2ldif script and the visudo -x functionality. It can read a file in either sudoers or LDIF format and produce JSON, LDIF, or sudoers output. It is also possible to filter the generated output file by user, group, or host name.
  • The always_query_group_plugin option is now set explicitly in the default /etc/sudoers file. Users who upgrade from previous versions and want to retain the old group-querying behavior should ensure that this setting is in place after the upgrade.
  • PAM account management modules are now run even when no password is required.
  • The new case_insensitive_user and case_insensitive_group sudoers options control whether sudo matches users and groups in sudoers case-sensitively. Case-insensitive matching is now the default.
  • It is now an error to specify the runas user as an empty string on the command line. Previously, an empty runas user was treated the same as an unspecified runas user.
  • I/O log files are now created with group ID 0 by default unless the iolog_user or iolog_group options are set in sudoers.
  • It is now possible to preserve bash shell functions in the environment where the env_reset sudoers setting is disabled by removing the *=()* pattern from the env_delete list. (BZ#1547974)

usbguard rebased to version 0.7.4

The usbguard packages have been rebased to upstream version 0.7.4. This version provides a number of bug fixes and enhancements over the previous version, most notably:
  • The usbguard-daemon now exits with an error if it fails to open a logging file or an audit event file.
  • The enumeration algorithm for already-present devices is now more reliable, and enumeration timeouts no longer cause the usbguard-daemon process to exit.
  • The usbguard watch command now includes the -e option to run an executable for every received event. The event data is passed to the executable through environment variables. (BZ#1508878)

audit rebased to 2.8.4

The audit packages have been upgraded to upstream version 2.8.4, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
  • Added support for dumping internal state. You can now run the service auditd state command to see information about the Audit daemon.
  • Added support for the SOFTWARE_UPDATE event generated by the rpm and yum tools.
  • Allowed unlimited retries during remote logging startup. This lets the Audit daemon start even if the aggregating server is not running when a client is booted.
  • Improved IPv6 remote logging. (BZ#1559032)

RPM now provides audit events

With this update, the RPM Package Manager (RPM) provides audit events. The information that a software package is installed or updated is important for system analysis with the Linux Audit system. RPM now creates a SOFTWARE_UPDATE audit event whenever a package is installed or upgraded by the root user. (BZ#1555326)
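As an added example, not part of these release notes or of the audit or rpm packages, the following parser pulls SOFTWARE_UPDATE records out of audit.log text and reports packages whose GPG verification did not pass. The log lines are constructed, and the SOFTWARE_UPDATE-specific field names (op, sw, sw_type, key_enforce, gpg_res) are assumed.

```python
import re

# Constructed audit.log lines (not captured from a real host); the field layout
# follows the audit key=value record format, and the SOFTWARE_UPDATE-specific
# fields (op, sw, sw_type, key_enforce, gpg_res) are assumed names.
SAMPLE_AUDIT_LOG = """\
type=SOFTWARE_UPDATE msg=audit(1530000000.101:201): pid=2001 uid=0 auid=1000 ses=3 msg='op=install sw="example-tool-1.0-1.el7.x86_64" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" comm="yum" exe="/usr/bin/python2.7" hostname=? addr=? terminal=pts/0 res=success'
type=SOFTWARE_UPDATE msg=audit(1530000000.202:202): pid=2002 uid=0 auid=1000 ses=3 msg='op=update sw="unsigned-pkg-2.3-4.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="rpm" exe="/usr/bin/rpm" hostname=? addr=? terminal=pts/1 res=success'
type=USER_CMD msg=audit(1530000000.303:203): pid=2003 uid=1000 auid=1000 ses=3 msg='cwd="/home/alice" cmd=6C73 terminal=pts/1 res=success'
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_record(line):
    """Flatten one audit.log line into a dict.

    User-space records carry an inner msg='...' block with the event details;
    it is split off first so its quoted values are parsed like the outer ones.
    The audit(timestamp:serial) stamp is exposed as 'timestamp' and 'serial'.
    """
    line = line.strip()
    inner = ""
    m = re.search(r" msg='(.*)'$", line)
    if m:
        inner, line = m.group(1), line[:m.start()]
    fields = {}
    for key, quoted, bare in KV_RE.findall(line + " " + inner):
        fields[key] = quoted or bare
    stamp = re.match(r"audit\(([\d.]+):(\d+)\)", fields.get("msg", ""))
    if stamp:
        fields["timestamp"] = float(stamp.group(1))
        fields["serial"] = int(stamp.group(2))
    return fields

def software_update_events(log_text):
    """Return the parsed SOFTWARE_UPDATE records from audit.log text."""
    return [parse_audit_record(ln) for ln in log_text.splitlines()
            if ln.startswith("type=SOFTWARE_UPDATE ")]

def flag_unverified_installs(log_text):
    """Return (package, op, exe) for installs/updates whose GPG check did not pass.

    gpg_res is read as 1 for a verified signature and anything else as a
    failure (an assumption about the field); on a host where every package
    should be signed, each hit is worth an alert.
    """
    return [(e["sw"], e["op"], e["exe"]) for e in software_update_events(log_text)
            if e.get("gpg_res") != "1"]
```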

SELinux now supports extended_socket_class

This update introduces the extended_socket_class policy capability that enables a number of new SELinux object classes to support all of the known network socket address families. It also enables the use of separate security classes for Internet Control Message Protocol (ICMP) and Stream Control Transmission Protocol (SCTP) sockets, which were previously mapped to the rawip_socket class. (BZ#1564775, BZ#1427553)

selinux-policy now checks file permissions when mmap() is used

This release introduces a new permission check on the mmap() system call. The purpose of a separate map permission check on mmap() is to permit policy to prohibit memory mapping of specific files for which you need to ensure that every access is revalidated. This is useful for scenarios where you expect the files to be relabeled at run-time to reflect state changes, for example, in a cross-domain solution or an assured pipeline without data copying.
This functionality is enabled by default. Also, a new SELinux boolean, domain_can_mmap_files, has been added. If domain_can_mmap_files is enabled, every domain can use mmap() on every file, character device, or block device. If domain_can_mmap_files is disabled, only a limited set of domains can use mmap(). (BZ#1460322)

The RHEL7 DISA STIG profile now matches STIG Version 1, Release 4

With this update of the SCAP Security Guide project, the RHEL7 Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) profile is aligned with STIG Version 1, Release 4. Note that certain rules do not contain an automated check or fix. (BZ#1443551)

Libreswan now supports PKCS #7-formatted X.509 certificates

With this update, the Libreswan Virtual Private Network application also supports PKCS #7-formatted X.509 certificates. This enables interoperability with systems running Microsoft Windows. (BZ#1536404)

libreswan rebased to version 3.25

The libreswan packages have been upgraded to upstream version 3.25, which provides a number of bug fixes and enhancements over the previous version.
Note that previously, an incorrect configuration that forbade Perfect Forward Secrecy with the pfs=no option while also setting an ESP/AH PFS modp group (for example, esp=aes-sha2;modp2048) loaded and silently ignored the modp setting. With this update, such connections fail to load with the error message "ESP DH algorithm MODP2048 is invalid as PFS policy is disabled". (BZ#1591817)
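An added example, not part of these notes or of libreswan: a small lint over ipsec.conf text that reports the conn sections the 3.25 update refuses to load, that is, pfs=no combined with a modp group in esp= or ah=. The configuration fragment is constructed, and the dhNN spelling of a DH group is an assumed alias.

```python
import re

# Constructed ipsec.conf fragment (not from a real deployment): site-a-legacy
# shows the contradiction the 3.25 update rejects, the other two still load.
SAMPLE_IPSEC_CONF = """\
conn site-a-legacy
    right=198.51.100.1
    pfs=no
    esp=aes-sha2;modp2048

conn site-b
    right=198.51.100.2
    pfs=yes
    esp=aes-sha2;modp2048

conn site-c-nopfs
    right=198.51.100.3
    pfs=no
    esp=aes-sha2
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every conn section in ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():               # unindented: 'conn NAME' / 'config setup'
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

# ';modpNNNN' (the page's case) or ';dhNN' (assumed alias) in esp=/ah= names a PFS DH group
DH_GROUP_RE = re.compile(r";\s*(modp\d+|dh\d+)", re.IGNORECASE)

def conns_rejected_by_3_25(text):
    """Return [(conn, proposal)] for conns that set pfs=no yet name a DH group."""
    hits = []
    for name, opts in parse_ipsec_conf(text).items():
        if opts.get("pfs", "yes").lower() != "no":   # libreswan default is pfs=yes
            continue
        for key in ("esp", "ah"):
            if key in opts and DH_GROUP_RE.search(opts[key]):
                hits.append((name, opts[key]))
    return hits
```

Run it over the real /etc/ipsec.conf and /etc/ipsec.d/*.conf before upgrading; every hit needs either pfs=yes or the modp suffix removed.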

openssl-ibmca rebased to version 2.0.0

The openssl-ibmca packages have been upgraded to upstream version 2.0.0, which provides a number of bug fixes and enhancements over the previous version:
  • The Elliptic-Curve Cryptography (ECC) functionality is now supported.
  • Compatibility with various OpenSSL versions has been increased.
Note that to use the ECC functionality with a shared CEX4C adapter in the z/VM 6.4 system, the Authorized Program Analysis Report (APAR) VM65942 is required. (BZ#1519395)

sudo now runs PAM stack even when no authentication is required

With this update, the sudo utility runs Pluggable Authentication Module (PAM) account management modules even when the NOPASSWD option is configured in the policy. This enables checking for restrictions imposed by PAM modules outside of the authentication phase. As a result, PAM modules, such as pam_time, now work properly in the described scenario. (BZ#1533964)

cvtsudoers converts between different sudoers formats

The new cvtsudoers utility enables the administrator to convert rules between different sudoers security policy file formats. See the cvtsudoers(1) man page for the list of available options and examples of usage. (BZ#1548380)

SCAP Security Guide now supports OSPP v4.2

This update of the scap-security-guide packages introduces a new profile defining the core requirements of OSPP (General-Purpose Operating System Protection Profile) v4.2. The new profile ID is ospp42, and the previously released profile USGCB (United States Government Configuration Baseline) OSPP v4.0 is available with ID ospp. (BZ#1619689)

selinux-policy now contains five additional SELinux booleans

This update of the selinux-policy packages introduces the following SELinux booleans:
  • keepalived_connect_any - allows the keepalived service to connect to arbitrary ports.
  • tomcat_use_execmem - allows the Tomcat server to make its stack executable.
  • tomcat_can_network_connect_db - allows Tomcat to connect to the PostgreSQL port.
  • redis_enable_notify - allows the redis-sentinel service to run notification scripts.
  • zabbix_run_sudo - allows the zabbix_agent service to run the sudo utility. (BZ#1443473, BZ#1565226, BZ#1477948, BZ#1421326, BZ#1347052)