Chapter 16. Security
Clevis now supports TPM 2.0
With this update, the Clevis pluggable framework for Policy-Based Decryption (PBD) also supports clients that encrypt using a Trusted Platform Module 2.0 (TPM 2.0) chip. For more information and the list of possible configuration properties, see the
Note that this feature is available only on systems with the 64-bit Intel or 64-bit AMD architecture. (BZ#1472435)
gnutls rebased to 3.3.29
The GNU Transport Layer Security (GnuTLS) library has been upgraded to upstream version 3.3.29, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
- Improved the PKCS#11 cryptographic token interface for hardware security modules (HSMs): added DSA support in p11tool and fixed key import in certain Atos HSMs.
- Improved counter-measures for the TLS Cipher Block Chaining (CBC) record padding. The previous counter-measures had certain issues and were insufficient when the attacker had access to the CPU cache and performed a chosen-plaintext attack (CPA).
- Disabled the legacy HMAC-SHA384 cipher suites by default. (BZ#1561481)
AES-GCM operations with OpenSSL are now faster on IBM z14
This update introduces support for additional acceleration of cryptographic operations with new CP Assist for Cryptographic Functions (CPACF) instructions available on IBM z14 systems. As a result, AES-GCM operations with the OpenSSL library are now executed faster on IBM z14 and later hardware. (BZ#1519396)
sudo rebased to version 1.8.23
The sudo packages have been upgraded to upstream version 1.8.23, which provides a number of bug fixes and enhancements over the previous version:
- The new cvtsudoers utility replaces both the sudoers2ldif script and the visudo -x functionality. It can read a file in either sudoers or LDIF format and produce JSON, LDIF, or sudoers output. It is also possible to filter the generated output file by user, group, or host name.
- The always_query_group_plugin option is now set explicitly in the default /etc/sudoers file. Users who upgrade from previous versions and want to retain the old group-querying behavior should ensure that this setting is in place after the upgrade.
- PAM account management modules are now run even when no password is required.
- The new case_insensitive_group sudoers options control whether sudo does case-sensitive matching of users and groups in sudoers. Case-insensitive matching is now the default.
- It is now an error to specify the runas user as an empty string on the command line. Previously, an empty runas user was treated the same as an unspecified
- I/O log files are now created with group ID 0 by default unless the iolog_group options are set in
- It is now possible to preserve bash shell functions in the environment where the sudoers setting is disabled by removing the *=()* pattern from the
usbguard rebased to version 0.7.4
The usbguard packages have been rebased to upstream version 0.7.4. This version provides a number of bug fixes and enhancements over the previous version, most notably:
- usbguard-daemon now exits with an error if it fails to open a logging file or an audit event file.
- The present-device enumeration algorithm is now more reliable. Enumeration timeouts no longer cause the usbguard-daemon process to exit.
- The usbguard watch command now includes the -e option to run an executable for every received event. The event data is passed to the executable through environment variables. (BZ#1508878)
audit rebased to 2.8.4
The audit packages have been upgraded to upstream version 2.8.4, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
- Added support for dumping internal state. You can now run the service auditd state command to see information about the
- Added support for the SOFTWARE_UPDATE event generated by the
- Allowed unlimited retries during a remote logging startup. This helps remote logging start even if the aggregating server is not running when a client boots.
- Improved IPv6 remote logging. (BZ#1559032)
RPM now provides audit events
With this update, the RPM Package Manager (RPM) provides audit events. The information that a software package is installed or updated is important for system analysis with the Linux
RPM now creates a SOFTWARE_UPDATE audit event whenever a package is installed or upgraded by the
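As an added example that is not part of the release notes, and covering both the audit 2.8.4 and RPM items above, the following shell function reads SOFTWARE_UPDATE records from an audit log and reports packages whose GPG verification result is not 1, which is the record a reviewer would want when checking that only signed packages reached a system. The sample records are constructed; the field names (op=, sw=, gpg_res=) are an assumption about the record format RPM emits and should be checked against the audit.log on a real system.

```shell
#!/bin/sh
# Added example, not from the release notes: report RPM SOFTWARE_UPDATE audit
# records whose GPG verification result is not 1 (signature not verified).
# Assumption: records carry msg='op=... sw="..." ... gpg_res=N ...' fields.

# Print "op package" for every SOFTWARE_UPDATE record with gpg_res != 1.
# Usage: unverified_software_updates /var/log/audit/audit.log
unverified_software_updates() {
    awk '
        /type=SOFTWARE_UPDATE / {
            op = ""; sw = ""; gpg = ""
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^msg=.op=/) { sub(/^msg=.op=/, "", f[i]); op = f[i] }
                else if (f[i] ~ /^sw=/) { sw = f[i]; gsub(/^sw="|"$/, "", sw) }
                else if (f[i] ~ /^gpg_res=/) { gpg = substr(f[i], 9) }
            }
            if (gpg != "1") print op, sw
        }
    ' "$1"
}

# Constructed sample records modelled on the SOFTWARE_UPDATE format; the
# USER_CMD line shows that unrelated record types are ignored.
write_sample_log() {
    cat > "$1" <<'EOF'
type=SOFTWARE_UPDATE msg=audit(1540000000.100:201): pid=4242 uid=0 auid=1000 ses=3 msg='op=install sw="signedpkg-1.0-1.el7.x86_64" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" comm="yum" exe="/usr/bin/python2.7" hostname=? addr=? terminal=pts/0 res=success'
type=SOFTWARE_UPDATE msg=audit(1540000000.200:202): pid=4243 uid=0 auid=1000 ses=3 msg='op=install sw="localbuild-0.1-1.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="rpm" exe="/usr/bin/rpm" hostname=? addr=? terminal=pts/0 res=success'
type=SOFTWARE_UPDATE msg=audit(1540000000.300:203): pid=4244 uid=0 auid=1000 ses=3 msg='op=update sw="otherpkg-2.3-4.el7.noarch" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" comm="yum" exe="/usr/bin/python2.7" hostname=? addr=? terminal=pts/0 res=success'
type=USER_CMD msg=audit(1540000000.400:204): pid=4245 uid=1000 auid=1000 ses=3 msg='cwd="/home/admin" cmd="rpm -i localbuild-0.1-1.x86_64.rpm" terminal=pts/0 res=success'
EOF
}

log=$(mktemp); write_sample_log "$log"
unverified_software_updates "$log"   # prints: install localbuild-0.1-1.x86_64
rm -f "$log"
```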
SELinux now supports
This update introduces the extended_socket_class policy capability that enables a number of new SELinux object classes to support all of the known network socket address families. It also enables the use of separate security classes for Internet Control Message Protocol (ICMP) and Stream Control Transmission Protocol (SCTP) sockets, which were previously mapped to the rawip_socket class. (BZ#1564775, BZ#1427553)
selinux-policy now checks file permissions when mmap() is used
This release introduces a new permission check on the mmap() system call. The purpose of a separate map permission check on mmap() is to let policy prohibit memory mapping of specific files for which you need to ensure that every access is revalidated. This is useful for scenarios where you expect the files to be relabeled at run time to reflect state changes, for example, in a cross-domain solution or an assured pipeline without data copying.
This functionality is enabled by default. Also, a new SELinux boolean, domain_can_mmap_files, has been added. If domain_can_mmap_files is enabled, every domain can use mmap() on every file, character device, or block device. If domain_can_mmap_files is disabled, the list of domains that can use mmap() is limited. (BZ#1460322)
The RHEL7 DISA STIG profile now matches STIG Version 1, Release 4
With this update of the SCAP Security Guide project, the RHEL7 Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) profile is aligned with STIG Version 1, Release 4. Note that certain rules do not contain an automated check or fix. (BZ#1443551)
Libreswan now supports PKCS #7-formatted X.509 certificates
With this update, the Libreswan Virtual Private Network application also supports PKCS #7-formatted X.509 certificates. This enables interoperability with systems running Microsoft Windows. (BZ#1536404)
libreswan rebased to version 3.25
The libreswan packages have been upgraded to upstream version 3.25, which provides a number of bug fixes and enhancements over the previous version.
Note that previously, an incorrect configuration forbidding Perfect Forward Secrecy with the pfs=no option and setting an ESP/AH PFS modp group (for example, esp=aes-sha2;modp2048) would load and ignore the modp setting. With this update, these connections fail to load with the ESP DH algorithm MODP2048 is invalid as PFS policy is disabled error message. (BZ#1591817)
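As an added example that is not part of the release notes, the following POSIX shell check scans an ipsec.conf-style file for connections that libreswan 3.25 refuses to load, that is, an effective pfs=no combined with a MODP group in esp= or ah=, so the conflict can be found before the upgrade rather than at load time. The sample configuration is constructed; the function honours a conn %default section for pfs and lets a conn's own pfs= override it.

```shell
#!/bin/sh
# Added example, not from the release notes: find libreswan conns that combine
# pfs=no with a MODP (DH) group in esp= or ah=. libreswan 3.25 refuses to load
# such conns instead of silently ignoring the modp setting.

# Print the name of every conn whose effective pfs=no coexists with a modp group.
# A "conn %default" section is honoured for pfs; a conn's own pfs= overrides it.
# Usage: find_pfs_conflicts /etc/ipsec.conf
find_pfs_conflicts() {
    awk '
        function flush() {
            if (name == "%default") { def_pfs_no = pfs_no }
            else if (name != "") {
                effective = pfs_set ? pfs_no : def_pfs_no
                if (effective && has_modp) print name
            }
            name = ""; pfs_set = 0; pfs_no = 0; has_modp = 0
        }
        /^[ \t]*conn[ \t]+/   { flush(); name = $2; next }
        /^[ \t]*config[ \t]+/ { flush(); next }
        /^[ \t]*pfs[ \t]*=/   { pfs_set = 1; v = $0; sub(/^[ \t]*pfs[ \t]*=[ \t]*/, "", v)
                                pfs_no = (v ~ /^no/); next }
        /^[ \t]*(esp|ah)[ \t]*=/ { if (tolower($0) ~ /modp/) has_modp = 1; next }
        END { flush() }
    ' "$1"
}

# Constructed sample ipsec.conf: "broken" is the case the release note describes,
# "fixed" inherits pfs=yes from %default, "no-group" sets no modp group at all.
write_sample_conf() {
    cat > "$1" <<'EOF'
conn %default
    pfs=yes

conn broken
    pfs=no
    esp=aes-sha2;modp2048

conn fixed
    esp=aes-sha2;modp2048

conn no-group
    pfs=no
    esp=aes-sha2
EOF
}

conf=$(mktemp); write_sample_conf "$conf"
find_pfs_conflicts "$conf"   # prints: broken
rm -f "$conf"
```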
openssl-ibmca rebased to version 2.0.0
The openssl-ibmca packages have been upgraded to upstream version 2.0.0, which provides a number of bug fixes and enhancements over the previous version:
- The Elliptic-Curve Cryptography (ECC) functionality is now supported.
- Compatibility with various OpenSSL versions has been increased.
Note that to use the ECC functionality with a shared CEX4C adapter in the z/VM 6.4 system, the Authorized Program Analysis Report (APAR) VM65942 is required. (BZ#1519395)
sudo now runs PAM stack even when no authentication is required
With this update, the sudo utility runs Pluggable Authentication Module (PAM) account management modules even when the NOPASSWD option is configured in the policy. This enables checking for restrictions imposed by PAM modules outside of the authentication phase. As a result, PAM modules, such as pam_time, now work properly in the described scenario. (BZ#1533964)
cvtsudoers converts between different
The cvtsudoers utility enables the administrator to convert rules between different sudoers security policy file formats. See the cvtsudoers(1) man page for the list of available options and examples of usage. (BZ#1548380)
SCAP Security Guide now supports OSPP v4.2
This update of the scap-security-guide packages introduces a new profile defining the core requirements of OSPP (General-Purpose Operating System Protection Profile) v4.2. The new profile ID is ospp42, and the previously released profile USGCB (United States Government Configuration Baseline) OSPP v4.0 is available with ID
selinux-policy now contains five additional
This update of the selinux-policy packages introduces the following SELinux booleans:
- keepalived_connect_any - allows the keepalived service to connect to arbitrary ports.
- tomcat_use_execmem - allows the Tomcat server to make its stack executable.
Tomcat to connect to the
- redis_enable_notify - allows the redis-sentinel service to run notification scripts.