Chapter 8. Applying security policies
During the in-place upgrade process, certain security policies must remain disabled. Furthermore, RHEL 8 introduces a new concept of system-wide cryptographic policies and also security profiles might contain changes between major releases. This section guides you when securing your upgraded RHEL systems.
8.1. Changing SELinux mode to enforcing
During the in-place upgrade process, the
Leapp utility sets SELinux mode to permissive. When the system is successfully upgraded, you have to manually change SELinux mode to enforcing.
- The system has been upgraded and you have performed the verification steps described in Verifying the post-upgrade state of the RHEL 8 system.
Ensure that there are no SELinux denials, for example, by using the
# ausearch -m AVC,USER_AVC -ts boot
Note that the previous step covers only the most common scenario. To check for all possible SELinux denials, see the Identifying SELinux denials section in the Using SELinux title, which provides a complete procedure.
/etc/selinux/configfile in a text editor of your choice, for example:
# vi /etc/selinux/config
# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targeted
Save the change, and restart the system:
After the system restarts, confirm that the
$ getenforce Enforcing
8.2. Setting system-wide cryptographic policies
The system-wide cryptographic policies is a system component that configures the core cryptographic subsystems, covering the TLS, IPSec, SSH, DNSSec, and Kerberos protocols.
After a successful installation or an in-place upgrade process, the system-wide cryptographic policy is automatically set to
DEFAULT system-wide cryptographic policy level offers secure settings for current threat models.
To view or change the current system-wide cryptographic policy, use the update-crypto-policies tool:
$ update-crypto-policies --show DEFAULT
For example, the following command switches the system-wide crypto policy level to
FUTURE, which should withstand any near-term future attacks:
# update-crypto-policies --set FUTURE Setting system policy to FUTURE
You can also customize system-wide cryptographic policies. For details, see the Customizing system-wide cryptographic policies with policy modifiers and Creating and setting a custom system-wide cryptographic policy sections.
- Using system-wide cryptographic policies
8.3. Upgrading the system hardened to a security baseline
To get a fully hardened system after a successful upgrade to RHEL 8, you can use automated remediation provided by the OpenSCAP suite. OpenSCAP remediations align your system with security baselines, such as PCI-DSS, OSPP, or ACSC Essential Eight. The configuration compliance recommendations differ among major versions of Red Hat Enterprise Linux due to the evolution of the security offering.
When upgrading a hardened RHEL 7 system, the
Leapp tool does not provide direct means to retain the full hardening. Depending on the changes in the component configuration, the system might diverge from the recommendations for the RHEL 8 during the upgrade.
You cannot use the same SCAP content for scanning RHEL 7 and RHEL 8. Update the management platforms if the compliance of the system is managed by the tools like Red Hat Satellite or Red Hat Insights.
As an alternative to automated remediations, you can make the changes manually by following an OpenSCAP-generated report. For information on generating a compliance report, see Scanning the system for security compliance and vulnerabilities.
Follow the procedure to automatically harden your system with the PCI-DSS profile.
Automated remediations support RHEL systems in the default configuration. Because the system upgrade has been altered after the installation, running remediation might not make it fully compliant with the required security profile. You might need to fix some requirements manually.
scap-security-guidepackage is installed on your RHEL 8 system.
Find the appropriate security compliance data stream
$ ls /usr/share/xml/scap/ssg/content/ ssg-firefox-cpe-dictionary.xml ssg-rhel6-ocil.xml ssg-firefox-cpe-oval.xml ssg-rhel6-oval.xml ... ssg-rhel6-ds-1.2.xml ssg-rhel8-oval.xml ssg-rhel8-ds.xml ssg-rhel8-xccdf.xml ...
For additional information, see section Viewing compliance profiles.
Remediate the system according to the selected profile from the appropriate data stream:
# oscap xccdf eval --profile pci-dss --remediate /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
You can replace the
pci-dssvalue in the
--profileargument with the ID of the profile according to which you want to harden your system. For a full list of profiles supported in RHEL 8, see SCAP security profiles supported in RHEL.Warning
If not used carefully, running the system evaluation with the Remediate option enabled might render the system non-functional. Red Hat does not provide any automated method to revert changes made by security-hardening remediations. Remediations are supported on RHEL systems in the default configuration. If your system has been altered after the installation, running remediation might not make it compliant with the required security profile.
Restart your system:
Verify that the system is compliant with the profile, and save the results in an HTML file:
$ oscap xccdf eval --report pcidss_report.html --profile pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
- Scanning the system for security compliance and vulnerabilities
- Red Hat Insights Security Policy documentation chapter
- Red Hat Satellite Security Policy documentation