Red Hat SummitChapter 20. Security
The following chapters contain the most notable changes to security between RHEL 9 and RHEL 10.
20.1. Security compliance changes
- Installation hardening with OSCAP Anaconda Addon removed
-
The
oscap-anaconda-addonpackage has been removed. As a consequence, the RHEL 10 installer no longer provides the Security Policy spoke and installation hardening. RHEL 10 introduces a more flexible and customizable approach to hardening systems by using Anaconda and Kickstart in addition to the already existing Image Builder option. For more information, see Creating pre-hardened images with RHEL image builder OpenSCAP integration. - OpenSCAP
The new version 1.4.x of the OpenSCAP scanner is provided in RHEL 10. The most important changes are the following:
-
The
openscappackage no longer provides theopenscap-develsubpackage for thelibopenscaplibrary, which is now an internal library without public API and any guarantee for backward compatibility. Theopenscappackage is provided with no guarantee of ABI and API compatibility. The following
dssubmodules that provide data stream composing functions have been removed from theoscaptool:-
sds-compose -
sds-add -
sds-split -
rds-create -
rds-split
-
The following incomplete modules have been removed:
-
cve -
cvss -
cvrf
-
The following deprecated command-line options have been removed:
-
--template -
--oval-template -
--sce-template -
--skip-validis removed and is replaced by--skip-validation
-
- New Kickstart remediation type was added.
-
The
autotailortool now can produce XCCDF tailoring files based on JSON Tailoring.
-
The
- SCAP Workbench
-
The
scap-workbenchpackage with the SCAP Workbench GUI utility has been removed. As alternatives, you can use theoscapandautotailorcommand-line tools or Red Hat Lightspeed for both tailoring and scanning. For more information, see Managing SCAP security policies in the Red Hat Lightspeed compliance service. - SCAP Security Guide
The
scap-security-guidepackage does not contain the following profiles:- Protection Profile for General Purpose Operating Systems (OSPP)
- Centro Criptológico Nacional (CCN) - Basic
- Centro Criptológico Nacional (CCN) - Intermediate
For the complete list of profiles supported in RHEL 10, see SCAP security profiles supported in RHEL 10.
20.2. Changes to cryptographic components
ca-certificatestruststore moved-
The
/etc/pki/tls/certstruststore is converted to a different format better optimized for OpenSSL. As a consequence, if you use the files in/etc/pki/tls/certsdirectly, switch to the/etc/pki/ca-trust/extracteddirectory, where the same data is stored. For example, software that accesses the trust bundle at/etc/pki/tls/certs/ca-bundle.crtshould switch to using/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.peminstead. fips-mode-setupis removed-
The
fips-mode-setupcommand is removed from RHEL. To enable the cryptographic module self-checks mandated by the Federal Information Processing Standard (FIPS) 140, enable FIPS mode during the system installation. See the Switching RHEL to FIPS mode chapter in the Security hardening document for more information. /etc/system-fipsremoved-
Support for indicating FIPS mode through the
/etc/system-fipsfile has been removed from RHEL. To install RHEL in FIPS mode, add thefips=1parameter to the kernel command line during the system installation. You can check whether RHEL operates in FIPS mode by displaying the/proc/sys/crypto/fips_enabledfile. compat-openssl11is removed-
The compatibility library for OpenSSL 1.1,
compat-openssl11, has been removed from RHEL 10. OpenSSL 1.1 is no longer maintained upstream and applications that use the OpenSSL TLS toolkit should be migrated to version 3.x. pkcs11-providerreplacesopenssl-pkcs11-
As a part of the migration from OpenSSL engines to the Providers API, the
pkcs11-providerpackage replaces theopenssl-pkcs11package (engine_pkcs11). Theopenssl-pkcs11package is removed from RHEL 10. DEFAULTcryptographic policy rejects TLS ciphers with RSA key exchangeTLS ciphers that use the RSA key exchange are no longer accepted in the
DEFAULTsystem-wide cryptographic policy in RHEL 10. These ciphers do not provide perfect forward secrecy and are not considered as secure as ciphers that use other key exchanges, for example, the Elliptic-curve Diffie-Hellman (ECDH) key exchange.This change also reduces the exposure to side-channel attacks because the RSA key exchange uses PKCS #1 v1.5 encryption padding, which can cause vulnerability to timing side-channel attacks.
If you need the RSA key exchange for interoperability with legacy systems, you can re-enable it by using the LEGACY system-wide cryptographic policy or by applying a custom subpolicy.
- The
LEGACYcryptographic policy disallows SHA-1 signatures in TLS -
The
LEGACYsystem-wide cryptographic policy in RHEL 10 no longer allows creating or verifying signatures that use SHA-1 in TLS contexts. Therefore, libraries other than OpenSSL might no longer accept or create any signatures that use SHA-1 regardless of use case. OpenSSL continues to accept signatures that use SHA-1 when not used for TLS if the system is inLEGACYor this functionality is re-enabled with a custom subpolicy. SHA1subpolicy removed-
The
SHA1subpolicy that allowed to use the SHA-1 algorithm for creating and verifying signatures in theDEFAULTsystem-wide cryptographic policy after entering theupdate-crypto-policies --set DEFAULT:SHA1command is no longer available in RHEL 10. - OpenSSL no longer permits SHA-1 at
SECLEVEL=2in TLS -
OpenSSL does not accept the SHA-1 algorithm at
SECLEVEL=2in TLS in RHEL 10. If your scenario requires using TLS 1.0 or 1.1, you must explicitly setSECLEVEL=0and switch to the LEGACY system-wide cryptographic policy. In the LEGACY policy, applications that use SHA-1 in signatures outside of TLS will continue to work. - OpenSSL cipher suites no longer enable cipher suites with disabled hashes or MACs
-
Previously, applying custom cryptographic policies could leave certain TLS 1.3 cipher suites enabled even if their hashes or MACs were disabled, because the OpenSSL TLS 1.3-specific
Ciphersuitesoption values were controlled only by theciphersoption of the cryptographic policy. With this update,crypto-policiestakes more algorithms into account when deciding whether to enable a cipher suite. As a result, OpenSSL on systems with custom cryptographic policies might refuse to negotiate some of the previously enabled TLS 1.3 cipher suites in better accordance with the system configuration. - OpenSSL FIPS indicators are subject to change during the RHEL 10 lifetime
- Because RHEL introduced OpenSSL FIPS indicators before the OpenSSL upstream did, and both designs differ, the indicators may change in a future minor version of RHEL 10. After the potential adoption of the upstream API, the RHEL 10.0 indicators might return an error message "unsupported" instead of a result. See the OpenSSL FIPS Indicators GitHub document for details.
- OpenSSL 3.5 uses standard format for ML-KEM and ML-DSA
In RHEL 10.0, the
oqsproviderlibrary used a pre-standard format for the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) and the Module-Lattice-Based Digital Signature Algorithm (ML-DSA) private keys. With the rebase to OpenSSL 3.5, you must convert the ML-KEM and ML-DSA keys to the standard format by using the following command:openssl pkcs8 -in <old_private_key> -nocrypt -topk8 -out <standard_private_key>
# openssl pkcs8 -in <old_private_key> -nocrypt -topk8 -out <standard_private_key>Copy to Clipboard Copied! Toggle word wrap Toggle overflow Replace
<old_private_key>with the path to the non-standard private key, and<standard_private_key>with the path where the standard key will be saved.- Switching to LEGACY policy does not enable support for SHA-1 in TLS connections
You can control support for SHA-1 signatures either by the
@SECLEVELsetting specified in the default cipher string or therh-allow-sha1-signaturesproperty. Support for SHA-1 in the TLS context is enabled by setting@SECLEVEL=0. However, this setting also allows other insecure algorithms.You can override the
SECLEVELsetting by specifying therh-allow-sha1-signaturesproperty in theevp_propertiessection. By default and when unspecified in the configuration file,evp_propertiesis set tono. The system-wide cryptographic policies set the property toyesafter you switch to theLEGACYpolicy.Therefore, to enable support for SHA-1 in contexts outside TLS, you can switch the system to the
LEGACYcryptographic policy. To enable SHA-1 in TLS, you must switch the system toLEGACYand use a cipher string that sets@SECLEVEL=0either by defining a custom cryptographic policy or setting this for your application in OpenSSL.- Stricter SSH host key permissions have been restored
-
The necessary host key permissions have been changed from the previous less strict value of
0640to0600, which is also the value used upstream. Thessh_keysgroup, which previously owned all SSH keys, has also been removed. Therefore, thessh-keysignutility uses the SUID bit instead of the SGID bit. crypto-policiesnow setallow-rsa-pkcs1-encrypt = falsefor GnuTLS-
In RHEL 10, the GnuTLS library blocks encryption and decryption with the RSA PKCS #1 v1.5 padding by default. Except for the LEGACY policy, the
allow-rsa-pkcs1-encrypt = falseoption is specified in all system-wide cryptographic policies (DEFAULT, FUTURE, and FIPS).
20.3. Changes to SELinux
- SELinux policy modules related to EPEL packages moved to
-extrasubpackages in the CRB repository In RHEL 10.0, the SELinux policy modules related only to packages contained in the Extra Packages for Enterprise Linux (EPEL) repository and not to any RHEL package were moved from the
selinux-policypackage to theselinux-policy-epelpackage. This reduced the size ofselinux-policy, allowing the system to perform operations such as rebuilding and loading the SELinux policy faster.In RHEL 10.1, the modules from
selinux-policy-epelare moved to the following-extrasubpackages in the RHEL CodeReady Linux Builder (CRB) repository:-
selinux-policy-targeted-extra -
selinux-policy-mls-extra
This change enables the automatic installation of
-extraSELinux policy modules when users enable the EPEL repository.-
rpm -qlreturns incorrect location of theselinux-policypackages on RHEL in image mode-
The
rpm -qlcommand lists non-existent locations of theselinux-policyandselinux-policy-targetedwhen used on RHEL in image mode. The policy modules are installed in the/etc/selinux/targetedinstead of/var/lib/selinux/targeteddirectory, as misleadingly reported byrpm. This discrepancy is expected because most file systems in image mode are read-only, and the RPM tool doesn’t have the actual location of installed packages.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}