Chapter 15. Security
The SELinux user space packages rebased to version 2.5
The SELinux user space packages have been upgraded to upstream version 2.5, which provides a number of enhancements, bug fixes, and performance improvements over the previous version. The most important new features in the SELinux userspace 2.5 include:
- The new SELinux module store supports priorities. The priority concept provides an ability to override a system module with a module of a higher priority.
- SELinux Common Intermediate Language (CIL) provides clear and simple syntax that is easy to read, parse, and to generate by high-level compilers, analysis tools, and policy generation tools.
- Time-consuming SELinux operations, such as policy installations or loading new policy modules, are now significantly faster.
Note: The default location of the SELinux modules remains in the /etc/selinux/ directory in Red Hat Enterprise Linux 7, whereas the upstream version uses /var/lib/selinux/. To change this location for migration, set the store-root= option in the /etc/selinux/semanage.conf file. (BZ#1297815)
scap-workbench rebased to version 1.1.2
The scap-workbench package has been rebased to version 1.1.2, which provides a new SCAP Security Guide integration dialog. The dialog helps the administrator choose a product that needs to be scanned instead of choosing content files. The new version also offers a number of performance and user-experience improvements, including improved rule-searching in the tailoring window, the possibility to fetch remote resources in SCAP content using the GUI, and the dry-run feature. The dry-run feature enables the user to get the oscap command-line arguments in the diagnostics window instead of running the scan. (BZ#1202854)
openscap rebased to version 1.2.10
The OpenSCAP suite that enables integration of the Security Content Automation Protocol (SCAP) line of standards has been rebased to version 1.2.10, the latest upstream version. The openscap packages provide the OpenSCAP library and the oscap utility. Most notably, this update adds support for scanning containers using the atomic scan command. In addition, this update provides the following enhancements:
- oscap-vm, a tool for offline scanning of virtual machines
- oscap-chroot, a tool for offline scanning of file systems mounted at arbitrary paths
- Full support for Open Vulnerability and Assessment Language (OVAL) 5.11.1
- Native support for remote .xml.bz2 files
- Grouping HTML report results according to various criteria
- HTML report improvements
- Verbose mode for debugging OVAL evaluation (BZ#1278147)
firewalld rebased to version 0.4.3.2
The firewalld packages have been upgraded to upstream version 0.4.3.2, which provides a number of enhancements and bug fixes over the previous version. Notable changes include the following:
- Performance improvements: firewalld starts and restarts significantly faster thanks to the new transaction model, which groups together rules that are applied simultaneously. This model uses the iptables restore commands. Also, the firewall-cmd, firewall-offline-cmd, firewall-config, and firewall-applet tools have been improved with performance in mind.
- Improved management of connections, interfaces, and sources: The user can now control zone settings for connections in NetworkManager. In addition, zone settings for interfaces are also controlled by firewalld and in the ifcfg file.
- Default logging option: With the new LogDenied setting, the user can easily debug and log denied packets.
- ipset support: firewalld now supports several IP sets as zone sources, within rich and direct rules. Note that in Red Hat Enterprise Linux 7.3, firewalld supports only the following ipset types:
  - hash:net
  - hash:ip (BZ#1302802)
audit rebased to version 2.6.5
The audit packages contain the user space utilities for storing and searching the audit records which have been generated by the audit subsystem in the Linux kernel. The audit packages have been upgraded to upstream version 2.6.5, which provides a number of enhancements and bug fixes over the previous version. Notable changes include the following:
- The audit daemon now includes a new flush technique called incremental_async, which improves its performance approximately 90 times.
- The audit system now has many more rules that can be composed into an audit policy. Some of these new rules include support for the Security Technical Implementation Guide (STIG), PCI Data Security Standard, and other capabilities such as auditing the occurrence of 32-bit syscalls, significant power usage, or module loading.
- The auditd.conf configuration file and the auditctl command now support many new options.
- The audit system now supports a new log format called enriched, which resolves UID, GID, syscall, architecture, and network addresses. This will aid in log analysis on a machine that differs from where the log was generated. (BZ#1296204)
MACsec (IEEE 802.1AE) is now supported
With this update, the Media Access Control Security (MACsec) encryption over Ethernet is supported. MACsec encrypts and authenticates all traffic in LANs with the GCM-AES-128 algorithm. (BZ#1104151)
The rsyslog RELP module now binds to a specific rule set
With this update, the rsyslog Reliable Event-Logging Protocol (RELP) module is now capable of binding to a specific rule set with each input instance. The input() instance rule set has higher priority than the module() rule set. (BZ#1223566)
rsyslog imfile module now supports a wildcard file name
The rsyslog packages provide an enhanced, multi-threaded syslog daemon. With this update, the rsyslog imfile module supports using wildcards inside file names and adding the actual file name to the message's metadata. This is useful when rsyslog needs to read logs under a directory and does not know the names of the files in advance. (BZ#1303617)
Syscalls in audit.log are now converted to text
With this update, auditd converts system call numbers to their names prior to forwarding them to the syslog daemon through the audispd event multiplexor. (BZ#1127343)
audit subsystem can now filter by process name
The user can now audit by executable name (with the -F exe=<path-to-executable> option), which allows expression of many new audit rules. You can use this functionality to detect events such as the bash shell opening a network connection. (BZ#1135562)
mod_security_crs rebased to version 2.2.9
The mod_security_crs package has been upgraded to upstream version 2.2.9, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
- A new PHP rule (958977) to detect PHP exploits.
- A JS overrides file to identify successful XSS probes.
- New XSS detection rules.
- Fixed session-hijacking rules. (BZ#1150614)
opencryptoki rebased to version 3.5
The opencryptoki packages have been upgraded to version 3.5, which provides a number of bug fixes and enhancements over the previous version.
Notable changes include:
- The openCryptoki service automatically creates the lock/ and log/ directories, if not present.
- The PKCS#11 API supports hash-based message authentication code (HMAC) with SHA hashes in all tokens.
- The openCryptoki library provides dynamic tracing set by the OPENCRYPTOKI_TRACE_LEVEL environment variable. (BZ#1185421)
gnutls now uses the central certificate store
The gnutls packages provide the GNU Transport Layer Security (GnuTLS) library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS. With this update, GnuTLS uses the central certificate store of Red Hat Enterprise Linux through the p11-kit packages. Certificate Authority (CA) updates, as well as certificate black lists, are now visible to applications at runtime. (BZ#1110750)
The firewall-cmd command can now provide additional details
With this update, firewalld shows details of a service, zone, and ICMP type. Additionally, the user can list the full path to the source XML file. The new options for firewall-cmd are:
- [--permanent] --info-zone=zone
- [--permanent] --info-service=service
- [--permanent] --info-icmptype=icmptype (BZ#1147500)
pam_faillock can now be configured with unlock_time=never
The pam_faillock module now allows specifying, using the unlock_time=never option, that the user authentication lock caused by multiple authentication failures should never expire. (BZ#1273373)
libica rebased to version 2.6.2
The libica packages have been updated to upstream version 2.6.2, which provides a number of bug fixes and enhancements over the previous version. Notably, this update adds support for generation of pseudo random numbers, including enhanced support for Deterministic Random Bit Generator (DRBG), according to updated security specification NIST SP 800-90A. (BZ#1274390)
New lastlog options
The lastlog utility now has the new --clear and --set options, which allow the system administrator to reset a user's lastlog entry to the never logged in value or to the current time. This means you can now re-enable user accounts previously locked due to inactivity. (BZ#1114081)
libreswan rebased to version 3.15
Libreswan is an implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE) for Linux. The libreswan packages have been upgraded to upstream version 3.15, which provides a number of enhancements and bug fixes over the previous version. Notable changes include the following:
- The nonce size is increased to meet the RFC requirements when using the SHA2 algorithms.
- Libreswan now calls the NetworkManager helper in case of a connection error.
- All CRLdistributionpoints in a certificate are now processed.
- Libreswan no longer tries to delete non-existing IPsec Security Associations (SAs).
- The pluto IKE daemon now has the CAP_DAC_READ_SEARCH capability.
- pluto no longer crashes when on-demand tunnels are used.
- pam_acct_mgmt is now properly set.
- A regression was fixed so that tunnels with keyingtries=0 try to establish the tunnel indefinitely.
- The delay before re-establishing a deleted tunnel that is configured to remain up is now less than one second. (BZ#1389316)
The SHA-3 implementation in nettle now conforms to FIPS 202
nettle is a cryptographic library that is designed to fit easily in almost any context. With this update, the Secure Hash Algorithm 3 (SHA-3) implementation has been updated to conform to the final Federal Information Processing Standard (FIPS) 202 draft. (BZ#1252936)
scap-security-guide rebased to version 0.1.30
The scap-security-guide project provides a guide for configuration of the system from the final system's security point of view. The package has been upgraded to version 0.1.30. Notable improvements include:
- The NIST Committee on National Security Systems (CNSS) Instruction No. 1253 profile is now included and updated for Red Hat Enterprise Linux 7.
- The U.S. Government Commercial Cloud Services (C2S) profile inspired by the Center for Internet Security (CIS) benchmark is now provided.
- The remediation scripts are now included in benchmarks directly, and the external shell library is no longer necessary.
- The Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) profile for Red Hat Enterprise Linux 7 has been updated to be equal to the DISA STIG profile for Red Hat Enterprise Linux 6.
- The draft of the Criminal Justice Information Services (CJIS) Security Policy profile is now available for Red Hat Enterprise Linux 7. (BZ#1390661)