Chapter 13. Security
TLS 1.2 support added to basic system components
With these updates, basic system tools, such as yum, stunnel, vsftpd, Git, or Postfix, have been modified to support the 1.2 version of the TLS protocol. This is to ensure that the tools are not vulnerable to security exploits that exist for older versions of the protocol. (BZ#1253743)
NSS now enables the TLS version 1.2 protocol by default
In order to satisfy current best security practices, the Transport Layer Security (TLS) 1.2 protocol has been enabled by default in NSS. This means that it is no longer necessary to explicitly enable it in applications that use NSS library defaults.
If both sides of a TLS connection enable TLS 1.2, this protocol version is now used automatically. (BZ#1272504)
pycurl now provides options to require TLSv1.1 or 1.2
With this update, pycurl has been enhanced to support options that make it possible to require the use of the 1.1 or 1.2 versions of the TLS protocol, which improves the security of communication. (BZ#1260406)
PHP cURL module now supports TLS 1.1 and TLS 1.2
Support for the TLS protocol versions 1.1 and 1.2, which was previously made available in the curl library, has been added to the PHP cURL extension. (BZ#1255920)
openswan deprecated in favor of libreswan
The openswan packages have been deprecated, and libreswan packages have been introduced as a direct replacement for openswan. libreswan is a more stable and secure VPN solution for Red Hat Enterprise Linux 6. libreswan is already available as the VPN endpoint solution for Red Hat Enterprise Linux 7. openswan will be replaced by libreswan during system upgrade. See https://access.redhat.com/articles/2089191 for instructions on how to migrate from openswan to libreswan.
Note that the openswan packages remain available in the repository. To install openswan instead of libreswan, use the -x option of yum to exclude libreswan: yum install openswan -x libreswan. (BZ#1266222)
SELinux support added for GlusterFS
With this update, the SELinux mandatory access control is provided for the glusterd (GlusterFS Management Service) and glusterfsd (NFS server) processes as a part of Red Hat Gluster Storage. (BZ#1241112)
shadow-utils rebased to version 4.1.5.1
The shadow-utils package, which provides utilities for managing user and group accounts, has been rebased to version 4.1.5.1. This is the same as the version of shadow-utils in Red Hat Enterprise Linux 7. Enhancements include improved auditing, which was corrected to provide a better record of system-administrator actions on the user-account database. The main new feature added to this package is the support for operation in chroot environments using the --root option of the respective tools. (BZ#1257643)
audit rebased to version 2.4.5
The audit package, which provides the user-space utilities for storing and searching the audit records generated by the audit subsystem in the Linux kernel, has been rebased to version 2.4.5. This update includes enhanced event interpretation facilities that provide more system-call names and arguments to make the understanding of events easier.
This update also has an important behavior change in the way that auditd records events to disk. If you are using either data or sync modes for the flush setting in auditd.conf, you will see a performance decrease in auditd's ability to log events. This is because it was previously not properly informing the kernel that full synchronous writes should be used. This was corrected, which has improved the reliability of the operation, but this has come at the expense of performance. If the performance drop is not tolerable, the flush setting should be changed to incremental, and the freq setting will then control how often auditd instructs the kernel to synchronize all records to disk. A freq setting of 100 should give good performance while making sure that new records are flushed to disk periodically. (BZ#1257650)
LWP now supports host name and certificate verification
Certificate and host-name verification, which is disabled by default, has been implemented in the World Wide Web library for Perl (LWP, also called libwww-perl). This allows users of the LWP::UserAgent Perl module to verify the identity of HTTPS servers. To enable the verification, make sure the IO::Socket::SSL Perl module is installed and the PERL_LWP_SSL_VERIFY_HOSTNAME environment variable is set to 1, or that the application is modified to set the ssl_opts option correctly. See the LWP::UserAgent POD for more details. (BZ#745800)
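The application-side route described above, as an added example that is not part of the release notes or of the LWP documentation: the verification is switched on through ssl_opts rather than the environment variable, so it cannot be silently left off by a missing PERL_LWP_SSL_VERIFY_HOSTNAME. The URL is a placeholder; the CA bundle path is the default Red Hat Enterprise Linux one and is an assumption for other systems.

```perl
#!/usr/bin/perl
# Added example (not from the release notes): an LWP::UserAgent client that
# enables certificate and host-name verification explicitly via ssl_opts.
use strict;
use warnings;
use LWP::UserAgent;

# Assumed values: the URL is a placeholder; the CA bundle path is the
# Red Hat Enterprise Linux default and may differ elsewhere.
my $url     = 'https://example.com/';
my $ca_file = '/etc/pki/tls/certs/ca-bundle.crt';

my $ua = LWP::UserAgent->new(
    timeout  => 10,
    ssl_opts => {
        verify_hostname => 1,         # certificate must match the host name
        SSL_ca_file     => $ca_file,  # trust anchors used to validate the chain
    },
);

my $res = $ua->get($url);
if ($res->is_success) {
    printf "verified connection to %s: %s\n", $url, $res->status_line;
} else {
    # A failed verification surfaces here as an error response: LWP reports
    # connection-level failures with a 500 status and the SSL error text.
    printf "request to %s failed: %s\n", $url, $res->status_line;
    exit 1;
}
```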
Perl Net::SSLeay now supports elliptic curve parameters
Support for elliptic-curve parameters has been added to the Perl Net::SSLeay module, which contains bindings to the OpenSSL library. Namely, the EC_KEY_new_by_curve_name(), EC_KEY_free*(), SSL_CTX_set_tmp_ecdh(), and OBJ_txt2nid() subroutines have been ported from upstream. This is required for the support of the Elliptic Curve Diffie–Hellman Exchange (ECDHE) key exchange in the IO::Socket::SSL Perl module. (BZ#1044401)
Perl IO::Socket::SSL now supports ECDHE
Support for Elliptic Curve Diffie–Hellman Exchange (ECDHE) has been added to the IO::Socket::SSL Perl module. The new SSL_ecdh_curve option can be used for specifying a suitable curve by the Object Identifier (OID) or Name Identifier (NID). As a result, it is now possible to override the default elliptic curve parameters when implementing a TLS client using IO::Socket::SSL. (BZ#1078084)
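An added example covering both notes above (the Net::SSLeay curve bindings and the SSL_ecdh_curve option they enable in IO::Socket::SSL); it is not code from the release notes or from either module's documentation. It builds a TLS client that selects the ECDHE curve by name, restricts the cipher list to ECDHE suites, and still verifies the peer certificate and host name. The host, port and CA bundle path are assumed placeholders; prime256v1 is a standard named curve.

```perl
#!/usr/bin/perl
# Added example (not from the release notes): an IO::Socket::SSL client that
# overrides the default ECDHE curve with SSL_ecdh_curve while keeping
# certificate-chain and host-name verification enabled.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Assumed values: host, port and CA bundle path are placeholders.
my $host    = 'example.com';
my $port    = 443;
my $ca_file = '/etc/pki/tls/certs/ca-bundle.crt';

my $sock = IO::Socket::SSL->new(
    PeerHost            => $host,
    PeerPort            => $port,
    SSL_verify_mode     => SSL_VERIFY_PEER,  # validate the server's chain
    SSL_ca_file         => $ca_file,
    SSL_verifycn_scheme => 'http',           # check the name as a web client would
    SSL_verifycn_name   => $host,
    SSL_ecdh_curve      => 'prime256v1',     # curve by name (an OID string also works)
    SSL_cipher_list     => 'ECDHE:!aNULL:!eNULL',  # ECDHE suites only; no anon/null
) or die "TLS connection to $host:$port failed: ", IO::Socket::SSL::errstr(), "\n";

# The negotiated cipher shows whether an ECDHE suite was actually chosen.
printf "negotiated cipher: %s\n", $sock->get_cipher;
printf "server subject:    %s\n", $sock->peer_certificate('subject');
$sock->close(SSL_ctx_free => 1);
```

If the server offers no ECDHE suite, the handshake fails and the die message carries the OpenSSL error text, which is the intended outcome rather than a silent fallback.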
openscap rebased to version 1.2.8
OpenSCAP, a set of libraries providing a path for the integration of SCAP standards, has been rebased to 1.2.8, the latest upstream version. Notable enhancements include support for the OVAL-5.11 and OVAL-5.11.1 language versions, the introduction of a verbose mode, which helps to understand the details of running scans, two new commands, oscap-ssh and oscap-vm, for scanning over SSH and scanning of inactive virtual systems respectively, native support for bz2 archives, and a modern interface for HTML reports and guides. (BZ#1259037)
scap-workbench rebased to version 1.1.1
The scap-workbench package has been rebased to version 1.1.1, which provides a new SCAP Security Guide integration dialog. It can help the administrator choose a product that needs to be scanned instead of choosing content files. The new version also offers a number of performance and user-experience improvements, including improved rule searching in the tailoring window and the possibility to fetch remote resources in SCAP content using the GUI. (BZ#1269551)
scap-security-guide rebased to version 0.1.28
The scap-security-guide package has been rebased to the latest upstream version (0.1.28), which offers a number of important fixes and enhancements. These include several improved or completely new profiles for both Red Hat Enterprise Linux 6 and 7, added automated checks and remediation scripts for many rules, human-readable OVAL IDs that are consistent between releases, and HTML-formatted guides accompanying each profile. (BZ#1267509)
Support for SSLv3 and RC4 disabled in luci
The use of the insecure SSLv3 protocol and RC4 algorithm has been disabled in luci, the web-based high availability administration application. By default, only TLSv1.0 and higher protocol versions are allowed, and the digest algorithm used for self-managed certificates has been updated to SHA256. It is possible to re-enable SSLv3 (by uncommenting the allow_insecure options in relevant sections of the /etc/sysconfig/luci configuration file), but that is only for unlikely and unpredictable cases and should be used with extreme caution.
This update also adds the possibility to adjust the most important SSL/TLS properties (in addition to the mentioned allow_insecure): the path to the certificate pair and the cipher list. These settings can be used either globally, or independently for both secure channels (HTTPS web UI access and connection with ricci instances). (BZ#1156167)