Chapter 14. Security
SCAP Security Guide
The scap-security-guide package has been included in Red Hat Enterprise Linux 7.1 to provide security guidance, baselines, and associated validation mechanisms. The guidance is specified in the Security Content Automation Protocol (SCAP), which constitutes a catalog of practical hardening advice. SCAP Security Guide contains the necessary data to perform system security compliance scans regarding prescribed security policy requirements; both a written description and an automated test (probe) are included. By automating the testing, SCAP Security Guide provides a convenient and reliable way to verify system compliance regularly.
The Red Hat Enterprise Linux 7.1 version of the SCAP Security Guide includes the Red Hat Corporate Profile for Certified Cloud Providers (RH CCP), which can be used for compliance scans of Red Hat Enterprise Linux Server 7.1 cloud systems.
Also, the Red Hat Enterprise Linux 7.1 scap-security-guide package contains SCAP datastream content format files for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7, so that remote compliance scanning of both of these products is possible.
The Red Hat Enterprise Linux 7.1 system administrator can use the oscap command line tool from the openscap-scanner package to verify that the system conforms to the provided guidelines. See the scap-security-guide(8) manual page for further information.
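The following script is an added example and is not part of the release notes or of the scap-security-guide package. It runs the RH CCP profile from the RHEL 7 datastream with oscap, interprets the exit status (0 means every rule passed, 2 means at least one rule failed, 1 is a tool error), and pulls the ids of the failing rules out of the results file. The profile id is an assumption (check it with oscap info); the results snippet at the bottom is constructed so the script also runs on a host without oscap.

```shell
#!/bin/sh
# Added example, not part of the RHEL 7.1 release notes or of scap-security-guide:
# scan the local host against the RH CCP profile and list the rules that failed.
set -eu

# Datastream shipped by scap-security-guide on RHEL 7 (the RHEL 6 one, ssg-rhel6-ds.xml, sits beside it).
DS=/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
# Assumed profile id for the Red Hat Corporate Profile for Certified Cloud Providers;
# confirm the exact id on your system with:  oscap info "$DS"
PROFILE=xccdf_org.ssgproject.content_profile_rht-ccp

# Build the oscap command line: $1 datastream, $2 profile, $3 results XML, $4 HTML report.
scan_cmd() {
    printf 'oscap xccdf eval --profile %s --results %s --report %s %s\n' "$2" "$3" "$4" "$1"
}

# oscap xccdf eval exits 0 when every rule passed, 2 when at least one rule failed,
# and 1 on a tool error; turn that into a word that is easy to script against.
scan_status() {
    case "$1" in
        0) echo pass ;;
        2) echo fail ;;
        *) echo error ;;
    esac
}

# Read an XCCDF results file on stdin and print the idref of every rule whose result is "fail".
# The first sed puts each rule-result element on its own line, so a plain regex is enough.
failed_rules() {
    tr '\n' ' ' | sed 's/<rule-result/\
<rule-result/g' | sed -n 's/.*idref="\([^"]*\)".*<result>fail<\/result>.*/\1/p'
}

# Constructed sample in the shape of an oscap --results file (rule ids are illustrative).
SAMPLE_RESULTS='<TestResult id="xccdf_org.open-scap_testresult_rht-ccp">
  <rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_selinux_state"><result>fail</result></rule-result>
</TestResult>'

if command -v oscap >/dev/null 2>&1 && [ -r "$DS" ]; then
    status=0
    oscap xccdf eval --profile "$PROFILE" --results results.xml --report report.html "$DS" || status=$?
    echo "scan result: $(scan_status "$status")"
    echo "failed rules:"
    failed_rules < results.xml
else
    echo "oscap or $DS not available here; the command to run on a RHEL 7.1 host is:"
    scan_cmd "$DS" "$PROFILE" results.xml report.html
    echo "failed rules in the constructed sample results:"
    printf '%s\n' "$SAMPLE_RESULTS" | failed_rules
fi
```

The exit status is what a cron job or configuration-management run should key on; the HTML report is for people, and the results XML is what you keep as evidence. For the RHEL 6 hosts mentioned above, point DS at ssg-rhel6-ds.xml instead.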
SELinux Policy
In Red Hat Enterprise Linux 7.1, the SELinux policy has been modified; services without their own SELinux policy that previously ran in the init_t domain now run in the newly added unconfined_service_t domain. As the name says, unconfined_service_t is an unconfined domain: a service running in it is not restricted by SELinux the way a service with its own policy module is, so the change makes such services easy to spot rather than confining them. See the Unconfined Processes chapter in the SELinux User's and Administrator's Guide for Red Hat Enterprise Linux 7.1.
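The check a practitioner wants after this change is a list of the services that ended up in unconfined_service_t, since each one is a candidate for a proper policy module. The script below is an added example, not from the release notes or the guide; it parses ps -eZ output, and the sample output embedded in it is constructed so it runs on a host without SELinux.

```shell
#!/bin/sh
# Added example, not from the release notes: find running services that have fallen
# into the unconfined_service_t domain and therefore run with no SELinux confinement.
set -eu

# Parse "ps -eZ" output (LABEL PID TTY TIME CMD) from stdin and print "pid cmd" for every
# process whose type (third field of the context) is unconfined_service_t.
list_unconfined_services() {
    awk 'NR > 1 {
        n = split($1, ctx, ":")          # user:role:type[:level]
        if (n >= 3 && ctx[3] == "unconfined_service_t") print $2, $NF
    }'
}

# Count such processes; 0 is what a host with fully confined services reports.
count_unconfined_services() {
    list_unconfined_services | grep -c . || true
}

# Constructed ps -eZ sample: two confined daemons, two that landed in unconfined_service_t.
SAMPLE_PS='LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:02 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023  812 ?        00:00:00 sshd
system_u:system_r:unconfined_service_t:s0 1044 ?        00:00:01 customd
system_u:system_r:unconfined_service_t:s0 1107 ?        00:00:00 agentd'

if [ -r /sys/fs/selinux/enforce ]; then
    echo "unconfined_service_t processes on this host:"
    ps -eZ | list_unconfined_services
else
    echo "SELinux not available here; results for the constructed sample:"
    printf '%s\n' "$SAMPLE_PS" | list_unconfined_services
fi
```

Anything the script lists is running as if SELinux were not there for that service. The usual fix is a policy module (audit2allow gives a starting point from the AVC denials after moving the service into a confined test domain), not a boolean.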
New Features in OpenSSH
The OpenSSH set of tools has been updated to version 6.6.1p1, which adds several new features related to cryptography:
- Key exchange using elliptic-curve Diffie-Hellman in Daniel Bernstein's Curve25519 is now supported. This method is now the default provided both the server and the client support it.
- Support has been added for using the Ed25519 elliptic-curve signature scheme as a public key type. Ed25519, which can be used for both user and host keys, offers better security than ECDSA and DSA as well as good performance.
- A new private-key format has been added that uses the bcrypt key-derivation function (KDF). By default, this format is used for Ed25519 keys but may be requested for other types of keys as well.
- A new transport cipher, chacha20-poly1305@openssh.com, has been added. It combines Daniel Bernstein's ChaCha20 stream cipher and the Poly1305 message authentication code (MAC).
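The script below is an added example and not part of the release notes or of OpenSSH. It generates an Ed25519 key pair (which lands in the new bcrypt-KDF format by default; ssh-keygen -o requests that format for other key types), tells the new format apart from legacy PEM by the file header, and writes the sshd_config keywords that put the Curve25519 key exchange and the ChaCha20-Poly1305 cipher first, using the algorithm names as OpenSSH 6.6 spells them. The key comment and file paths are illustrative.

```shell
#!/bin/sh
# Added example, not from the release notes or OpenSSH: Ed25519 keys in the new private-key
# format, a format check, and an sshd_config fragment preferring the new algorithms.
set -eu

# Generate an Ed25519 key at $1. -a sets the bcrypt KDF rounds (default 16 in 6.6); more rounds
# make offline guessing of the passphrase proportionally slower. -N '' means no passphrase here.
gen_ed25519_key() {
    ssh-keygen -q -t ed25519 -a 100 -N '' -C "example@rhel71" -f "$1"
}

# Classify a private-key file by its first line: the OpenSSH 6.5+ format (bcrypt KDF)
# or a legacy PEM key (RSA, DSA, EC), which uses a weak MD5-based key derivation.
key_format() {
    case "$(head -n 1 "$1")" in
        '-----BEGIN OPENSSH PRIVATE KEY-----') echo openssh-new ;;
        '-----BEGIN '*' PRIVATE KEY-----')    echo pem-legacy ;;
        *)                                     echo unknown ;;
    esac
}

# sshd_config fragment with the names OpenSSH 6.6 uses for the new algorithms
# (curve25519-sha256@libssh.org, chacha20-poly1305@openssh.com); an Ed25519 host key first,
# RSA kept so that older clients can still connect.
SSHD_FRAGMENT='HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'

# Print the first (most preferred) entry of a comma-separated sshd_config keyword read on stdin.
first_choice() {  # $1 = keyword, e.g. KexAlgorithms
    awk -v key="$1" '$1 == key { split($2, a, ","); print a[1]; exit }'
}

if command -v ssh-keygen >/dev/null 2>&1; then
    dir=$(mktemp -d)
    gen_ed25519_key "$dir/id_ed25519"
    echo "$dir/id_ed25519: $(key_format "$dir/id_ed25519")"   # openssh-new
    ssh-keygen -l -f "$dir/id_ed25519.pub"                     # fingerprint and key type
    rm -rf "$dir"
fi
printf '%s\n' "$SSHD_FRAGMENT" | first_choice KexAlgorithms    # curve25519-sha256@libssh.org
printf '%s\n' "$SSHD_FRAGMENT" | first_choice Ciphers          # chacha20-poly1305@openssh.com
```

Because the negotiation picks the first algorithm both sides list, putting the new names first is enough for 6.6 peers while leaving a fallback for older ones; the host key in /etc/ssh/ssh_host_ed25519_key has to exist (ssh-keygen -t ed25519 -f that path, or sshd-keygen on RHEL 7) before sshd is restarted with this fragment.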
New Features in Libreswan
The Libreswan implementation of IPsec VPN has been updated to version 3.12, which adds several new features and improvements:
- New ciphers have been added.
- IKEv2 support has been improved.
- Intermediate certificate chain support has been added in IKEv1 and IKEv2.
- Connection handling has been improved.
- Interoperability has been improved with OpenBSD, Cisco, and Android systems.
- systemd support has been improved.
- Support has been added for hashed CERTREQ and traffic statistics.
New Features in TNC
The Trusted Network Connect (TNC) Architecture, provided by the strongimcv package, has been updated and is now based on strongSwan 5.2.0. The following new features and improvements have been added to the TNC:
- The PT-EAP transport protocol (RFC 7171) for Trusted Network Connect has been added.
- The Attestation Integrity Measurement Collector (IMC)/Integrity Measurement Verifier (IMV) pair now supports the IMA-NG measurement format.
- The Attestation IMV support has been improved by implementing a new TPMRA work item.
- Support has been added for a JSON-based REST API with SWID IMV.
- The SWID IMC can now extract all installed packages from the dpkg, rpm, or pacman package managers using the swidGenerator, which generates SWID tags according to the new ISO/IEC 19770-2:2014 standard.
- The libtls TLS 1.2 implementation as used by EAP-(T)TLS and other protocols has been extended by AEAD mode support, currently limited to AES-GCM.
- IMV support for sharing the access requestor ID, device ID, and product information of an access requestor via a common imv_session object has been improved.
- Several bugs have been fixed in the existing IF-TNCCS (PB-TNC) and IF-M (PA-TNC) protocols, and in the OS IMC/IMV pair.
New Features in GnuTLS
The GnuTLS implementation of the SSL, TLS, and DTLS protocols has been updated to version 3.3.8, which offers a number of new features and improvements:
- Support for DTLS 1.2 has been added.
- Support for Application Layer Protocol Negotiation (ALPN) has been added.
- The performance of elliptic-curve cipher suites has been improved.
- New cipher suites, RSA-PSK and CAMELLIA-GCM, have been added.
- Native support for the Trusted Platform Module (TPM) standard has been added.
- Support for PKCS#11 smart cards and hardware security modules (HSM) has been improved in several ways.
- Compliance with the FIPS 140 security standards (Federal Information Processing Standards) has been improved in several ways.