Chapter 15. Security
New packages: tang, clevis, jose, luksmeta
Network Bound Disk Encryption (NBDE) allows the user to encrypt root volumes of the hard drives on physical and virtual machines without requiring a password to be entered manually when the system is rebooted.
- Tang is a server for binding data to network presence. It includes a daemon which provides cryptographic operations for binding to a remote service. The tang package provides the server side of the NBDE project.
- Clevis is a pluggable framework for automated decryption. It can be used to provide automated decryption of data or even automated unlocking of LUKS volumes. The clevis package provides the client side of the NBDE project.
- José is a C-language implementation of the Javascript Object Signing and Encryption standards. The jose package is a dependency of the clevis and tang packages.
- LUKSMeta is a simple library for storing metadata in the LUKSv1 header. The luksmeta package is a dependency of the clevis and tang packages.
Note that the tang-nagios and clevis-udisk2 subpackages are available only as a Technology Preview. (BZ#1300697, BZ#1300696, BZ#1399228, BZ#1399229)
New package: usbguard
The USBGuard software framework provides system protection against intrusive USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. To enforce a user-defined policy, USBGuard uses the Linux kernel USB device authorization feature. The USBGuard framework provides the following components:
- The daemon component with an inter-process communication (IPC) interface for dynamic interaction and policy enforcement
- The command-line interface to interact with a running USBGuard instance
- The rule language for writing USB device authorization policies
- The C++ API for interacting with the daemon component implemented in a shared library (BZ#1395615)
openssh rebased to version 7.4
The openssh package has been updated to upstream version 7.4, which provides a number of enhancements, new features, and bug fixes, including:
- Added support for the resumption of interrupted uploads in SFTP.
- Added the extended log format for the authentication failure messages.
- Added a new fingerprint type that uses the SHA-256 algorithm.
- Added support for using PKCS#11 devices with external PIN entry devices.
- Removed support for the SSH-1 protocol from the OpenSSH server.
- Removed support for the legacy v00 certificate format.
- Added the PubkeyAcceptedKeyTypes and HostKeyAlgorithms configuration options for the ssh utility and the sshd daemon to allow disabling key types selectively.
- Added the AddKeysToAgent option for the OpenSSH client.
- Added the ProxyJump ssh option and the corresponding -J command-line flag.
- Added support for key exchange methods for the Diffie-Hellman 2K, 4K, and 8K groups.
- Added the Include directive for the ssh_config file.
- Removed support for the UseLogin option.
- Removed support for the pre-authentication compression in the server.
- The seccomp filter is now used for the pre-authentication process. (BZ#1341754)
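As an added example that is not part of the original release notes or of the OpenSSH project, the following Python script computes the SHA-256 fingerprint type listed above, in the unpadded base64 form that ssh-keygen prints, alongside the legacy MD5 form, working from the base64 key blob of an authorized_keys or known_hosts line. The key line, the ssh-ed25519 public point, and the comment are constructed for illustration and are not a real key pair; the blob layout (a length-prefixed type string followed by the key material) is the standard SSH wire format, and the script checks that the textual type prefix agrees with the type embedded in the blob.

```python
"""SHA-256 and legacy MD5 fingerprints of an SSH public key blob, as OpenSSH prints them."""
import base64
import hashlib
import struct


def parse_pubkey_line(line):
    """Return (key_type, blob) from an authorized_keys/known_hosts style line.

    The textual type prefix is compared with the type string embedded in the
    blob: the prefix is plain text that nothing signs, so a mismatch means the
    line was edited or mis-assembled.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii")
    if embedded != key_type:
        raise ValueError("type prefix %r does not match blob type %r" % (key_type, embedded))
    return key_type, blob


def fingerprint_sha256(blob):
    """OpenSSH 6.8+ default: 'SHA256:' followed by unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob):
    """Legacy form ('ssh-keygen -l -E md5'): 'MD5:' plus colon-separated hex bytes."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample key (assumption: not a real key pair). The 32-byte "point"
# is a fixed byte pattern so the example runs offline and deterministically.
_ED25519_POINT = bytes(range(32))
_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
         + struct.pack(">I", 32) + _ED25519_POINT)
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(_BLOB).decode("ascii") + " alice@example"


if __name__ == "__main__":
    key_type, blob = parse_pubkey_line(SAMPLE_LINE)
    print(key_type, fingerprint_sha256(blob))
    print(key_type, fingerprint_md5(blob))
```

For a real key, the SHA256 value printed here matches what `ssh-keygen -l -f <key>` shows on OpenSSH 7.4, and the MD5 value matches `ssh-keygen -l -E md5 -f <key>`, which is what older clients and host-key prompts still display.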
audit rebased to version 2.7.6
The audit packages have been updated to upstream version 2.7.6, which provides a number of enhancements, new features, and bug fixes, including:
- The auditd service now automatically adjusts logging directory permissions when it starts up. This helps keep directory permissions correct after performing a package upgrade.
- The ausearch utility has a new --format output option. The --format text option presents an event as an English sentence describing what is happening. The --format csv option normalizes logs into a subject, object, action, results, and how it occurred, in addition to some metadata fields, and outputs them in the Comma Separated Value (CSV) format. This is suitable for pushing event information into a database, spreadsheet, or other analytic programs to view, chart, or analyze audit events.
- The auditctl utility can now reset the lost event counter in the kernel through the --reset-lost command-line option. This makes checking for lost events easier, since you can reset the value to zero daily.
- ausearch and aureport now have a boot option for the --start command-line option to find events since the system booted.
- ausearch and aureport provide a new --escape command-line option to better control what kind of escaping is done to audit fields. It currently supports raw, tty, shell, and shell_quote escaping.
- auditctl no longer allows rules with the entry filter. This filter has not been supported since Red Hat Enterprise Linux 5. Prior to this release, on Red Hat Enterprise Linux 6 and 7, auditctl moved any entry rule to the exit filter and displayed a warning that the entry filter is deprecated. (BZ#1381601)
opensc rebased to version 0.16.0
The OpenSC set of libraries and utilities provides support for working with smart cards. OpenSC focuses on cards that support cryptographic operations and enables their use for authentication, mail encryption, or digital signatures.
Notable enhancements in Red Hat Enterprise Linux 7.4 include:
- OpenSC adds support for Common Access Card (CAC) cards.
- OpenSC implements the PKCS#11 API and now also provides the CoolKey applet functionality. The opensc packages replace the coolkey packages.
Note that the coolkey packages will remain supported for the lifetime of Red Hat Enterprise Linux 7, but new hardware enablement will be provided through the opensc packages. (BZ#1081088, BZ#1373164)
openssl rebased to version 1.0.2k
The openssl package has been updated to upstream version 1.0.2k, which provides a number of enhancements, new features, and bug fixes, including:
- Added support for the Datagram Transport Layer Security (DTLS) protocol version 1.2.
- Added support for the automatic elliptic curve selection for the ECDHE key exchange in TLS.
- Added support for the Application-Layer Protocol Negotiation (ALPN).
- Added Cryptographic Message Syntax (CMS) support for the following schemes: RSA-PSS, RSA-OAEP, ECDH, and X9.42 DH.
Note that this version is compatible with the API and ABI in the OpenSSL library version in previous releases of Red Hat Enterprise Linux 7. (BZ#1276310)
openssl-ibmca rebased to version 1.3.0
The openssl-ibmca package has been updated to upstream version 1.3.0, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
- Added support for SHA-512.
- Cryptographic methods are dynamically loaded when the ibmca engine starts. This enables ibmca to direct cryptographic methods to hardware when they are supported there through the libica library.
- Fixed a bug in block-size handling with stream cipher modes. (BZ#1274385)
OpenSCAP 1.2 is NIST-certified
OpenSCAP 1.2, the Security Content Automation Protocol (SCAP) scanner, has been certified by the National Institute of Standards and Technology (NIST) as a U. S. government-evaluated configuration and vulnerability scanner for Red Hat Enterprise Linux 6 and 7. OpenSCAP analyzes and evaluates security automation content correctly and it provides the functionality and documentation required by NIST to run in sensitive, security-conscious environments. Additionally, OpenSCAP is the first NIST-certified configuration scanner for evaluating Linux containers. Use cases include evaluating the configuration of Red Hat Enterprise Linux 7 hosts for PCI and DoD Security Technical Implementation Guide (STIG) compliance, as well as performing known vulnerability scans using Red Hat Common Vulnerabilities and Exposures (CVE) data. (BZ#1363826)
libreswan rebased to version 3.20
The libreswan packages have been upgraded to upstream version 3.20, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include:
- Added support for Opportunistic IPsec (Mesh Encryption), which enables IPsec deployments that cover a large number of hosts using a single simple configuration on all hosts.
- FIPS mode restrictions have been further tightened.
- Added support for routed-based VPN using Virtual Tunnel Interface (VTI).
- Improved support for non-root configurations.
- Improved Online Certificate Status Protocol (OCSP) and Certificate Revocation Lists (CRL) support.
- Added new whack command options: --fipsstatus, --fetchcrls, --globalstatus, and --shuntstatus.
- Added support for the NAT Opportunistic Encryption (OE) Client Address Translation: leftcat=yes.
- Added support for the Traffic Flow Confidentiality mechanism: tfc=.
- Updated cipher preferences as per RFC 4307bis and RFC 7321bis.
- Added support for Extended Sequence Numbers (ESN): esn=yes.
- Added support for disabling and increasing the replay window: replay-window=. (BZ#1399883)
Audit now supports filtering based on session ID
With this update, the Linux Audit system supports user rules to filter audit messages based on the sessionid value. (BZ#1382504)
libseccomp now supports IBM Power architectures
With this update, the libseccomp library supports the IBM Power, 64-bit IBM Power, and 64-bit little-endian IBM Power architectures, which enables the GNOME rebase. (BZ#1425007)
AUDIT_KERN_MODULE now records module loading
The AUDIT_KERN_MODULE auxiliary record has been added to AUDIT_SYSCALL records for the init_module(), finit_module(), and delete_module() functions. This information is stored in the audit_context structure. (BZ#1382500)
OpenSSH now uses SHA-2 for public key signatures
Previously, OpenSSH used the SHA-1 hash algorithm for public key signatures using RSA and DSA keys. SHA-1 is no longer considered secure, and a new SSH protocol extension allows the use of SHA-2. With this update, SHA-2 is the default algorithm for public key signatures. SHA-1 is available only for backward compatibility purposes. (BZ#1322911)
firewalld now supports additional IP sets
With this update of the firewalld service daemon, support for the following ipset types has been added:
- hash:ip,port
- hash:ip,port,ip
- hash:ip,port,net
- hash:ip,mark
- hash:net,net
- hash:net,port
- hash:net,port,net
- hash:net,iface
The following ipset types, which provide a combination of sources and destinations at the same time, are not supported as sources in firewalld. IP sets using these types are created by firewalld, but their usage is limited to direct rules:
- hash:ip,port,ip
- hash:ip,port,net
- hash:net,net
- hash:net,port,net
The ipset packages have been rebased to upstream version 6.29, and the following ipset types are now additionally supported:
- hash:mac
- hash:net,port,net
- hash:net,net
- hash:ip,mark (BZ#1419058)
firewalld now supports actions on ICMP types in rich rules
With this update, the firewalld service daemon allows using Internet Control Message Protocol (ICMP) types in rich rules with the accept, log, and mark actions. (BZ#1409544)
firewalld now supports disabled automatic helper assignment
This update of the firewalld service daemon introduces support for the disabled automatic helper assignment feature. firewalld helpers can now be used without adding additional rules, even if automatic helper assignment is turned off. (BZ#1006225)
nss and nss-util now use SHA-256 by default
With this update, the default configuration of the NSS library has been changed to use a stronger hash algorithm when creating digital signatures. With RSA, EC, and 2048-bit (or longer) DSA keys, the SHA-256 algorithm is now used.
Note that the NSS utilities, such as certutil, crlutil, and cmsutil, also now use SHA-256 in their default configurations. (BZ#1309781)
Audit filter exclude rules now contain additional fields
The exclude filter has been enhanced, and it now contains not only the msgtype field, but also the pid, uid, gid, auid, sessionID, and SELinux types. (BZ#1382508)
PROCTITLE now provides the full command in Audit events
This update introduces the PROCTITLE record addition to Audit events. PROCTITLE provides the full command being executed. The PROCTITLE value is encoded so that it cannot be used to circumvent the Audit event parser. Note that the PROCTITLE value is still not trusted, since it can be manipulated by user-space data. (BZ#1299527)
nss-softokn rebased to version 3.28.3
The nss-softokn packages have been upgraded to upstream version 3.28.3, which provides a number of bug fixes and enhancements over the previous version:
- Added support for the ChaCha20-Poly1305 (RFC 7539) algorithm used by TLS (RFC 7905), the Internet Key Exchange Protocol (IKE), and IPsec (RFC 7634).
- For key exchange purposes, added support for the Curve25519/X25519 curve.
- Added support for the Extended Master Secret (RFC 7627) extension. (BZ#1369055)
libica rebased to version 3.0.2
The libica package has been upgraded to upstream version 3.0.2, which provides a number of fixes over the previous version. Notable additions include:
- support for Federal Information Processing Standards (FIPS) mode
- support for generating pseudorandom numbers, including enhanced support for Deterministic Random Bit Generator compliant with the updated security specification NIST SP 800-90A. (BZ#1391558)
opencryptoki rebased to version 3.6.2
The opencryptoki packages have been upgraded to upstream version 3.6.2, which provides a number of bug fixes and enhancements over the previous version:
- Added support for OpenSSL 1.1.
- Replaced deprecated OpenSSL interfaces.
- Replaced deprecated libica interfaces.
- Improved performance for IBM Crypto Accelerator (ICA).
- Added support for the rc=8, reasoncode=2028 error message in the icsf token. (BZ#1391559)
AUDIT_NETFILTER_PKT events are now normalized
The AUDIT_NETFILTER_PKT audit events are now simplified, and message fields are now displayed in a consistent manner. (BZ#1382494)
p11tool now supports writing objects by specifying a stored ID
With this update, the p11tool GnuTLS PKCS#11 tool supports the new --id option to write objects by specifying a stored ID. This allows the written object to be addressable by more applications than p11tool. (BZ#1399232)
New package: nss-pem
This update introduces the nss-pem package, which previously was part of the nss packages, as a separate package. The nss-pem package provides the PEM file reader for Network Security Services (NSS) implemented as a PKCS#11 module. (BZ#1316546)
pmrfc3164 replaces pmrfc3164sd in rsyslog
With the update of the rsyslog packages, the pmrfc3164sd module, which is used for parsing logs in the BSD syslog protocol format (RFC 3164), has been replaced by the official pmrfc3164 module. The official module does not fully cover the pmrfc3164sd functionality, so pmrfc3164sd is still shipped in rsyslog, but it is no longer supported. Use the new pmrfc3164 module wherever possible. (BZ#1431616)
libreswan now supports right=%opportunisticgroup
With this update, the %opportunisticgroup value for the right option in the conn part of the Libreswan configuration is supported. This allows opportunistic IPsec with X.509 authentication, which significantly reduces the administrative overhead in large environments. (BZ#1324458)
ca-certificates now meet Mozilla Firefox 52.2 ESR requirements
The Network Security Services (NSS) code and Certificate Authority (CA) list have been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI). To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017. (BZ#1444413)
nss now meets Mozilla Firefox 52.2 ESR requirements for certificates
The Certificate Authority (CA) list has been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI). To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017. (BZ#1444414)
scap-security-guide rebased to version 0.1.33
The scap-security-guide packages have been upgraded to upstream version 0.1.33, which provides a number of bug fixes and enhancements over the previous version. In particular, this new version enhances existing compliance profiles and expands the scope of coverage to include two new configuration baselines:
- Extended support for PCI-DSS v3 Control Baseline
- Extended support for United States Government Commercial Cloud Services (C2S).
- Extended support for Red Hat Corporate Profile for Certified Cloud Providers.
- Added support for the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 7 profile, aligned with the DISA STIG for Red Hat Enterprise Linux V1R1 profile.
- Added support for the Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) profile, which configures Red Hat Enterprise Linux 7 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).
- Added support for the United States Government Configuration Baseline (USGCB/STIG) profile, developed in partnership with the U. S. National Institute of Standards and Technology (NIST), U. S. Department of Defense, the National Security Agency, and Red Hat.
The USGCB/STIG profile implements configuration requirements from the following documents:
- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST Controlled Unclassified Information (NIST 800-171)
- NIST 800-53 control selections for moderate impact systems (NIST 800-53)
- U. S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0)
- DISA Operating System Security Requirements Guide (OS SRG)
Note that several previously-contained profiles have been removed or merged. (BZ#1410914)