Chapter 14. Security
LUKS-encrypted removable storage devices can now be automatically unlocked using NBDE
With this update, the clevis package and the clevis_udisks2 subpackage enable users to bind removable volumes to a Network-Bound Disk Encryption (NBDE) policy. To automatically unlock a LUKS-encrypted removable storage device, such as a USB drive, use the clevis luks bind and clevis luks unlock commands. (BZ#1475408)
new package: clevis-systemd
This update of the Clevis pluggable framework introduces the clevis-systemd subpackage, which enables administrators to set up automated unlocking of LUKS-encrypted non-root volumes at boot time. (BZ#1475406)
OpenSCAP can now be integrated into Ansible workflows
With this update, the OpenSCAP scanner can generate remediation scripts in the form of Ansible Playbooks, either based on profiles or based on scan results. Playbooks based on SCAP Security Guide Profiles contain fixes for all rules, and playbooks based on scan results contain only fixes for rules that fail during an evaluation. The user can also generate a playbook from a tailored Profile, or customize it directly by editing the values in the playbook. Tags used as metadata for tasks in playbooks, such as Rule ID, strategy, complexity, disruption, or references, serve to filter which tasks to apply. (BZ#1404429)
SECCOMP_FILTER_FLAG_TSYNC enables synchronization of calling process threads
This update introduces the SECCOMP_FILTER_FLAG_TSYNC flag. When adding a new filter, this flag synchronizes all other threads of the calling process to the same seccomp filter tree. See the seccomp(2) man page for more information.
Note that if an application installs multiple libseccomp or seccomp-bpf filters, the seccomp() syscall should be added to the list of allowed system calls. (BZ#1458278)
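The flag in action, as an added example that is not part of the release notes: a process creates a worker thread first, then installs a small allow-list filter with SECCOMP_FILTER_FLAG_TSYNC from the main thread, and the worker checks that it too is now in filter mode. It keeps the seccomp() syscall on the allow-list, as the note above advises; the syscall list, the function names and the worker thread are constructed for this example, and it assumes x86_64 and Linux 3.17 or later headers.

```c
/* Added example (not from the release notes); assumes x86_64 and Linux 3.17+ headers. */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Constructed allow-list; __NR_seccomp stays allowed so a later filter can be stacked. */
static const int allowed[] = { __NR_read, __NR_write, __NR_exit, __NR_exit_group, __NR_futex,
    __NR_prctl, __NR_seccomp, __NR_rt_sigreturn, __NR_rt_sigprocmask, __NR_madvise, __NR_munmap };
#define NALLOWED (sizeof allowed / sizeof allowed[0])
#define MAX_INSNS (5 + 2 * NALLOWED)
size_t build_filter(struct sock_filter *p) {   /* arch check, allow pairs, default KILL */
    size_t n = 0;
    p[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    p[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    p[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);   /* foreign arch */
    p[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < NALLOWED; i++) {
        p[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[i], 0, 1);
        p[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    p[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);   /* default deny */
    return n;                                  /* number of instructions written */
}
/* 0 on success; >0 is the TID of a thread whose own filter tree blocked the sync; -1 + errno. */
long install_filter_tsync(void) {
    struct sock_filter p[MAX_INSNS];
    struct sock_fprog prog = { .len = (unsigned short)build_filter(p), .filter = p };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, &prog);
}
static pthread_barrier_t gate;
static void *worker(void *out) {                     /* created before the install */
    pthread_barrier_wait(&gate);                     /* main installs meanwhile */
    *(int *)out = prctl(PR_GET_SECCOMP, 0, 0, 0, 0); /* 2 == SECCOMP_MODE_FILTER */
    return NULL;
}
int main(void) {
    pthread_t t; int mode = -1;
    pthread_barrier_init(&gate, NULL, 2);
    pthread_create(&t, NULL, worker, &mode);
    long r = install_filter_tsync();                 /* one call covers the worker too */
    pthread_barrier_wait(&gate);
    pthread_join(t, NULL);
    return (r == 0 && mode == 2) ? 0 : 1;            /* exit status 0: worker was covered */
}
```

Build with `cc -pthread`; an exit status of 0 means the pre-existing worker thread was covered by the single install, and a positive return from seccomp() identifies a thread whose filter tree could not be synchronized.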
nss rebased to version 3.34
The nss packages have been upgraded to upstream version 3.34, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
- TLS compression is no longer supported.
- The TLS server code now supports session ticket without an RSA key.
- Certificates can be specified using a PKCS#11 URI.
- The RSA-PSS cryptographic signature scheme is now allowed for signing and verification of certificate signatures. (BZ#1457789)
SSLv3 disabled in mod_ssl
To improve the security of SSL/TLS connections, the default configuration of the httpd mod_ssl module has been changed to disable support for the SSLv3 protocol, and to restrict the use of certain cryptographic cipher suites. This change will affect only fresh installations of the mod_ssl package, so existing users should manually change the SSL configuration as required.
Any SSL clients attempting to establish connections using SSLv3, or using a cipher suite based on DES or RC4, will be denied in the new default configuration. To allow such insecure connections, modify the SSLProtocol and SSLCipherSuite directives in the /etc/httpd/conf.d/ssl.conf file. (BZ#1274890)
Libreswan now supports split-DNS configuration for IKEv2
This update of the libreswan packages introduces support for split-DNS configuration for the Internet Key Exchange version 2 (IKEv2) protocol through the leftmodecfgdns= and leftcfgdomains= options. This enables the user to reconfigure a locally running DNS server with DNS forwarding for specific private domains. (BZ#1300763)
libreswan now supports AES-GMAC for ESP
With this update, support for Advanced Encryption Standard (AES) Galois Message Authentication Code (GMAC) within IPsec Encapsulating Security Payload (ESP) through the phase2alg=null_auth_aes_gmac option has been added to the libreswan packages. (BZ#1475434)
openssl-ibmca rebased to 1.4.0
The openssl-ibmca packages have been upgraded to upstream version 1.4.0, which provides a number of bug fixes and enhancements over the previous version:
- Added Advanced Encryption Standard Galois/Counter Mode (AES-GCM) support.
- Incorporated fixes for OpenSSL operating in FIPS mode. (BZ#1456516)
opencryptoki rebased to 3.7.0
The opencryptoki packages have been upgraded to upstream version 3.7.0, which provides a number of bug fixes and enhancements over the previous version:
- Upgraded the license to Common Public License Version 1.0 (CPL).
- Added ECDSA with SHA-2 support for Enterprise PKCS #11 (EP11) and Common Cryptographic Architecture (CCA).
- Improved performance by moving from mutex locks to Transactional Memory (TM). (BZ#1456520)
atomic scan with configuration_compliance enables creating security-compliant container images at build time
The rhel7/openscap container image now provides the configuration_compliance scan type. When used as an argument for the atomic scan command, this new scan type enables users to:
- scan Red Hat Enterprise Linux-based container images and containers against any profile provided by the SCAP Security Guide (SSG)
- remediate Red Hat Enterprise Linux-based container images to be compliant with any profile provided by the SSG
- generate an HTML report from a scan or a remediation.
The remediation results in a container image with an altered configuration that is added as a new layer on top of the original container image.
Note that the original container image remains unchanged and only a new layer is created on top of it. The remediation process builds a new container image that contains all the configuration improvements. The content of this layer is defined by the security policy of scanning. This also means that the remediated container image is no longer signed by Red Hat, which is expected, since it differs from the original container image by containing the remediated layer. (BZ#1472499)
tang-nagios enables Nagios to monitor Tang
The tang-nagios subpackage provides the Nagios plugin for Tang. The plugin enables the Nagios program to monitor a Tang server. The subpackage is available in the Optional channel. See the tang-nagios(1) man page for more information. (BZ#1478895)
clevis now logs privileged operations
With this update, the clevis-udisks2 subpackage logs all attempted key recoveries to the Audit log, so the privileged operations can now be tracked using the Linux Audit system. (BZ#1478888)
PK11_CreateManagedGenericObject() has been added to NSS to prevent memory leaks in applications
The PK11_DestroyGenericObject() function does not properly destroy objects allocated by PK11_CreateGenericObject(), but some applications depend on a function for creating objects that persist after the use of the object. For this reason, the Network Security Services (NSS) libraries now include the PK11_CreateManagedGenericObject() function. If you create objects with PK11_CreateManagedGenericObject(), the PK11_DestroyGenericObject() function also properly destroys the underlying associated objects. Applications, such as the curl utility, can now use PK11_CreateManagedGenericObject() to prevent memory leaks. (BZ#1395803)
OpenSSH now supports openssl-ibmca and openssl-ibmpkcs11 HSMs
With this update, the OpenSSH suite enables hardware security modules (HSM) handled by the openssl-ibmca and openssl-ibmpkcs11 packages. Prior to this, the OpenSSH seccomp filter prevented these cards from working with the OpenSSH privilege separation. The seccomp filter has been updated to allow the system calls needed by the cryptographic cards on IBM Z. (BZ#1478035)
cgroup_seclabel enables fine-grained access control on cgroups
This update introduces the cgroup_seclabel policy capability that enables users to set labels on control group (cgroup) files. Prior to this addition, labeling of the cgroup file system was not possible, and to run the systemd service manager in a container, read and write permissions for any content on the cgroup file system had to be allowed. The cgroup_seclabel policy capability enables fine-grained access control on the cgroup file system. (BZ#1494179)
The boot process can now unlock encrypted devices connected by network
Previously, the boot process attempted to unlock block devices connected by network before starting network services. Because the network was not activated, it was not possible to connect and decrypt these devices.
With this update, the remote-cryptsetup.target unit and other patches have been added to the systemd packages. As a result, it is now possible to unlock encrypted block devices that are connected by network during system boot and to mount file systems on such block devices.
To ensure correct ordering between services during system boot, you must mark the network device with the _netdev option in the /etc/crypttab configuration file.
A common use case for this feature is together with network-bound disk encryption. For more information on network-bound disk encryption, see the following chapter in the Red Hat Enterprise Linux Security Guide:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-policy-based_decryption#sec-Using_Network-Bound_Disk_Encryption (BZ#1384014)
SELinux now supports InfiniBand object labeling
This release introduces SELinux support for InfiniBand end port and P_Key labeling, including enhancements to the kernel, policy, and the semanage tool. To manage InfiniBand-related labels, use the following commands:
libica rebased to 3.2.0
The libica packages have been upgraded to upstream version 3.2.0, which most notably adds support for the Enhanced SIMD instructions set. (BZ#1376836)
SELinux now supports systemd No New Privileges
This update introduces the nnp_nosuid_transition policy capability that enables SELinux domain transitions under No New Privileges (NNP) or nosuid if nnp_nosuid_transition is allowed between the old and new contexts. The selinux-policy packages now contain a policy for systemd services that use the NNP security feature.
The following rule describes allowing this capability for a service:
allow source_domain target_type:process2 { nnp_transition nosuid_transition };
For example:
allow init_t fprintd_t:process2 { nnp_transition nosuid_transition };
The distribution policy now also contains the m4 macro interface, which can be used in SELinux security policies for services that use the init_nnp_daemon_domain() function. (BZ#1480518)
Libreswan rebased to version 3.23
The libreswan packages have been upgraded to upstream version 3.23, which provides a number of bug fixes, speed improvements, and enhancements over the previous version. Notable changes include:
- Support for the extended DNS Security Extensions (DNSSEC) suite through the dnssec-enable=yes|no, dnssec-rootkey-file=, and dnssec-anchors= options.
- Experimental support for Postquantum Preshared Keys (PPK) through the ppk=yes|no|insist option.
- Support for Signature Authentication (RFC 7427) for RSA-SHA.
- The new logip= option with the default value yes can be used to disable logging of incoming IP addresses. This is useful for large-scale service providers concerned for privacy.
- Unbound DNS server ipsecmod module support for Opportunistic IPsec using IPSECKEY records in DNS.
- Support for the Differentiated Services Code Point (DSCP) architecture through the decap-dscp=yes option. DSCP was formerly known as Terms Of Service (TOS).
- Support for disabling Path MTU Discovery (PMTUD) through the nopmtudisc=yes option.
- Support for the IDr (Identification - Responder) payload for improved multi-domain deployments.
- Resending IKE packets on extremely busy servers that return the EAGAIN error message.
- Various improvements to the updown scripts for customizations.
- Updated preferences of crypto algorithms as per RFC 8221 and RFC 8247.
- Added the %none and /dev/null values to the leftupdown= option for disabling the updown script.
- Improved support for rekeying using the CREATE_CHILD_SA exchange.
- IKEv1 XAUTH thread race conditions resolved.
- Significant performance increase due to optimized pthread locking.
See the ipsec.conf man page for more information. (BZ#1457904)
libreswan now supports IKEv2 MOBIKE
This update introduces support for the IKEv2 Mobility and Multihoming (MOBIKE) protocol (RFC 4555) using the XFRM_MIGRATE mechanism through the mobike=yes|no option. MOBIKE enables seamless switching of networks, for example, Wi-Fi, LTE, and so on, without disturbing the IPsec tunnel. (BZ#1471763)
scap-workbench rebased to version 1.1.6
The scap-workbench packages have been upgraded to version 1.1.6, which provides a number of bug fixes and enhancements over the previous version. Notable changes are:
- Added support for generating Bash and Ansible remediation roles from profiles and from scan results. The generated remediations can be saved to a file for later use.
- Added support for opening tailoring files directly from the command line.
- Fixed a short integer overflow when using SSH port numbers higher than 32,768. (BZ#1479036)
OpenSCAP is now able to generate results for DISA STIG Viewer
The OpenSCAP suite is now able to generate results in the format compatible with the DISA STIG Viewer tool. This enables the user to scan a local system for Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) compliance and open the results in DISA STIG Viewer. (BZ#1505517)
selinux-policy no longer contains permissive domains
As a security hardening measure, the
SELinux
policy now does not set the following domains to permissive mode by default:
- blkmapd_t
- hsqldb_t
- ipmievd_t
- sanlk_resetd_t
- systemd_hwdb_t
- targetd_t
The default mode for these domains is now set to enforcing. (BZ#1494172)
audit rebased to version 2.8.1
The audit packages have been upgraded to upstream version 2.8.1, which provides a number of bug fixes and enhancements over the previous version. Notable changes are:
- Added support for ambient capability fields.
- The Audit daemon now also works on IPv6.
- Added the default port to the auditd.conf file.
- Fixed the auvirt tool to report Access Vector Cache (AVC) messages. (BZ#1476406)
OpenSC now supports the SCE7.0 144KDI CAC Alt. tokens
This update adds support for the SCE7.0 144KDI Common Access Card (CAC) Alternate tokens. These new cards were not compliant with the previous U.S. Department of Defense (DoD) Implementation Guide for CAC PIV End-Point specification, and the OpenSC driver has been updated to reflect the updated specification. (BZ#1473418)