Chapter 16. Security
Clevis now supports TPM 2.0
With this update, the Clevis pluggable framework for Policy-Based Decryption (PBD) also supports clients that encrypt using a Trusted Platform Module 2.0 (TPM 2.0) chip. For more information and the list of possible configuration properties, see the clevis-encrypt-tpm2(1) man page.
Note that this feature is available only on systems with the 64-bit Intel or 64-bit AMD architecture. (BZ#1472435)
gnutls rebased to 3.3.29
The GNU Transport Layer Security (GnuTLS) library has been upgraded to upstream version 3.3.29, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
- Improved the PKCS#11 cryptographic token interface for hardware security modules (HSMs): added DSA support in p11tool and fixed key import in certain Atos HSMs.
- Improved counter-measures for the TLS Cipher Block Chaining (CBC) record padding. The previous counter-measures had certain issues and were insufficient when the attacker had access to the CPU cache and performed a chosen-plaintext attack (CPA).
- Disabled the legacy HMAC-SHA384 cipher suites by default. (BZ#1561481)
AES-GCM operations with OpenSSL are now faster on IBM z14
This update introduces support for additional acceleration of cryptographic operations with new CP Assist for Cryptographic Functions (CPACF) instructions available on IBM z14 systems. As a result, AES-GCM operations with the OpenSSL library are now executed faster on IBM z14 and later hardware. (BZ#1519396)
sudo rebased to version 1.8.23
The sudo packages have been upgraded to upstream version 1.8.23, which provides a number of bug fixes and enhancements over the previous version:
- The new cvtsudoers utility replaces both the sudoers2ldif script and the visudo -x functionality. It can read a file in either sudoers or LDIF format and produce JSON, LDIF, or sudoers output. It is also possible to filter the generated output file by user, group, or host name.
- The always_query_group_plugin option is now set explicitly in the default /etc/sudoers file. Users who upgrade from previous versions and want to retain the old group-querying behavior should ensure that this setting is in place after the upgrade.
- PAM account management modules are now run even when no password is required.
- The new case_insensitive_user and case_insensitive_group sudoers options control whether sudo does case-sensitive matching of users and groups in sudoers. Case-insensitive matching is now the default.
- It is now an error to specify the runas user as an empty string on the command line. Previously, an empty runas user was treated the same as an unspecified runas user.
- I/O log files are now created with group ID 0 by default unless the iolog_user or iolog_group options are set in sudoers.
- It is now possible to preserve bash shell functions in the environment where the env_reset sudoers setting is disabled by removing the *=()* pattern from the env_delete list. (BZ#1547974)
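A constructed sudoers fragment that pins down the behaviours the 1.8.23 changes above touch. It is added here as an illustration and is not from the release notes or the sudo project; the operators group, the command, and the "adm" group are placeholders.

```ini
# Keep the pre-1.8.23 group-querying behaviour explicitly. The upgrade writes
# this line into the default /etc/sudoers; verify it survived a merged config.
Defaults always_query_group_plugin

# 1.8.23 matches users and groups case-insensitively by default; restore
# strict matching so that "Admin" and "admin" are not the same principal.
Defaults !case_insensitive_user, !case_insensitive_group

# I/O logs are now created with group ID 0 unless told otherwise; hand them
# to the log-review group instead ("adm" is a placeholder).
Defaults iolog_group = "adm"

# Since 1.8.23 PAM account modules (for example pam_time) still run for
# NOPASSWD rules, so time-of-day restrictions apply to this entry too.
%operators ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd
```

Check the fragment with visudo -c -f before installing it under /etc/sudoers.d.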
usbguard rebased to version 0.7.4
The usbguard packages have been rebased to upstream version 0.7.4. This version provides a number of bug fixes and enhancements over the previous version, most notably:
- The usbguard-daemon now exits with an error if it fails to open a logging file or an audit event file.
- The present-device enumeration algorithm is now more reliable. Enumeration timeouts no longer cause the usbguard-daemon process to exit.
- The usbguard watch command now includes the -e option to run an executable for every received event. The event data is passed to the executable through environment variables. (BZ#1508878)
audit rebased to 2.8.4
The audit packages have been upgraded to upstream version 2.8.4, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
- Added support for dumping internal state. You can now run the service auditd state command to see information about the Audit daemon.
- Added support for the SOFTWARE_UPDATE event generated by the rpm and yum tools.
- Allowed unlimited retries during a remote logging startup. This helps to start even if the aggregating server is not running when a client is booted.
- Improved IPv6 remote logging. (BZ#1559032)
RPM now provides audit events
With this update, the RPM Package Manager (RPM) provides audit events. The information that a software package is installed or updated is important for system analysis with the Linux Audit system. RPM now creates a SOFTWARE_UPDATE audit event whenever a package is installed or upgraded by the root user. (BZ#1555326)
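Detection logic over the SOFTWARE_UPDATE records described in the two entries above, added here as an illustration (not from the release notes, the audit project, or RPM). The sample records are constructed, and the inner field names (op, sw, gpg_res, res) are assumptions to confirm against ausearch -m SOFTWARE_UPDATE on a live host.

```python
"""Parse Linux Audit SOFTWARE_UPDATE records and flag packages that rpm
installed without a passing GPG signature check (assumed field gpg_res=0)."""
import re
from typing import Dict, List

# Constructed sample records (not captured from a real system): two installs,
# one of which failed the GPG check, one update, and one unrelated record.
SAMPLE_LOG = """\
type=SOFTWARE_UPDATE msg=audit(1535371235.160:215): pid=3147 uid=0 auid=1000 ses=3 msg='op=install sw="nmap-ncat-6.40-13.el7.x86_64" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" exe="/usr/bin/rpm" hostname=? addr=? terminal=pts/0 res=success'
type=SOFTWARE_UPDATE msg=audit(1535371301.482:219): pid=3201 uid=0 auid=1000 ses=3 msg='op=install sw="unsigned-tool-1.0-1.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" exe="/usr/bin/rpm" hostname=? addr=? terminal=pts/0 res=success'
type=SOFTWARE_UPDATE msg=audit(1535371402.008:224): pid=3290 uid=0 auid=1000 ses=3 msg='op=update sw="sudo-1.8.23-3.el7.x86_64" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" exe="/usr/bin/rpm" hostname=? addr=? terminal=pts/0 res=success'
type=USER_CMD msg=audit(1535371500.001:230): pid=3300 uid=1000 auid=1000 ses=3 msg='cwd="/root" cmd=72706D202D69 terminal=pts/0 res=success'
"""

# key=value pairs; a value is "double-quoted", 'single-quoted' or bare.
KV_RE = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|\S+)''')


def parse_record(line: str) -> Dict[str, str]:
    """Flatten one audit record into a dict. The single-quoted inner msg='...'
    is parsed recursively so op=, sw=, gpg_res= become top-level keys; the
    outer msg=audit(TIME:SERIAL): stays under the key 'msg'."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if key == "msg" and raw.startswith("'"):
            fields.update(parse_record(raw[1:-1]))
        else:
            fields[key] = raw.strip('"')
    return fields


def unsigned_installs(log: str) -> List[Dict[str, str]]:
    """Return SOFTWARE_UPDATE records where the operation succeeded although
    rpm reported no passing GPG check: the packages to account for first."""
    hits = []
    for line in log.splitlines():
        rec = parse_record(line)
        if (rec.get("type") == "SOFTWARE_UPDATE" and rec.get("res") == "success"
                and rec.get("gpg_res") == "0"):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in unsigned_installs(SAMPLE_LOG):
        print(f"{rec['msg']} auid={rec['auid']} {rec['op']} {rec['sw']} (no GPG check)")
```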
SELinux now supports extended_socket_class
This update introduces the extended_socket_class policy capability that enables a number of new SELinux object classes to support all of the known network socket address families. It also enables the use of separate security classes for Internet Control Message Protocol (ICMP) and Stream Control Transmission Protocol (SCTP) sockets, which were previously mapped to the rawip_socket class. (BZ#1564775, BZ#1427553)
selinux-policy now checks file permissions when mmap() is used
This release introduces a new permission check on the mmap() system call. The purpose of a separate map permission check on mmap() is to permit policy to prohibit memory mapping of specific files for which you need to ensure that every access is revalidated. This is useful for scenarios where you expect the files to be relabeled at run-time to reflect state changes, for example, in a cross-domain solution or an assured pipeline without data copying.
This functionality is enabled by default. Also, a new SELinux boolean, domain_can_mmap_files, has been added. If domain_can_mmap_files is enabled, every domain can use mmap() on every file, character device, or block device. If domain_can_mmap_files is disabled, the list of domains that can use mmap() is limited. (BZ#1460322)
The RHEL7 DISA STIG profile now matches STIG Version 1, Release 4
With this update of the SCAP Security Guide project, the RHEL7 Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) profile is aligned with STIG Version 1, Release 4. Note that certain rules do not contain an automated check or fix. (BZ#1443551)
Libreswan now supports PKCS #7-formatted X.509 certificates
With this update, the Libreswan Virtual Private Network application also supports PKCS #7-formatted X.509 certificates. This enables interoperability with systems running Microsoft Windows. (BZ#1536404)
libreswan rebased to version 3.25
The libreswan packages have been upgraded to upstream version 3.25, which provides a number of bug fixes and enhancements over the previous version.
Note that previously, an incorrect configuration forbidding Perfect Forward Secrecy with the pfs=no option and setting an ESP/AH PFS modp group (for example, esp=aes-sha2;modp2048) would load and ignore the modp setting. With this update, these connections fail to load with the "ESP DH algorithm MODP2048 is invalid as PFS policy is disabled" error message. (BZ#1591817)
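The misconfiguration the note describes, as a constructed ipsec.conf fragment with the two ways of stating the intent explicitly. It is added here as an illustration and is not from the release notes or the Libreswan project; the connection names, the RFC 5737 addresses, and authby=secret are placeholders.

```ini
# Before 3.25 this connection loaded and the modp2048 group was silently
# ignored, so no PFS was negotiated despite what the esp= line suggests.
# With 3.25 it refuses to load with:
#   ESP DH algorithm MODP2048 is invalid as PFS policy is disabled
conn site-a-broken
    left=192.0.2.1
    right=198.51.100.1
    authby=secret
    pfs=no
    esp=aes-sha2;modp2048
    auto=add

# Corrected, option 1: enable PFS so the DH group in esp= is honoured.
conn site-a-pfs
    left=192.0.2.1
    right=198.51.100.1
    authby=secret
    pfs=yes
    esp=aes-sha2;modp2048
    auto=add

# Corrected, option 2: keep pfs=no and drop the DH group from esp=, which
# is what the old configuration was actually negotiating.
conn site-a-nopfs
    left=192.0.2.1
    right=198.51.100.1
    authby=secret
    pfs=no
    esp=aes-sha2
    auto=add
```

After the upgrade, ipsec auto --add site-a-broken reports the error quoted above, while the two corrected connections load.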
openssl-ibmca rebased to version 2.0.0
The openssl-ibmca packages have been upgraded to upstream version 2.0.0, which provides a number of bug fixes and enhancements over the previous version:
- The Elliptic-Curve Cryptography (ECC) functionality is now supported.
- Compatibility with various OpenSSL versions has been increased.
Note that to use the ECC functionality with a shared CEX4C adapter in the z/VM 6.4 system, the Authorized Program Analysis Report (APAR) VM65942 is required. (BZ#1519395)
sudo now runs the PAM stack even when no authentication is required
With this update, the sudo utility runs Pluggable Authentication Module (PAM) account management modules even when the NOPASSWD option is configured in the policy. This enables checking for restrictions imposed by PAM modules outside of the authentication phase. As a result, PAM modules such as pam_time now work properly in the described scenario. (BZ#1533964)
cvtsudoers converts between different sudoers formats
The new cvtsudoers utility enables the administrator to convert rules between different sudoers security policy file formats. See the cvtsudoers(1) man page for the list of available options and examples of usage. (BZ#1548380)
SCAP Security Guide now supports OSPP v4.2
This update of the scap-security-guide packages introduces a new profile defining the core requirements of OSPP (General-Purpose Operating System Protection Profile) v4.2. The new profile ID is ospp42, and the previously released profile USGCB (United States Government Configuration Baseline) OSPP v4.0 is available with ID ospp. (BZ#1619689)
selinux-policy now contains five additional SELinux booleans
This update of the selinux-policy packages introduces the following SELinux booleans:
- keepalived_connect_any - allows the keepalived service to connect to arbitrary ports.
- tomcat_use_execmem - allows the Tomcat server to make its stack executable.
- tomcat_can_network_connect_db - allows Tomcat to connect to the PostgreSQL port.
- redis_enable_notify - allows the redis-sentinel service to run notification scripts.