Chapter 8. Security
8.1. Changes in core cryptographic components
8.1.1. System-wide cryptographic policies are applied by default
Crypto-policies is a component in Red Hat Enterprise Linux 8, which configures the core cryptographic subsystems, covering the TLS, IPsec, DNSSEC, Kerberos protocols, and the OpenSSH suite. It provides a small set of policies, which the administrator can select using the update-crypto-policies command.
The DEFAULT system-wide cryptographic policy offers secure settings for current threat models. It allows the TLS 1.2 and 1.3 protocols, as well as the IKEv2 and SSH2 protocols. RSA keys and Diffie-Hellman parameters are accepted only if they are at least 2048 bits long.
See the Consistent security by crypto policies in Red Hat Enterprise Linux 8 article on the Red Hat Blog and the update-crypto-policies(8) man page for more information.
8.1.2. Strong crypto defaults by removing insecure cipher suites and protocols
The following list contains cipher suites and protocols removed from the core cryptographic libraries in RHEL 8. They are not present in the sources, or their support is disabled during the build, so applications cannot use them.
- DES (since RHEL 7)
- All export grade cipher suites (since RHEL 7)
- MD5 in signatures (since RHEL 7)
- SSLv2 (since RHEL 7)
- SSLv3 (since RHEL 8)
- All ECC curves < 224 bits (since RHEL 6)
- All binary field ECC curves (since RHEL 6)
8.1.3. Cipher suites and protocols disabled in all policy levels
The following cipher suites and protocols are disabled in all crypto policy levels. They can be enabled only by an explicit configuration of individual applications.
- DH with parameters < 1024 bits
- RSA with key size < 1024 bits
- Camellia
- ARIA
- SEED
- IDEA
- Integrity-only cipher suites
- TLS CBC mode cipher suites using SHA-384 HMAC
- AES-CCM8
- All ECC curves incompatible with TLS 1.3, including secp256k1
- IKEv1 (since RHEL 8)
8.1.4. Switching the system to FIPS mode
The system-wide cryptographic policies contain a policy level that enables the self-checks of cryptographic modules in accordance with the requirements of Federal Information Processing Standard (FIPS) Publication 140-2. The fips-mode-setup tool that enables or disables FIPS mode internally uses the FIPS system-wide cryptographic policy level.
To switch the system to FIPS mode in RHEL 8, enter the following command and restart your system:
# fips-mode-setup --enable
See the fips-mode-setup(8) man page for more information.
8.1.5. TLS 1.0 and TLS 1.1 are deprecated
The TLS 1.0 and TLS 1.1 protocols are disabled in the DEFAULT system-wide cryptographic policy level. If your scenario, for example, a video conferencing application in the Firefox web browser, requires using the deprecated protocols, switch the system-wide cryptographic policy to the LEGACY level:
# update-crypto-policies --set LEGACY
Note that the LEGACY level re-enables the weaker protocols and algorithms for every application that follows the system-wide policy, not only for the one that needs them.
For more information, see the Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer Portal and the update-crypto-policies(8) man page.
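The cipher suites listed in 8.1.2 and 8.1.3 can still be re-enabled by an application that configures its own cipher list, and the protocol versions discussed in 8.1.5 come back only with the LEGACY policy. The following Python script is an added example, not part of the Red Hat documentation and not Red Hat's tooling: it takes the OpenSSL cipher names an application configures and reports which of them the DEFAULT policy would otherwise disable, and it checks the minimum protocol version of a Python ssl.SSLContext. The sample cipher list is constructed for illustration, and the name patterns follow OpenSSL's cipher naming and cover only the suite families named in this chapter.

```python
"""Audit an application's own TLS settings against the RHEL 8 crypto-policy
rules in sections 8.1.2, 8.1.3 and 8.1.5.

Added example, not Red Hat code. crypto-policies only sets library-wide
defaults; a program that calls SSL_CTX_set_cipher_list() or lowers its
minimum protocol version itself bypasses them. The checks below apply the
policy's own rules to such explicit configuration.
"""
import re
import ssl

# Suite families that RHEL 8 removed outright (8.1.2) or disables at every
# policy level (8.1.3), matched against OpenSSL cipher names. First match wins.
_RULES = [
    ("Camellia", re.compile(r"CAMELLIA")),
    ("ARIA", re.compile(r"ARIA")),
    ("SEED", re.compile(r"SEED")),
    ("IDEA", re.compile(r"IDEA")),
    ("integrity-only suite (NULL encryption)", re.compile(r"(^|-)NULL(-|$)")),
    ("AES-CCM8", re.compile(r"CCM8")),
    ("export grade", re.compile(r"^EXP")),
    ("single DES", re.compile(r"(^|-)DES-CBC-SHA$")),  # 3DES is DES-CBC3, not matched
    ("RC4", re.compile(r"RC4")),
    ("MD5 MAC", re.compile(r"-MD5$")),
]
# TLS 1.2 CBC suites with HMAC-SHA384 end in "-SHA384" just like the AEAD
# suites; only the non-AEAD ones (no GCM/CCM/CHACHA20 in the name) are disabled.
_SHA384_SUFFIX = re.compile(r"-SHA384$")
_AEAD = re.compile(r"GCM|CCM|CHACHA20")


def suite_violations(names):
    """Map each disallowed OpenSSL cipher name to the reason it is disabled."""
    found = {}
    for name in names:
        for reason, pattern in _RULES:
            if pattern.search(name):
                found[name] = reason
                break
        else:
            if _SHA384_SUFFIX.search(name) and not _AEAD.search(name):
                found[name] = "CBC mode with SHA-384 HMAC"
    return found


def allows_deprecated_protocols(minimum_version):
    """True when the protocol floor is SSLv3, TLS 1.0, TLS 1.1 or 'lowest
    supported' (ssl.TLSVersion is an IntEnum, so plain ints work too)."""
    return minimum_version <= ssl.TLSVersion.TLSv1_1


def audit_context(ctx):
    """Audit a configured ssl.SSLContext: protocol floor and enabled suites."""
    report = {"protocol": [], "suites": {}}
    if allows_deprecated_protocols(ctx.minimum_version):
        report["protocol"].append(
            f"minimum_version={ctx.minimum_version.name} permits TLS < 1.2")
    report["suites"] = suite_violations(c["name"] for c in ctx.get_ciphers())
    return report


def default_policy_context():
    """Client context with the protocol floor the DEFAULT policy requires."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample: what an application might put in its cipher string.
SAMPLE_CIPHERS = [
    "TLS_AES_256_GCM_SHA384",         # TLS 1.3 AEAD, allowed
    "ECDHE-RSA-AES256-GCM-SHA384",    # TLS 1.2 AEAD, allowed
    "ECDHE-RSA-AES256-SHA384",        # CBC with SHA-384 HMAC, disabled
    "ECDHE-ECDSA-AES128-CCM8",        # AES-CCM8, disabled
    "CAMELLIA256-SHA",                # Camellia, disabled
    "NULL-SHA256",                    # integrity only, disabled
    "RC4-MD5",                        # RC4 removed since RHEL 7
    "DES-CBC-SHA",                    # single DES removed since RHEL 7
    "ECDHE-RSA-DES-CBC3-SHA",         # 3DES, not in this chapter's lists
]

if __name__ == "__main__":
    for name, why in suite_violations(SAMPLE_CIPHERS).items():
        print(f"{name:32} {why}")
    print(audit_context(default_policy_context())["protocol"] or "protocol floor OK")
```

Run it against the cipher string an application actually passes to its TLS library, not against the library default; the library default already follows the system policy, the explicit list is what can silently widen it.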
8.1.6. TLS 1.3 support in cryptographic libraries
This update enables Transport Layer Security (TLS) 1.3 by default in all major back-end crypto libraries. TLS 1.3 reduces connection latency across the operating system's communication layer and improves privacy and security for applications by using new algorithms, such as RSA-PSS signatures and X25519 key exchange.
8.1.7. DSA is deprecated in RHEL 8
The Digital Signature Algorithm (DSA) is considered deprecated in Red Hat Enterprise Linux 8. Authentication mechanisms that depend on DSA keys do not work in the default configuration. Note that OpenSSH clients do not accept DSA host keys even in the LEGACY system-wide cryptographic policy level.
8.1.8. SSL2 Client Hello has been deprecated in NSS
The Transport Layer Security (TLS) protocol version 1.2 and earlier allow a negotiation to start with a Client Hello message formatted in a way that is backward compatible with the Secure Sockets Layer (SSL) protocol version 2. Support for this feature in the Network Security Services (NSS) library has been deprecated, and it is disabled by default.
Applications that require support for this feature need to use the new SSL_ENABLE_V2_COMPATIBLE_HELLO API to enable it. Support for this feature may be removed completely in future releases of Red Hat Enterprise Linux 8.
8.1.9. NSS now use SQL by default
The Network Security Services (NSS) libraries now use the SQL file format for the trust database by default. The DBM file format, which was used as the default database format in previous releases, does not support concurrent access to the same database by multiple processes, and it has been deprecated upstream. As a result, applications that use the NSS trust database to store keys, certificates, and revocation information now create databases in the SQL format by default. Attempts to create databases in the legacy DBM format fail. Existing DBM databases are opened in read-only mode and automatically converted to the SQL format. Note that NSS has supported the SQL file format since Red Hat Enterprise Linux 6.
8.2. SSH
8.2.1. OpenSSH rebased to version 7.8p1
The openssh packages have been upgraded to upstream version 7.8p1. Notable changes include:
- Removed support for the SSH version 1 protocol.
- Removed support for the hmac-ripemd160 message authentication code.
- Removed support for RC4 (arcfour) ciphers.
- Removed support for Blowfish ciphers.
- Removed support for CAST ciphers.
- Changed the default value of the UseDNS option to no.
- Disabled DSA public key algorithms by default.
- Changed the minimal modulus size for Diffie-Hellman parameters to 2048 bits.
- Changed semantics of the ExposeAuthInfo configuration option.
- The UsePrivilegeSeparation=sandbox option is now mandatory and cannot be disabled.
- Set the minimal accepted RSA key size to 1024 bits.
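As an added example, not code from the Red Hat documentation or from OpenSSH, the following Python script applies the key rules from 8.1.1, 8.1.7 and 8.2.1 to OpenSSH public key lines of the kind found in authorized_keys or in the key field of known_hosts. It decodes the key blob, reports the algorithm and key size, rejects DSA keys outright, and rejects RSA keys below the 2048-bit floor of the DEFAULT policy. The 1024-bit floor it uses for LEGACY is an assumption taken from the OpenSSH 7.8 minimum above. The key lines the script generates are synthetic placeholders constructed for the demonstration, not real keys; the wire layout it parses is the standard RFC 4253 encoding (length-prefixed strings, mpint fields for RSA e and n and for DSA p, q, g and y).

```python
"""Check OpenSSH public keys against the RHEL 8 rules in 8.1.1, 8.1.7 and
8.2.1: DSA keys are disabled outright, RSA keys need at least 2048 bits under
the DEFAULT policy, and OpenSSH 7.8 itself refuses RSA keys under 1024 bits.

Added example, not Red Hat or OpenSSH code. The key lines it generates for
demonstration are synthetic: the "moduli" are plain numbers of the right bit
length, not real key material, so they must never be installed anywhere.
"""
import base64
import struct

# Smallest RSA modulus accepted under each policy level. DEFAULT is from
# 8.1.1; the 1024-bit LEGACY floor is an assumption matching the OpenSSH 7.8
# minimum in 8.2.1.
MIN_RSA_BITS = {"DEFAULT": 2048, "LEGACY": 1024}


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def _mpint_bits(raw):
    """Bit length of an SSH mpint (big-endian, may carry a leading 0x00)."""
    return int.from_bytes(raw, "big").bit_length()


def parse_public_key(line):
    """Return (key_type, bits) for one 'type base64-blob [comment]' line."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode("ascii") != key_type:
        raise ValueError("key type prefix does not match the encoded blob")
    if key_type == "ssh-rsa":                  # string "ssh-rsa", mpint e, mpint n
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        return key_type, _mpint_bits(n)
    if key_type == "ssh-dss":                  # mpint p, q, g, y; p sets the size
        p, _ = _read_string(blob, off)
        return key_type, _mpint_bits(p)
    if key_type.startswith("ecdsa-sha2-nistp"):
        return key_type, int(key_type[len("ecdsa-sha2-nistp"):])
    if key_type == "ssh-ed25519":
        return key_type, 256
    raise ValueError(f"unsupported key type {key_type}")


def check_key(line, policy="DEFAULT"):
    """Return (key_type, bits, verdict); verdict is 'accepted' or a reason."""
    key_type, bits = parse_public_key(line)
    if key_type == "ssh-dss":
        # Disabled by default in OpenSSH 7.8; DSA host keys are refused by the
        # client even under LEGACY (8.1.7, 8.2.1).
        return key_type, bits, "rejected: DSA keys are disabled in RHEL 8"
    floor = MIN_RSA_BITS[policy]
    if key_type == "ssh-rsa" and bits < floor:
        return key_type, bits, f"rejected: RSA modulus below {floor} bits ({policy} policy)"
    return key_type, bits, "accepted"


# --- synthetic key lines, encoded with the same wire format ------------------
def _string(data):
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    # One extra byte when the top bit is set keeps the mpint non-negative.
    return _string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def synthetic_rsa_line(bits):
    """NOT a real key: the modulus is just 2**(bits-1) + 1."""
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " synthetic"


def synthetic_dsa_line(bits=1024):
    """NOT a real key: p, q, g, y are placeholder numbers."""
    blob = _string(b"ssh-dss") + _mpint((1 << (bits - 1)) | 1) + _mpint((1 << 159) | 1)
    blob += _mpint(2) + _mpint(3)
    return "ssh-dss " + base64.b64encode(blob).decode() + " synthetic"


def synthetic_ed25519_line():
    """NOT a real key: 32 zero bytes stand in for the public point."""
    blob = _string(b"ssh-ed25519") + _string(bytes(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " synthetic"


if __name__ == "__main__":
    for line in (synthetic_rsa_line(4096), synthetic_rsa_line(2048),
                 synthetic_rsa_line(1024), synthetic_dsa_line(),
                 synthetic_ed25519_line()):
        for policy in ("DEFAULT", "LEGACY"):
            print(policy, *check_key(line, policy))
```

Pointed at a real authorized_keys or known_hosts file before an upgrade, check_key tells you which entries will stop working under DEFAULT, which only survive under LEGACY, and which (DSA) will not work at all.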
8.2.2. libssh implements SSH as a core cryptographic component
This change introduces libssh as a core cryptographic component in Red Hat Enterprise Linux 8. The libssh library implements the Secure SHell (SSH) protocol.
8.2.3. libssh2 is not available in RHEL 8
The deprecated libssh2 library lacks features, such as support for elliptic curves or the Generic Security Service Application Program Interface (GSSAPI), and it has been removed from RHEL 8 in favor of libssh.
8.3. Rsyslog
8.3.1. The default rsyslog configuration file format is now non-legacy
The configuration files in the rsyslog packages now use the non-legacy format by default. The legacy format can still be used, although mixing current and legacy configuration statements has several constraints. Configurations carried over from previous RHEL releases should be revised. See the rsyslog.conf(5) man page for more information.
8.3.2. The imjournal option and configuring system logging with minimized journald usage
To avoid duplicate records that might appear when journald rotated its files, the imjournal option has been added. Note that use of this option can affect performance.
Note that the system with rsyslog can be configured to provide better performance as described in the Configuring system logging without journald or with minimized journald usage Knowledgebase article.
8.3.3. Negative effects of the default logging setup on performance
The default logging environment setup might consume 4 GB of memory or even more, and adjusting rate-limit values is complex when systemd-journald is running together with rsyslog.
See the Negative effects of the RHEL default logging setup on performance and their mitigations Knowledgebase article for more information.
8.4. OpenSCAP
8.4.1. OpenSCAP API consolidated
This update provides OpenSCAP shared library API that has been consolidated. 63 symbols have been removed, 14 added, and 4 have an updated signature. The removed symbols in OpenSCAP 1.3.0 include:
- symbols that were marked as deprecated in version 1.2.0
- SEAP protocol symbols
- internal helper functions
- unused library symbols
- unimplemented symbols
8.4.2. oscap-podman replaces oscap-docker for security and compliance scanning of containers
In RHEL 8.2, a new utility for security and compliance scanning of containers has been introduced. The oscap-podman tool provides an equivalent of the oscap-docker utility that serves for scanning containers and container images in RHEL 7.
For more information, see the Scanning containers and container images for vulnerabilities section.
8.5. Audit
8.5.1. Audit 3.0 replaces audispd with auditd
With this update, the functionality of audispd has been moved to auditd. As a result, audispd configuration options are now part of auditd.conf. In addition, the plugins.d directory has been moved under /etc/audit. The current status of auditd and its plug-ins can now be checked by running the service auditd state command.
8.6. SELinux
8.6.1. SELinux packages migrated to Python 3
- The policycoreutils-python package has been replaced by the policycoreutils-python-utils and python3-policycoreutils packages.
- The functionality of the libselinux-python package is now provided by the python3-libselinux package.
- The functionality of the setools-libs package is now provided by the python3-setools package.
- The functionality of the libsemanage-python package is now provided by the python3-libsemanage package.
8.6.2. Changes in SELinux sub-packages
- The libselinux-static, libsemanage-static, libsepol-static, and setools-libs-tcl packages have been removed.
- The setools-gui and setools-console-analyses packages are not available in RHEL 8.0 and 8.1. RHEL 8.2 is the first minor version of RHEL 8 that contains these sub-packages.
8.6.3. Changes in SELinux policy
The init_t
domain type is no longer unconfined on RHEL 8. This might cause problems for third-party applications that use a different SELinux labeling approach.
To overcome SELinux labeling problems in the non-standard locations, you can configure file context equivalency for such locations.
Configure file context equivalency for the /my/apps and / directories:
# semanage fcontext -a -e / /my/apps
Verify file context equivalency by listing local customizations of the SELinux policy:
# semanage fcontext -l -C
SELinux Local fcontext Equivalence
/my/apps = /
Restore the context of /my/apps to the default, which is now equivalent to the context of /:
# restorecon -Rv /my/apps
restorecon reset /my/apps context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:root_t:s0
restorecon reset /my/apps/bin context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:bin_t:s0
restorecon reset /my/apps/bin/executable context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:bin_t:s0
This approach assigns correct labels to the majority of files and directories installed in the non-standard location, which also leads to correctly labeled processes started by some of the executable files.
To remove file context equivalency, use the following command:
# semanage fcontext -d -e / /my/apps
For additional information, see the semanage-fcontext(8) man page.
8.6.4. Changes in SELinux booleans
8.6.4.1. New SELinux booleans
This update of the SELinux system policy introduces the following booleans:
- colord_use_nfs
- deny_bluetooth
- httpd_use_opencryptoki
- logrotate_use_fusefs
- mysql_connect_http
- pdns_can_network_connect_db
- ssh_use_tcpd
- sslh_can_bind_any_port
- sslh_can_connect_any_port
- tor_can_onion_services
- unconfined_dyntrans_all
- use_virtualbox
- virt_sandbox_share_apache_content
- virt_use_pcscd
8.6.4.2. Removed SELinux booleans
The RHEL 8 SELinux policy does not provide the following booleans that were available in the previous release:
- container_can_connect_any
- ganesha_use_fusefs
8.6.4.3. Changes of default values
In RHEL 8, the following SELinux booleans are set to a different default value than in the previous release:
- domain_can_mmap_files is now off by default.
- httpd_graceful_shutdown is now off by default.
- mozilla_plugin_can_network_connect is now on by default.
- named_write_master_zones is now on by default.
Additionally, the descriptions of the antivirus_use_jit and ssh_chroot_rw_homedirs booleans have been changed.
To get a list of booleans including their meaning, and to find out if they are enabled or disabled, install the selinux-policy-devel package and use:
# semanage boolean -l
8.6.5. Changes in SELinux port types
The RHEL 8 SELinux policy provides the following additional port types:
- appswitch_emp_port_t
- babel_port_t
- bfd_control_port_t
- conntrackd_port_t
- firepower_port_t
- nmea_port_t
- nsca_port_t
- openqa_port_t
- openqa_websockets_port_t
- priority_e_com_port_t
- qpasa_agent_port_t
- rkt_port_t
- smntubootstrap_port_t
- statsd_port_t
- versa_tek_port_t
Furthermore, the definitions of the dns_port_t and ephemeral_port_t port types have been changed, and the gluster_port_t port type has been removed.
8.6.6. Changes in sesearch usage
- The sesearch command no longer accepts the -C option; conditional expressions are now always included in its output.
- The -T, --type option has been split into:
  - -T, --type_trans - find type_transition rules.
  - --type_member - find type_member rules.
  - --type_change - find type_change rules.
8.7. Removed security functionality
8.7.1. shadow-utils no longer allow all-numeric user and group names
The useradd and groupadd commands disallow user and group names consisting purely of numeric characters. Such names can confuse many tools that work with both user and group names and numeric user and group IDs, so they are not allowed. Please note that all-numeric user and group names are deprecated in Red Hat Enterprise Linux 7 and their support is completely removed in Red Hat Enterprise Linux 8.
8.7.2. securetty is now disabled by default
Because of the dynamic nature of tty device files on modern Linux systems, the securetty PAM module has been disabled by default and the /etc/securetty configuration file is no longer included in RHEL. Since /etc/securetty listed many possible devices, the practical effect in most cases was to allow by default, so this change has only a minor impact. However, if you use a more restrictive configuration, you need to add a line enabling the pam_securetty.so module to the appropriate files in the /etc/pam.d directory, and create a new /etc/securetty file.
8.7.3. The Clevis HTTP pin has been removed
The Clevis HTTP pin has been removed from RHEL 8, and the clevis encrypt http sub-command is no longer available.
8.7.4. Coolkey has been removed
The Coolkey driver for smart cards has been removed from RHEL 8, and OpenSC now provides its functionality.
8.7.5. crypto-utils have been removed
The crypto-utils packages have been removed from RHEL 8. You can use tools provided by the openssl, gnutls-utils, and nss-tools packages instead.
8.7.6. KLIPS has been removed from Libreswan
In Red Hat Enterprise Linux 8, support for the Kernel IP Security (KLIPS) IPsec stack has been removed from Libreswan.