Chapter 15. Security
New packages: tang, clevis, jose, luksmeta
Network Bound Disk Encryption (NBDE) allows the user to encrypt root volumes of the hard drives on physical and virtual machines without requiring a password to be entered manually when systems are rebooted.
- Tang is a server for binding data to network presence. It includes a daemon which provides cryptographic operations for binding to a remote service. The tang package provides the server side of the NBDE project.
- Clevis is a pluggable framework for automated decryption. It can be used to provide automated decryption of data or even automated unlocking of LUKS volumes. The clevis package provides the client side of the NBDE project.
- José is a C-language implementation of the Javascript Object Signing and Encryption standards. The jose package is a dependency of the clevis and tang packages.
- LUKSMeta is a simple library for storing metadata in the LUKSv1 header. The luksmeta package is a dependency of the clevis and tang packages.
Note that the tang-nagios and clevis-udisk2 subpackages are available only as a Technology Preview. (BZ#1300697, BZ#1300696, BZ#1399228, BZ#1399229)
New package: usbguard
The USBGuard software framework provides system protection against intrusive USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. To enforce a user-defined policy, USBGuard uses the Linux kernel USB device authorization feature. The USBGuard framework provides the following components:
- The daemon component with an inter-process communication (IPC) interface for dynamic interaction and policy enforcement
- The command-line interface to interact with a running USBGuard instance
- The rule language for writing USB device authorization policies
- The C++ API for interacting with the daemon component implemented in a shared library (BZ#1395615)
openssh rebased to version 7.4
The openssh package has been updated to upstream version 7.4, which provides a number of enhancements, new features, and bug fixes, including:
- Added support for the resumption of interrupted uploads in SFTP.
- Added the extended log format for the authentication failure messages.
- Added a new fingerprint type that uses the SHA-256 algorithm.
- Added support for using PKCS#11 devices with external PIN entry devices.
- Removed support for the SSH-1 protocol from the OpenSSH server.
- Removed support for the legacy v00 cert format.
- Added the PubkeyAcceptedKeyTypes and HostKeyAlgorithms configuration options for the ssh utility and the sshd daemon to allow disabling key types selectively.
- Added the AddKeysToAgent option for the OpenSSH client.
- Added the ProxyJump ssh option and the corresponding -J command-line flag.
- Added support for key exchange methods for the Diffie-Hellman 2K, 4K, and 8K groups.
- Added the Include directive for the ssh_config file.
- Removed support for the UseLogin option.
- Removed support for the pre-authentication compression in the server.
- The seccomp filter is now used for the pre-authentication process. (BZ#1341754)
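As an added example, not part of the release notes or of OpenSSH itself, the following script builds a client configuration from the 7.4 directives listed above (Include, ProxyJump, AddKeysToAgent, PubkeyAcceptedKeyTypes and HostKeyAlgorithms) and audits a config file for the legacy ssh-dss key type and for ssh-rsa, which in 7.4 denotes RSA signatures made with SHA-1. The host names, the bastion and the directory layout are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the release notes or of OpenSSH itself): a client
# configuration built from the OpenSSH 7.4 directives listed above, plus a small
# checker that reports whether a config still accepts the legacy ssh-dss (DSA)
# key type or SHA-1 RSA signatures (the ssh-rsa identifier). Host names, the
# bastion and the directory layout are constructed placeholders.

# Write a main config plus an included per-site fragment under $1.
write_client_config() {
    dir=$1
    mkdir -p "$dir/config.d"

    # Per-site fragment pulled in through the new Include directive.
    cat > "$dir/config.d/lab" <<'EOF'
Host lab-*
    # Reach lab hosts through the bastion (same as "ssh -J bastion.example.net").
    ProxyJump bastion.example.net
    # Add the key to a running ssh-agent the first time it is used.
    AddKeysToAgent yes
EOF

    # Absolute Include path: relative paths are resolved against ~/.ssh, not
    # against the directory that holds this file.
    cat > "$dir/config" <<EOF
Include $dir/config.d/*

Host *
    # Key types accepted for user authentication and for host keys: Ed25519,
    # RSA with SHA-2 signatures and ECDSA. ssh-dss and ssh-rsa (SHA-1) are omitted.
    PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256
    HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256
EOF
}

# Print the value of the first occurrence of directive $2 in config file $1
# (keywords are case-insensitive in ssh_config).
directive_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Exit status 0 when neither key-type directive in $1 lists a legacy algorithm,
# 1 when ssh-dss or ssh-rsa is still accepted.
accepts_only_modern_keys() {
    for key in PubkeyAcceptedKeyTypes HostKeyAlgorithms; do
        case ",$(directive_value "$1" "$key")," in
            *,ssh-dss,*|*,ssh-rsa,*) return 1 ;;
        esac
    done
    return 0
}

# Demo: build the config in a scratch directory and audit it.
demo_dir=$(mktemp -d)
write_client_config "$demo_dir"
if accepts_only_modern_keys "$demo_dir/config"; then
    echo "$demo_dir/config: only SHA-2 capable key types accepted"
else
    echo "$demo_dir/config: legacy key types still accepted" >&2
fi
```

On a host with OpenSSH 7.3 or later, `ssh -G -F "$demo_dir/config" lab-01` prints the effective configuration for a host, which is the quickest way to confirm that the Include fragment and the ProxyJump setting were picked up.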
audit rebased to version 2.7.6
The audit packages have been updated to upstream version 2.7.6, which provides a number of enhancements, new features, and bug fixes, including:
- The auditd service now automatically adjusts logging directory permissions when it starts up. This helps keep directory permissions correct after performing a package upgrade.
- The ausearch utility has a new --format output option. The --format text option presents an event as an English sentence describing what is happening. The --format csv option normalizes logs into a subject, object, action, results, and how it occurred, in addition to some metadata fields, and outputs them in the Comma Separated Value (CSV) format. This is suitable for pushing event information into a database, spreadsheet, or other analytic programs to view, chart, or analyze audit events.
- The auditctl utility can now reset the lost event counter in the kernel through the --reset-lost command-line option. This makes checking for lost events easier since you can reset the value to zero daily.
- ausearch and aureport now have a boot option for the --start command-line option to find events since the system booted.
- ausearch and aureport provide a new --escape command-line option to better control what kind of escaping is done to audit fields. It currently supports raw, tty, shell, and shell_quote escaping.
- auditctl no longer allows rules with the entry filter. This filter has not been supported since Red Hat Enterprise Linux 5. Prior to this release, on Red Hat Enterprise Linux 6 and 7, auditctl moved any entry rule to the exit filter and displayed a warning that the entry filter is deprecated. (BZ#1381601)
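As an added example, not part of the release notes or of the audit package, the following script shows how the options above combine into the daily lost-event check the note suggests: it reads the lost counter from the status auditctl prints, exports the events since boot in the new CSV format, and then zeroes the counter with --reset-lost. The sample status text is constructed to match the "name value" lines of `auditctl -s`; the export directory is an assumed path.

```shell
#!/bin/sh
# Added example (not part of the release notes or of the audit package): a daily
# lost-event check built on the audit 2.7 options described above. It parses the
# "lost" counter from "auditctl -s", exports the events since boot in the new CSV
# format, and then zeroes the counter with "auditctl --reset-lost" so each day's
# run measures only that day's losses. The status text below is constructed to
# match the "name value" lines auditctl prints; on a real host it comes from auditctl.

# Constructed sample of "auditctl -s" output, with 42 lost events.
SAMPLE_STATUS='enabled 1
failure 1
pid 713
rate_limit 0
backlog_limit 8192
lost 42
backlog 0'

# Print the lost-event counter found in auditctl status text on stdin,
# or -1 when the status has no "lost" line.
lost_events() {
    awk '$1 == "lost" { print $2; found = 1; exit } END { if (!found) print "-1" }'
}

# Exit status 0 when the counter in status text $1 is above threshold $2.
lost_exceeds() {
    n=$(printf '%s\n' "$1" | lost_events)
    [ "$n" -gt "$2" ]
}

# The daily job: only meaningful as root on a host with auditd installed.
# $1 is the export directory (assumed default path below).
daily_audit_check() {
    export_dir=${1:-/var/log/audit-exports}
    if ! command -v auditctl >/dev/null 2>&1; then
        echo "auditctl not installed; nothing to do" >&2
        return 0
    fi
    status=$(auditctl -s)
    if lost_exceeds "$status" 0; then
        echo "WARNING: $(printf '%s\n' "$status" | lost_events) audit events lost since the last reset" >&2
    fi
    # Normalized CSV of everything since boot, ready for a database or spreadsheet.
    mkdir -p "$export_dir"
    ausearch --start boot --format csv > "$export_dir/audit-$(date +%F).csv"
    # Zero the kernel counter so tomorrow's check starts from a clean slate.
    auditctl --reset-lost
}

# Run the real job only when asked; otherwise demonstrate the parser on the sample.
case ${1:-} in
    --run) daily_audit_check "${2:-}" ;;
    *) echo "sample status reports $(printf '%s\n' "$SAMPLE_STATUS" | lost_events) lost events" ;;
esac
```

A non-zero lost counter means the kernel dropped records before auditd could write them (usually a backlog_limit that is too small for the event rate), so the warning is worth alerting on rather than just logging.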
opensc rebased to version 0.16.0
The OpenSC set of libraries and utilities provides support for working with smart cards. OpenSC focuses on cards that support cryptographic operations and enables their use for authentication, mail encryption, or digital signatures.
Notable enhancements in Red Hat Enterprise Linux 7.4 include:
- OpenSC adds support for Common Access Card (CAC) cards.
- OpenSC implements the PKCS#11 API and now also provides the CoolKey applet functionality. The opensc packages replace the coolkey packages.
Note that the coolkey packages will remain supported for the lifetime of Red Hat Enterprise Linux 7, but new hardware enablement will be provided through the opensc packages. (BZ#1081088, BZ#1373164)
openssl rebased to version 1.0.2k
The openssl package has been updated to upstream version 1.0.2k, which provides a number of enhancements, new features, and bug fixes, including:
- Added support for the Datagram Transport Layer Security TLS (DTLS) protocol version 1.2.
- Added support for the automatic elliptic curve selection for the ECDHE key exchange in TLS.
- Added support for the Application-Layer Protocol Negotiation (ALPN).
- Added Cryptographic Message Syntax (CMS) support for the following schemes: RSA-PSS, RSA-OAEP, ECDH, and X9.42 DH.
Note that this version is compatible with the API and ABI in the OpenSSL library version in previous releases of Red Hat Enterprise Linux 7. (BZ#1276310)
openssl-ibmca rebased to version 1.3.0
The openssl-ibmca package has been updated to upstream version 1.3.0, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
- Added support for SHA-512.
- Cryptographic methods are dynamically loaded when the ibmca engine starts. This enables ibmca to direct cryptographic methods to hardware if they are supported there through the libica library.
- Fixed a bug in block-size handling with stream cipher modes. (BZ#1274385)
OpenSCAP 1.2 is NIST-certified
OpenSCAP 1.2, the Security Content Automation Protocol (SCAP) scanner, has been certified by the National Institute of Standards and Technology (NIST) as a U.S. government-evaluated configuration and vulnerability scanner for Red Hat Enterprise Linux 6 and 7. OpenSCAP analyzes and evaluates security automation content correctly and it provides the functionality and documentation required by NIST to run in sensitive, security-conscious environments. Additionally, OpenSCAP is the first NIST-certified configuration scanner for evaluating Linux containers. Use cases include evaluating the configuration of Red Hat Enterprise Linux 7 hosts for PCI and DoD Security Technical Implementation Guide (STIG) compliance, as well as performing known vulnerability scans using Red Hat Common Vulnerabilities and Exposures (CVE) data. (BZ#1363826)
libreswan rebased to version 3.20
The libreswan packages have been upgraded to upstream version 3.20, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include:
- Added support for Opportunistic IPsec (Mesh Encryption), which enables IPsec deployments that cover a large number of hosts using a single simple configuration on all hosts.
- FIPS mode enforcement has been further tightened.
- Added support for route-based VPN using Virtual Tunnel Interface (VTI).
- Improved support for non-root configurations.
- Improved Online Certificate Status Protocol (OCSP) and Certificate Revocation Lists (CRL) support.
- Added new whack command options: --fipsstatus, --fetchcrls, --globalstatus, and --shuntstatus.
- Added support for the NAT Opportunistic Encryption (OE) Client Address Translation: leftcat=yes.
- Added support for the Traffic Flow Confidentiality mechanism: tfc=.
- Updated cipher preferences as per RFC 4307bis and RFC 7321bis.
- Added support for Extended Sequence Numbers (ESN): esn=yes.
- Added support for disabling and increasing the replay window: replay-window=. (BZ#1399883)
Audit now supports filtering based on session ID
With this update, the Linux Audit system supports user rules to filter audit messages based on the sessionid value. (BZ#1382504)
libseccomp now supports IBM Power architectures
With this update, the libseccomp library supports the IBM Power, 64-bit IBM Power, and 64-bit little-endian IBM Power architectures, which enables the GNOME rebase. (BZ#1425007)
AUDIT_KERN_MODULE now records module loading
The AUDIT_KERN_MODULE auxiliary record has been added to AUDIT_SYSCALL records for the init_module(), finit_module(), and delete_module() functions. This information is stored in the audit_context structure. (BZ#1382500)
OpenSSH now uses SHA-2 for public key signatures
Previously, OpenSSH used the SHA-1 hash algorithm for public key signatures using RSA and DSA keys. SHA-1 is no longer considered secure, and a new SSH protocol extension allows the use of SHA-2. With this update, SHA-2 is the default algorithm for public key signatures. SHA-1 is available only for backward compatibility purposes. (BZ#1322911)
firewalld now supports additional IP sets
With this update of the firewalld service daemon, support for the following ipset types has been added:
- hash:ip,port
- hash:ip,port,ip
- hash:ip,port,net
- hash:ip,mark
- hash:net,net
- hash:net,port
- hash:net,port,net
- hash:net,iface
The following ipset types, which provide a combination of sources and destinations at the same time, are not supported as sources in firewalld. IP sets using these types are created by firewalld, but their usage is limited to direct rules:
- hash:ip,port,ip
- hash:ip,port,net
- hash:net,net
- hash:net,port,net
The ipset packages have been rebased to upstream version 6.29, and the following ipset types are now additionally supported:
- hash:mac
- hash:net,port,net
- hash:net,net
- hash:ip,mark (BZ#1419058)
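As an added example, not part of the release notes or of firewalld, the following script creates IP sets of the newly supported types with firewall-cmd and chooses the rule form each type allows: a rich rule with `source ipset=` where firewalld accepts the type as a source, and a direct rule for the combined source/destination types that the note restricts to direct rules. The set names and addresses are constructed placeholders, and the FIREWALL_CMD variable is an assumed hook that lets the script run without touching a live firewall.

```shell
#!/bin/sh
# Added example (not part of the release notes or of firewalld): create IP sets of
# the newly supported types with firewall-cmd and pick the rule form each type
# allows. Types that combine sources and destinations are created by firewalld but
# cannot be referenced as "source ipset=" in a rich rule, so they are used through
# direct rules instead. Set names and addresses are constructed placeholders.

# The command to run; set FIREWALL_CMD=echo to print the commands instead.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# Types listed in the release note as usable only in direct rules.
DIRECT_ONLY_TYPES='hash:ip,port,ip hash:ip,port,net hash:net,net hash:net,port,net'

# Exit status 0 when type $1 may be used as a rich-rule or zone source, 1 otherwise.
usable_as_source() {
    for t in $DIRECT_ONLY_TYPES; do
        if [ "$t" = "$1" ]; then
            return 1
        fi
    done
    return 0
}

# Create permanent ipset $1 of type $2 and add the remaining arguments as entries.
create_ipset() {
    name=$1
    type=$2
    shift 2
    $FIREWALL_CMD --permanent --new-ipset="$name" --type="$type"
    for entry in "$@"; do
        $FIREWALL_CMD --permanent --ipset="$name" --add-entry="$entry"
    done
}

# Drop traffic matching ipset $1 of type $2. $3 gives the src/dst flags for the
# kernel set match when a direct rule is needed (one flag per set dimension).
block_with_ipset() {
    if usable_as_source "$2"; then
        $FIREWALL_CMD --permanent --add-rich-rule="rule source ipset=\"$1\" drop"
    else
        $FIREWALL_CMD --permanent --direct --add-rule ipv4 filter INPUT 0 \
            -m set --match-set "$1" "${3:-src,dst}" -j DROP
    fi
}

# Applied only on request, since it changes the host's firewall.
if [ "${1:-}" = "--apply" ]; then
    # hash:net,port: block SMTP from a documentation prefix through a rich rule.
    create_ipset smtp-abusers hash:net,port 203.0.113.0/24,tcp:25
    block_with_ipset smtp-abusers hash:net,port
    # hash:net,net: a source/destination pair, usable only in a direct rule.
    create_ipset blocked-pairs hash:net,net 198.51.100.0/24,192.0.2.0/24
    block_with_ipset blocked-pairs hash:net,net src,dst
    $FIREWALL_CMD --reload
fi
```

Direct rules bypass firewalld's zone model, so keep them few and commented; the rich-rule form is preferable whenever the set type allows it.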
firewalld now supports actions on ICMP types in rich rules
With this update, the firewalld service daemon allows using Internet Control Message Protocol (ICMP) types in rich rules with the accept, log, and mark actions. (BZ#1409544)
firewalld now supports disabled automatic helper assignment
This update of the firewalld service daemon introduces support for the disabled automatic helper assignment feature. firewalld helpers can now be used without adding additional rules even if automatic helper assignment is turned off. (BZ#1006225)
nss and nss-util now use SHA-256 by default
With this update, the default configuration of the NSS library has been changed to use a stronger hash algorithm when creating digital signatures. With RSA, EC, and 2048-bit (or longer) DSA keys, the SHA-256 algorithm is now used.
Note that the NSS utilities, such as certutil, crlutil, and cmsutil, also now use SHA-256 in their default configurations. (BZ#1309781)
Audit filter exclude rules now contain additional fields
The exclude filter has been enhanced, and it now contains not only the msgtype field, but also the pid, uid, gid, auid, sessionID, and SELinux types. (BZ#1382508)
PROCTITLE now provides the full command in Audit events
This update introduces the PROCTITLE record addition to Audit events. PROCTITLE provides the full command being executed. The PROCTITLE value is encoded so that it cannot be used to circumvent the Audit event parser. Note that the PROCTITLE value is still not trusted since it can be manipulated from user space. (BZ#1299527)
nss-softokn rebased to version 3.28.3
The nss-softokn packages have been upgraded to upstream version 3.28.3, which provides a number of bug fixes and enhancements over the previous version:
- Added support for the ChaCha20-Poly1305 (RFC 7539) algorithm used by TLS (RFC 7905), the Internet Key Exchange Protocol (IKE), and IPsec (RFC 7634).
- For key exchange purposes, added support for the Curve25519/X25519 curve.
- Added support for the Extended Master Secret (RFC 7627) extension. (BZ#1369055)
libica rebased to version 3.0.2
The libica package has been upgraded to upstream version 3.0.2, which provides a number of fixes over the previous version. Notable additions include:
- support for Federal Information Processing Standards (FIPS) mode
- support for generating pseudorandom numbers, including enhanced support for Deterministic Random Bit Generator compliant with the updated security specification NIST SP 800-90A. (BZ#1391558)
opencryptoki rebased to version 3.6.2
The opencryptoki packages have been upgraded to upstream version 3.6.2, which provides a number of bug fixes and enhancements over the previous version:
- Added support for OpenSSL 1.1.
- Replaced deprecated OpenSSL interfaces.
- Replaced deprecated libica interfaces.
- Improved performance for IBM Crypto Accelerator (ICA).
- Added support for the rc=8, reasoncode=2028 error message in the icsf token. (BZ#1391559)
AUDIT_NETFILTER_PKT events are now normalized
The AUDIT_NETFILTER_PKT audit events are now simplified and message fields are now displayed in a consistent manner. (BZ#1382494)
p11tool now supports writing objects by specifying a stored ID
With this update, the p11tool GnuTLS PKCS#11 tool supports the new --id option to write objects by specifying a stored ID. This allows the written object to be addressable by more applications than p11tool. (BZ#1399232)
new package: nss-pem
This update introduces the nss-pem package, which previously was part of the nss packages, as a separate package. The nss-pem package provides the PEM file reader for Network Security Services (NSS) implemented as a PKCS#11 module. (BZ#1316546)
pmrfc3164 replaces pmrfc3164sd in rsyslog
With the update of the rsyslog packages, the pmrfc3164sd module, which is used for parsing logs in the BSD syslog protocol format (RFC 3164), has been replaced by the official pmrfc3164 module. The official module does not fully cover the pmrfc3164sd functionality, and thus pmrfc3164sd is still available in rsyslog. However, it is recommended to use the new pmrfc3164 module wherever possible. The pmrfc3164sd module is no longer supported. (BZ#1431616)
libreswan now supports right=%opportunisticgroup
With this update, the %opportunisticgroup value for the right option in the conn part of the Libreswan configuration is supported. This allows opportunistic IPsec with X.509 authentication, which significantly reduces the administrative overhead in large environments. (BZ#1324458)
ca-certificates now meet Mozilla Firefox 52.2 ESR requirements
The Network Security Services (NSS) code and Certificate Authority (CA) list have been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI). To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017. (BZ#1444413)
nss now meets Mozilla Firefox 52.2 ESR requirements for certificates
The Certificate Authority (CA) list has been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI). To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017. (BZ#1444414)
scap-security-guide rebased to version 0.1.33
The scap-security-guide packages have been upgraded to upstream version 0.1.33, which provides a number of bug fixes and enhancements over the previous version. In particular, this new version enhances existing compliance profiles and expands the scope of coverage to include two new configuration baselines:
- Extended support for PCI-DSS v3 Control Baseline
- Extended support for United States Government Commercial Cloud Services (C2S).
- Extended support for Red Hat Corporate Profile for Certified Cloud Providers.
- Added support for the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 7 profile, aligning to the DISA STIG for Red Hat Enterprise Linux V1R1 profile.
- Added support for the Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) profile, which configures Red Hat Enterprise Linux 7 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).
- Added support for the United States Government Configuration Baseline (USGCB/STIG) profile, developed in partnership with the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat.
The USGCB/STIG profile implements configuration requirements from the following documents:
- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST Controlled Unclassified Information (NIST 800-171)
- NIST 800-53 control selections for moderate impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0)
- DISA Operating System Security Requirements Guide (OS SRG)
Note that several previously-contained profiles have been removed or merged. (BZ#1410914)