Este conteúdo não está disponível no idioma selecionado.
Chapter 11. Security
TLS
1.2 support added to all system components
With the addition of
TLS
1.2 support to the GnuTLS
component, Red Hat Enterprise Linux 6 offers complete support for TLS
1.2 in the shipped security libraries: OpenSSL
, NSS
, and GnuTLS
. Several modern standards such as PCI-DSS v3.1 recommend the latest TLS
protocol, which is currently TLS
1.2. This addition allows you to use Red Hat Enterprise Linux 6 with future revisions of security standards, which may require TLS
1.2 support.
For more information about the cryptographic changes in the Red Hat Enterprise Linux 6, see this article on the Red Hat Customer Portal: https://access.redhat.com/blogs/766093/posts/2787271. (BZ#1339222)
OpenSCAP
1.2.13 is NIST certified
OpenSCAP
1.2.13 has been certified by the National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) 1.2 in the Authenticated Configuration Scanner category with the Common Vulnerabilities and Exposure (CVE) option. OpenSCAP
provides a library that can parse and evaluate each component of the SCAP standard. This makes creating new SCAP tools convenient. Also, OpenSCAP
offers a multi-purpose tool designed to format content into documents or scan a system based on this content. (BZ#1364207)
vsftpd now uses TLS
1.2 by default
Users of the Very Secure File Transfer Protocol (FTP) daemon (vsftpd) can select a specific version of
TLS
protocol up to 1.2. TLS
1.2 has been enabled by default to bring security of vsftpd to the same level as the same package in Red Hat Enterprise Linux 7. New default ciphers specific to TLS
1.2 has been added: ECDHE-RSA-AES256-GCM-SHA384
and ECDHE-ECDSA-AES256-GCM-SHA384
. These changes do not break existing configurations. (BZ#1350724)
auditd
now supports incremental_async
The
audit
daemon now supports a new flush technique called incremental_async
. This new mode significantly improves the audit
daemon's logging performance maintaining short flush intervals for security. (BZ#1369249)
scap-security-guide now supports ComputeNode
The scap-security-guide project now supports scanning of the ComputeNode variant of Red Hat Enterprise Linux and the scap-security-guide package is also distributed in the relevant channel. (BZ#1311491)
rsyslog7
now enables TLS
1.2
With this update, the
rsyslog7
multi-threaded syslog daemon explicitly enables TLS
1.2 in the GnuTLS
component. (BZ#1323199)