红帽全球峰会第 20 章 Security
The following chapters contain the most notable changes to security between RHEL 9 and RHEL 10.
20.1. Security compliance changes
Installation hardening with OSCAP Anaconda Addon removed
The oscap-anaconda-addon package has been removed. As a consequence, the RHEL 10 installer no longer provides the Security Policy spoke and installation hardening. RHEL 10 introduces a more flexible and customizable approach to hardening systems by using Anaconda and Kickstart in addition to the already existing Image Builder option. For more information, see Creating pre-hardened images with RHEL image builder OpenSCAP integration.
OpenSCAP
The new version 1.4.x of the OpenSCAP scanner is provided in RHEL 10. The most important changes are the following:
-
The
openscappackage no longer provides theopenscap-develsubpackage for thelibopenscaplibrary, which is now an internal library without public API and any guarantee for backward compatibility. Theopenscappackage is provided with no guarantee of ABI and API compatibility. The following
dssubmodules that provide data stream composing functions have been removed from theoscaptool:-
sds-compose -
sds-add -
sds-split -
rds-create -
rds-split
-
The following incomplete modules have been removed:
-
cve -
cvss -
cvrf
-
The following deprecated command-line options have been removed:
-
--template -
--oval-template -
--sce-template -
--skip-validis removed and is replaced by--skip-validation
-
- New Kickstart remediation type was added.
-
The
autotailortool now can produce XCCDF tailoring files based on JSON Tailoring.
SCAP Workbench
The scap-workbench package with the SCAP Workbench GUI utility has been removed. As alternatives, you can use the oscap and autotailor command-line tools or Red Hat Lightspeed for both tailoring and scanning. For more information, see Managing SCAP security policies in the Red Hat Lightspeed compliance service.
SCAP Security Guide
The scap-security-guide package does not contain the following profiles:
- Protection Profile for General Purpose Operating Systems (OSPP)
- Centro Criptológico Nacional (CCN) - Basic
- Centro Criptológico Nacional (CCN) - Intermediate
For the complete list of profiles supported in RHEL 10, see SCAP security profiles supported in RHEL 10.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}