3.14 Security

Oracle Linux 8 introduces the following security features, enhancements, and changes:

  • OpenSSH updated to version 7.8p1.  The openssh packages have been upgraded to upstream version 7.8p1. This version of OpenSSH includes the following changes:

    • UsePrivilegeSeparation=sandbox option is now mandatory and cannot be disabled.

    • Minimal accepted RSA key size is set to 1024 bits.

    • Modulus size for Diffie-Hellman parameters has been changed to 2048 bits.

    • Default value of the UseDNS option has been changed to no.

    • DSA public key algorithms are disabled by default.

    • Semantics of the ExposeAuthInfo configuration option have changed.

    • The following features are removed in OpenSSH 7.8p1:

      • SSH version 1 protocol

      • hmac-ripemd160 message authentication code

      • RC4 (arcfour), Blowfish, and CAST ciphers
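
    An sshd_config file carried over from an earlier release can still name the features listed above. The following shell function is an added example, not code from Oracle or the OpenSSH project, that flags such directives; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# audit_sshd_config [FILE]: print "line N: finding" for each directive that
# depends on a feature removed or changed in OpenSSH 7.8p1. Reads stdin when
# FILE is omitted. Returns 1 if anything was flagged, otherwise 0.
audit_sshd_config() {
    awk '
    function flag(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # trim the line
    /^(#|$)/ { next }                            # comments and blank lines
    {
        key = tolower($0); sub(/[ \t=].*$/, "", key)
        val = tolower($0); sub(/^[^ \t=]+[ \t=]*/, "", val)
        if (val ~ /^-/) next       # a "-list" only removes algorithms
        sub(/^\+/, "", val)        # a "+list" appends to the defaults
        n = split(val, item, /[ \t,]+/)
        for (i = 1; i <= n; i++) {
            v = item[i]
            if (key == "protocol" && v == "1")
                flag("SSH protocol 1 is removed")
            else if (key == "ciphers" && v ~ /^(arcfour|blowfish|cast128)/)
                flag("removed cipher " v)
            else if (key == "macs" && v ~ /^hmac-ripemd160/)
                flag("removed MAC " v)
            else if (key == "useprivilegeseparation" && v != "sandbox")
                flag("privilege separation sandbox cannot be disabled")
            else if (key ~ /^(pubkeyacceptedkeytypes|hostkeyalgorithms)$/ && v ~ /^ssh-dss/)
                flag("DSA is disabled by default; " v " re-enables it")
        }
    }
    END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample input, not taken from a real host.
sample_sshd_config() {
    cat <<'EOF'
# legacy settings carried over from an older release
Protocol 2,1
UsePrivilegeSeparation yes
Ciphers aes256-ctr,arcfour256,blowfish-cbc
MACs hmac-sha2-256,hmac-ripemd160
UseDNS no
PubkeyAcceptedKeyTypes +ssh-dss
EOF
}

sample_sshd_config | audit_sshd_config || true
```

    Run it against a copy of /etc/ssh/sshd_config before upgrading; a non-zero return status means at least one directive needs attention.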

  • LUKS2 replaces LUKS1.  The LUKS version 2 (LUKS2) format replaces the legacy LUKS (LUKS1) format in this release. Also, the dm-crypt subsystem and the cryptsetup tool now use LUKS2 as the default format for encrypted volumes.

  • Replacement of nfsnobody user and group pair with nobody user and group pair.  The nobody user and group pair, with the ID of 99, and the nfsnobody user and group pair, with the ID of 65534 (the default kernel overflow ID), have been merged into the nobody user and group pair. This change reduces confusion about the files that are owned by nobody and have nothing to do with NFS. The merged user and group pair use the 65534 ID. Note that the nfsnobody user and group pair are no longer created during a fresh installation.

  • GPG key length increased to 4096 bits.  Oracle Linux 8 RPM packages are now signed with a new 4096-bit GNU Privacy Guard (GPG) key for greater security. Previously, the GPG key length was 2048 bits.

  • RSA-PSS supported in OpenSC.  Oracle Linux 8 adds support for the RSA-PSS cryptographic signature scheme to the OpenSC smart card driver. The new scheme enables a secure cryptographic algorithm, which is required for the TLS 1.3 support in the client software.

  • rsyslog updated to version 8.37.0.  In Oracle Linux 8, the rsyslog packages have been upgraded to version 8.37.0. This version of rsyslog includes several bug fixes and improvements over previous versions.

  • New omkafka rsyslog module added.  You can use the omkafka module in the Oracle Linux 8 release to enable Kafka centralized data storage scenarios. You can also use this module to forward logs to the Kafka infrastructure.

  • libssh implements SSH as a core cryptographic component.  The libssh library, which implements the SSH protocol, is introduced as a core cryptographic component in Oracle Linux 8. Note that libssh does not comply with the system-wide cryptographic policy.

  • Consolidation of OpenSCAP API.  In Oracle Linux 8, the OpenSCAP shared library API has been consolidated. As a result, 63 symbols are removed, 14 symbols are added, and 4 symbols have an updated signature.

    The following symbols are removed in OpenSCAP 1.3.0:

    • Symbols marked as deprecated in version 1.2.0

    • SEAP protocol symbols

    • Internal helper functions

    • Unused library symbols

    • Unimplemented symbols

  • PKCS #11 support for smart cards and HSMs is now consistent.  In Oracle Linux 8, using smart cards and Hardware Security Modules (HSM) with the PKCS #11 cryptographic token interface is consistent, which means users and administrators can use the same syntax for all related tools in the system.

  • SELinux policy improvement to enable iscsiuio processes to work correctly.  Oracle Linux 8 adds missing rules to the SELinux policy to enable iscsiuio processes to access /dev/uio* devices by using the mmap system call. Previously, SELinux policy restricted this access, which caused the connection to the discovery portal to fail.

  • System-wide cryptographic policies applied by default.  In Oracle Linux 8, the crypto-policies component configures the core cryptographic subsystems and covers the TLS, IPSec, SSH, DNSSec, and Kerberos protocols. The component provides a small set of policies that can be selected by using the update-crypto-policies command.

    The DEFAULT system-wide cryptographic policy that provides secure settings for current threat models is also compatible with PCI-DSS requirements, as it allows the TLS 1.2 and 1.3 protocols, as well as the IKEv2 and SSH2 protocols. The RSA keys and Diffie-Hellman parameters are accepted, if they are larger than 2047 bits.

    See the update-crypto-policies(8) man page.

  • Support for OSPP 4.2 added to SCAP Security Guide.  The SCAP Security Guide includes a draft of the OSPP (Protection Profile for General Purpose Operating Systems) profile version 4.2 RHEL 8. This profile reflects the mandatory configuration controls that are identified in the NIAP Configuration Annex to the Protection Profile for General Purpose Operating Systems (Protection Profile Version 4.2). The SCAP Security Guide provides automated checks and scripts so that users can meet the requirements that are defined in the OSPP.

  • Improvements to the OpenSCAP command-line interface.  The verbose mode is now available in all oscap modules and submodules. In addition, improvements have been made to the tool output.

    Several options are deprecated and have been removed, including the following:

    • The --show option in the oscap xccdf generate report command is completely removed.

    • The --probe-root option in the oscap oval eval command is removed. As a replacement, you can set the OSCAP_PROBE_ROOT environment variable.

    • The --sce-results option in the oscap xccdf eval command is replaced by the --check-engine-results option.

    • The validate-xml submodule validator has been dropped from the CPE, OVAL, and XCCDF modules. You can use validate submodules to validate SCAP content against XML schemas and XSD schematrons.

    • The oscap oval list-probes command is removed. Instead, use the oscap command with the --version option to display this information.

    Note: OpenSCAP allows for evaluating all of the rules in a given XCCDF benchmark by using --profile '(all)', regardless of the profile.
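
    Automation written for earlier OpenSCAP versions may still call the removed options. The following sed filter is an added example, not part of OpenSCAP or Oracle's tooling, that applies the replacements named above to script text; the function name, the file names, and the sample command lines are constructed, and the rewritten output should be reviewed before use.

```shell
#!/bin/sh
# migrate_oscap: filter that reads script text on stdin and writes it back
# with the command-line changes listed in the release notes applied.
migrate_oscap() {
    sed -E \
        -e 's/--sce-results/--check-engine-results/g' \
        -e 's/(oscap (cpe|oval|xccdf)) validate-xml/\1 validate/' \
        -e 's/oscap oval list-probes/oscap --version/' \
        -e 's/(oscap oval eval.*) --probe-root[ =]([^ ]+)/OSCAP_PROBE_ROOT=\2 \1/' \
        -e '/oscap xccdf generate report.* --show/ s/$/  # FIXME: --show was removed/'
}

# Constructed sample command lines, not taken from a real script.
sample_oscap_script() {
    cat <<'EOF'
oscap xccdf eval --sce-results --results r.xml ds.xml
oscap oval eval --results o.xml --probe-root /mnt/image defs.xml
oscap xccdf validate-xml ds.xml
oscap oval list-probes
oscap xccdf generate report --show fail r.xml > report.html
EOF
}

sample_oscap_script | migrate_oscap
```

    The --show option has no replacement, so the filter only marks those lines for manual editing.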

  • Support for SELinux map permission code added.  Oracle Linux 8 provides support for the SELinux map permission feature. This support controls memory mapped access to files, directories, and sockets and enables SELinux policy to prevent direct memory access to various file system objects and also ensure that all such access is revalidated.

  • Support for systemd No New Privileges added to SELinux.  Oracle Linux 8 provides support for the nnp_nosuid_transition policy capability, which enables SELinux domain transitions under No New Privileges (NNP) or nosuid, if nnp_nosuid_transition is allowed between the old and new contexts. The selinux-policy packages now contain a policy for systemd services that use the NNP security feature.

    The following rule shows the general form that allows this capability for a service:

    allow source_domain target_type:process2 { nnp_transition nosuid_transition };

    For example, the rule would be defined as follows for a specific service:

    allow init_t fprintd_t:process2 { nnp_transition nosuid_transition };

    Note that the distribution policy now also contains the m4 macro interface, which can be used in SELinux security policies for services that use the init_nnp_daemon_domain() function.

  • Support for getrlimit permission in the process class added to SELinux.  A new SELinux access control check, process:getrlimit, has been added to the prlimit() function. This change enables SELinux policy developers to control when one process attempts to read and then modify the resource limits of another process by using the process:setrlimit permission. Note that SELinux does not restrict a process from manipulating its own resource limits through prlimit(). See the prlimit(2) and getrlimit(2) man pages for details.

  • New SELinux booleans added.  Oracle Linux 8 includes the following new SELinux booleans:

    • colord_use_nfs

    • mysql_connect_http

    • pdns_can_network_connect_db

    • ssh_use_tcpd

    • sslh_can_bind_any_port

    • sslh_can_connect_any_port

    • virt_use_pcscd

    For more details, run the semanage boolean -l command.

  • TLS 1.3 in cryptographic libraries added.  This release enables support for Transport Layer Security (TLS) 1.3, by default, in all major back-end cryptographic libraries. This change enables low latency across the operating system communications layer and enhances privacy and security for applications by taking advantage of new algorithms such as RSA-PSS or X25519.

  • OpenSCAP updated to version 1.3.0.  In Oracle Linux 8, the OpenSCAP suite has been upgraded to version 1.3.0. This version of the OpenSCAP suite introduces many enhancements, including the consolidation of the API and the ABI, an enhanced command-line interface, and other notable improvements over the previous OpenSCAP version.

  • Replacement of audispd with auditd in Audit 3.0.  In this release, the functionality of audispd has been moved to auditd. As a result, audispd configuration options are now part of auditd.conf, and the plugins.d directory is now under /etc/audit. You can check the current status of auditd and its plugins by running the auditd state command.

  • imfile module added to rsyslog.  In Oracle Linux 8, the rsyslog imfile module has been enhanced for improved performance and the addition of more configuration options. This change enables you to use the module for more complicated file monitoring.