Security
The following features, enhancements, and changes related to security are introduced in this Oracle Linux 9 release.
libkcapi
Can Target File Names in Hash-Sum
Calculations
The libkcapi
packages includes a new -T
option that
specifies target file names in hash-sum calculations. This option must be used with the
-c
option that specifies the HMAC files and overrides the target file names
specified in the HMAC file. For example:
$ sha256hmac -c <hmac_file> -T <target_file>
Crypto-Policies Updated to Enable Message Authentication Codes in SSH
The system-wide cryptographic policies (crypto-policies
) can be configured
with options that control handling of message authentication codes (MACs) for the SSH
protocol. The crypto-policies
option ssh_etm
is now a
tri-state etm@SSH
option. The previous ssh_etm
option has
been deprecated.
You can set ssh_etm
to one of the following values:
ANY
: to allow bothencrypt-then-mac
andencrypt-and-mac
MACs.DISABLE_ETM
: to preventencrypt-then-mac
MACs.DISABLE_NON_ETM
: to prevent MACs that don't useencrypt-then-mac
.
Ciphers that use implicit MACs are always allowed because they use authenticated encryption.
semanage fcontext
Orders Local File Context Modifications
Correctly
The semanage fcontext -l -C
command is updated to display rules in the
file_contexts.local
file in the correct order, from oldest to newest, to
improve SELinux rule management when using the restorecon
command, which
processes entries by age.
SELinux Policy Updated for Services
Several new rules are added to the SELinux policy that confine the following
systemd
services:
-
nvme-stas
-
realmd
Services that are affected by this update no longer run with the
unconfined_service_t
SELinux label, and can run successfully in SELinux
enforcing mode.
SELinux Policy Updated for chronyd-restricted
Service
The SELinux policy includes rules to confine the chronyd-restricted
service. The service runs successfully in SELinux enforcing mode.
SELinux User Space Update to Version 3.6
The SELinux user-space component packages are updated to version 3.6. The following component packages are updated:
-
libsepol
-
libselinux
-
libsemanage
-
policycoreutils
-
checkpolicy
-
mcstrans
Notable changes include:
- Addition of
deny
rules in SELinux Common Intermediate Language (CIL) - Addition of
notself
andother
keywords in CIL. - New
getpolicyload
utility that prints the number of policy reloads.
GnuTLS Updated to Version 3.8.3
The gnutls
package is updated to version 3.8.3. Notable changes
include:
- The
gnutls_hkdf_expand
function only accepts arguments with lengths less than or equal to 255 times hash digest size, to comply with RFC 5869 2.3. - Length limit for
TLS PSK
usernames has been increased to 65535 characters. - The
gnutls_session_channel_binding
API function performs further checks whenGNUTLS_CB_TLS_EXPORTER
is requested according to RFC9622 4.2. - The
GNUTLS_NO_STATUS_REQUEST
flag and the%NO_STATUS_REQUEST
priority modifier are added so that thestatus_request
TLS extension can be disabled on the client side. - GnuTLS ensures that the contents of the Change Cipher Spec message is equal to 1 when the TLS version is older than 1.3.
- TLS extensions in ClientHello messages are shuffled to harden fingerprinting.
- GnuTLS can perform EdDSA key generation on PKCS #11 tokens.
nettle
Updated to Version 3.9.1
The nettle
package is updated to version 3.9.1. Notable changes
include:
- Includes Balloon password hashing.
- Includes SM4 block cipher.
- Includes SIV-GCM authenticated encryption mode.
- Includes OCB authenticated encryption mode.
- New exported functions
md5_compress
,sha1_compress
,sha256_compress
,sha512_compress
. - Improved performance of the SHA-256 hash function for x86_64 platforms.
- Improved performance of the Poly1305 hash function for x86_64 platforms.
Oracle Linux 9 OpenSSL FIPS Provider Available
OpenSSL uses the fips.so
shared library as a FIPS provider. With this
update, the latest version of fips.so
submitted to the National Institute of
Standards and Technology (NIST) for certification is shipped in a separate
openssl-fips-provider
package. This package ensures that future versions
of OpenSSL use certified code or code undergoing certification.
OpenSSL Drop-In Directory for Provider Configuration
The OpenSSL TLS toolkit provides more atomic integration with provider APIs for
installation and configuration of modules that provide cryptographic algorithms.
Provider-specific configuration can be defined in separate .conf
files
in the /etc/pki/tls/openssl.d
directory.
p11-kit
Updated to Version 0.25.3
The p11-kit
package is updated to version 0.25.3 and includes the
p11-kit
tool for managing PKCS#11 modules, the
trust
tool for operating on the trust policy store, and the
p11-kit
library. Notable changes include:
-
Added integration with PKCS#11 version 3.0
-
The
pkcs11.h
header file:-
Added ChaCha20/Salsa20, and Poly1305 mechanisms and attributes
-
Added AES-GCM mechanism parameters for message-based encryption
-
-
The
p11-kit
tool:-
Added commands to list and manage objects of a token (
list-tokens
,list-mechanisms
,list-objects
,import-object
,export-object
,delete-object
, andgenerate-keypair
) -
Added commands to manage PKCS#11 profiles of a token (
list-profiles
,add-profile
, anddelete-profile
) -
Added the
print-config
command for printing merged configuration
-
-
The
trust
tool:-
Added the
check-format
command to check the format of.p11-kit
files
-
libkcapi
Updated to Version 1.4.0
The libkcapi
library is updated to version 1.4.0. Notable changes
include:
-
Added the
sm3sum
andsm3hmac
tools. -
Added the
kcapi_md_sm3
andkcapi_md_hmac_sm3
APIs. -
Added SM4 convenience functions.
-
Added link-time optimization (LTO ) and LTO regression testing
-
Fixed support for AEAD encryption of an arbitrary size with
kcapi-enc
.
OpenSSH Uses the sysusers.d Format for Creating Users and Groups
OpenSSH now uses the sysusers.d
format to declare system users.
Previously, static useradd
scripts were used for this purpose.
OpenSSH Adds Authentication Delay Limits
OpenSSH artificially delays responses after login failure to prevent user enumeration attacks. An upper limit on artificial delays is applied when remote authentication takes too long, for example in privilege access management (PAM) processing.
stunnel
Updated to Version 5.71
The stunnel
TLS/SSL tunneling service is updated to version 5.71.
Notable changes include:
-
Integration with latest PostgreSQL clients.
- New
protocolHeader
service-level option to insert customconnect
protocol negotiation headers for software impersonation. -
New
protocolHost
option to control the client SMTP protocol negotiation HELO/EHLO value. -
New client-side
protocol = ldap
availability. -
New
sessionResume
service-level option to control whether a session can be resumed. -
Extended option to request client certificates in server mode with
CApath
orCAfile
. -
Improved file reading and logging performance.
-
Added a configurable delay for the
retry
option. -
OCSP stapling is requested and verified when
verifyChain
is set in client mode. -
OCSP stapling is always available in server mode.
-
Inconclusive OCSP verification breaks TLS negotiation. You can disable this by setting
OCSPrequire = no
.
audit
Updated to Version 3.1.2
The audit
package is updated to version 3.1.2. Notable changes include:
-
The
auparse
library now interprets unnamed and anonymous sockets. -
Added keyword,
this-hour
, to theausearch
andaureport
commandstart
andend
options. -
Added user friendly keywords for signals to the
auditctl
command. -
The
auparse
command is hardened to better handle corrupt logs. -
The
ProtectControlGroups
option is disabled by default in theauditd
service. -
Rule checking for the exclude filter is fixed.
-
OPENAT2
field interpretation is improved. -
The
audispd af_unix
plugin is moved to a standalone program. -
The Python binding is updated to disable setting Audit rules from the Python API to resolve an issue in the Simplified Wrapper and Interface Generator (SWIG).
- Added
io_uring
asynchronous I/O API capability.
rsyslog
Updated to Version 8.2310
Rsyslog is updated to version 8.2310. Notable changes include:
-
Customizable TLS/SSL encryption settings
Rsyslog includes features to configure unique TLS/SSL settings for each connection, including specifying different CA certificates, private keys, public keys, and CRL files for enhanced security and flexibility. For more information and usage, see documentation provided in the
rsyslog-doc
package. -
Improved capability dropping
Rsyslog includes new global options to define behavior when dropping capabilities:-
libcapng.default
: Defines how Rsyslog behaves when errors are returned while dropping capabilities. The default value ison
, which causes Rsyslog to exit if an error related tolibcapng
occurs. -
libcapng.enable
Controls whether Rsyslog drops capabilities during startup. If this option is disabled,libcapng.default
has no impact and capability dropping is disabled.
-
opencryptoki
Updated to Version 3.22.0
The opencryptoki
package is updated to version 3.22.0. Notable changes
include:
-
The
AES-XTS
key type can be used with theCPACF
protected keys. -
Certificate object management.
-
A
no-login
option to create public sessions. -
Authentication as the Security Officer (SO).
-
Capability to import and export the
Edwards
andMontgomery
keys. -
Capability to import
RSA-PSS
keys and certificates. -
Validation that the keys AES-XTS are different when they're created or imported.
SCAP Security Guide Updated to Version 0.1.72
Updates to the SCAP Security Guide include the following notable changes:
- Bash remediations are fixed to handle ISO9660 partitions in the fstab.
- The PCI DSS profile is aligned with the PCI DSS policy version 4.0.
- STIG profiles are aligned with the latest DISA STIG policies.