RHEL8 Security

Share this link

Main New Features

Compiler flags and static code analysis

  • Required by security certifications
  • Preventing security flaws (stack smashing, memory corruption, etc) before shipping

Consistent and strong crypto policy

  • Solves the problem of ensuring systemwide consistent cryptography settings for addressing compliance requirements
  • Easy to use and automate with 4 policies (LEGACY, DEFAULT, FIPS and FUTURE)
    • # update-crypto-policies –set FUTURE
    • # update-crypto-policies –show
  • Sets allowed key lengths, hashes, parameters, protocols, and algorithms
  • Allows disabling an algorithm system or site-wide without breaking the stack
  • Systemwide effects on libkrb5, BIND, OpenSSL, OpenJDK, GnuTLS, OpenSSH,   Libreswan, Python, NSS

FIPS mode made easy

  • # fips-mode-setup –enable
  • # reboot

Smart cards and Hardware Security Modules (HSMs)

  • PKCS#11 centralized configuration

TLS 1.3 systemwide

  • TLS 1.2 redesigned (4 years in the making)
  • Modern crypto primitives (RSA-PSS, Ed25519)
  • Less clutter, faster handshake / Performance: 1-RTT (0-RTT)
  • Better privacy against passive observers
  • Supported in OpenSSL 1.1.1, GnuTLS, and NSS
  • Subsystems enabled: Apache, GNOME, Perl, Python, Ruby, OpenJDK

Libssh: SSH communications

  • Applications need programmatic access to remote systems
  • SSH is the de facto remote access protocol
  • Libssh is FIPS 140-2 compliant and use the system-supplied crypto libraries
  • Libssh was previously in RHEL 7 extras and is now in core RHEL 8

Software identification (SWID) tags

  • Provide a means to consistently identify software, its origin, and manufacturer
  • Methods for executing only ‘white-listed’ utilities and application to reduce risk
  • Used by strongSwan, IBM BigFix, Microsoft, and others already
  • Works with any of packaging mechanisms (rpm, tar, zip, etc)
  • Defined in ISO/IEC 19770-2:2015 standard
  • XML file, digitally signed by Red Hat
  • Optional requirement for Common Criteria certification, required for SCAP 1.3 scanners
  • Highly recommended for whitelisting for federal governments

Fine-grained SELinux controls

  • SELinux provides mandatory access control and is enabled by default (containers require it)
  • Supports No New Privileges (NNP) in Systemd (nnp_nosuid_transition)
  • New control for preventing a process from changing the limits of another process (getrlimit)
  • Files have specific control now to prevent certain files from being memory mapped (file:map)
  • Ability to limit need to override access controls (dac_read_search)

Trusted Platform Module (TPM) usage

  • TPM 2.0 full support with TCG software stack
  • Measurements of kernel taken each boot and stored into TPM PCR
  • LUKS data-at-rest key can be stored in TPM now via Network-Bound Disk Encryption utility   (Clevis) for protecting against disk theft
  • Future work includes PKCS#11 API for TPM, virtual TPMs, and Red Hat OpenStack Platform

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

RHCSA7: Task of the day

Allowed time: 10 minutes.
Create a XFS file system of 100MB. Mount it under /mnt. Then, increase its size by 50MB.

RHCE7: Task of the day

Allowed time: 15 minutes.
Configure a httpd server with a password protected directory under the /var/www/html/private directory.

Follow me on Twitter

Poll for favorite RHEL 7 book

What is your favorite RHEL 7 book to prepare RHCSA & RHCE exams?

View Results

Loading ... Loading ...

Poll for most difficult RHCSA 7 topic

What do you think is the most difficult RHCSA 7 topic?

View Results

Loading ... Loading ...

Poll for most difficult RHCE 7 topic

What do you think is the most difficult RHCE 7 topic?

View Results

Loading ... Loading ...