RHEL8 Security

Main New Features

Compiler flags and static code analysis

• Required by security certifications
• Preventing security flaws (stack smashing, memory corruption, etc) before shipping

Consistent and strong crypto policy

• Solves the problem of ensuring systemwide consistent cryptography settings for addressing compliance requirements
• Easy to use and automate with 4 policies (LEGACY, DEFAULT, FIPS and FUTURE)
  • # update-crypto-policies –set FUTURE
  • # update-crypto-policies –show
• Sets allowed key lengths, hashes, parameters, protocols, and algorithms
• Allows disabling an algorithm system or site-wide without breaking the stack
• Systemwide effects on libkrb5, BIND, OpenSSL, OpenJDK, GnuTLS, OpenSSH,   Libreswan, Python, NSS

FIPS mode made easy

• # fips-mode-setup –enable
• # reboot

Smart cards and Hardware Security Modules (HSMs)

• PKCS#11 centralized configuration

TLS 1.3 systemwide

• TLS 1.2 redesigned (4 years in the making)
• Modern crypto primitives (RSA-PSS, Ed25519)
• Less clutter, faster handshake / Performance: 1-RTT (0-RTT)
• Better privacy against passive observers
• Supported in OpenSSL 1.1.1, GnuTLS, and NSS
• Subsystems enabled: Apache, GNOME, Perl, Python, Ruby, OpenJDK

Libssh: SSH communications

• Applications need programmatic access to remote systems
• SSH is the de facto remote access protocol
• Libssh is FIPS 140-2 compliant and use the system-supplied crypto libraries
• Libssh was previously in RHEL 7 extras and is now in core RHEL 8

Software identification (SWID) tags

• Provide a means to consistently identify software, its origin, and manufacturer
• Methods for executing only ‘white-listed’ utilities and application to reduce risk
• Used by strongSwan, IBM BigFix, Microsoft, and others already
• Works with any of packaging mechanisms (rpm, tar, zip, etc)
• Defined in ISO/IEC 19770-2:2015 standard
• XML file, digitally signed by Red Hat
• Optional requirement for Common Criteria certification, required for SCAP 1.3 scanners
• Highly recommended for whitelisting for federal governments

Fine-grained SELinux controls

• SELinux provides mandatory access control and is enabled by default (containers require it)
• Supports No New Privileges (NNP) in Systemd (nnp_nosuid_transition)
• New control for preventing a process from changing the limits of another process (getrlimit)
• Files have specific control now to prevent certain files from being memory mapped (file:map)
• Ability to limit need to override access controls (dac_read_search)

Trusted Platform Module (TPM) usage

• TPM 2.0 full support with TCG software stack
• Measurements of kernel taken each boot and stored into TPM PCR
• LUKS data-at-rest key can be stored in TPM now via Network-Bound Disk Encryption utility   (Clevis) for protecting against disk theft
• Future work includes PKCS#11 API for TPM, virtual TPMs, and Red Hat OpenStack Platform