Main New Features
Compiler flags and static code analysis
- Required by security certifications
- Preventing security flaws (stack smashing, memory corruption, etc) before shipping
Consistent and strong crypto policy
- Solves the problem of ensuring systemwide consistent cryptography settings for addressing compliance requirements
- Easy to use and automate with 4 policies (LEGACY, DEFAULT, FIPS and FUTURE)
- # update-crypto-policies --set FUTURE
- # update-crypto-policies --show
- Sets allowed key lengths, hashes, parameters, protocols, and algorithms
- Allows disabling an algorithm system or site-wide without breaking the stack
- Systemwide effects on libkrb5, BIND, OpenSSL, OpenJDK, GnuTLS, OpenSSH, Libreswan, Python, NSS
FIPS mode made easy
- # fips-mode-setup --enable
- # reboot
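
An audit check for the crypto policy and FIPS mode items above, added here as an example (it is not Red Hat tooling). It assumes the applied and configured policy names are stored in /etc/crypto-policies/state/current and /etc/crypto-policies/config and that the kernel FIPS flag is /proc/sys/crypto/fips_enabled; the function names and the environment overrides are hypothetical.

```shell
#!/bin/sh
# Added example: audit the applied crypto policy and the kernel FIPS flag.
# Assumed default paths; override via environment to run against test files.
POLICY_STATE="${POLICY_STATE:-/etc/crypto-policies/state/current}"
POLICY_CONFIG="${POLICY_CONFIG:-/etc/crypto-policies/config}"
FIPS_FLAG="${FIPS_FLAG:-/proc/sys/crypto/fips_enabled}"

# Print the policy named in file $1: first non-comment, non-blank line.
read_policy() {
    [ -r "$1" ] || return 1
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1" | head -n 1
}

# audit_crypto ALLOWED_POLICY...
# Returns 0 = compliant, 1 = finding, 2 = state could not be read.
audit_crypto() {
    applied=$(read_policy "$POLICY_STATE") || applied=""
    if [ -z "$applied" ]; then
        echo "UNKNOWN: no applied policy in $POLICY_STATE"; return 2
    fi
    configured=$(read_policy "$POLICY_CONFIG") || configured=""
    base=${applied%%:*}   # strip ":SUBPOLICY" modifiers if present
    fips=0
    if [ -r "$FIPS_FLAG" ]; then fips=$(cat "$FIPS_FLAG"); fi

    # Config file edited but never applied, or state changed out of band.
    if [ "$configured" != "$applied" ]; then
        echo "FAIL: configured '$configured' but applied '$applied'"; return 1
    fi
    allowed=no
    for p in "$@"; do
        if [ "$p" = "$base" ]; then allowed=yes; fi
    done
    if [ "$allowed" = no ]; then
        echo "FAIL: policy $base not in allowed set: $*"; return 1
    fi
    # The FIPS policy and the kernel FIPS flag must agree.
    if [ "$base" = FIPS ] && [ "$fips" != 1 ]; then
        echo "FAIL: FIPS policy set but kernel FIPS mode is off"; return 1
    fi
    if [ "$base" != FIPS ] && [ "$fips" = 1 ]; then
        echo "FAIL: kernel in FIPS mode but policy is $base"; return 1
    fi
    echo "OK: policy $applied, kernel FIPS flag $fips"
}
```

Call it with the policies your baseline accepts, for example `audit_crypto FIPS FUTURE`, and alert on any non-zero return.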
Smart cards and Hardware Security Modules (HSMs)
- PKCS#11 centralized configuration
TLS 1.3 systemwide
- TLS 1.2 redesigned (4 years in the making)
- Modern crypto primitives (RSA-PSS, Ed25519)
- Less clutter, faster handshake / Performance: 1-RTT (0-RTT)
- Better privacy against passive observers
- Supported in OpenSSL 1.1.1, GnuTLS, and NSS
- Subsystems enabled: Apache, GNOME, Perl, Python, Ruby, OpenJDK
Libssh: SSH communications
- Applications need programmatic access to remote systems
- SSH is the de facto remote access protocol
- Libssh is FIPS 140-2 compliant and uses the system-supplied crypto libraries
- Libssh was previously in RHEL 7 extras and is now in core RHEL 8
Software identification (SWID) tags
- Provide a means to consistently identify software, its origin, and manufacturer
- Methods for executing only ‘white-listed’ utilities and applications to reduce risk
- Used by strongSwan, IBM BigFix, Microsoft, and others already
- Works with any packaging mechanism (rpm, tar, zip, etc.)
- Defined in ISO/IEC 19770-2:2015 standard
- XML file, digitally signed by Red Hat
- Optional requirement for Common Criteria certification, required for SCAP 1.3 scanners
- Highly recommended for whitelisting for federal governments
Fine-grained SELinux controls
- SELinux provides mandatory access control and is enabled by default (containers require it)
- Supports No New Privileges (NNP) in Systemd (nnp_nosuid_transition)
- New control for preventing a process from changing the limits of another process (getrlimit)
- New file-level control to prevent certain files from being memory mapped (file:map)
- Ability to limit the need to override access controls (dac_read_search)
Trusted Platform Module (TPM) usage
- TPM 2.0 full support with TCG software stack
- Measurements of kernel taken each boot and stored into TPM PCR
- LUKS data-at-rest key can be stored in TPM now via Network-Bound Disk Encryption utility (Clevis) for protecting against disk theft
- Future work includes PKCS#11 API for TPM, virtual TPMs, and Red Hat OpenStack Platform