RHEL8 Security

Main New Features

Compiler flags and static code analysis

  • Required by security certifications
  • Preventing security flaws (stack smashing, memory corruption, etc) before shipping

Consistent and strong crypto policy

  • Solves the problem of ensuring systemwide consistent cryptography settings for addressing compliance requirements
  • Easy to use and automate with 4 policies (LEGACY, DEFAULT, FIPS and FUTURE)
    • # update-crypto-policies --set FUTURE
    • # update-crypto-policies --show
  • Sets allowed key lengths, hashes, parameters, protocols, and algorithms
  • Allows disabling an algorithm system or site-wide without breaking the stack
  • Systemwide effects on libkrb5, BIND, OpenSSL, OpenJDK, GnuTLS, OpenSSH, Libreswan, Python, NSS

FIPS mode made easy

  • # fips-mode-setup --enable
  • # reboot
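A defender normally wants to verify that the policy switch and the FIPS enablement above actually took effect, across a fleet, without relying on a human reading command output. The script below is an added example, not from the original page: it audits the system-wide crypto policy and the kernel FIPS flag from the files RHEL 8 uses to record them, and flags the inconsistent states (an unknown policy name, or a FIPS policy without the kernel in FIPS mode, which is what you see after `fips-mode-setup --enable` but before the reboot). It assumes `/etc/crypto-policies/config` holds the active policy name and `/proc/sys/crypto/fips_enabled` reads `1` in FIPS mode; both paths are parameters so the functions can be exercised on constructed files, and the script name `crypto_audit.sh` used in the run guard is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): audit the RHEL 8 system-wide crypto
# policy and kernel FIPS mode from the files that record them.
# Assumptions: /etc/crypto-policies/config holds the active policy name (one word),
# /proc/sys/crypto/fips_enabled holds 1 when the kernel runs in FIPS mode.

POLICY_FILE=/etc/crypto-policies/config
FIPS_FLAG=/proc/sys/crypto/fips_enabled

# Return 0 if NAME is one of the four shipped policies, 1 otherwise.
valid_policy() {
    case "$1" in
        LEGACY|DEFAULT|FIPS|FUTURE) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the active policy name recorded in FILE (default: the real config file).
# Comment and blank lines are ignored; the first remaining word is the policy.
active_policy() {
    file="${1:-$POLICY_FILE}"
    [ -r "$file" ] || return 1
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" | head -n 1 | tr -d '[:space:]'
}

# Return 0 if the policy in FILE equals EXPECTED, 1 on mismatch, 2 for an unknown name.
policy_matches() {
    expected="$1"
    file="${2:-$POLICY_FILE}"
    valid_policy "$expected" || { echo "unknown policy: $expected" >&2; return 2; }
    current="$(active_policy "$file")" || return 1
    [ "$current" = "$expected" ]
}

# Return 0 if the kernel FIPS flag in FILE reads 1, 1 otherwise.
fips_enabled() {
    file="${1:-$FIPS_FLAG}"
    [ -r "$file" ] && [ "$(tr -d '[:space:]' < "$file")" = "1" ]
}

# Consistency audit: prints one line per finding, returns 0 only when the policy
# name is known and the FIPS policy and kernel FIPS flag agree with each other.
audit() {
    policy_file="${1:-$POLICY_FILE}"
    fips_file="${2:-$FIPS_FLAG}"
    rc=0
    current="$(active_policy "$policy_file")" || { echo "FAIL: cannot read $policy_file"; return 1; }
    if valid_policy "$current"; then
        echo "policy: $current"
    else
        echo "FAIL: unrecognised policy '$current' (custom or tampered?)"; rc=1
    fi
    if fips_enabled "$fips_file"; then
        echo "fips: kernel flag set"
        [ "$current" = "FIPS" ] || { echo "FAIL: kernel in FIPS mode but policy is $current"; rc=1; }
    else
        echo "fips: kernel flag not set"
        [ "$current" = "FIPS" ] && { echo "FAIL: FIPS policy set but kernel not in FIPS mode (reboot pending?)"; rc=1; }
    fi
    return $rc
}

# Run the audit against the real system only when executed under the assumed name.
case "$0" in */crypto_audit.sh) audit ;; esac
```

Run it as `sh crypto_audit.sh` on a host, or source it and call `policy_matches FUTURE` from a configuration-management check; a non-zero exit is the signal that the host has drifted from the intended policy.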

Smart cards and Hardware Security Modules (HSMs)

  • PKCS#11 centralized configuration

TLS 1.3 systemwide

  • A redesign of TLS 1.2 (4 years in the making)
  • Modern crypto primitives (RSA-PSS, Ed25519)
  • Less clutter and a faster handshake: 1-RTT (0-RTT)
  • Better privacy against passive observers
  • Supported in OpenSSL 1.1.1, GnuTLS, and NSS
  • Subsystems enabled: Apache, GNOME, Perl, Python, Ruby, OpenJDK

Libssh: SSH communications

  • Applications need programmatic access to remote systems
  • SSH is the de facto remote access protocol
  • Libssh is FIPS 140-2 compliant and uses the system-supplied crypto libraries
  • Libssh was previously in RHEL 7 extras and is now in core RHEL 8

Software identification (SWID) tags

  • Provide a means to consistently identify software, its origin, and manufacturer
  • Methods for executing only ‘white-listed’ utilities and applications to reduce risk
  • Used by strongSwan, IBM BigFix, Microsoft, and others already
  • Works with any packaging mechanism (rpm, tar, zip, etc)
  • Defined in ISO/IEC 19770-2:2015 standard
  • XML file, digitally signed by Red Hat
  • Optional requirement for Common Criteria certification, required for SCAP 1.3 scanners
  • Highly recommended for whitelisting for federal governments
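The whitelisting use case above rests on reading the identifying attributes of a tag and comparing them with a local allow-list. The script below is an added example, not from the original page or from Red Hat's tooling: it extracts `name`, `version` and `tagId` from the `<SoftwareIdentity>` element of an ISO/IEC 19770-2 tag and checks the `tagId` against an allow-list file. The sample tag it carries is constructed for the example, and the script name `swid_check.sh` in the run guard is an assumption; it does not verify the Red Hat signature, so it belongs after, not instead of, signature verification.

```shell
#!/bin/sh
# Added example (not from the original page): read identifying attributes from a
# SWID tag (ISO/IEC 19770-2 <SoftwareIdentity>) and check its tagId against an allow-list.

# Print the value of attribute NAME from the <SoftwareIdentity> element in FILE.
# The file is collapsed to one line first so attributes split across lines still match;
# the element is expected without a namespace prefix (as in the constructed sample).
swid_attr() {
    file="$1"; name="$2"
    tr '\n' ' ' < "$file" \
      | sed -n "s/.*<SoftwareIdentity[^>]*[[:space:]]$name=\"\([^\"]*\)\".*/\1/p"
}

# Print "name version tagId" for the tag in FILE.
swid_summary() {
    printf '%s %s %s\n' "$(swid_attr "$1" name)" "$(swid_attr "$1" version)" "$(swid_attr "$1" tagId)"
}

# Return 0 if the tagId in FILE appears as a whole line in the allow-list LIST, 1 otherwise.
# A tag with no tagId is never allowed.
swid_allowed() {
    id="$(swid_attr "$1" tagId)"
    [ -n "$id" ] || return 1
    grep -Fqx -- "$id" "$2"
}

# Constructed sample tag (not a real Red Hat tag), used when the script runs stand-alone.
SAMPLE_TAG='<?xml version="1.0" encoding="UTF-8"?>
<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
                  name="example-pkg" version="1.2.3" versionScheme="multipartnumeric"
                  tagId="example.com-example-pkg-1.2.3" tagVersion="0">
  <Entity name="Example Vendor" regid="example.com" role="tagCreator softwareCreator"/>
</SoftwareIdentity>'

# Write the sample tag and a one-entry allow-list to a scratch directory, then check it.
demo() {
    dir="$(mktemp -d)"
    printf '%s\n' "$SAMPLE_TAG" > "$dir/example.swidtag"
    printf '%s\n' "example.com-example-pkg-1.2.3" > "$dir/allowed.txt"
    swid_summary "$dir/example.swidtag"
    if swid_allowed "$dir/example.swidtag" "$dir/allowed.txt"; then
        echo "allowed"
    else
        echo "NOT allowed"
    fi
    rm -rf "$dir"
}

case "$0" in */swid_check.sh) demo ;; esac
```

Matching on the whole `tagId` line (`grep -Fqx`) avoids a partial match such as an allow-list entry for version 1.2 accepting a tag for 1.2.3-beta; the `Entity` element's own `name` attribute is not picked up because the pattern stops at the end of the `<SoftwareIdentity>` start tag.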

Fine-grained SELinux controls

  • SELinux provides mandatory access control and is enabled by default (containers require it)
  • Supports No New Privileges (NNP) in Systemd (nnp_nosuid_transition)
  • New control for preventing a process from changing the limits of another process (getrlimit)
  • Files have specific control now to prevent certain files from being memory mapped (file:map)
  • Ability to limit the need to override access controls (dac_read_search)

Trusted Platform Module (TPM) usage

  • TPM 2.0 full support with TCG software stack
  • Measurements of kernel taken each boot and stored into TPM PCR
  • LUKS data-at-rest key can be stored in TPM now via Network-Bound Disk Encryption utility (Clevis) for protecting against disk theft
  • Future work includes PKCS#11 API for TPM, virtual TPMs, and Red Hat OpenStack Platform
