RHEL7 Security changes


This post covers only the security-related changes introduced in RHEL 7. I have tried to describe each of them in detail.

FIREWALLD

After ipfwadm (2.0.x kernels), ipchains (2.2.x kernels) and iptables (2.4.x/2.6.x kernels), RHEL 7 introduces firewalld, a "dynamic firewall" daemon. It is a management layer rather than a new packet filter: on RHEL 7 it still programs the kernel through iptables (and ip6tables/ebtables) underneath.
This new firewall evolution brings several advantages:

  1. no connection cut during firewall reconfiguration (rules are changed incrementally instead of flushing and reloading the whole rule set),
  2. a runtime configuration, separate from the permanent one, that disappears after a reload/restart (useful for testing a rule before making it permanent),
  3. services with their characteristics (ports, protocols, kernel helper modules) already defined,
  4. predefined zones with various levels of trust,
  5. a D-Bus interface for applications,
  6. "rich rules" for conditions that plain zone/service/port settings cannot express (source addresses, logging, rate limits).

Configuration consists of assigning the server's network interfaces to zones with the firewall-cmd command or the firewall-config graphical application.
The built-in configuration (zones, services, ICMP types) is located under the /usr/lib/firewalld directory. The configuration that you can customize is under the /etc/firewalld directory; a file there takes precedence over the built-in file of the same name, so the built-in definitions are never edited in place.
Firewalld and the iptables service cannot run at the same time, and rules added directly with the iptables command are lost when firewalld reloads. It is still possible to disable firewalld, install the iptables-services package and use iptables as before.
Further information can be found on the Fedora Project website, explanations about “rich rules” included.
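As an added example (not from the original post or the firewalld project), the following Python script builds zone files in the firewalld.zone(5) XML layout and loads them the way firewalld merges its two trees, with a file in the customizable directory replacing the built-in file of the same name. The directories, zone contents, the 192.0.2.0/24 source network and the rich rule are constructed for the demonstration; on a real host the files live under /usr/lib/firewalld/zones and /etc/firewalld/zones and are applied with firewall-cmd --reload.

```python
#!/usr/bin/env python3
"""Added example: build and read firewalld zone files.

Assumptions: zone files use the firewalld.zone(5) XML layout
(<zone>, <service name=.../>, <port .../>, <rule family=...>).
The directories used here are temporary stand-ins for
/usr/lib/firewalld/zones and /etc/firewalld/zones.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

ACTIONS = ("accept", "drop", "reject")


def build_zone(short, description, services=(), ports=(), rich_rules=(), target=None):
    """Return the XML text of a zone file. rich_rules is a list of dicts such as
    {"family": "ipv4", "source": "10.0.0.0/8", "service": "http", "action": "accept"}."""
    zone = ET.Element("zone")
    if target:                      # e.g. "DROP"; omitted means the "default" target
        zone.set("target", target)
    ET.SubElement(zone, "short").text = short
    ET.SubElement(zone, "description").text = description
    for name in services:
        ET.SubElement(zone, "service", name=name)
    for port, proto in ports:
        ET.SubElement(zone, "port", protocol=proto, port=port)
    for rule in rich_rules:
        elem = ET.SubElement(zone, "rule", family=rule["family"])
        if "source" in rule:
            ET.SubElement(elem, "source", address=rule["source"])
        if "service" in rule:
            ET.SubElement(elem, "service", name=rule["service"])
        if "log" in rule:
            ET.SubElement(elem, "log", prefix=rule["log"], level="info")
        if rule["action"] not in ACTIONS:
            raise ValueError("unknown rich rule action %r" % rule["action"])
        ET.SubElement(elem, rule["action"])
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(zone, encoding="unicode")


def rich_rule_text(elem):
    """Render a <rule> element in the syntax firewall-cmd --add-rich-rule accepts."""
    parts = ['rule family="%s"' % elem.get("family")]
    for child in elem:
        if child.tag in ACTIONS:
            parts.append(child.tag)
        else:
            attrs = " ".join('%s="%s"' % kv for kv in child.attrib.items())
            parts.append("%s %s" % (child.tag, attrs))
    return " ".join(parts)


def parse_zone(path):
    """Summarize one zone file: target, services, ports and rich rules."""
    root = ET.parse(path).getroot()
    return {
        "target": root.get("target", "default"),
        "services": sorted(e.get("name") for e in root.findall("service")),
        "ports": sorted((e.get("port"), e.get("protocol")) for e in root.findall("port")),
        "rich_rules": [rich_rule_text(e) for e in root.findall("rule")],
    }


def load_zones(builtin_dir, custom_dir):
    """Merge the two trees the way firewalld does: a file in the custom
    directory replaces the built-in file of the same name."""
    zones = {}
    for directory in (builtin_dir, custom_dir):
        if not os.path.isdir(directory):
            continue
        for fname in sorted(os.listdir(directory)):
            if fname.endswith(".xml"):
                zones[fname[:-4]] = parse_zone(os.path.join(directory, fname))
    return zones


def demo():
    """Write a built-in 'public' zone and an overriding custom copy, then load both."""
    with tempfile.TemporaryDirectory() as tmp:
        builtin = os.path.join(tmp, "usr-lib-firewalld", "zones")   # stand-in for /usr/lib/firewalld/zones
        custom = os.path.join(tmp, "etc-firewalld", "zones")        # stand-in for /etc/firewalld/zones
        os.makedirs(builtin)
        os.makedirs(custom)
        with open(os.path.join(builtin, "public.xml"), "w") as f:
            f.write(build_zone("Public", "Untrusted networks", services=["ssh", "dhcpv6-client"]))
        with open(os.path.join(custom, "public.xml"), "w") as f:
            # Constructed override: drop dhcpv6-client, open 8443/tcp, allow HTTP only from one net.
            f.write(build_zone("Public", "Hardened public zone",
                               services=["ssh"], ports=[("8443", "tcp")],
                               rich_rules=[{"family": "ipv4", "source": "192.0.2.0/24",
                                            "service": "http", "log": "web",
                                            "action": "accept"}]))
        return load_zones(builtin, custom)


if __name__ == "__main__":
    for name, zone in demo().items():
        print(name, zone)
```

Run it to see the merged zone: only the custom file survives for "public", and the rich rule comes back in the syntax accepted by firewall-cmd --add-rich-rule, which is a convenient way to check a hand-written zone file before reloading the daemon.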

SELinux

Instead of putting the whole system into SELinux permissive mode in order to debug one process, it is now possible to make only that process's SELinux domain permissive (a "permissive domain"): denials for that domain are logged but not enforced, while the rest of the system stays in enforcing mode. SELinux instructions are available.
Also, the HTTPD SELinux policy (Apache and Nginx run in the same httpd_t domain and therefore follow exactly the same policy) gets a slightly different default behaviour: the httpd_unified boolean, which was enabled in RHEL 6, is now disabled by default in RHEL 7. With it off, httpd_t no longer has blanket read/write/execute access to every httpd content type, so the distinct types (httpd_sys_content_t, httpd_sys_rw_content_t, httpd_sys_script_exec_t) must be applied as intended. A dedicated article about this HTTPD SELinux change is available.

FSS

FSS stands for Forward Secure Sealing. It is a new mechanism, designed by Bertram Poettering (Lennart Poettering's brother), that protects the integrity of the systemd journal.
FSS is disabled by default; everything starts after running the following command:
# journalctl --setup-keys
This command generates a key pair: a "sealing key" and a "verification key". The verification key is generated only once, is not stored locally and must be recorded by you straight away; there is no way to recreate it later (a QR code is displayed to make the recording easier). The sealing key stays on the host and is used to seal (authenticate) all messages written to the journal until a predefined interval elapses (15 min by default). At that point a new sealing key is derived from the previous one by a one-way function and the previous key is discarded, so it cannot be recovered from the current one.
An attacker who breaks in and obtains the current sealing key therefore cannot re-seal older messages, including the ones recording how the break-in happened, and is left with deleting them. A journal with missing or unverifiable entries should make the discovery of the compromise easier. Note that messages written during the current, not yet sealed interval are not protected, and that FSS detects tampering with the host's journal files; it does not prevent it.
This mechanism does not replace a centralized syslog server, but it offers a minimum of protection when no such server is available.
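The key-evolution property described above, as an added example that is not systemd's code: a deliberately simplified symmetric model (hash-chain key evolution plus HMAC seals) rather than journald's actual pairing-based scheme. The log lines, the intruder's address 198.51.100.7 and the epoch timeline are constructed. In this toy the epoch-0 key doubles as the verification key and must be kept secret off the host; journald's real verification key is likewise meant to be kept off the host, which is why it is shown once as a QR code.

```python
#!/usr/bin/env python3
"""Added example: a symmetric toy model of forward-secure sealing.

This is NOT the algorithm systemd-journald uses (that is the pairing-based
scheme by Bertram Poettering); it is a hash-chain/HMAC stand-in that shows
the same property: the key on the host evolves one-way per epoch, so an
intruder who steals the current key cannot re-seal earlier epochs.
In this toy the verification key (the epoch-0 key) must stay secret
off the host.
"""
import hashlib
import hmac
import os

DIGEST = hashlib.sha256


def evolve(key):
    """One-way key evolution: k[i+1] = H("fss-evolve" || k[i]); k[i] is then discarded."""
    return DIGEST(b"fss-evolve" + key).digest()


def seal(key, epoch, entries):
    """MAC over the epoch number and the length-prefixed entries of that epoch."""
    mac = hmac.new(key, epoch.to_bytes(8, "big"), DIGEST)
    for entry in entries:
        mac.update(len(entry).to_bytes(4, "big") + entry)
    return mac.digest()


class Host:
    """Holds only the current sealing key, like the sealing key journald keeps on disk."""

    def __init__(self, sealing_key):
        self.key = sealing_key
        self.epoch = 0
        self.journal = []          # list of [epoch, entries, tag]
        self.pending = []

    def log(self, line):
        self.pending.append(line.encode())

    def close_epoch(self):
        """Called when the sealing interval (15 min by default in journald) elapses."""
        self.journal.append([self.epoch, list(self.pending), seal(self.key, self.epoch, self.pending)])
        self.pending = []
        self.key = evolve(self.key)   # previous key is gone; it cannot be derived back
        self.epoch += 1


def verify(verification_key, journal):
    """Offline check with the epoch-0 key. Returns (ok, last_good_epoch, problems)."""
    key = verification_key
    problems = []
    last_good = -1
    expected = 0
    for epoch, entries, tag in journal:
        if epoch != expected:
            problems.append("gap: expected epoch %d, found %d" % (expected, epoch))
            break
        if not hmac.compare_digest(seal(key, epoch, entries), tag):
            problems.append("bad seal on epoch %d" % epoch)
            break
        last_good = epoch
        expected += 1
        key = evolve(key)          # verifier re-derives the chain from the recorded key
    return (not problems, last_good, problems)


def demo():
    """Constructed scenario: intruder arrives in epoch 2 and tries to hide the epoch-1 login."""
    k0 = os.urandom(32)            # verification key: record it, do not keep it on the host
    host = Host(k0)
    host.log("sshd: Accepted publickey for admin")
    host.close_epoch()                                             # epoch 0 sealed with k0
    host.log("sshd: Accepted password for root from 198.51.100.7")  # the intrusion (constructed)
    host.close_epoch()                                             # epoch 1 sealed with k1
    host.log("cron: daily run")
    host.close_epoch()                                             # epoch 2 sealed; host.key is now k3

    clean = verify(k0, host.journal)

    # The attacker holds k3 only. Edit epoch 1 and re-seal it with the stolen key.
    tampered = [[e, list(entries), tag] for e, entries, tag in host.journal]
    tampered[1][1] = [b"sshd: Connection closed"]
    tampered[1][2] = seal(host.key, 1, tampered[1][1])
    edited = verify(k0, tampered)

    # Deleting the whole epoch instead leaves a visible gap in the sequence.
    deleted = [rec for rec in host.journal if rec[0] != 1]
    removed = verify(k0, deleted)
    return clean, edited, removed


if __name__ == "__main__":
    for label, result in zip(("clean", "edited", "removed"), demo()):
        print(label, result)
```

On a real RHEL 7 host the equivalent check is journalctl --verify with the recorded key passed through --verify-key. The toy's verify() reports the last epoch whose seal still checks out; in an investigation that is the point from which the host's own journal has to be treated as untrusted.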

Identity Management

RHEL 7 integrates better with Active Directory through cross-realm Kerberos trust. This federation at the Kerberos level lets RHEL servers accept users coming from Active Directory domains without losing native features such as POSIX attributes and SELinux user mappings.
May 06, 2015
