Security

The following features, enhancements, and changes related to security are introduced in this Oracle Linux 9 release.

Enhanced pcscd Configuration with --disable-polkit

The pcscd service now includes the --disable-polkit option, which disables the PolicyKit authorization framework. With this enhancement you can access PKCS #11 devices in limited environments, such as the initial RAM disk, and you can automate the unlocking of LUKS-encrypted volumes at boot time using a PKCS #11 device.

Enhanced pkcs11-tool Output

The pkcs11-tool -L and pkcs11-tool -O commands now include the uri: field in their output, providing URI information that can be used when configuring the pkcs11 Clevis pin for automated unlocking of LUKS-encrypted drives with PKCS #11 devices.

CBC Ciphers in crypto-policies

The crypto-policies now use the OpenSSL -CBC CipherString directive, which disables CBC cipher suites in OpenSSL if none are enabled in crypto-policies.

nettle Library Updated to Version 3.10.1

The nettle library package has been updated to version 3.10.1.

This update includes several key enhancements and changes:

  • Performance improvements for certain cryptographic operations.
  • The addition of DRBG-CTR-AES256, a new deterministic random-bit generator.
  • The introduction of RSA-OAEP, an RSA encryption/decryption method that uses a new OAEP padding scheme.
  • The inclusion of SHAKE-128, an arbitrary-length hash function from the SHA-3 family.
  • A streaming API for SHAKE-128 and SHAKE-256.
  • The removal of the MD5 assembly implementation, which might result in a slight performance impact.

For more information, see the upstream information on https://git.lysator.liu.se/nettle/nettle/-/blob/master/NEWS?ref_type=heads.

Rsyslog Updated to Version 8.2412.0

The rsyslog packages have been updated to version 8.2412.0.

This update provides various fixes and enhancements, such as the ability to bind a ruleset to the imjournal module, which reduces the load on the main message queue and minimizes resource usage.

OpenSCAP Updated to Version 1.3.11

OpenSCAP has been updated to version 1.3.11.

This update includes a new script, oscap-im, which is used in Containerfiles to build hardened bootable container images that run as an Image Mode OS.

The update includes several maintenance and bug fixes, including:

  • Fixing Python 3.13 compatibility
  • Fixing RPM database path in RPM probes
  • Ensuring xlink namespace exists, enabling OpenSCAP scans with DISA content using tailoring files
  • Stopping the printing of useless component reference information in "oscap info"

For more information, see the upstream release notes on https://github.com/OpenSCAP/openscap/releases/tag/1.3.11.

Clevis Updated to Version 21

The clevis packages have been updated to version 21.

This update adds support for PKCS #11 devices and provides various enhancements and bug fixes, including the clevis-pin-pkcs11 subpackage for unlocking LUKS-encrypted volumes using PKCS #11 devices, two checks added to the clevis-udisks2 subpackage, and a fix that prevents "Address in use" errors.
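The uri: field that pkcs11-tool -O now prints (see the pkcs11-tool entry above) is what the clevis-pin-pkcs11 subpackage needs. The following is an added example, not code from these release notes, OpenSC or the Clevis project: it picks the URI of a named object out of the tool output and wraps it for the pin. The sample output is constructed, and the JSON shape assumed for the pin configuration is an assumption, not taken from the page.

```shell
#!/bin/sh
# Constructed pkcs11-tool -O style output (token, serial and URIs are made up
# for this example; real output carries the device's own values).
SAMPLE_PKCS11_OBJECTS='Private Key Object; RSA
  label:      Encryption Key
  ID:         02
  Usage:      decrypt
  uri:        pkcs11:model=EXAMPLE;manufacturer=EXAMPLE;serial=0000;token=example;id=%02;object=Encryption%20Key;type=private
Private Key Object; RSA
  label:      LUKS Key
  ID:         03
  Usage:      decrypt
  uri:        pkcs11:model=EXAMPLE;manufacturer=EXAMPLE;serial=0000;token=example;id=%03;object=LUKS%20Key;type=private'

# Print the uri: value of the object whose label is exactly $1, reading the
# tool output from stdin so a live run can be piped in:
#   pkcs11-tool -O | pkcs11_uri_for_label "LUKS Key"
pkcs11_uri_for_label() {
    awk -v want="$1" '
        /^[^ ]/        { label = "" }                          # new object block
        /^ +label:/    { sub(/^ +label: */, ""); label = $0 }  # remember its label
        /^ +uri:/ && label == want { sub(/^ +uri: */, ""); print; exit }
    '
}

# Build the JSON handed to the clevis pkcs11 pin (assumed shape, see lead-in).
clevis_pkcs11_config() {
    printf '{"uri":"%s"}\n' "$1"
}

# Demonstration on the constructed sample; fails clearly when the label is absent.
demo_luks_pin_config() {
    uri=$(printf '%s\n' "$SAMPLE_PKCS11_OBJECTS" | pkcs11_uri_for_label "LUKS Key")
    [ -n "$uri" ] || { echo "no object labelled LUKS Key" >&2; return 1; }
    clevis_pkcs11_config "$uri"
}

demo_luks_pin_config
```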

New Keylime Policy Management Tool

The new keylime-policy tool integrates all management tasks of Keylime runtime policies and measured boot policies, improving the performance of generating policies.

SELinux Type Assignment for /dev/hfi1_0

SELinux now assigns the hfi1_device_t type to the /dev/hfi1_0 device, enabling proper access control.

Enhanced SELinux Confinement for System Services

The SELinux policy has been strengthened with the addition of new rules that restrict the following systemd services:

  • iio-sensor-proxy
  • power-profiles-daemon
  • switcheroo-control
  • samba-bgqd

These services now operate under a confined SELinux context, rather than being labeled as unconfined_service_t, which was non-compliant with the CIS Server Level 2 benchmark rule "Ensure No Daemons are Unconfined by SELinux." By running in SELinux enforcing mode, these services contribute to a more secure and compliant system.

SCAP Security Guide Updated to 0.1.76

The SCAP Security Guide has been updated to version 0.1.76.

Notable changes include:

  • The Oracle Linux 9 STIG profile has been synchronized with the official DISA Oracle Linux 9 STIG, version 1, release 1.
  • The require_singleuser_auth rule now uses the systemd override mechanism for enhanced functionality.
  • The check for approved SSH ciphers has been updated to align with the latest STIG policy guidelines.

Keylime HTTPS Revocation Notifications

Keylime components have enhanced their revocation notification webhooks to use a more secure configuration for HTTPS connections. Previously, the revocation notifier used only the system-installed CA certificates. Now, you can configure the CA certificate used for HTTPS connections by adding it to the trusted_server_ca configuration option or to the system trust store.

logrotate ignoreduplicates Option

The ignoreduplicates option is now available in the logrotate package. This option ignores any duplicate file paths in the logrotate configuration and is disabled by default.
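Before relying on ignoreduplicates it helps to know which paths are actually claimed by more than one stanza. The following is an added example, not part of these release notes or of the logrotate project: it builds two constructed drop-in snippets that both name the same log file and lists the paths that collide. File names, paths and stanza contents are constructed for the example.

```shell
#!/bin/sh
# Constructed logrotate drop-in files: two snippets that both claim
# /var/log/app/app.log, the situation ignoreduplicates is meant for.
make_sample_logrotate_d() {
    dir=$(mktemp -d)
    cat > "$dir/app" <<'EOF'
# rotated by the app package
/var/log/app/app.log /var/log/app/audit.log {
    weekly
    rotate 4
    compress
}
EOF
    cat > "$dir/app-legacy" <<'EOF'
/var/log/app/app.log {
    daily
    rotate 7
}
EOF
    printf '%s\n' "$dir"
}

# Print each log path that is named by more than one stanza under $1.
# Only literal paths are compared; wildcard patterns would have to be
# expanded before they could be matched against literal entries.
logrotate_duplicate_paths() {
    cat "$1"/* | awk '
        /^ *#/ { next }                 # comment line
        /[{] *$/ {                      # stanza header: one or more paths, then "{"
            sub(/[{] *$/, "")
            for (i = 1; i <= NF; i++) print $i
        }
    ' | sort | uniq -d
}

# Usage: list the duplicates before deciding whether to fix the snippets
# or to enable ignoreduplicates.
dir=$(make_sample_logrotate_d)
logrotate_duplicate_paths "$dir"
rm -rf "$dir"
```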