Security
The following features, enhancements, and changes related to security are introduced in this Oracle Linux 9 release.
Enhanced pcscd Configuration with --disable-polkit
The pcscd service now includes the --disable-polkit option, which disables the PolicyKit (polkit) authorization framework. With this enhancement you can access PKCS #11 devices in limited environments such as the initial RAM disk (initramfs), and you can automate the unlocking of LUKS-encrypted volumes at boot time using a PKCS #11 device. Because polkit is what pcscd uses to decide which local users may access a reader or card, keep the option to environments where polkit is not available, such as the initramfs.
Enhanced pkcs11-tool Output
The pkcs11-tool -L and pkcs11-tool -O commands now include a uri: field in their output. The URI identifies the token or object and can be used when configuring the pkcs11 Clevis pin for automated unlocking of LUKS-encrypted drives with PKCS #11 devices.
CBC Ciphers in crypto-policies
crypto-policies now uses the OpenSSL -CBC CipherString directive, which disables all CBC cipher suites in OpenSSL when no CBC cipher suite is enabled in the active crypto policy.
nettle Library Updated to Version 3.10.1
The nettle library package has been updated to version 3.10.1.
This update includes several key enhancements and changes:
- Performance improvements for certain cryptographic operations.
- The addition of DRBG-CTR-AES256, a new deterministic random-bit generator.
- The addition of RSA-OAEP, RSA encryption and decryption using the OAEP padding scheme.
- The inclusion of SHAKE-128, an arbitrary-length hash function from the SHA-3 family.
- A streaming API for SHAKE-128 and SHAKE-256.
- The removal of the MD5 assembly implementation, which might slightly reduce MD5 performance.
For more information, see the upstream information on https://git.lysator.liu.se/nettle/nettle/-/blob/master/NEWS?ref_type=heads.
Rsyslog Updated to Version 8.2412.0
The rsyslog packages have been updated to version 8.2412.0. This update provides various fixes and enhancements, such as the ability to bind a ruleset to the imjournal module, which reduces the load on the main message queue and minimizes resource usage.
OpenSCAP Updated to Version 1.3.11
OpenSCAP has been updated to version 1.3.11. This update includes a new script, oscap-im, which is used in Containerfiles to build hardened bootable container images for running as an Image Mode OS.
The update also includes several maintenance and bug fixes, including:
- Fixing Python 3.13 compatibility
- Fixing RPM database path in RPM probes
- Ensuring xlink namespace exists, enabling OpenSCAP scans with DISA content using tailoring files
- Stopping the printing of useless component reference information in "oscap info"
For more information, see the upstream release notes on https://github.com/OpenSCAP/openscap/releases/tag/1.3.11.
Clevis Updated to Version 21
The clevis packages have been updated to version 21. This update adds support for PKCS #11 devices and provides various enhancements and bug fixes, including the clevis-pin-pkcs11 subpackage for unlocking LUKS-encrypted volumes using PKCS #11 devices, two additional checks in the clevis-udisks2 subpackage, and a fix that prevents "Address in use" errors.
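The two notes above on PKCS #11 (the new uri: field in pkcs11-tool -L and -O output, and the clevis-pin-pkcs11 subpackage that consumes a PKCS #11 URI) fit together as follows. The script below is an added example written for this page, not code from the release notes, OpenSC or Clevis: it extracts the uri: value of a chosen object from pkcs11-tool -O output and wraps it in the {"uri": ...} configuration that the Clevis pkcs11 pin takes. The sample pkcs11-tool output is constructed, the device path and the choice of the private-key object are assumptions, and any extra URI attributes a given token needs (module-path, pin-value) come from the clevis-pin-pkcs11 documentation rather than from this page.

```shell
#!/bin/sh
# Added example, not from the Oracle Linux release notes or the OpenSC/Clevis projects.
# Turn the `uri:` line that pkcs11-tool -O now prints for each object into the
# JSON config expected by `clevis luks bind ... pkcs11 CONFIG`.

# Constructed sample of `pkcs11-tool -O` output (attribute values are made up;
# a real token prints its own model, serial, token label and object names).
SAMPLE_PKCS11_TOOL_O='Using slot 0 with a present token (0x0)
Private Key Object; RSA
  label:      PIV AUTH key
  ID:         01
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  uri:        pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=Example%20PIV;id=%01;object=PIV%20AUTH%20key;type=private
Public Key Object; RSA 2048 bits
  label:      PIV AUTH pubkey
  ID:         01
  Usage:      encrypt, verify
  uri:        pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=Example%20PIV;id=%01;object=PIV%20AUTH%20pubkey;type=public'

# Read pkcs11-tool -O output on stdin and print the `uri:` value of the first
# object whose header line starts with $1 (for example "Private Key Object").
# Object headers start in column 0 and contain "Object;"; attribute lines are
# indented, so awk remembers the current header and emits the uri under it.
pkcs11_object_uri() {
    awk -v want="$1" '
        /^[A-Za-z].*Object;/ { cur = $0 }
        /^[ \t]+uri:/ && index(cur, want) == 1 {
            sub(/^[ \t]+uri:[ \t]+/, ""); print; exit
        }'
}

# Build the Clevis pkcs11 pin config. Only the "uri" key is used here; the URI
# is escaped for JSON defensively (pkcs11-tool URIs contain neither backslash
# nor double quote, but the value may have been edited by hand to add
# attributes such as pin-value).
clevis_pkcs11_config() {
    uri=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"uri":"%s"}' "$uri"
}

# Stand-alone demo on the constructed output. On a real host replace the
# first command with:  pkcs11-tool -O | pkcs11_object_uri "Private Key Object"
key_uri=$(printf '%s\n' "$SAMPLE_PKCS11_TOOL_O" | pkcs11_object_uri "Private Key Object")
echo "key URI:       $key_uri"
echo "clevis config: $(clevis_pkcs11_config "$key_uri")"
# Binding the volume (device path is an assumption for the example):
#   clevis luks bind -d /dev/sda2 pkcs11 "$(clevis_pkcs11_config "$key_uri")"
```

For unlocking at boot, pcscd must also be reachable from the initramfs, which is where the --disable-polkit option from the first note applies; how that option is passed to the service (for example through a systemd drop-in for pcscd.service) is distribution-specific and not covered by this page.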
New Keylime Policy Management Tool
The new keylime-policy tool integrates all management tasks for Keylime runtime policies and measured boot policies, and improves the performance of policy generation.
SELinux Type Assignment for /dev/hfi1_0
SELinux now assigns the hfi1_device_t type to the /dev/hfi1_0 device, enabling proper access control.
Enhanced SELinux Confinement for System Services
The SELinux policy has been strengthened with new rules that confine the following systemd services:
- iio-sensor-proxy
- power-profiles-daemon
- switcheroo-control
- samba-bgqd
These services now run in a confined SELinux domain instead of being labeled unconfined_service_t, which was non-compliant with the CIS Server Level 2 benchmark rule "Ensure No Daemons are Unconfined by SELinux." With SELinux in enforcing mode, these services now contribute to a more secure and compliant system.
SCAP Security Guide Updated to 0.1.76
The SCAP Security Guide has been updated to version 0.1.76.
- The Oracle Linux 9 STIG profile has been synchronized with the official DISA Oracle Linux 9 STIG, version 1, release 1.
- The require_singleuser_auth rule now uses the systemd override mechanism for enhanced functionality.
- The check for approved SSH ciphers has been updated to align with the latest STIG policy guidelines.
Keylime HTTPS Revocation Notifications
Keylime components now use a more secure HTTPS configuration for their revocation notification webhooks. Previously, the revocation notifier trusted only the system-installed CA certificates. Now you can configure the CA certificate used for HTTPS connections by adding it to the trusted_server_ca configuration option or to the system trust store.