CHAPTER 20. SECURITY
The following chapters contain the most notable changes to security between RHEL 8 and RHEL 9.
20.1. SECURITY COMPLIANCE
CIS and DISA STIG profiles provided as DRAFT
The profiles based on benchmarks from the Center for Internet Security (CIS) and Defence Industry Security Association Security Technical Implementation Guides (DISA STIG) are provided as DRAFT because the issuing authorities have not yet published an official benchmark for RHEL 9. In addition, the OSSP profile is in DRAFT because it is being implemented.
For a complete list of profiles available in RHEL 9, see SCAP Security Guide profiles supported in RHEL 9.
OpenSCAP no longer supports SHA-1 and MD5
Due to the removal of the SHA-1 and MD5 hash functions in Red Hat Enterprise Linux 9, support for the OVAL filehash_test has been removed from OpenSCAP. Also, support for the SHA-1 and MD5 hash functions has been removed from the OVAL filehash58_test implementation in OpenSCAP. As a result, OpenSCAP evaluates rules in SCAP content that use the OVAL filehash_test as notchecked. In addition, OpenSCAP also returns notchecked when evaluating an OVAL filehash58_test whose filehash58_object has the hash_type element set to SHA-1 or MD5.
To update your OVAL content, rewrite the affected SCAP content so that it uses filehash58_test instead of filehash_test, and use one of SHA-224, SHA-256, SHA-384, or SHA-512 in the hash_type element within filehash58_object.
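The following script, added here as an illustration and not part of Red Hat's documentation or the OpenSCAP project, audits OVAL content for the two cases above (filehash_test, and filehash58_test whose object uses SHA-1 or MD5) so that affected tests can be found before a RHEL 9 scan reports them as notchecked. The OVAL fragment it scans is constructed for the example; the OVAL namespace and element names are the standard ones.

```python
"""Audit OVAL content for tests that OpenSCAP on RHEL 9 evaluates as notchecked."""
import xml.etree.ElementTree as ET

UNIX = "{http://oval.mitre.org/XMLSchema/oval-definitions-5#unix}"
REMOVED = {"SHA-1", "MD5"}          # hash_type values no longer supported in RHEL 9

# Constructed OVAL fragment (not real SCAP content) covering the three cases.
SAMPLE_OVAL = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
 xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
 <tests>
  <unix:filehash_test id="oval:ex:tst:1" check="all"><unix:object object_ref="oval:ex:obj:1"/></unix:filehash_test>
  <unix:filehash58_test id="oval:ex:tst:2" check="all"><unix:object object_ref="oval:ex:obj:2"/></unix:filehash58_test>
  <unix:filehash58_test id="oval:ex:tst:3" check="all"><unix:object object_ref="oval:ex:obj:3"/></unix:filehash58_test>
 </tests>
 <objects>
  <unix:filehash_object id="oval:ex:obj:1"><unix:filepath>/etc/example.conf</unix:filepath></unix:filehash_object>
  <unix:filehash58_object id="oval:ex:obj:2"><unix:filepath>/etc/example.conf</unix:filepath>
   <unix:hash_type>SHA-1</unix:hash_type></unix:filehash58_object>
  <unix:filehash58_object id="oval:ex:obj:3"><unix:filepath>/etc/example.conf</unix:filepath>
   <unix:hash_type>SHA-256</unix:hash_type></unix:filehash58_object>
 </objects>
</oval_definitions>"""

def audit_oval(xml_text):
    """Return [(test_id, reason)] for tests that RHEL 9 OpenSCAP reports as notchecked."""
    root = ET.fromstring(xml_text)
    # Map filehash58_object id -> literal hash_type (var_ref-driven values are not resolved here).
    hash_types = {}
    for obj in root.iter(UNIX + "filehash58_object"):
        ht = obj.find(UNIX + "hash_type")
        hash_types[obj.get("id")] = (ht.text or "").strip() if ht is not None else ""
    findings = []
    for test in root.iter(UNIX + "filehash_test"):
        findings.append((test.get("id"), "filehash_test is no longer supported; migrate to filehash58_test"))
    for test in root.iter(UNIX + "filehash58_test"):
        obj = test.find(UNIX + "object")
        ht = hash_types.get(obj.get("object_ref")) if obj is not None else None
        if ht in REMOVED:
            findings.append((test.get("id"), f"hash_type {ht} removed; use SHA-224, SHA-256, SHA-384 or SHA-512"))
    return findings

if __name__ == "__main__":
    for test_id, reason in audit_oval(SAMPLE_OVAL):
        print(f"{test_id}: {reason}")
```

Note that switching a hash_type also requires recomputing the expected digest in the corresponding filehash58_state; the script only locates the affected tests.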
OpenSCAP uses the data stream file instead of the XCCDF file
The SCAP source data stream file (ssg-rhel9-ds.xml) contains all the data that in previous versions of RHEL were contained in the XCCDF file (ssg-rhel9-xccdf.xml). The SCAP source data stream is a container file that includes all the components (XCCDF, OVAL, CPE) needed to perform a compliance scan. Using the SCAP source data stream instead of XCCDF has been recommended since RHEL 7. In previous versions of RHEL, the data in the XCCDF file and SCAP source data stream was duplicated. In RHEL 9, this duplication is removed to reduce the RPM package size. If your scenario requires using separate files instead of the data stream, you can split the data stream file by using this command:
# oscap ds sds-split /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml output_directory
20.2. CRYPTO-POLICIES, RHEL CORE CRYPTOGRAPHIC COMPONENTS, AND PROTOCOLS
Continuing SHA-1 deprecation
In RHEL 9, SHA-1 usage for signatures is restricted in the DEFAULT system-wide cryptographic policy. Except for HMAC, SHA-1 is no longer allowed in the TLS, DTLS, SSH, IKEv2, DNSSEC, and Kerberos protocols. Individual applications not controlled by the RHEL system-wide crypto policies are also moving away from using SHA-1 hashes in RHEL 9.
If your scenario requires the use of SHA-1 for verifying existing or third-party cryptographic signatures, you can enable it by entering the following command:
# update-crypto-policies --set DEFAULT:SHA1
Alternatively, you can switch the system-wide crypto policies to the LEGACY policy. Note that LEGACY