mark :: blog

30 Nov 2010: Vulnerability and threat mitigation features in Red Hat Enterprise Linux (Updated)

Two years ago I published a table of Vulnerability and threat mitigation features in Red Hat Enterprise Linux and Fedora. Now that we've released Red Hat Enterprise Linux 6, it's time to update the table. Thanks to Eugene Teo for collating this information.

Between releases there are lots of changes made to improve security and we've not listed everything; just a high-level overview of the things we think are most interesting that help mitigate security risk. We could go into much more detail, breaking out the number of daemons covered by the SELinux default policy, the number of binaries compiled PIE, and so on.

Note that this table is for the most common architectures, x86 and x86_64 only; other supported architectures may vary.

Features Red Hat Enterprise Linux
3456
2003 Oct2005 Feb2007 Mar2010 Nov
Firewall by default YY YY
Signed updates required by default YY YY
NX emulation using segment limits by default Y(since 9/2004)Y Y Y
Support for Position Independent Executables (PIE) Y(since 9/2004)YYY
Address Randomization (ASLR) for Stack/mmap by default Y (since 9/2004)YYY
ASLR for vDSO (if vDSO enabled) no vDSOYYY
Support for NULL pointer dereference protection Y(since 11/2009) Y(since 9/2009) Y(since 5/2008) Y
NX for supported processors/kernels by default Y(since 9/2004)YYY
Support for block module loading via cap-bound sysctl tunable
or /proc/sys/kernel/cap-bound
YY Y no cap-bound
Restricted access to kernel memory by default  YYY
Support for SELinux  YYY
SELinux enabled with targeted policy by default  YYY
glibc heap/memory checks by default  YYY
Support for FORTIFY_SOURCE, used on selected packages  YYY
Support for ELF Data Hardening  YYY
All packages compiled using FORTIFY_SOURCE   YY
All packages compiled with stack smashing protection   YY
SELinux Executable Memory Protection   YY
glibc pointer encryption by default   YY
Enabled NULL pointer dereference protection by default     Y(since 5/2008) Y
Enabled write-protection for kernel read-only data structures
by default
    Y Y
FORTIFY_SOURCE extensions including C++ coverage    Y
Support for block module loading via modules_disabled
sysctl tunable or /proc/sys/kernel/modules_disabled
      Y
Support for SELinux to restrict the loading of kernel modules
by unprivileged processes in confined domains
      Y
Enabled kernel -fstack-protector buffer overflow detection by default       Y
Support for sVirt labelling to provide security over guest instances
      Y
Support for SELinux to confine users' access on a system
      Y
Support for SELinux to test untrusted content via a sandbox
      Y
Support for SELinux X Access Control Extension (XACE)
      Y

Created: 30 Nov 2010
Tagged as: , , ,

Hi! I'm Mark Cox. This blog gives my thoughts on security work, open source, home automation, and other topics.