mark :: blog

04 Jan 2007: Security Features in Red Hat Enterprise Linux and Fedora Core

Late last year a reporter contacted me who was interested in the various security features and innovations in Red Hat Enterprise Linux and Fedora. She particularly wanted to know the dates when each first made it into a shipping product. In the end the article was published in a German magazine and was not publicly available. It's a shame to waste the work as I don't think this has ever all been collected together into one place before, so here is the table. It's possible I've missed one or two of the features, and I've not broken down the big things like SELinux where we could talk about the number of default policies in each release or the number of binaries compiled PIE, but drop me a mail if you see any issues.

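| Feature | Fedora Core 1 (2003 Nov) | Fedora Core 2 (2004 May) | Fedora Core 3 (2004 Nov) | Fedora Core 4 (2005 Jun) | Fedora Core 5 (2006 Mar) | Fedora Core 6 (2006 Oct) | Red Hat Enterprise Linux 3 (2003 Oct) | Red Hat Enterprise Linux 4 (2005 Feb) |
|---|---|---|---|---|---|---|---|---|
| Default requires signed updates | Y | Y | Y | Y | Y | Y | Y | Y |
| NX emulation using segment limits by default | Y | Y | Y | Y | Y | Y | since 2004 Sep | Y |
| Support for Position Independent Executables (PIE) | Y | Y | Y | Y | Y | Y | since 2004 Sep | Y |
| ASLR for Stack/mmap by default | Y | Y | Y | Y | Y | Y | since 2004 Sep | Y |
| ASLR for vDSO (if vDSO enabled) | no vDSO | Y | Y | Y | Y | Y | no vDSO | Y |
| Restricted access to kernel memory by default | | Y | Y | Y | Y | Y | | Y |
| NX by default for supported processors/kernels | | since 2004 Jun | Y | Y | Y | Y | since 2004 Sep | Y |
| Support for SELinux | | Y | Y | Y | Y | Y | | Y |
| SELinux default enabled with targeted policies | | | Y | Y | Y | Y | | Y |
| glibc heap/memory checks by default | | | Y | Y | Y | Y | | Y |
| Support for FORTIFY_SOURCE, used on selected packages | | | Y | Y | Y | Y | | Y |
| All packages compiled using FORTIFY_SOURCE | | | | Y | Y | Y | | |
| Support for ELF Data Hardening | | | | Y | Y | Y | | Y |
| All packages compiled with stack smashing protection | | | | | Y | Y | | |
| Pointer encryption | | | | | | Y | | |
| CVE compatible | | | | | | | Y | Y |
| OVAL compatible | | | | | | | since 2006 May | since 2006 May |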

New: Updated version from 7th January 2008

Created: 04 Jan 2007

Hi! I'm Mark Cox. This blog gives my thoughts on security work, open source, home automation, and other topics.