Many changes are made between releases to improve security, and I've not listed everything; this is just a high-level overview of the things I think are most interesting that help mitigate security risk. We could go into much more detail, breaking out the number of daemons covered by the SELinux default policy, the number of binaries compiled as PIE, and so on.
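Release | Fedora Core 1 | Fedora Core 2 | Fedora Core 3 | Fedora Core 4 | Fedora Core 5 | Fedora Core 6 | Fedora 7 | Fedora 8 | Red Hat Enterprise Linux 3 | Red Hat Enterprise Linux 4 | Red Hat Enterprise Linux 5 |
Release date | 2003Nov | 2004May | 2004Nov | 2005Jun | 2006Mar | 2006Oct | 2007May | 2007Nov | 2003Oct | 2005Feb | 2007Mar |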
Firewall by default | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
Signed updates required by default | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
NX emulation using segment limits by default | Y | Y | Y | Y | Y | Y | Y | Y | Y [2] | Y | Y |
Support for Position Independent Executables (PIE) | Y | Y | Y | Y | Y | Y | Y | Y | Y [2] | Y | Y |
Address Randomization (ASLR) for Stack/mmap by default [3] | Y | Y | Y | Y | Y | Y | Y | Y | Y [2] | Y | Y |
ASLR for vDSO (if vDSO enabled) [3] | no vDSO | Y | Y | Y | Y | Y | Y | Y | no vDSO | Y | Y |
Restricted access to kernel memory by default | Y | Y | Y | Y | Y | Y | Y | Y | Y | ||
NX for supported processors/kernels by default | Y [1] | Y | Y | Y | Y | Y | Y | Y [2] | Y | Y | |
Support for SELinux | Y | Y | Y | Y | Y | Y | Y | Y | Y | ||
SELinux enabled with targeted policy by default | Y | Y | Y | Y | Y | Y | Y | Y | |||
glibc heap/memory checks by default | Y | Y | Y | Y | Y | Y | Y | Y | |||
Support for FORTIFY_SOURCE, used on selected packages | Y | Y | Y | Y | Y | Y | Y | Y | |||
All packages compiled using FORTIFY_SOURCE | Y | Y | Y | Y | Y | Y | |||||
Support for ELF Data Hardening | Y | Y | Y | Y | Y | Y | Y | ||||
All packages compiled with stack smashing protection | Y | Y | Y | Y | Y | ||||||
SELinux Executable Memory Protection | Y | Y | Y | Y | |||||||
glibc pointer encryption by default | Y | Y | Y | Y | |||||||
FORTIFY_SOURCE extensions including C++ coverage | Y |
Created: 07 Jan 2008
Tagged as: fedora, red hat, security