mark :: blog
30 Nov 2010: Vulnerability and threat mitigation features in Red Hat Enterprise Linux (Updated)
Two years ago I published a table of Vulnerability and threat mitigation features in Red Hat Enterprise Linux and Fedora. Now that we've released Red Hat Enterprise Linux 6, it's time to update the table. Thanks to Eugene Teo for collating this information.Between releases there are lots of changes made to improve security and we've not listed everything; just a high-level overview of the things we think are most interesting that help mitigate security risk. We could go into much more detail, breaking out the number of daemons covered by the SELinux default policy, the number of binaries compiled PIE, and so on.
Note that this table is for the most common architectures, x86 and x86_64 only; other supported architectures may vary.
| Features | Red Hat Enterprise Linux | |||
| 3 | 4 | 5 | 6 | |
| 2003 Oct | 2005 Feb | 2007 Mar | 2010 Nov | |
| Firewall by default | Y | Y | Y | Y |
| Signed updates required by default | Y | Y | Y | Y |
| NX emulation using segment limits by default | Y(since 9/2004) | Y | Y | Y |
| Support for Position Independent Executables (PIE) | Y(since 9/2004) | Y | Y | Y |
| Address Randomization (ASLR) for Stack/mmap by default | Y (since 9/2004) | Y | Y | Y |
| ASLR for vDSO (if vDSO enabled) | no vDSO | Y | Y | Y |
| Support for NULL pointer dereference protection | Y(since 11/2009) | Y(since 9/2009) | Y(since 5/2008) | Y |
| NX for supported processors/kernels by default | Y(since 9/2004) | Y | Y | Y |
| Support for block module loading via cap-bound sysctl tunable or /proc/sys/kernel/cap-bound |
Y | Y | Y | no cap-bound |
| Restricted access to kernel memory by default | Y | Y | Y | |
| Support for SELinux | Y | Y | Y | |
| SELinux enabled with targeted policy by default | Y | Y | Y | |
| glibc heap/memory checks by default | Y | Y | Y | |
| Support for FORTIFY_SOURCE, used on selected packages | Y | Y | Y | |
| Support for ELF Data Hardening | Y | Y | Y | |
| All packages compiled using FORTIFY_SOURCE | Y | Y | ||
| All packages compiled with stack smashing protection | Y | Y | ||
| SELinux Executable Memory Protection | Y | Y | ||
| glibc pointer encryption by default | Y | Y | ||
| Enabled NULL pointer dereference protection by default | Y(since 5/2008) | Y | ||
| Enabled write-protection for kernel read-only data structures by default |
Y | Y | ||
| FORTIFY_SOURCE extensions including C++ coverage | Y | |||
| Support for block module loading via modules_disabled sysctl tunable or /proc/sys/kernel/modules_disabled |
Y | |||
| Support for SELinux to restrict the loading of kernel modules by unprivileged processes in confined domains |
Y | |||
| Enabled kernel -fstack-protector buffer overflow detection by default | Y | |||
| Support for sVirt labelling to provide security over guest instances | Y | |||
| Support for SELinux to confine users' access on a system | Y | |||
| Support for SELinux to test untrusted content via a sandbox | Y | |||
| Support for SELinux X Access Control Extension (XACE) | Y | |||
Created: 30 Nov 2010
Tagged as: fedora, metrics, red hat, security
