Red Hat Customer Portal

Vulnerability and threat mitigation features in Red Hat Enterprise Linux

Red Hat Enterprise Linux versions have included a number of vulnerability and threat mitigation features. This table gives a summary of the features and the versions they appear in.

| Features | RHEL 3 (2003 Oct) | RHEL 4 (2005 Feb) | RHEL 5 (2007 Mar) | RHEL 6 (2010 Nov) |
|---|---|---|---|---|
| Firewall by default | Y | Y | Y | Y |
| Signed updates required by default | Y | Y | Y | Y |
| NX emulation using segment limits by default | Y (since 9/2004) | Y | Y | Y |
| Support for Position Independent Executables (PIE) | Y (since 9/2004) | Y | Y | Y |
| Address Randomization (ASLR) for Stack/mmap by default | Y (since 9/2004) | Y | Y | Y |
| ASLR for vDSO (if vDSO enabled) | no vDSO | Y | Y | Y |
| Support for NULL pointer dereference protection | Y (since 11/2009) | Y (since 9/2009) | Y (since 5/2008) | Y |
| NX for supported processors/kernels by default | Y (since 9/2004) | Y | Y | Y |
| Support for block module loading via cap-bound sysctl tunable or /proc/sys/kernel/cap-bound | Y | Y | Y | no cap-bound |
| Restricted access to kernel memory by default | | Y | Y | Y |
| Support for SELinux | | Y | Y | Y |
| SELinux enabled with targeted policy by default | | Y | Y | Y |
| glibc heap/memory checks by default | | Y | Y | Y |
| Support for FORTIFY_SOURCE, used on selected packages | | Y | Y | Y |
| Support for ELF Data Hardening | | Y | Y | Y |
| All packages compiled using FORTIFY_SOURCE | | | Y | Y |
| All packages compiled with stack smashing protection | | | Y | Y |
| SELinux Executable Memory Protection | | | Y | Y |
| glibc pointer encryption by default | | | Y | Y |
| Enabled NULL pointer dereference protection by default | | | Y (since 5/2008) | Y |
| Enabled write-protection for kernel read-only data structures by default | | | Y | Y |
| FORTIFY_SOURCE extensions including C++ coverage | | | | Y |
| Support for block module loading via modules_disabled sysctl tunable or /proc/sys/kernel/modules_disabled | | | | Y |
| Support for SELinux to restrict the loading of kernel modules by unprivileged processes in confined domains | | | | Y |
| Enabled kernel -fstack-protector buffer overflow detection by default | | | | Y |
| Support for sVirt labelling to provide security over guest instances | | | | Y |
| Support for SELinux to confine users' access on a system | | | | Y |
| Support for SELinux to test untrusted content via a sandbox | | | | Y |
| Support for SELinux X Access Control Extension (XACE) | | | | Y |

Please note that this table covers only the most common architectures, x86 and x86_64; feature support for other supported architectures may vary.
