Vulnerability and threat mitigation features in Red Hat Enterprise Linux
Successive Red Hat Enterprise Linux versions have added a number of vulnerability and threat mitigation features. The table below summarizes these features and the versions in which they appear; an empty cell means the feature is not present in that version.
For additional information, please refer to the Fedora Security Features Matrix.
| Feature | RHEL 3 (Oct 2003) | RHEL 4 (Feb 2005) | RHEL 5 (Mar 2007) | RHEL 6 (Nov 2010) | RHEL 7 (Jun 2014) | RHEL 8 (May 2019) | RHEL 9 (May 2022) |
|---|---|---|---|---|---|---|---|
| Firewall by default | Y | Y | Y | Y | Y | Y | Y |
| Signed updates required by default | Y | Y | Y | Y | Y | Y | Y |
| NX emulation using segment limits by default | Y (since 9/2004) | Y | Y | Y | Y | Y | Y |
| Support for Position Independent Executables (PIE) | Y (since 9/2004) | Y | Y | Y | Y | Y | Y |
| Address Randomization (ASLR) for stack/mmap by default | Y (since 9/2004) | Y | Y | Y | Y | Y | Y |
| ASLR for vDSO (if vDSO enabled) | no vDSO | Y | Y | Y | Y | Y | Y |
| Support for NULL pointer dereference protection | Y (since 11/2009) | Y (since 9/2009) | Y (since 5/2008) | Y | Y | Y | Y |
| NX for supported processors/kernels by default | Y (since 9/2004) | Y | Y | Y | Y | Y | Y |
| Support for blocking module loading via the cap-bound sysctl tunable or /proc/sys/kernel/cap-bound | Y | Y | Y | no cap-bound | no cap-bound | no cap-bound | no cap-bound |
| Restricted access to kernel memory by default | | Y | Y | Y | Y | Y | Y |
| Support for SELinux | | Y | Y | Y | Y | Y | Y |
| SELinux enabled with targeted policy by default | | Y | Y | Y | Y | Y | Y |
| glibc heap/memory checks by default | | Y | Y | Y | Y | Y | Y |
| Support for FORTIFY_SOURCE, used on selected packages | | Y | Y | Y | Y | Y | Y |
| Support for ELF data hardening | | Y | Y | Y | Y | Y | Y |
| All packages compiled using FORTIFY_SOURCE | | | Y | Y | Y | Y | Y |
| All packages compiled with stack smashing protection | | | Y | Y | Y | Y | Y |
| SELinux executable memory protection | | | Y | Y | Y | Y | Y |
| glibc pointer encryption by default | | | Y | Y | Y | Y | Y |
| NULL pointer dereference protection enabled by default | | | Y (since 5/2008) | Y | Y | Y | Y |
| Write-protection for kernel read-only data structures enabled by default | | | Y | Y | Y | Y | Y |
| FORTIFY_SOURCE extensions including C++ coverage | | | | Y | Y | Y | Y |
| Support for blocking module loading via the modules_disabled sysctl tunable or /proc/sys/kernel/modules_disabled | | | | Y | Y | Y | Y |
| Support for SELinux to restrict the loading of kernel modules by unprivileged processes in confined domains | | | | Y | Y | Y | Y |
| Kernel -fstack-protector buffer overflow detection enabled by default | | | | Y | Y | Y | Y |
| Support for sVirt labelling to provide security over guest instances | | | | Y | Y | Y | Y |
| Support for SELinux to confine users' access on a system | | | | Y | Y | Y | Y |
| Support for SELinux to test untrusted content via a sandbox | | | | Y | Y | Y | Y |
| Support for SELinux X Access Control Extension (XACE) | | | | Y | Y | Y | Y |
| Stronger stack smashing protection (-fstack-protector-strong) | | | | | Y | Y | Y |
| Available protection against USB security attacks | | | | | Y (since 7.4) | Y | Y |
| Only TLS 1.2 and above allowed in the default crypto policy | | | | | | Y | Y |
| All packages compiled with stack clash protection | | | | | | Y | Y |
| Automatic annotation of system binaries and executables for examination of their security profile | | | | | | Y | Y |
| Golang: FIPS compliance support | | | | | | Y (since 8.2) | Y |
| Support for Network Time Security | | | | | | Y (since 8.5) | Y |
| OpenSSH with U2F/FIDO security key support | | | | | | | Y |
Note that this table covers only the most common architectures, x86 and x86_64; feature support on other supported architectures may vary.