Chapter 3. New Features

This chapter documents new features and major enhancements introduced in Red Hat Enterprise Linux 7.9.

3.1. Authentication and Interoperability

The Certificate Profiles extension no longer has a maximum number of policies per certificate

Previously, administrators could not add more than 20 policies to a certificate because of a hardcoded limit within the Certificate Profiles extension. This update removes the restriction, so you can add an unlimited number of policies to a certificate. In addition, the extension requires at least one policy; otherwise, the pkiconsole interface shows an error. If you modify the profile, the extension creates one empty policy. For example:

Identifier: Certificate Policies: - 2.5.29.32
            Critical: no
            Certificate Policies:

(BZ#1768718)

SSSD rebased to version 1.16.5

The sssd packages have been upgraded to upstream version 1.16.5, which provides a number of bug fixes and enhancements over the previous version.

(BZ#1796352)

3.2. Clustering

pacemaker rebased to version 1.1.23

The Pacemaker cluster resource manager has been upgraded to upstream version 1.1.23, which provides a number of bug fixes.

(BZ#1792492)

3.3. Compiler and Tools

Per-thread metrics are now available for historical analysis

You can now optionally enable logging of per-thread as well as per-process performance metric values in Performance Co-Pilot (PCP) by using the pcp-zeroconf package and the pmieconf utility. Previously, pmlogger logged only per-process metric values through the pcp-zeroconf package, but some analysis situations also require per-thread values. As a result, per-thread metrics are now available for historical analysis after you run the following command:

# pmieconf -c enable zeroconf.all_threads

(BZ#1775373)

3.4. Desktop

FreeRDP has been updated to 2.1.1

This release updates the FreeRDP implementation of the Remote Desktop Protocol (RDP) from version 2.0.0 to 2.1.1. FreeRDP 2.1.1 supports new RDP options for the current Microsoft Windows terminal server version and fixes several security issues.

For detailed information about FreeRDP 2.1.1, see the upstream release notes: https://github.com/FreeRDP/FreeRDP/blob/2.1.1/ChangeLog.

(BZ#1834286)

3.5. Kernel

Kernel version in RHEL 7.9

Red Hat Enterprise Linux 7.9 is distributed with the kernel version 3.10.0-1160.

See also Important Changes to External Kernel Parameters and Device Drivers.

(BZ#1801759)

A new kernel parameter: page_owner

Page owner tracking is a new feature that enables users to observe kernel memory consumption at the page allocator level. Users can employ it to debug kernel memory leaks or to discover kernel modules that consume excessive amounts of memory. To enable the feature, add the page_owner=on parameter to the kernel command line. For more information on how to set kernel command-line parameters, see Configuring kernel command-line parameters on the Customer Portal.

Warning

Regardless of whether the page_owner parameter is set to on or off on the kernel command line, page owner tracking adds approximately 2.14% to the memory requirement of RHEL 7.9 systems (this affects the kernel, VMs, and cgroups). For further details on this topic, see the solution Why Kernel-3.10.0-1160.el7 consumes double amount of memory compared to kernel-3.10.0-1127.el7?.

For more information about important changes to kernel parameters, see the New kernel parameters section.

(BZ#1781726)

EDAC driver support is now added to Intel ICX systems

This update adds the Error Detection and Correction (EDAC) driver to Intel ICX systems. As a result, memory errors can be detected on these systems and reported to the EDAC subsystem.

(BZ#1514705)

Intel® Omni-Path Architecture (OPA) Host Software

Intel® Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 7.9. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.

(BZ#1855010)

The Mellanox ConnectX-6 Dx network adapter is now fully supported

This enhancement adds the PCI IDs of the Mellanox ConnectX-6 Dx network adapter to the mlx5_core driver. On hosts that use this adapter, RHEL loads the mlx5_core driver automatically. This feature, previously available as a technology preview, is now fully supported in RHEL 7.9.

(BZ#1829777)

3.6. Real-Time Kernel

The kernel-rt source tree now matches the latest RHEL 7 tree

The kernel-rt sources have been updated to use the latest RHEL kernel source tree, which provides a number of bug fixes and enhancements over the previous version.

(BZ#1790643)

3.7. Networking

Configuring unbound to run inside chroot for systems without SELinux

On systems with SELinux enabled and in enforcing mode, SELinux provides significant protection and limits what the unbound service can access. If you cannot configure SELinux in enforcing mode and you want to increase the protection of the unbound domain name server, use the chroot utility to jail unbound in a limited chroot environment. Note that the protection provided by chroot is weaker than SELinux in enforcing mode.

To configure unbound to run inside chroot, prepare your environment as described in the support article Running unbound in chroot.

(BZ#2121623)

3.8. Red Hat Enterprise Linux System Roles

rhel-system-roles updated

The rhel-system-roles package has been updated to provide multiple bug fixes and enhancements. Notable changes include:

  • Support for 802.1X authentication with EAP-TLS was added to the network RHEL System Role when using the NetworkManager provider. As a result, customers can now configure their machines to use 802.1X authentication with EAP-TLS through the network RHEL System Role instead of having to use the nmcli command-line utility.
  • The network RHEL System Role tries to modify link or network attributes without disrupting connectivity, when possible.
  • Logging in the network module has been fixed so that informational messages are no longer printed as warnings but as debugging information.
  • The network RHEL System Role now uses NetworkManager's capability to revert changes if an error occurs when applying the configuration, to avoid partial changes.

(BZ#1767177)

3.9. Security

SCAP Security Guide now provides a profile aligned with the CIS RHEL 7 Benchmark v2.2.0

With this update, the scap-security-guide packages provide a profile aligned with the CIS Red Hat Enterprise Linux 7 Benchmark v2.2.0. The profile enables you to harden the configuration of the system using the guidelines by the Center for Internet Security (CIS). As a result, you can configure and automate compliance of your RHEL 7 systems with CIS by using the CIS Ansible Playbook and the CIS SCAP profile.

Note that the rpm_verify_permissions rule in the CIS profile does not work correctly. See the known issue description rpm_verify_permissions fails in the CIS profile.

(BZ#1821633)

SCAP Security Guide now correctly disables services

With this update, the SCAP Security Guide (SSG) profiles correctly disable and mask services that should not be started. This guarantees that disabled services are not inadvertently started as a dependency of another service. Before this change, the SSG profiles such as the U.S. Government Commercial Cloud Services (C2S) profile only disabled the service. As a result, services disabled by an SSG profile cannot be started unless you unmask them first.

(BZ#1791583)
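The distinction the note above draws between a disabled and a masked service is easy to verify on a host. The following added example (not part of the release notes or of scap-security-guide) parses the output of systemctl list-unit-files and reports every unit on a hardening profile's expected-off list that is merely disabled or static, and therefore can still be activated by a dependency of another unit or by socket activation. The listing text and the expected-off list are constructed for the example; the command names it emits are standard systemctl verbs.

```python
"""Report expected-off systemd units that are not masked (constructed input)."""
from typing import Dict, List, Tuple

# Constructed sample of `systemctl list-unit-files --no-legend` output.
# The unit states are made up for this example, not taken from a real host.
SAMPLE_LISTING = """\
abrtd.service                         disabled
avahi-daemon.service                  masked
cups.service                          disabled
kdump.service                         masked
rpcbind.service                       enabled
sshd.service                          enabled
telnet.socket                         static
xinetd.service                        disabled
"""

# Constructed list of units a hardening profile expects to be unable to start.
EXPECTED_OFF = ["abrtd.service", "avahi-daemon.service", "cups.service",
                "kdump.service", "telnet.socket", "xinetd.service"]


def parse_unit_states(listing: str) -> Dict[str, str]:
    """Map unit name -> enablement state from `systemctl list-unit-files` text."""
    states: Dict[str, str] = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            states[parts[0]] = parts[1]
    return states


def find_startable(listing: str, expected_off: List[str]) -> List[Tuple[str, str]]:
    """Return (unit, state) for expected-off units that are not masked.

    A 'disabled' or 'static' unit can still be pulled in by a Wants=/Requires=
    dependency of another unit, by socket or path activation, or by a manual
    `systemctl start`. Only 'masked' (a /dev/null symlink in /etc/systemd/system)
    blocks every activation path, which is why the updated SSG profiles mask
    services in addition to disabling them. A unit that is not installed at all
    cannot be started, so 'not-found' is treated as acceptable.
    """
    states = parse_unit_states(listing)
    findings = []
    for unit in expected_off:
        state = states.get(unit, "not-found")
        if state not in ("masked", "masked-runtime", "not-found"):
            findings.append((unit, state))
    return findings


def remediation_commands(findings: List[Tuple[str, str]]) -> List[str]:
    """Commands an administrator would run to close each gap (not executed here)."""
    commands = []
    for unit, _state in findings:
        commands.append(f"systemctl disable {unit}")
        commands.append(f"systemctl mask {unit}")
    return commands


if __name__ == "__main__":
    gaps = find_startable(SAMPLE_LISTING, EXPECTED_OFF)
    for unit, state in gaps:
        print(f"{unit}: {state} (can still be started; should be masked)")
    for cmd in remediation_commands(gaps):
        print(cmd)
```

On a real host, feed the script the live output of systemctl list-unit-files --no-legend and the service list from the profile you apply; units reported here are exactly the ones that the older, disable-only profiles left startable.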

The RHEL 7 STIG security profile updated to version V3R1

With the RHBA-2020:5451 advisory, the DISA STIG for Red Hat Enterprise Linux 7 profile in the SCAP Security Guide has been updated to the latest version V3R1. This update adds more coverage and fixes reference problems. The profile is now also more stable and better aligns with the RHEL7 STIG benchmark provided by the Defense Information Systems Agency (DISA).

You should use only the current version of this profile because the older versions of this profile are no longer valid. The OVAL checks for several rules have changed, and scans using the V3R1 version will fail for systems that were hardened using older versions of SCAP Security Guide. You can fix the rules automatically by running the remediation with the new version of SCAP Security Guide.

Warning

Automatic remediation might render the system non-functional. Run the remediation in a test environment first.

The following rules have been changed:

CCE-80224-9: The default value of this SSHD configuration has changed from delayed to yes. You must now provide a value according to recommendations. Check the rule description for information about fixing this problem or run the remediation to fix it automatically.
CCE-80393-2: xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
CCE-80394-0: xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon
CCE-80391-6: xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage
CCE-80660-4: xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles
CCE-80392-4: xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool
CCE-82362-5: xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare
CCE-80398-1: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
CCE-80404-7: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh
CCE-80410-4: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab
CCE-80397-3: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd
CCE-80403-9: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
CCE-80411-2: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check
CCE-27437-3: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
CCE-80395-7: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
CCE-80406-2: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop
CCE-80407-0: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue
CCE-80408-8: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign
CCE-80402-1: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit
CCE-80401-3: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo
CCE-80400-5: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su
CCE-80405-4: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount
CCE-80396-5: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd
CCE-80399-9: xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper

(BZ#1665233)

Profiles for DISA STIG version v3r3

The Defense Information Systems Agency (DISA) has published an updated version of the Security Technical Implementation Guide (STIG) for RHEL 7, version 3, release 3. The update available with the RHBA-2021:2803 advisory:

  • Aligns all rules within the existing xccdf_org.ssgproject.content_profile_stig profile with the latest STIG release.
  • Adds a new profile xccdf_org.ssgproject.content_profile_stig_gui for systems with a graphical user interface (GUI).

(BZ#1958789, BZ#1970131)

scap-security-guide now provides an ANSSI-BP-028 High hardening level profile

With the release of the RHBA-2021:2803 advisory, the scap-security-guide packages provide an updated profile for ANSSI-BP-028 at the High hardening level. This addition completes the availability of profiles for all ANSSI-BP-028 v1.2 hardening levels. Using the updated profile, you can configure the system to comply with the recommendations from the French National Security Agency (ANSSI) for GNU/Linux Systems at the High hardening level.

As a result, you can configure and automate compliance of your RHEL 7 systems according to your required ANSSI hardening level by using the ANSSI Ansible Playbooks and the ANSSI SCAP profiles. The Draft ANSSI High profile provided with the previous versions has been aligned to ANSSI DAT-NT-028. Although the profile names and versions have changed, the IDs of the ANSSI profiles such as xccdf_org.ssgproject.content_profile_anssi_nt28_high remain the same to ensure backward compatibility.

Warning

Automatic remediation might render the system non-functional. Red Hat recommends running the remediation in a test environment first.

(BZ#1955180)

The RHEL 8 STIG profile is now better aligned with the DISA STIG content

The DISA STIG for Red Hat Enterprise Linux 7 profile (xccdf_org.ssgproject.content_profile_stig) available in the scap-security-guide (SSG) package can be used to evaluate systems according to the Security Technical Implementation Guides (STIG) by the Defense Information Systems Agency (DISA). You can remediate your systems by using the content in SSG, but you might need to evaluate them using DISA STIG automated content. With the release of the RHBA-2022:6576 advisory, the DISA STIG RHEL 7 profile is better aligned with DISA’s content. This leads to fewer findings against DISA content after SSG remediation.

Note that the evaluations of the following rules still diverge:

  • SV-204511r603261_rule - CCE-80539-0 (auditd_audispd_disk_full_action)
  • SV-204597r792834_rule - CCE-27485-2 (file_permissions_sshd_private_key)

Also, rule SV-204405r603261_rule from DISA’s RHEL 7 STIG is not covered in the SSG RHEL 7 STIG profiles.

(BZ#1967950)

A warning message to configure Audit log buffer for large systems added to SCAP rule audit_rules_for_ospp

The SCAP rule xccdf_org.ssgproject.content_rule_audit_rules_for_ospp now displays a performance warning on large systems where the Audit log buffer configured by this rule might be too small, and can override the custom value. The warning also describes the process to configure a larger Audit log buffer. With the release of the RHBA-2022:6576 advisory, you can keep large systems compliant and correctly set their Audit log buffer.

(BZ#1993822)
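Two of the items above concern the Audit rules that SCAP Security Guide manages: the V3R1 STIG update changed the OVAL checks for the audit_rules_privileged_commands_* and audit_rules_execution_* rules, and audit_rules_for_ospp now warns when the backlog buffer it configures is too small for large systems. The following added example (written for these notes, not scap-security-guide code) shows the shape of such checks over an auditd rules file: it verifies that each required binary has an always,exit watch carrying the perm=x and auid filters that these rules expect, and that a -b backlog line is present and at least a chosen minimum. The rules excerpt, the REQUIRED_PATHS list and the minimum of 8192 are constructed for the example; the binary paths are typical RHEL 7 locations but are part of this example, not taken from the profiles.

```python
"""Check an auditd rules file for privileged-command coverage and backlog size."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt of an /etc/audit/rules.d/*.rules file for this example.
SAMPLE_RULES = """\
## Backlog buffer (audit_rules_for_ospp warns when this is too small on large systems)
-b 8192
-f 1

## Privileged commands
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged
# The chage watch lacks the auid filters, so it does not match what the rule expects
-a always,exit -F path=/usr/bin/chage -F perm=x -k privileged

## SELinux management tools
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged
"""

# Constructed list of binaries that must be watched (paths assumed for the example).
REQUIRED_PATHS = [
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chage",
    "/usr/bin/crontab", "/usr/sbin/semanage", "/usr/sbin/setsebool",
    "/usr/sbin/restorecon", "/usr/bin/chcon",
]

# Accept both field orders auditctl allows for the action/list pair.
WATCH_RE = re.compile(r"^-a\s+(?:always,exit|exit,always)\b(?P<rest>.*)$")
FIELD_RE = re.compile(r"-F\s+(\S+)")


def parse_rules(text: str) -> Tuple[Optional[int], Dict[str, Set[str]]]:
    """Return (backlog size from -b, {watched path: set of -F fields})."""
    buffer_size: Optional[int] = None
    watches: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-b "):
            # Later -b lines win when augenrules concatenates rules.d files.
            buffer_size = int(line.split()[1])
            continue
        m = WATCH_RE.match(line)
        if not m:
            continue
        fields = set(FIELD_RE.findall(m.group("rest")))
        path = next((f[len("path="):] for f in fields if f.startswith("path=")), None)
        if path:
            watches[path] = fields
    return buffer_size, watches


def check_privileged_coverage(text: str, required: List[str]) -> Dict[str, str]:
    """Map each required path to 'ok', 'missing' (no watch) or 'incomplete' (filters absent)."""
    _, watches = parse_rules(text)
    result: Dict[str, str] = {}
    for path in required:
        fields = watches.get(path)
        if fields is None:
            result[path] = "missing"
        # Both spellings of the unset login UID are accepted by auditctl.
        elif not ({"perm=x", "auid>=1000"} <= fields
                  and ("auid!=unset" in fields or "auid!=4294967295" in fields)):
            result[path] = "incomplete"
        else:
            result[path] = "ok"
    return result


def buffer_warning(text: str, minimum: int = 8192) -> Optional[str]:
    """Return a warning if the -b backlog line is absent or below the chosen minimum."""
    size, _ = parse_rules(text)
    if size is None:
        return "no -b line: the kernel default backlog buffer applies"
    if size < minimum:
        return f"-b {size} is below the chosen minimum of {minimum}"
    return None


if __name__ == "__main__":
    for path, status in check_privileged_coverage(SAMPLE_RULES, REQUIRED_PATHS).items():
        print(f"{status:10} {path}")
    print(buffer_warning(SAMPLE_RULES, minimum=65536) or "backlog buffer ok")
```

Run it against the concatenated contents of /etc/audit/rules.d/ (the order augenrules uses) rather than a single file, since a -b line in a later file overrides an earlier one, which is the behaviour the audit_rules_for_ospp warning is about.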

3.10. Servers and Services

New package: compat-unixODBC234 for SAP

The new compat-unixODBC234 package provides version 2.3.4 of unixODBC, a framework that supports accessing databases through the ODBC protocol. This new package is available in the RHEL 7 for SAP Solutions sap-hana repository to enable streaming backup of an SAP HANA database using the SAP backint interface. For more information, see Overview of the Red Hat Enterprise Linux for SAP Solutions subscription.

The compat-unixODBC234 package conflicts with the base RHEL 7 unixODBC package. Therefore, uninstall unixODBC prior to installing compat-unixODBC234.

This package is also available for Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.6 Extended Update Support, and Red Hat Enterprise Linux 7.7 Extended Update Support through the RHEA-2020:2178 advisory.

See also The compat-unixODBC234 package for SAP requires a symlink to load the unixODBC library.

(BZ#1790655)

MariaDB rebased to version 5.5.68

With RHEL 7.9, the MariaDB database server has been updated to version 5.5.68. This release provides multiple security and bug fixes from the recent upstream maintenance releases.

(BZ#1834835)

3.11. Storage

Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)

DIF/DIX is supported on configurations where the hardware vendor has qualified it and provides full support for the particular host bus adapter (HBA) and storage array configuration on RHEL.

DIF/DIX is not supported on the following configurations:

  • It is not supported for use on the boot device.
  • It is not supported on virtualized guests.
  • Red Hat does not support using the Automatic Storage Management library (ASMLib) when DIF/DIX is enabled.

DIF/DIX is enabled or disabled at the storage device, which involves various layers up to (and including) the application. The method for activating the DIF on storage devices is device-dependent.

For further information on the DIF/DIX feature, see What is DIF/DIX.

(BZ#1649493)

3.12. Atomic Host and Containers

Red Hat Enterprise Linux Atomic Host is a secure, lightweight, and minimal-footprint operating system optimized to run Linux containers.

Important

Red Hat Enterprise Linux Atomic Host is retired as of August 6, 2020 and active support is no longer provided.

3.13. Red Hat Software Collections

Red Hat Software Collections (RHSCL) is a Red Hat content set that provides a set of dynamic programming languages, database servers, and related packages that you can install and use on all supported releases of Red Hat Enterprise Linux 7 on AMD64 and Intel 64 architectures, IBM Z, and IBM POWER, little endian.

Red Hat Developer Toolset is designed for developers working on the Red Hat Enterprise Linux platform. It provides current versions of the GNU Compiler Collection, GNU Debugger, and other development, debugging, and performance monitoring tools. Red Hat Developer Toolset is included as a separate Software Collection.

Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections do not replace the default system tools provided with Red Hat Enterprise Linux, nor are they used in preference to these tools. Red Hat Software Collections uses an alternative packaging mechanism based on the scl utility to provide a parallel set of packages. This set enables optional use of alternative package versions on Red Hat Enterprise Linux. By using the scl utility, users can choose which package version they want to run at any time.

Important

Red Hat Software Collections has a shorter life cycle and support term than Red Hat Enterprise Linux. For more information, see the Red Hat Software Collections Product Life Cycle.

See the Red Hat Software Collections documentation for the components included in the set, system requirements, known problems, usage, and specifics of individual Software Collections.

See the Red Hat Developer Toolset documentation for more information about the components included in this Software Collection, installation, usage, known problems, and more.