Chapter 3. New Features
This chapter documents new features and major enhancements introduced in Red Hat Enterprise Linux 7.9.
3.1. Authentication and Interoperability
The Certificate Profiles extension no longer has a maximum number of policies per certificate
Previously, administrators could not add more than 20 policies to a certificate because of a hardcoded limit within the Certificate Profiles extension. This update removes the restriction, so you can add an unlimited number of policies to a certificate. In addition, the extension requires at least one policy; otherwise the pkiconsole interface shows an error. If you modify the profile, the extension creates one empty policy. For example:
Identifier: Certificate Policies: - 2.5.29.32
Critical: no
Certificate Policies:
SSSD rebased to version 1.16.5
The sssd packages have been upgraded to upstream version 1.16.5, which provides a number of bug fixes and enhancements over the previous version.
pacemaker rebased to version 1.1.23
The Pacemaker cluster resource manager has been upgraded to upstream version 1.1.23, which provides a number of bug fixes.
3.3. Compiler and Tools
per-thread metrics are now available for historical analysis
Optionally, enable logging of the per-thread performance metric values in Performance Co-Pilot (PCP) using the pcp-zeroconf package and the pmieconf utility. Previously, only the per-process metric values were logged by pmlogger through the pcp-zeroconf package, but some analysis situations also require per-thread values. As a result, the per-thread metrics are now available for historical analysis after you execute the following command:
# pmieconf -c enable zeroconf.all_threads
FreeRDP has been updated to 2.1.1
This release updates the FreeRDP implementation of the Remote Desktop Protocol (RDP) from version 2.0.0 to 2.1.1. FreeRDP 2.1.1 supports new RDP options for the current Microsoft Windows terminal server version and fixes several security issues.
For detailed information about FreeRDP 2.1.1, see the upstream release notes: https://github.com/FreeRDP/FreeRDP/blob/2.1.1/ChangeLog.
Kernel version in RHEL 7.9
Red Hat Enterprise Linux 7.9 is distributed with the kernel version 3.10.0-1160.
A new kernel parameter: page_owner
The page owner tracking is a new functionality that enables users to observe the kernel memory consumption at the page allocator level. Users can employ this functionality to debug kernel memory leaks, or to discover the kernel modules that consume excessive amounts of memory. To enable the feature, add the page_owner=on parameter to the kernel command line. For more information on how to set kernel command-line parameters, see Configuring kernel command-line parameters on the Customer Portal.
Regardless of the page_owner parameter setting (on or off) on the kernel command line, support for the page owner tracking adds approximately 2.14% additional memory requirement on RHEL 7.9 systems (it impacts the kernel, VM, or cgroup). For further details on this topic, see the solution Why Kernel-3.10.0-1160.el7 consumes double amount of memory compared to kernel-3.10.0-1127.el7?
For more information about important changes to kernel parameters, see the New kernel parameters section.
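The note above says page owner tracking helps find the module or code path that holds the most pages, but does not show how to read what the feature exposes. The following is an added example, not code from the release notes or the kernel tree. Upstream documents the output under /sys/kernel/debug/page_owner (debugfs must be mounted and the kernel booted with page_owner=on); each record starts with "Page allocated via order N, mask ...", followed by a PFN line and one stack frame per line, with records separated by a blank line. The script aggregates pages per allocation stack and per module. The three records embedded below are constructed for the demonstration, including the module name leaky_mod and the 4 KiB page size assumption.

```python
"""Aggregate page_owner records by allocation stack and by module.

Added example; it is not part of RHEL or the kernel's page_owner tooling.
Record layout is modelled on the upstream /sys/kernel/debug/page_owner
text format. The SAMPLE records below are constructed.
"""
import re
from collections import defaultdict

PAGE_SIZE = 4096  # assumption: 4 KiB pages (x86_64)

ORDER_RE = re.compile(r"^Page allocated via order (\d+)")
MODULE_RE = re.compile(r"\[(\w+)\]$")  # trailing "[module]" on a stack frame


def parse_records(text):
    """Yield (pages, stack_frames) for every record in page_owner output."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines:
            continue
        m = ORDER_RE.match(lines[0])
        if not m:
            continue  # not an allocation record; skip defensively
        order = int(m.group(1))
        # Line 0 is the header, line 1 the PFN line, frames follow indented.
        frames = tuple(l.strip() for l in lines[2:] if l.startswith(" "))
        yield 1 << order, frames


def summarize(text, top=5):
    """Return [(total_pages, stack)] for the heaviest allocation stacks."""
    totals = defaultdict(int)
    for pages, stack in parse_records(text):
        totals[stack] += pages
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(pages, stack) for stack, pages in ranked[:top]]


def owner_module(stack):
    """Name of the first loadable module on the stack, or 'vmlinux'."""
    for frame in stack:
        m = MODULE_RE.search(frame)
        if m:
            return m.group(1)
    return "vmlinux"


def pages_per_module(text):
    """Map module name -> pages still owned by allocations made through it."""
    totals = defaultdict(int)
    for pages, stack in parse_records(text):
        totals[owner_module(stack)] += pages
    return dict(totals)


def page_owner_enabled(cmdline):
    """True if page_owner=on is one of the kernel command-line parameters."""
    return "page_owner=on" in cmdline.split()


# Constructed sample: two order-2 allocations from a hypothetical module
# and one order-0 anonymous page fault from the core kernel.
SAMPLE = """\
Page allocated via order 2, mask 0x24040c0(GFP_KERNEL|__GFP_COMP)
PFN 1048576 type Unmovable Block 2048 type Unmovable Flags 0x0()
 __alloc_pages_nodemask+0x1e3/0x1080
 kmalloc_order_trace+0x1e/0xa0
 leaky_init+0x2a/0x60 [leaky_mod]

Page allocated via order 0, mask 0x24200ca(GFP_HIGHUSER_MOVABLE)
PFN 2097152 type Movable Block 4096 type Movable Flags 0x0()
 __alloc_pages_nodemask+0x1e3/0x1080
 alloc_pages_vma+0x9c/0x1a0
 handle_mm_fault+0x8cd/0x1730

Page allocated via order 2, mask 0x24040c0(GFP_KERNEL|__GFP_COMP)
PFN 1048580 type Unmovable Block 2048 type Unmovable Flags 0x0()
 __alloc_pages_nodemask+0x1e3/0x1080
 kmalloc_order_trace+0x1e/0xa0
 leaky_init+0x2a/0x60 [leaky_mod]
"""

if __name__ == "__main__":
    import sys
    # On a live system: python3 this.py /sys/kernel/debug/page_owner
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for module, pages in sorted(pages_per_module(text).items(), key=lambda kv: -kv[1]):
        print(f"{module:20s} {pages:8d} pages {pages * PAGE_SIZE // 1024:8d} KiB")
    for pages, stack in summarize(text):
        print(f"\n{pages} pages via:")
        for frame in stack:
            print(f"    {frame}")
```

On a real host, the page_owner file can be hundreds of megabytes; read it once into a file and run the aggregation against the copy. Grouping by the full stack is what distinguishes a leak in one call path from normal high usage spread across many callers.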
EDAC driver support is now added to Intel ICX systems
This update adds the Error Detection and Correction (EDAC) driver to Intel ICX systems. As a result, memory errors can be detected on these systems and reported to the EDAC subsystem.
Intel® Omni-Path Architecture (OPA) Host Software
Intel® Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 7.9. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.
For Intel Omni-Path Architecture installation instructions and documentation, see: https://cdrdv2.intel.com/v1/dl/getContent/630393
The Mellanox ConnectX-6 Dx network adapter is now fully supported
This enhancement adds the PCI IDs of the Mellanox ConnectX-6 Dx network adapter to the mlx5_core driver. On hosts that use this adapter, RHEL loads the mlx5_core driver automatically. This feature, previously available as a Technology Preview, is now fully supported in RHEL 7.9.
3.6. Real-Time Kernel
kernel-rt source tree now matches the latest RHEL 7 tree
kernel-rt sources have been updated to use the latest RHEL kernel source tree, which provides a number of bug fixes and enhancements over the previous version.
Running unbound inside chroot for systems without SELinux
For systems with SELinux enabled and in enforcing mode, SELinux provides significant protection and limits what the unbound service can access. If you cannot configure SELinux in enforcing mode, and you want to increase the protection of the unbound domain name server, use the chroot utility for jailing unbound into a limited chroot environment. Note that the protection provided by chroot is lower than that of SELinux in enforcing mode.
To run unbound inside chroot, prepare your environment as described in the support article Running unbound in chroot.
3.8. Red Hat Enterprise Linux System Roles
The rhel-system-roles package has been updated to provide multiple bug fixes and enhancements. Notable changes include:
- 802.1X authentication with EAP-TLS was added for the network RHEL System Role when using the NetworkManager provider. As a result, customers can now configure their machines to use 802.1X authentication with EAP-TLS using the network RHEL System Role instead of having to use the
- The network RHEL System Role tries to modify link or network attributes without disrupting connectivity, when possible.
- The logging in the network module has been fixed so that informative messages are no longer printed as warnings, but as debugging information.
- The network RHEL System Role now uses NetworkManager's capability to revert changes if an error occurs while applying the configuration, to avoid partial changes.
SCAP Security Guide now provides a profile aligned with the CIS RHEL 7 Benchmark v2.2.0
With this update, the scap-security-guide packages provide a profile aligned with the CIS Red Hat Enterprise Linux 7 Benchmark v2.2.0. The profile enables you to harden the configuration of the system using the guidelines by the Center for Internet Security (CIS). As a result, you can configure and automate compliance of your RHEL 7 systems with CIS by using the CIS Ansible Playbook and the CIS SCAP profile.
Note that the rpm_verify_permissions rule in the CIS profile does not work correctly. See the known issue description rpm_verify_permissions fails in the CIS profile.
SCAP Security Guide now correctly disables services
With this update, the SCAP Security Guide (SSG) profiles correctly disable and mask services that should not be started. This guarantees that disabled services are not inadvertently started as a dependency of another service. Before this change, SSG profiles such as the U.S. Government Commercial Cloud Services (C2S) profile only disabled the service. As a result, services disabled by an SSG profile cannot be started unless you unmask them first.
The RHEL 7 STIG security profile updated to version V3R1
With the RHBA-2020:5451 advisory, the DISA STIG for Red Hat Enterprise Linux 7 profile in the SCAP Security Guide has been updated to the latest version, V3R1. This update adds more coverage and fixes reference problems. The profile is now also more stable and better aligns with the RHEL 7 STIG benchmark provided by the Defense Information Systems Agency (DISA).
Use only the current version of this profile, because the older versions of this profile are no longer valid. The OVAL checks for several rules have changed, and scans using the V3R1 version will fail for systems that were hardened using older versions of SCAP Security Guide. You can fix the rules automatically by running the remediation with the new version of SCAP Security Guide.
Automatic remediation might render the system non-functional. Run the remediation in a test environment first.
The following rules have been changed:
The default value of this SSHD configuration has changed from
yes. You must now provide a value according to recommendations. Check the rule description for information about fixing this problem or run the remediation to fix it automatically.
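Before re-running remediation after a profile update such as V3R1, you want to know exactly which rules the rescan now flags. The following is an added example, not code from the release notes or the scap-security-guide package. It parses the XCCDF results file that oscap writes (for example from oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml), lists failing rules with their CCE identifiers, and diffs two result files to show rules that newly fail after an update. It assumes the XCCDF 1.2 namespace and the ident system URI that SSG uses for CCE references; the result documents, rule outcomes and CCE numbers below are constructed placeholders, not real scan output. The same check applies to the CIS, ANSSI and v3r3 STIG profiles described in this section.

```python
"""Summarize and diff OpenSCAP XCCDF result files.

Added example; not part of RHEL, OpenSCAP or scap-security-guide.
Assumes XCCDF 1.2 element names as written by `oscap xccdf eval --results`.
The embedded result documents are constructed, with placeholder CCE numbers.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}
CCE_SYSTEM = "https://nvd.nist.gov/cce/index.cfm"  # ident system SSG uses for CCEs


def rule_results(xml_text):
    """Return [(rule_id, result, cce_or_None)] for every rule-result element."""
    root = ET.fromstring(xml_text)
    out = []
    # iter() finds rule-result whether the root is TestResult or a Benchmark/ARF wrapper.
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result = rr.findtext("x:result", default="", namespaces=NS).strip()
        cce = None
        for ident in rr.findall("x:ident", NS):
            if ident.get("system") == CCE_SYSTEM:
                cce = (ident.text or "").strip()
        out.append((rr.get("idref"), result, cce))
    return out


def failing_rules(xml_text):
    """[(rule_id, cce)] for rules whose result is 'fail', in document order."""
    return [(rid, cce) for rid, res, cce in rule_results(xml_text) if res == "fail"]


def summary(xml_text):
    """Count of rule results per outcome, e.g. {'pass': 10, 'fail': 2}."""
    counts = {}
    for _, res, _ in rule_results(xml_text):
        counts[res] = counts.get(res, 0) + 1
    return counts


def new_failures(previous_xml, current_xml):
    """Rule IDs failing in the current scan that did not fail in the previous one."""
    before = {rid for rid, _ in failing_rules(previous_xml)}
    after = {rid for rid, _ in failing_rules(current_xml)}
    return after - before


# Constructed sample: a scan with the updated profile. CCE values are placeholders.
SAMPLE_RESULTS = """\
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig">
  <profile idref="xccdf_org.ssgproject.content_profile_stig"/>
  <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_for_ospp" severity="medium" weight="1.0">
    <result>fail</result>
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-00000-1</ident>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" severity="high" weight="1.0">
    <result>fail</result>
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-00000-2</ident>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" severity="high" weight="1.0">
    <result>pass</result>
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-00000-3</ident>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" severity="medium" weight="1.0">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""

# Constructed "previous profile version" scan: same system, but the first rule
# (audit_rules_for_ospp) still passed under the older OVAL check.
PREVIOUS_RESULTS = SAMPLE_RESULTS.replace("<result>fail</result>", "<result>pass</result>", 1)

if __name__ == "__main__":
    import sys
    # Usage: python3 this.py results.xml [previous-results.xml]
    current = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    previous = open(sys.argv[2]).read() if len(sys.argv) > 2 else PREVIOUS_RESULTS
    print("outcomes:", summary(current))
    for rid, cce in failing_rules(current):
        print("FAIL", rid, cce or "")
    print("newly failing:", sorted(new_failures(previous, current)))
```

Keep the results file from the last scan before you upgrade scap-security-guide; the diff against it separates rules whose checks changed in the new profile from rules that were already failing.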
Profiles for DISA STIG version v3r3
The Defense Information Systems Agency (DISA) has published an updated version of the Security Technical Implementation Guide (STIG) for RHEL 7, version 3, release 3. The update available with the RHBA-2021:2803 advisory:
- Aligns all rules within the existing xccdf_org.ssgproject.content_profile_stig profile with the latest STIG release.
- Adds a new profile, xccdf_org.ssgproject.content_profile_stig_gui, for systems with a graphical user interface (GUI).
scap-security-guide now provides an ANSSI-BP-028 High hardening level profile
With the release of the RHBA-2021:2803 advisory, the scap-security-guide packages provide an updated profile for ANSSI-BP-028 at the High hardening level. This addition completes the availability of profiles for all ANSSI-BP-028 v1.2 hardening levels. Using the updated profile, you can configure the system to comply with the recommendations from the French National Security Agency (ANSSI) for GNU/Linux Systems at the High hardening level.
As a result, you can configure and automate compliance of your RHEL 7 systems according to your required ANSSI hardening level by using the ANSSI Ansible Playbooks and the ANSSI SCAP profiles. The Draft ANSSI High profile provided with the previous versions has been aligned to ANSSI DAT-NT-028. Although the profile names and versions have changed, the IDs of the ANSSI profiles, such as xccdf_org.ssgproject.content_profile_anssi_nt28_high, remain the same to ensure backward compatibility.
- Automatic remediation might render the system non-functional. Red Hat recommends running the remediation in a test environment first.
The RHEL 7 STIG profile is now better aligned with the DISA STIG content
The DISA STIG for Red Hat Enterprise Linux 7 profile (xccdf_org.ssgproject.content_profile_stig) available in the scap-security-guide (SSG) package can be used to evaluate systems according to the Security Technical Implementation Guides (STIG) by the Defense Information Systems Agency (DISA). You can remediate your systems by using the content in SSG, but you might need to evaluate them using DISA STIG automated content. With the release of the RHBA-2022:6576 advisory, the DISA STIG RHEL 7 profile is better aligned with DISA's content. This leads to fewer findings against DISA content after SSG remediation.
Note that the evaluations of the following rules still diverge:
- SV-204511r603261_rule - CCE-80539-0 (
- SV-204597r792834_rule - CCE-27485-2 (
Also, rule SV-204405r603261_rule from DISA's RHEL 7 STIG is not covered in the SSG RHEL 7 STIG profiles.
A warning message to configure Audit log buffer for large systems added to SCAP rule
The SCAP rule xccdf_org.ssgproject.content_rule_audit_rules_for_ospp now displays a performance warning on large systems where the Audit log buffer configured by this rule might be too small, and can override the custom value. The warning also describes the process to configure a larger Audit log buffer. With the release of the RHBA-2022:6576 advisory, you can keep large systems compliant and correctly set their Audit log buffer.
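The override the warning refers to is easy to miss: the backlog limit is set by a -b line, and when several files under /etc/audit/rules.d/ set it, the one applied last silently wins. The following is an added example, not code from the release notes, scap-security-guide or the audit package. It models how augenrules(8) merges /etc/audit/rules.d/*.rules in lexical file-name order (assumption: plain last-wins order, which is also how auditctl applies successive -b lines from the merged file), reports which file's -b is in effect, and separately parses the backlog_limit line of auditctl -s output, which is the kernel's actual setting. The file names, rule contents and status output below are constructed; the 10-base-config.rules name is an assumed name for the file the remediation manages.

```python
"""Find the effective audit backlog limit (-b) and where it comes from.

Added example; not part of RHEL, audit or scap-security-guide.
Model: augenrules concatenates rules.d/*.rules in sorted order and the last
-b line wins (assumption). auditctl -s reports what the kernel really uses.
All sample data below is constructed.
"""
import os
import re

BACKLOG_RULE_RE = re.compile(r"^\s*-b\s+(\d+)\s*$")
STATUS_RE = re.compile(r"^backlog_limit\s+(\d+)", re.MULTILINE)


def load_rules_dir(path="/etc/audit/rules.d"):
    """Read every *.rules file into {name: contents} for effective_backlog()."""
    return {n: open(os.path.join(path, n)).read()
            for n in os.listdir(path) if n.endswith(".rules")}


def effective_backlog(rules_files):
    """rules_files: {filename: contents}. Returns (limit, filename) or (None, None)."""
    winner = (None, None)
    for name in sorted(rules_files):  # augenrules processes files in this order
        for line in rules_files[name].splitlines():
            m = BACKLOG_RULE_RE.match(line)
            if m:
                winner = (int(m.group(1)), name)  # a later -b overrides an earlier one
    return winner


def backlog_limit_from_status(auditctl_s_output):
    """Parse the backlog_limit value from `auditctl -s` output, or None."""
    m = STATUS_RE.search(auditctl_s_output)
    return int(m.group(1)) if m else None


def check_backlog(rules_files, wanted):
    """(ok, message): is a -b of at least `wanted` what augenrules will apply?"""
    limit, origin = effective_backlog(rules_files)
    if limit is None:
        return False, "no -b line in rules.d; the kernel default backlog limit applies"
    if limit < wanted:
        return False, (f"-b {limit} from {origin} is in effect, wanted at least {wanted}; "
                       f"put your -b in a file that sorts after {origin}")
    return True, f"-b {limit} from {origin} is in effect"


# Constructed data. PROFILE_FILE is an assumed name for the file written by the
# audit_rules_for_ospp remediation; the custom file carries the larger value.
PROFILE_FILE = "10-base-config.rules"
PROFILE_RULES = "## delete all existing rules\n-D\n## buffer size\n-b 8192\n## failure mode\n-f 1\n"
CUSTOM_RULES = "## sized for a large system\n-b 65536\n"

OVERRIDDEN = {PROFILE_FILE: PROFILE_RULES, "05-custom.rules": CUSTOM_RULES}  # sorts first: lost
EFFECTIVE = {PROFILE_FILE: PROFILE_RULES, "99-custom.rules": CUSTOM_RULES}   # sorts last: wins

STATUS_SAMPLE = "enabled 1\nfailure 1\npid 1234\nrate_limit 0\nbacklog_limit 8192\nlost 0\nbacklog 0\n"

if __name__ == "__main__":
    for label, files in (("05-custom.rules", OVERRIDDEN), ("99-custom.rules", EFFECTIVE)):
        ok, msg = check_backlog(files, 65536)
        print(f"{label}: {'OK ' if ok else 'BAD'} {msg}")
    print("kernel backlog_limit:", backlog_limit_from_status(STATUS_SAMPLE))
```

Run check_backlog(load_rules_dir(), wanted) on a host after remediation, then compare with backlog_limit_from_status(subprocess.check_output(["auditctl", "-s"], text=True)); if the two disagree, the rules were edited but augenrules --load has not been run since.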
3.10. Servers and Services
compat-unixODBC234 for SAP
The compat-unixODBC234 package provides version 2.3.4 of unixODBC, a framework that supports accessing databases through the ODBC protocol. This new package is available in the RHEL 7 for SAP Solutions sap-hana repository to enable streaming backup of an SAP HANA database using the SAP backint interface. For more information, see Overview of the Red Hat Enterprise Linux for SAP Solutions subscription.
The compat-unixODBC234 package conflicts with the base RHEL 7 unixODBC package. Therefore, uninstall unixODBC prior to installing compat-unixODBC234.
This package is also available for Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.6 Extended Update Support, and Red Hat Enterprise Linux 7.7 Extended Update Support through the RHEA-2020:2178 advisory.
MariaDB rebased to version 5.5.68
With RHEL 7.9, the MariaDB database server has been updated to version 5.5.68. This release provides multiple security and bug fixes from the recent upstream maintenance releases.
Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)
DIF/DIX is supported on configurations where the hardware vendor has qualified it and provides full support for the particular host bus adapter (HBA) and storage array configuration on RHEL.
DIF/DIX is not supported on the following configurations:
- It is not supported for use on the boot device.
- It is not supported on virtualized guests.
- Red Hat does not support using the Automatic Storage Management library (ASMLib) when DIF/DIX is enabled.
DIF/DIX is enabled or disabled at the storage device, which involves various layers up to (and including) the application. The method for activating the DIF on storage devices is device-dependent.
For further information on the DIF/DIX feature, see What is DIF/DIX.
3.12. Atomic Host and Containers
Red Hat Enterprise Linux Atomic Host is a secure, lightweight, and minimal-footprint operating system optimized to run Linux containers. See the Atomic Host and Containers Release Notes for the latest new features, known issues, and Technology Previews.
Red Hat Enterprise Linux Atomic Host is retired as of August 6, 2020 and active support is no longer provided.
3.13. Red Hat Software Collections
Red Hat Software Collections (RHSCL) is a Red Hat content set that provides a set of dynamic programming languages, database servers, and related packages that you can install and use on all supported releases of Red Hat Enterprise Linux 7 on AMD64 and Intel 64 architectures, IBM Z, and IBM POWER, little endian.
Red Hat Developer Toolset is designed for developers working on the Red Hat Enterprise Linux platform. It provides current versions of the GNU Compiler Collection, GNU Debugger, and other development, debugging, and performance monitoring tools. Red Hat Developer Toolset is included as a separate Software Collection.
Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections do not replace the default system tools provided with Red Hat Enterprise Linux, nor are they used in preference to these tools. Red Hat Software Collections uses an alternative packaging mechanism based on the
scl utility to provide a parallel set of packages. This set enables optional use of alternative package versions on Red Hat Enterprise Linux. By using the
scl utility, users can choose which package version they want to run at any time.
Red Hat Software Collections has a shorter life cycle and support term than Red Hat Enterprise Linux. For more information, see the Red Hat Software Collections Product Life Cycle.
See the Red Hat Software Collections documentation for the components included in the set, system requirements, known problems, usage, and specifics of individual Software Collections.
See the Red Hat Developer Toolset documentation for more information about the components included in this Software Collection, installation, usage, known problems, and more.