
Vulnerability and threat mitigation features in Red Hat Enterprise Linux

Updated 2013-12-18T13:28:16+00:00

Successive Red Hat Enterprise Linux versions have added a number of vulnerability and threat mitigation features. The table below summarises these features and the versions in which each one appears.

| Feature | RHEL 3 (Oct 2003) | RHEL 4 (Feb 2005) | RHEL 5 (Mar 2007) | RHEL 6 (Nov 2010) |
|---|---|---|---|---|
| Firewall by default | Y | Y | Y | Y |
| Signed updates required by default | Y | Y | Y | Y |
| NX emulation using segment limits by default | Y (since 9/2004) | Y | Y | Y |
| Support for Position Independent Executables (PIE) | Y (since 9/2004) | Y | Y | Y |
| Address Randomization (ASLR) for stack/mmap by default | Y (since 9/2004) | Y | Y | Y |
| ASLR for vDSO (if vDSO enabled) | no vDSO | Y | Y | Y |
| Support for NULL pointer dereference protection | Y (since 11/2009) | Y (since 9/2009) | Y (since 5/2008) | Y |
| NX for supported processors/kernels by default | Y (since 9/2004) | Y | Y | Y |
| Support for blocking module loading via the cap-bound sysctl tunable or /proc/sys/kernel/cap-bound | Y | Y | Y | no cap-bound |
| Restricted access to kernel memory by default | | Y | Y | Y |
| Support for SELinux | | Y | Y | Y |
| SELinux enabled with targeted policy by default | | Y | Y | Y |
| glibc heap/memory checks by default | | Y | Y | Y |
| Support for FORTIFY_SOURCE, used on selected packages | | Y | Y | Y |
| Support for ELF data hardening | | Y | Y | Y |
| All packages compiled using FORTIFY_SOURCE | | | Y | Y |
| All packages compiled with stack smashing protection | | | Y | Y |
| SELinux executable memory protection | | | Y | Y |
| glibc pointer encryption by default | | | Y | Y |
| NULL pointer dereference protection enabled by default | | | Y (since 5/2008) | Y |
| Write-protection for kernel read-only data structures enabled by default | | | Y | Y |
| FORTIFY_SOURCE extensions including C++ coverage | | | | Y |
| Support for blocking module loading via the modules_disabled sysctl tunable or /proc/sys/kernel/modules_disabled | | | | Y |
| Support for SELinux to restrict the loading of kernel modules by unprivileged processes in confined domains | | | | Y |
| Kernel -fstack-protector buffer overflow detection enabled by default | | | | Y |
| Support for sVirt labelling to provide security over guest instances | | | | Y |
| Support for SELinux to confine users' access on a system | | | | Y |
| Support for SELinux to test untrusted content via a sandbox | | | | Y |
| Support for SELinux X Access Control Extension (XACE) | | | | Y |

Please note that this table covers only the most common architectures, x86 and x86_64; feature support on other supported architectures may vary.
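As an added example (not part of the Red Hat article), the following POSIX shell audit script reads the tunables behind several rows of the table above, including the cap-bound and modules_disabled nodes the table names, and reports whether each mitigation is active on a host. The randomize_va_space, vm/mmap_min_addr, SELinux enforce and /proc/cpuinfo paths are assumed from upstream kernel conventions rather than taken from the page.

```shell
# Added audit helper, not part of the Red Hat article. ROOT ("$1") is "" for the
# running system or a constructed directory tree for testing. cap-bound and
# modules_disabled come from the table; the other paths are assumed upstream names.

# Print a proc/sys node's value under ROOT, or "absent" when it does not exist.
node_value() {
    if [ -r "$1$2" ]; then read -r v < "$1$2"; echo "$v"; else echo absent; fi
}

# ASLR for stack/mmap: randomize_va_space >= 1 (2 additionally randomises brk).
aslr_enabled() {
    v=$(node_value "$1" /proc/sys/kernel/randomize_va_space)
    [ "$v" != absent ] && [ "$v" -ge 1 ]
}

# NULL pointer dereference protection: user space cannot map page zero.
null_deref_protected() {
    v=$(node_value "$1" /proc/sys/vm/mmap_min_addr)
    [ "$v" != absent ] && [ "$v" -gt 0 ]
}

# Module loading blocked: modules_disabled=1 (RHEL 6), or on RHEL 3-5 kernels
# cap-bound with CAP_SYS_MODULE (bit 16) cleared from the capability bounding set.
module_loading_blocked() {
    v=$(node_value "$1" /proc/sys/kernel/modules_disabled)
    if [ "$v" != absent ]; then [ "$v" = 1 ]; return; fi
    v=$(node_value "$1" /proc/sys/kernel/cap-bound)
    [ "$v" != absent ] && [ $(( v & 65536 )) -eq 0 ]
}

# SELinux enforcing: RHEL 6 mounts selinuxfs at /selinux, later releases at /sys/fs/selinux.
selinux_enforcing() {
    v=$(node_value "$1" /selinux/enforce)
    [ "$v" = absent ] && v=$(node_value "$1" /sys/fs/selinux/enforce)
    [ "$v" = 1 ]
}

# Hardware NX usable by the kernel: the nx flag is advertised in /proc/cpuinfo.
nx_supported() {
    [ -r "$1/proc/cpuinfo" ] && grep -qw nx "$1/proc/cpuinfo"
}

# One line per check; returns 0 only when every mitigation is active.
mitigation_report() {
    rc=0
    for chk in aslr_enabled null_deref_protected module_loading_blocked selinux_enforcing nx_supported; do
        if "$chk" "$1"; then echo "$chk: yes"; else echo "$chk: no"; rc=1; fi
    done
    return $rc
}

if [ "${1:-}" = "--report" ]; then mitigation_report "${2:-}"; fi
```

Run it as `sh audit.sh --report` on a RHEL host, or pass a directory as the second argument to check a captured copy of /proc and /selinux from another machine.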