mark :: blog

07 Jan 2008: Vulnerability and threat mitigation features in Red Hat Enterprise Linux and Fedora (Updated)

A year ago I published a table of Security Features in Red Hat Enterprise Linux and Fedora Core. Since then we've released two more Fedora versions, and a Red Hat Enterprise Linux, so it's time to update the table.

Between releases there are lots of changes made to improve security and I've not listed everything; just a high-level overview of the things I think are most interesting that help mitigate security risk. We could go into much more detail, breaking out the number of daemons covered by the SELinux default policy, the number of binaries compiled PIE, and so on.

  Fedora Core Fedora Red Hat Enterprise Linux
123456 78 345
2003Nov2004May2004Nov2005Jun2006Mar2006Oct 2007May2007Nov 2003Oct2005Feb2007Mar
Firewall by default YYYYYY YY YY Y
Signed updates required by default YYYYYY YY YY Y
NX emulation using segment limits by default YYYYYY YY Y2Y Y
Support for Position Independent Executables (PIE) YYYYYYYY Y2YY
Address Randomization (ASLR) for Stack/mmap by default3 YYYYYYYY Y2YY
ASLR for vDSO (if vDSO enabled)3 no vDSOYYYYYYY no vDSOYY
Restricted access to kernel memory by default  YYYYYYY  YY
NX for supported processors/kernels by default  Y1YYYYYY Y2YY
Support for SELinux  YYYYYYY  YY
SELinux enabled with targeted policy by default   YYYYYY  YY
glibc heap/memory checks by default   YYYYYY  YY
Support for FORTIFY_SOURCE, used on selected packages   YYYYYY  YY
All packages compiled using FORTIFY_SOURCE    YYYYY   Y
Support for ELF Data Hardening    YYYYY  YY
All packages compiled with stack smashing protection     YYYY   Y
SELinux Executable Memory Protection      YYY   Y
glibc pointer encryption by default      YYY   Y
FORTIFY_SOURCE extensions including C++ coverage        Y    
1 Since June 2004, 2 Since September 2004, 3 Selected Architectures

Created: 07 Jan 2008
Tagged as: , ,

Hi! I'm Mark Cox. This blog gives my thoughts on security work, open source, home automation, and other topics.