Red Hat Enterprise Linux 9: Integrated Security

Boston: Red Hat Enterprise Linux (RHEL) has been the Linux for business for a generation now. Today, RHEL touches over $13 trillion of the global economy. Remember when people thought Linux couldn’t handle big business? Ha! With the release of RHEL 9 at Red Hat Summit in Boston, Red Hat has extended its offerings from the open hybrid cloud to bare-metal servers, cloud providers, and the furthest edge of corporate networks.

RHEL 9 customers want better security, and Red Hat intends to deliver. Beyond the usual RHEL hardening, testing, and vulnerability scanning, RHEL 9 incorporates features that help address hardware-level vulnerabilities such as Spectre and Meltdown. This includes features that let user-space processes create areas of memory that are inaccessible to potentially malicious code. The platform also meets customer compliance requirements, supporting PCI-DSS, HIPAA, and similar standards.

Specific security functions:

  • Smart card authentication: Users can use smart card authentication to access remote hosts through the RHEL web console (sudo, SSH, etc.).

  • Additional security profiles: You can improve your security information collection and remediation with services such as Red Hat Insights and Red Hat Satellite, measured against security standards such as PCI-DSS and HIPAA.

  • Detailed SSSD logging: SSSD, the enterprise single sign-on framework, now logs events in more detail, including the time taken to complete tasks, errors, and the authentication flow. New search features also let you analyze performance and configuration issues.

  • Integrated OpenSSL 3: RHEL 9 supports the new OpenSSL 3 cryptographic framework, and RHEL’s built-in utilities have been recompiled to use it.

  • SSH root password login disabled by default: Yes, I know you ssh into your server as root with a password all the time. But it was never a good idea, and by default RHEL 9 won’t let you do it. Yes, it’s annoying, but it’s even more annoying for attackers trying to brute-force the “root” password. All in all, it’s a win in my book.
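The root-login point above hides a quirk that bites audits: sshd keeps the first value it reads for a directive and ignores later duplicates, and directives below a Match line apply only conditionally. The following audit script is an added example, not Red Hat’s or OpenSSH’s code; it parses sshd_config text with those rules, assumes upstream OpenSSH defaults for absent directives (PermitRootLogin prohibit-password, PasswordAuthentication yes, KbdInteractiveAuthentication yes), and uses two constructed configs: a legacy one that allows root password login and a RHEL 9 style one that does not.

```python
import re

# Upstream OpenSSH defaults used when a directive is absent (assumption; on a real host
# also concatenate the drop-ins under /etc/ssh/sshd_config.d/ before auditing).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}


def parse_sshd_config(text: str) -> dict:
    """Return the effective top-level directives (lower-cased keys and values).

    sshd keeps the FIRST value it reads for each keyword and ignores later
    duplicates; everything after a 'Match' line is conditional and is skipped
    here (a full audit would evaluate the Match criteria per client).
    """
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if not in_match:
            effective.setdefault(key, value)   # first occurrence wins
    return effective


def audit_root_login(text: str) -> dict:
    """Report whether root could authenticate with a password under this config."""
    cfg = parse_sshd_config(text)

    def get(key):
        return cfg.get(key, DEFAULTS[key])

    prl = get("permitrootlogin")
    if prl == "without-password":          # deprecated spelling of prohibit-password
        prl = "prohibit-password"
    # Both of these methods can present a password prompt to the client.
    password_methods = [k for k in ("passwordauthentication", "kbdinteractiveauthentication")
                        if get(k) == "yes"]
    findings = []
    if prl == "yes" and password_methods:
        findings.append("root password login possible: PermitRootLogin yes with "
                        + ", ".join(password_methods) + " enabled")
    elif prl == "yes":
        findings.append("PermitRootLogin yes is only safe while every password-style "
                        "method stays off; prefer prohibit-password or no")
    return {"PermitRootLogin": prl, "password_methods": password_methods, "findings": findings}


# Constructed sample: a legacy config that still allows root password logins.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample in the RHEL 9 style: root may use keys but never a password.
HARDENED_CONFIG = """\
PermitRootLogin prohibit-password
PasswordAuthentication yes
KbdInteractiveAuthentication no
# sshd ignores this later duplicate, so it does not weaken the host:
PermitRootLogin yes
Match Address 10.0.0.0/8
    PermitRootLogin no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_root_login(text))
```

Note that prohibit-password still lets root log in with a key, which is what the RHEL 9 default permits; use PermitRootLogin no if root should never log in remotely at all.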

In this release, Red Hat also introduces Integrity Measurement Architecture (IMA) hashes and digital signatures. With IMA, you can verify operating system integrity using digital signatures and hashes, so you can detect malicious changes to your infrastructure and stop system compromises in their tracks.
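To make the IMA point concrete: the kernel appends one line per measured file to the runtime measurement list (on a real host, /sys/kernel/security/ima/ascii_runtime_measurements, readable by root), and an integrity check compares those recorded digests against the digests you expect. The script below is an added example, not Red Hat’s or the IMA project’s code. It parses ima-ng template lines (PCR, template digest, template name, algorithm:digest, path) and audits them against an approved manifest; the file contents, the manifest and the measurement lines are all constructed inline, and the template-digest column is a stand-in rather than the kernel’s exact template hash.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Measurement:
    pcr: int
    template_hash: str
    template: str
    algo: str
    digest: str
    path: str


def parse_measurement_line(line: str) -> Measurement:
    """Parse one ima-ng line: '<pcr> <template-hash> ima-ng <algo>:<digest> <path>'."""
    fields = line.split(None, 4)          # maxsplit=4 keeps spaces inside the path
    if len(fields) != 5:
        raise ValueError(f"unexpected field count: {line!r}")
    pcr, template_hash, template, algo_digest, path = fields
    if template != "ima-ng":
        raise ValueError(f"only ima-ng lines are handled here, got {template}")
    algo, _, digest = algo_digest.partition(":")
    if not digest:
        raise ValueError(f"missing digest in {algo_digest!r}")
    return Measurement(int(pcr), template_hash, template, algo.lower(), digest.lower(), path)


def file_digest(data: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, data).hexdigest()


def audit_measurements(lines, expected: dict) -> dict:
    """Map each measured path to ok / MISMATCH / unknown / weak-hash.

    expected: {path: sha256 hex of the approved content}.
    """
    report = {}
    for line in lines:
        if not line.strip():
            continue
        m = parse_measurement_line(line)
        if m.path not in expected:
            report[m.path] = "unknown"          # executed/measured but not in the manifest
        elif m.algo != "sha256":
            report[m.path] = "weak-hash"        # measured with an algorithm we do not accept
        elif m.digest == expected[m.path]:
            report[m.path] = "ok"
        else:
            report[m.path] = "MISMATCH"         # content differs from the approved build
    return report


# Constructed approved content (stand-ins for real file bytes) and what was "measured":
# sshd_config was edited on the host and an unknown binary appeared in /tmp.
APPROVED = {
    "/usr/bin/ls": b"ls binary, approved build",
    "/etc/ssh/sshd_config": b"PermitRootLogin prohibit-password\n",
}
MEASURED = {
    "/usr/bin/ls": b"ls binary, approved build",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
    "/tmp/dropper": b"not in the manifest",
}


def build_sample_lines(measured: dict) -> list:
    """Render constructed ima-ng measurement lines from file contents."""
    lines = []
    for path, data in measured.items():
        digest = file_digest(data)
        # Stand-in for the kernel's template hash; the audit does not rely on it.
        template_hash = hashlib.sha1(f"sha256:{digest}\0{path}\0".encode()).hexdigest()
        lines.append(f"10 {template_hash} ima-ng sha256:{digest} {path}")
    return lines


EXPECTED_DIGESTS = {path: file_digest(data) for path, data in APPROVED.items()}
SAMPLE_LINES = build_sample_lines(MEASURED)


def run_demo() -> dict:
    return audit_measurements(SAMPLE_LINES, EXPECTED_DIGESTS)


if __name__ == "__main__":
    for path, status in run_demo().items():
        print(f"{status:9} {path}")
```

The measurement list only proves what the kernel saw; on a production host you would also compare the aggregate against the TPM PCR 10 value, and with signed IMA policies the kernel can refuse to execute mismatching files rather than merely recording them.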

Red Hat is also adopting Sigstore, through Kubernetes, to sign artifacts and verify signatures. Sigstore is a free software signing service that improves software supply chain security by making it easier to cryptographically sign release files, container images, and binaries. Once signed, the signatures are recorded in a tamper-proof public log. Sigstore is free for all software developers and vendors to use. This gives software artifacts a safer chain of custody that can be secured and traced back to their source. Going forward, Red Hat will adopt Sigstore in OpenShift, Podman, and other container technologies.
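What makes such a public log tamper-evident is that every entry is a leaf of a Merkle tree whose root is published, so a client holding one entry and a short inclusion proof can recompute the root, and any silent rewrite of an old entry changes the root. The block below is an added example, not Sigstore’s, Rekor’s or Red Hat’s code: it implements the RFC 6962 hashing that Sigstore’s Rekor log builds on (0x00-prefixed leaves, 0x01-prefixed nodes, split at the largest power of two) and goes beyond the article by showing proof generation and verification in general, over a constructed list of signature records.

```python
import hashlib

# RFC 6962 domain separation: leaves and interior nodes get different prefixes so
# a leaf value can never be passed off as an interior node, or vice versa.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (requires n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(entries) -> bytes:
    """Tree head over the whole log; this is the value the log operator signs."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = _split_point(len(entries))
    return node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))


def inclusion_proof(entries, index: int) -> list:
    """Audit path for entries[index]: sibling hashes ordered from the leaf up to the root."""
    n = len(entries)
    if n == 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_proof(entries[:k], index) + [merkle_root(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [merkle_root(entries[:k])]


def root_from_proof(leaf: bytes, index: int, size: int, path) -> bytes:
    """Recompute the root from one leaf hash, its index, the tree size and its audit path."""
    if size == 1:
        if path:
            raise ValueError("audit path too long for tree size")
        return leaf
    if not path:
        raise ValueError("audit path too short for tree size")
    k = _split_point(size)
    sibling, rest = path[-1], path[:-1]
    if index < k:
        return node_hash(root_from_proof(leaf, index, k, rest), sibling)
    return node_hash(sibling, root_from_proof(leaf, index - k, size - k, rest))


def verify_inclusion(entry: bytes, index: int, size: int, path, signed_root: bytes) -> bool:
    """A client trusts signed_root (checked against the log's signature elsewhere)
    and accepts the entry only if the recomputed root matches it."""
    return root_from_proof(leaf_hash(entry), index, size, path) == signed_root


# Constructed stand-ins for signature records; real entries carry the artifact
# digest, the signature and the signing certificate.
LOG_ENTRIES = [
    b"entry-0: app:1.0 signed by release key",
    b"entry-1: app:1.1 signed by release key",
    b"entry-2: base-image:9 signed by build system",
    b"entry-3: app:1.2 signed by release key",
    b"entry-4: cli:2.0 signed by release key",
]


def demo() -> bool:
    """Every entry verifies against the published root; a substituted entry does not."""
    root = merkle_root(LOG_ENTRIES)
    size = len(LOG_ENTRIES)
    all_ok = all(verify_inclusion(e, i, size, inclusion_proof(LOG_ENTRIES, i), root)
                 for i, e in enumerate(LOG_ENTRIES))
    forged = verify_inclusion(b"entry-2: forged", 2, size, inclusion_proof(LOG_ENTRIES, 2), root)
    return all_ok and not forged


if __name__ == "__main__":
    print("inclusion proofs behave as expected:", demo())
```

In practice the verifier also checks the log operator’s signature on the root and, over time, consistency proofs between successive roots, which is what turns a Merkle tree into an append-only record.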

This version has many new advanced features. These include:

  • Complete edge management, delivered as a service, to monitor and scale deployments remotely with more control and security functionality, including zero-touch provisioning, system health visibility, and responsive vulnerability mitigation, all from a single interface.

  • Automatic roll-back of containers with Podman, RHEL’s integrated container management technology. Podman automatically detects when a recently updated container fails to start and, if so, restores the container to the previous working version.

The new RHEL also includes an expanded set of RHEL system roles, which let you create specific system configurations automatically. So, for example, if you need a RHEL setup for Postfix, HA clusters, a firewall, Microsoft SQL Server, or the web console, you’re covered.

In addition to roles, RHEL 9 makes building new images easier: you can build both RHEL 8 and RHEL 9 images through a single build node. It also includes better support for custom file systems (non-LVM mount points) and bare metal deployments.

  • If you build Universal Base Image (UBI) containers, you can create them not only with standard UBI images, but also with micro, minimal and init images. You will need a fully subscribed RHEL 9 container host to do this. This allows you to pull additional RPMs from RHEL 9 repositories.

  • RHEL now uses cgroup v2 for containers by default. Podman, Red Hat’s daemonless container engine and Docker replacement, uses short-name signing and validation (e.g. ubi8 instead of registry.access.redhat.com/ubi8/ubi) by default when pulling container images.

And, of course, Red Hat being Red Hat, RHEL 9 Beta ships with GCC 11 and the latest versions of the LLVM, Rust, and Go compilers. Going forward, Python 3.9 will also be the default Python version of RHEL 9.

As for the console, the new RHEL also supports applying kernel live patches from the web console. With this, you can patch large distributed deployments without writing a shell script, and since these are live patches, your RHEL instances keep running while they are patched.

Put it all together and you have a solid business Linux for any purpose. Usually we wait before moving from one major version to another. This time, you might want to go ahead and upgrade to RHEL 9 sooner rather than later.

About Jon Moses
