
The most important updates in Red Hat Enterprise Linux 6

It's been a while since there was a new version of Red Hat Enterprise Linux. Vincent Danen looks at the updates in version 6 and gives high marks to cloud computing and security enhancements.

On November 10th, Red Hat unveiled the latest version of Red Hat Enterprise Linux: version 6. Version 5 was released in March of 2007, so it has been a long road to version 6.

Due to the length of time between releases, RHEL6 is a system that is quite unlike RHEL5. Obviously it comes with newer versions of software across the board, something welcome for those that find RHEL5 a little long in the tooth. Keeping in mind that "bleeding edge" doesn't necessarily belong in an enterprise platform, it is nice to have more recent software along with the inevitable feature enhancements.

Cloud computing

One of the big focuses of RHEL6 is cloud computing. This involves a number of factors, and a lot of work has gone into making it not only viable but highly competitive with other offerings. Performance enhancements abound, making it very efficient and scalable not only for current hardware but also for hardware yet to come. For example, systems with 64TB of physical memory and 4096 cores/threads are not typically in use today, but RHEL6 will support them, out of the box, when they are.

While performance is definitely one area of cloud computing, another area is virtualization, and this is where KVM becomes a direct competitor to other virtualization solutions from vendors such as VMware. Using KVM and libvirt, RHEL6 provides a great virtualization management infrastructure with a really powerful virtualization solution -- all baked right into the operating system for no extra cost.

Security

But all of this aside, the thing I am most passionate about is security. Perhaps it's an odd thing to be so interested in, but it's both hobby and profession for me, so the security features in RHEL6 are really important to me. And they will be important to anyone with a public or private cloud because heavy virtualization and cloud computing make proactive security even more important.

While RHEL has provided SELinux for a long time, RHEL6 provides further SELinux support and policies, making it easier to use now than in previous versions of RHEL. But SELinux is just one piece of the puzzle, and it's a complex one at that. While great strides have been made to make it easier, many people still opt to turn it off rather than figure out how to make it do what they want. So this is where other security enhancements come into play.

While RPM packages have always been signed, RHEL6 now uses the SHA-256 algorithm and a 4096-bit RSA signing key to sign packages. This provides users with greater confidence that packages are legitimate and authentic, compared to the weaker MD5 and SHA-1 algorithms that were used in previous versions.

RHEL6 also ships with a set of proactive binary protection mechanisms as standard, some carried over from previous versions and built upon, others new to RHEL6. These include GCC's FORTIFY_SOURCE extensions, this time with coverage for programs written in C++. They also include glibc pointer encryption, SELinux Executable Memory Protection, all programs compiled with SSP (Stack Smashing Protection), ELF binary data hardening, support for Position Independent Executables (PIE), and glibc heap/memory checks by default.

In the kernel are protections like NX (No-Execute) protection by default, restricted access to kernel memory, and Address Randomization (ASLR). The kernel also features support for preventing module loading, GCC stack protection, and write-protected kernel read-only data structures.
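The compiler and linker protections listed above leave marks in each ELF binary, so they can be audited per file. The following is an added example, not code from the article or from Red Hat: it assumes little-endian ELF64, takes "ELF binary data hardening" to mean RELRO, uses string heuristics for SSP and FORTIFY_SOURCE, and the names `audit_elf64` and `build_sample` and the sample images are constructed for illustration.

```python
import re
import struct

ET_DYN, PF_X = 3, 0x1
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB

def audit_elf64(data):
    """Return hardening properties of a little-endian ELF64 image given as bytes."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx_stack = relro = bind_now = False   # no PT_GNU_STACK is reported as not NX
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset = struct.unpack_from("<IIQ", data, base)
        p_filesz = struct.unpack_from("<Q", data, base + 32)[0]
        if p_type == PT_GNU_STACK:
            nx_stack = not p_flags & PF_X          # stack not marked executable
        elif p_type == PT_GNU_RELRO:
            relro = True                           # relocation data remapped read-only
        elif p_type == PT_DYNAMIC:                 # eager binding makes RELRO "full"
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & 0x8)
                        or (tag == DT_FLAGS_1 and val & 0x1)):
                    bind_now = True
    return {
        "pie": e_type == ET_DYN,                   # shared objects are ET_DYN too
        "nx_stack": nx_stack,
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        "ssp": b"__stack_chk_fail" in data,        # heuristic: canary failure handler
        "fortify": bool(re.search(rb"__\w+_chk\x00", data)),  # heuristic: *_chk imports
    }

def build_sample(e_type, stack_flags, relro, dyn, strings):
    """Constructed input: ELF64 header, program headers, dynamic table, symbol names."""
    phdrs = [(PT_GNU_STACK, stack_flags, 0, 0)] + ([(PT_GNU_RELRO, 4, 0, 0)] if relro else [])
    dyn_off = 64 + 56 * (len(phdrs) + 1)
    dyn_blob = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(0, 0)])
    phdrs.append((PT_DYNAMIC, 6, dyn_off, len(dyn_blob)))
    ehdr = struct.pack("<6s10xHHIQQQIHHHHHH", b"\x7fELF\x02\x01", e_type, 62, 1,
                       0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, o, 0, 0, s, s, 8) for t, f, o, s in phdrs)
    return ehdr + body + dyn_blob + b"\x00".join(strings) + b"\x00"

if __name__ == "__main__":
    print(audit_elf64(build_sample(ET_DYN, 6, True, [(DT_FLAGS, 0x8)], [b"__stack_chk_fail"])))
```

To audit a real binary, pass the file's bytes to `audit_elf64`; a missing `ssp` or `fortify` hit is only a hint, since small binaries may contain no function that needs a canary or a checked libc call.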

Considering all of these features, it is clear that proactive security has been taken seriously in Red Hat Enterprise Linux 6, and that a lot of work has gone into making RHEL a secure operating system suitable for any environment you throw at it: virtual, physical, or cloud. When you include new application features as a result of newer versions of software, the thousands of bugs fixed, the standard seven-year support lifecycle (with an optional extension to 10 years) -- all of this makes Red Hat Enterprise Linux 6 highly suited to enterprise deployment.

Yes, I am biased towards Red Hat as I am employed there, but I am also confident in what RHEL6 brings to the table and willingly stand behind it.

Let us know which updates and features you're most excited about in RHEL 6.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

4 comments
rfolden

You don't need no steenking security testing. It's GNU/Linux, by God, and it's bulletproof.

ivank2139

I think it would be very interesting to see a security test report on a new RHEL6 server. Running a penetration test suite, like the SAINT scanner, against it and publishing the results would be of interest to some of us. Compare that to a few of the other OSes thought to be secure, like OpenBSD and maybe Oracle's Solaris and Windows Server offerings. And you did not mention anything about the OpenSCAP that Red Hat has contributed so much effort to.

HAL 9000

But nothing is Bullet Proof. Yes GNU/Linux is good but it still has weaknesses that can and are taken advantage of. ;) Col

vdanen

I agree, it would be interesting to see. I'll have to see what open scanners there are; SAINT seems to be a commercial offering that I'm not interested in paying for. OpenSCAP is useful from a monitoring perspective, absolutely. Perhaps a future tip can delve into what OpenSCAP is and how it can be useful.