Red Hat Enterprise Linux shares most of the same security mechanisms as other Linux distributions. However, it lets administrators further batten down their system hatches through support for SELinux (Security-Enhanced Linux), a set of kernel modifications and utilities initially developed by the National Security Agency that brings a mandatory access control permissions scheme to Linux. Developing and troubleshooting SELinux policies, particularly on a system running many applications, is a tricky business. RHEL 4 eases the burden by shipping with a "targeted" policy that protects by default a small set of system services that are at great risk for attack because they typically face the Internet.
The ExecShield feature is not new in RHEL 4 (it was introduced as part of RHEL 3's third update, released in August of last year), but it's a solid tool for preventing software exploits caused by buffer overflow attacks. ExecShield is described in detail in a paper released by Red Hat (and available at www.redhat.com/f/pdf/rhel/WHP0006US_Execshield.pdf). In the paper, Red Hat reports that ExecShield stopped 11 of 16 serious Linux vulnerabilities that surfaced between Nov. 1, 2003, and Aug. 11, 2004, and for which exploits were made available. We're not aware of a distribution outside of the Red Hat/Fedora family that uses ExecShield, which is open source but was developed by Red Hat. As with SELinux, ExecShield underwent testing in multiple Fedora releases during the last year before making its way into RHEL.
Red Hat's focus for RHEL 4 was primarily under the hood, so it's not too surprising that we didn't see many differences in the product's administration tools. In fact, with graphical system administration tools that lag behind those of Novell Inc.'s SuSE Linux Enterprise Server 9 and Windows 2003 Server in both scope and intelligence, RHEL 4 will have administrators spending more time than they would probably like at the command line. This won't be a problem for those familiar with RHEL, but it certainly steepens the learning curve, particularly where new features such as SELinux are concerned. Fortunately, Red Hat provides well-written and easily accessible documentation (available at www.redhat.com/docs/manuals/enterprise).
As with previous versions of RHEL, we could install RHEL 4 software and receive updates by connecting to the Red Hat Network with RHEL's up2date client. In the version of up2date that ships with RHEL 4, we could also draw packages from the yum and apt software repositories or from a standard directory.
We upgraded a system running RHEL 3 AS to RHEL 4 AS without incident. SELinux was disabled by default on the new machine, and enabling it would have entailed some administrative chores. This is one reason why Red Hat recommends that users upgrade to RHEL 4 via a clean install. Red Hat does not, however, support upgrading to RHEL 4 from a previous version using up2date. To update, administrators must boot from an install disk image (from a disk or a PXE [Preboot Execution Environment] server), which then runs Red Hat's Anaconda installer application. We've had success upgrading between Fedora Core releases using an application such as yum, and we'd like to see Red Hat do the testing required to support this sort of upgrade in RHEL.
RHEL 4 ships with an updated version of the LVM (Logical Volume Manager), which aims to make it easier for administrators to manage storage among multiple disks. RHEL 4's Anaconda installation program uses LVM by default, but, for various reasons, administrators may wish to return to creating standard partitions instead. RHEL 4's LVM implementation doesn't support RAID mirroring yet, although Red Hat officials have said support will be added in an update coming soon. RHEL 4 also includes a graphical client for managing LVM, but we found this tool to be very basic.
During tests, eWEEK Labs was able to toggle off and on certain elements of the default SELinux policy using the same system-config-securitylevel tool with which users graphically adjust basic firewall settings. However, it's necessary to use the command line for more than a very basic SELinux configuration. (Red Hat has produced a nice manual for SELinux on RHEL 4, available at www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide.)