Security features in Red Hat Enterprise Linux 9

Red Hat Enterprise Linux 9 (RHEL 9) is the latest version of Red Hat’s flagship operating system, released at the Red Hat Summit in May 2022. New capabilities added to RHEL 9 help simplify how organizations manage security and compliance when deploying new systems or managing existing infrastructure. This article takes a brief look at three of the new security features available in this release.

SSH root password login disabled by default

The default superuser account in Unix- and Linux-based systems is "root". Because the username is always “root” and access rights are unlimited, this account is the most valuable target for hackers. Attackers use bots to scan for systems with exposed SSH ports, and when found, they attempt to use common usernames and brute-force passwords to gain entry. Of course, the impact of a successful exploit would be a lot lower if the compromised user has unprivileged access. The breach would then be contained and limited to one user only.

With RHEL 9, root user authentication with a password over SSH has been disabled by default. The OpenSSH default configuration only allows root logins via authentication methods such as public-key authentication, reducing the chance that attackers will gain access through brute-force password attacks. Instead of using the root password, developers can access remote development environments using SSH keys to log in.

OpenSSL 3.0.1

RHEL 9 provides OpenSSL packages in upstream version 3.0.1, which includes many improvements and bug fixes over the previous versions. Some notable improvements include the following.

Providers are collections of algorithms, and you can choose different providers for different applications. This allows application developers to make security decisions about their applications without worrying too much about the security of underlying cryptographic algorithms. OpenSSL currently includes the following providers: base, default, fips, legacy and null. By default, OpenSSL loads and activates the default provider, which includes commonly used algorithms. Developers can programmatically invoke any providers based on application requirements.

The IBM Z-platform supports "CP Assist For Cryptographic Functions (CPACF)" which delivers high-speed on-chip cryptography. OpenSSL now supports this via NIST SP800-90A-compliant AES-based deterministic random bit generator (DRBG). This allows applications running on IBM Z-platform to use this higher speed and more secure random number generator.

Finally, support has been added for better certificate management via Certificate Management Protocol (CMP, RFC 4210), the Certificate Request Message Format (CRMF), and HTTP transfer (RFC 6712). CMP messages are self-contained with protection independent of transfer mechanism, therefore they support end-to-end security.

Built-in RHEL utilities have been recompiled to utilize OpenSSL 3. This allows users to take advantage of new security ciphers for encrypting and protecting information.

Improved system-wide crypto-policies

In RHEL 9, the system-wide cryptographic policies have been adjusted to provide up-to-date security defaults:

• Disabled TLS 1.0, TLS 1.1, DTLS 1.0, RC4, CAMELLIA, DSA, 3DES, and FFDHE-1024 in all policies.

• Increased minimum RSA key size and minimum Diffie-Hellman parameter size in LEGACY.

• With the exception of Hash-based Message Authentication Codes (HMACs), SHA-1 is disabled in TLS and SSH algorithms.

If needed, customers can enable some of the disabled algorithms by using custom policies or sub policies.

Apart from the above, RHEL 9 includes protection against hardware-level security vulnerabilities like Spectre and Meltdown, and the operating system can also help user-space processes create memory areas inaccessible to malicious code.

Additionally, RHEL 9 provides readiness for Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) and other customer security requirements. Its integrity measurement architecture (IMA) digital hashes and signatures create a new way for users to detect rogue infrastructure modifications.

Learn more about these and other security enhancements included in RHEL 9.