Good Morning Everyone,

Does anyone know the security differencs between RHEL4 and RHEL5?

thank you.

-windowsnot

That's a hard question to answer. Two things come to mind:-

• Disk encryption with LUKS
• SELinux - MCS & MLS

SELinux is generally improved (to the point you can use it).

Are you concerned about anything specifically?

Thanks for the feedback...

Yes...I am more concerned with things like auditd, faillog, security relevant objects. Are they still the same in RHEL5 Has any new software been added to RHEL5 that can be considered security hazard?

My current job requires that a version of OS that has never been installed be pre-approved by our security team before it can be loaded on a system...
the IS security team would like to know what the significant differences in security are from RHEL4 to RHEL5. Of course I can't tell them because I can't load it on a system until it is approved...

They have sent me on a goose chase to find out what the differences are and present them the details so that we can officially used RHEL5 for production use...

The best way to answer that is to look at the changelogs, they will tell you what is different between the 2 versions and to which version packages are at. Though frankly I would have thought that assessing security is part of the security team's remit not yours...?

You have hit the nail right on the head my friend...
but it is one of those things that you can't argue with...

Thanks for the info I will check that out...

This may not explain the difference between RH4 and RH5 too well, but it may give you a little ammunition to make the case for 5.

From the RHEL 5 Features page:
This page regarding RH Certifications and Accreditations explains how much attention they put into meeting the various security requirements of state/federal IT security regulations.

Hope that helps!

would it not be better for them to install it one one non-production fully isolated test bed and then thoroughly asses that,

Multilevel security implementation for SELinux (2.6.12)

Audit subsystem

support for process-context based filtering (2.6.17)

more filter rule comparators (2.6.17)


TCP/UDP getpeercon: enabled security-aware applications to retrieve the entire security context of a process on the other side of a socket using an IPSec security association. If only MLS-level information is needed or interoperability with legacy unix system is required, NetLabel can be used in place of IPSec.

I'm moving this to Red Hat, as it's a 100% distro-specific question.

I'll leave a redirect in Security for a few days.

You get the latest version of MySQL, instead of purchasing it in an application stack add-on.