Chapter 3. New Features
This chapter documents new features and major enhancements introduced in Red Hat Enterprise Linux 7.9.
3.1. Authentication and Interoperability
The Certificate Profiles extension no longer has a maximum number of policies per certificate
Previously, administrators could not add more than 20 policies to a certificate because of a hardcoded limit within the Certificate Profiles extension. This update removes the restriction, so you can add an unlimited number of policies to a certificate. In addition, the extension requires at least one policy; otherwise the pkiconsole interface shows an error. If you modify the profile, the extension creates one empty policy. For example:
Identifier: Certificate Policies: - 2.5.29.32
    Critical: no
    Certificate Policies:
(BZ#1768718)
SSSD rebased to version 1.16.5
The sssd packages have been upgraded to upstream version 1.16.5, which provides a number of bug fixes and enhancements over the previous version.
3.2. Clustering
pacemaker rebased to version 1.1.23
The Pacemaker cluster resource manager has been upgraded to upstream version 1.1.23, which provides a number of bug fixes.
3.3. Compiler and Tools
The per-thread metrics are now available for historical analysis
Optionally, you can enable logging of per-thread and per-process performance metric values in Performance Co-Pilot (PCP) using the pcp-zeroconf package and the pmieconf utility. Previously, pmlogger logged only the per-process metric values through the pcp-zeroconf package, but some analysis situations also require per-thread values. As a result, the per-thread metrics are now available for historical analysis after executing the following command:
# pmieconf -c enable zeroconf.all_threads
3.4. Desktop
FreeRDP has been updated to 2.1.1
This release updates the FreeRDP implementation of the Remote Desktop Protocol (RDP) from version 2.0.0 to 2.1.1. FreeRDP 2.1.1 supports new RDP options for the current Microsoft Windows terminal server version and fixes several security issues.
For detailed information about FreeRDP 2.1.1, see the upstream release notes: https://github.com/FreeRDP/FreeRDP/blob/2.1.1/ChangeLog.
3.5. Kernel
Kernel version in RHEL 7.9
Red Hat Enterprise Linux 7.9 is distributed with the kernel version 3.10.0-1160.
See also Important Changes to External Kernel Parameters and Device Drivers.
A new kernel parameter: page_owner
Page owner tracking is a new feature that enables users to observe kernel memory consumption at the page allocator level. Users can employ it to debug kernel memory leaks or to discover kernel modules that consume excessive amounts of memory. To enable the feature, add the page_owner=on parameter to the kernel command line. For more information on how to set kernel command-line parameters, see Configuring kernel command-line parameters on the Customer Portal.
Regardless of the page_owner parameter setting (on or off) on the kernel command line, the presence of page owner tracking adds approximately 2.14% additional memory requirement on RHEL 7.9 systems (this impacts the kernel, VMs, or cgroups). For further details on this topic, see the Why Kernel-3.10.0-1160.el7 consumes double amount of memory compared to kernel-3.10.0-1127.el7? solution.
For more information about important changes to kernel parameters, see the New kernel parameters section.
(BZ#1781726)
EDAC driver support is now added to Intel ICX systems
This update adds the Error Detection and Correction (EDAC) driver to Intel ICX systems. As a result, memory errors can be detected on these systems and reported to the EDAC subsystem.
(BZ#1514705)
Intel® Omni-Path Architecture (OPA) Host Software
Intel® Omni-Path Architecture (OPA) host software is fully supported in Red Hat Enterprise Linux 7.9. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.
The Mellanox ConnectX-6 Dx network adapter is now fully supported
This enhancement adds the PCI IDs of the Mellanox ConnectX-6 Dx network adapter to the mlx5_core driver. On hosts that use this adapter, RHEL loads the mlx5_core driver automatically. This feature, previously available as a technology preview, is now fully supported in RHEL 7.9.
(BZ#1829777)
3.6. Real-Time Kernel
The kernel-rt source tree now matches the latest RHEL 7 tree
The kernel-rt sources have been updated to use the latest RHEL kernel source tree, which provides a number of bug fixes and enhancements over the previous version.
(BZ#1790643)
3.7. Networking
Configuring unbound to run inside chroot for systems without SELinux
On systems with SELinux enabled and in enforcing mode, SELinux provides significant protection and limits what the unbound service can access. If you cannot configure SELinux in enforcing mode and you want to increase the protection of the unbound domain name server, use the chroot utility to jail unbound into a limited chroot environment. Note that the protection provided by chroot is weaker than SELinux in enforcing mode.
To configure unbound to run inside chroot, prepare your environment as described in the support article Running unbound in chroot.
3.8. Red Hat Enterprise Linux System Roles
rhel-system-roles updated
The rhel-system-roles package has been updated to provide multiple bug fixes and enhancements. Notable changes include:
- Support for 802.1X authentication with EAP-TLS was added to the network RHEL System Role when using the NetworkManager provider. As a result, customers can now configure their machines to use 802.1X authentication with EAP-TLS through the network RHEL System Role instead of having to use the nmcli command-line utility.
- The network RHEL System Role tries to modify link or network attributes without disrupting connectivity, when possible.
- Logging in the network module has been fixed so that informative messages are no longer printed as warnings but as debugging information.
- The network RHEL System Role now uses the NetworkManager capability to revert changes if an error occurs while applying the configuration, to avoid partial changes.
3.9. Security
SCAP Security Guide now provides a profile aligned with the CIS RHEL 7 Benchmark v2.2.0
With this update, the scap-security-guide packages provide a profile aligned with the CIS Red Hat Enterprise Linux 7 Benchmark v2.2.0. The profile enables you to harden the configuration of the system using the guidelines by the Center for Internet Security (CIS). As a result, you can configure and automate compliance of your RHEL 7 systems with CIS by using the CIS Ansible Playbook and the CIS SCAP profile.
Note that the rpm_verify_permissions rule in the CIS profile does not work correctly. See the known issue description rpm_verify_permissions fails in the CIS profile.
SCAP Security Guide now correctly disables services
With this update, the SCAP Security Guide (SSG) profiles correctly disable and mask services that should not be started. This guarantees that disabled services are not inadvertently started as a dependency of another service. Before this change, SSG profiles such as the U.S. Government Commercial Cloud Services (C2S) profile only disabled the service. As a result, services disabled by an SSG profile cannot be started unless you unmask them first.
The RHEL 7 STIG security profile updated to version V3R1
With the RHBA-2020:5451 advisory, the DISA STIG for Red Hat Enterprise Linux 7 profile in the SCAP Security Guide has been updated to the latest version V3R1. This update adds more coverage and fixes reference problems. The profile is now also more stable and better aligns with the RHEL 7 STIG benchmark provided by the Defense Information Systems Agency (DISA).
You should use only the current version of this profile because the older versions of this profile are no longer valid. The OVAL checks for several rules have changed, and scans using the V3R1 version will fail for systems that were hardened using older versions of SCAP Security Guide. You can fix the rules automatically by running the remediation with the new version of SCAP Security Guide.
Automatic remediation might render the system non-functional. Run the remediation in a test environment first.
The following rules have been changed:
- CCE-80224-9 - The default value of this SSHD configuration has changed from delayed to yes. You must now provide a value according to recommendations. Check the rule description for information about fixing this problem or run the remediation to fix it automatically.
- CCE-80393-2 - xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
- CCE-80394-0 - xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon
- CCE-80391-6 - xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage
- CCE-80660-4 - xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles
- CCE-80392-4 - xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool
- CCE-82362-5 - xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare
- CCE-80398-1 - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
- CCE-80404-7 - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh
- CCE-80410-4 - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab
- CCE-80397-3 - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd
- CCE-80403-9 - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
- CCE-80411-2 - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check
- CCE-27437-3 - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands
- CCE-80395-7 - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
- CCE-80406-2 - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop
- CCE-80407-0 - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue
- CCE-80408-8 - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign
- CCE-80402-1 - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit
- CCE-80401-3 - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo
- CCE-80400-5 - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su
- CCE-80405-4 - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount
- CCE-80396-5 - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd
- CCE-80399-9 - xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper
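The audit_rules_privileged_commands_* rules listed above all expect an audit rule that records execution of each setuid or setgid binary by real users. The following Python is an added example, not code from SCAP Security Guide or Red Hat: it generates such rules from a constructed inventory of binaries and checks an audit.rules text for privileged binaries that lack one. The rule syntax (-F auid>=1000 -F auid!=unset, key privileged) is an assumption modelled on the common auditd form, and the file modes are constructed sample data.

```python
"""Generate and check auditd rules for privileged (setuid/setgid) commands."""
import re
import stat

# Constructed sample inventory: path -> st_mode as os.lstat() would report it.
SAMPLE_BINARIES = {
    "/usr/bin/passwd": 0o104755,    # setuid root
    "/usr/bin/chage": 0o104755,     # setuid root
    "/usr/bin/crontab": 0o104755,   # setuid root
    "/usr/bin/ls": 0o100755,        # ordinary binary, needs no rule
    "/usr/sbin/postdrop": 0o102755, # setgid
}

# Matches a well-formed privileged-command rule: execute access, real users only,
# unset auid excluded (auditd accepts unset, 4294967295 or -1), keyed for search.
RULE_RE = re.compile(
    r"^-a\s+always,exit\s+-F\s+path=(?P<path>\S+)\s+-F\s+perm=x\s+"
    r"-F\s+auid>=1000\s+-F\s+auid!=(?:unset|4294967295|-1)\s+"
    r"(?:-k\s+|-F\s+key=)(?P<key>\S+)$"
)

def is_privileged(mode: int) -> bool:
    """True when the setuid or setgid bit is set on the file mode."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))

def privileged_paths(binaries: dict) -> list:
    """Sorted paths of all setuid/setgid binaries in the inventory."""
    return sorted(p for p, m in binaries.items() if is_privileged(m))

def rule_for(path: str, key: str = "privileged") -> str:
    """One auditd rule recording executions of `path` by real (auid>=1000) users."""
    return (f"-a always,exit -F path={path} -F perm=x "
            f"-F auid>=1000 -F auid!=unset -k {key}")

def generate_rules(binaries: dict, key: str = "privileged") -> list:
    """Rules for every privileged binary, ready to drop into /etc/audit/rules.d."""
    return [rule_for(p, key) for p in privileged_paths(binaries)]

def audited_paths(rules_text: str) -> set:
    """Paths covered by a well-formed privileged-command rule in audit.rules text."""
    covered = set()
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            covered.add(m.group("path"))
    return covered

def missing_rules(binaries: dict, rules_text: str) -> list:
    """Privileged binaries with no rule: what the STIG check would report as failing."""
    covered = audited_paths(rules_text)
    return [p for p in privileged_paths(binaries) if p not in covered]

if __name__ == "__main__":
    partial = rule_for("/usr/bin/passwd")          # constructed: only passwd is audited
    print("\n".join(generate_rules(SAMPLE_BINARIES)))
    print("uncovered:", missing_rules(SAMPLE_BINARIES, partial))
```

On a real host the inventory would come from walking local filesystems with os.lstat and the rules text from the files under /etc/audit/rules.d.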
Profiles for DISA STIG version v3r3
The Defense Information Systems Agency (DISA) has published an updated version of the Security Technical Implementation Guide (STIG) for RHEL 7, version 3, release 3. The update available with the RHBA-2021:2803 advisory:
- Aligns all rules within the existing xccdf_org.ssgproject.content_profile_stig profile with the latest STIG release.
- Adds a new profile, xccdf_org.ssgproject.content_profile_stig_gui, for systems with a graphical user interface (GUI).
scap-security-guide now provides an ANSSI-BP-028 High hardening level profile
With the release of the RHBA-2021:2803 advisory, the scap-security-guide packages provide an updated profile for ANSSI-BP-028 at the High hardening level. This addition completes the availability of profiles for all ANSSI-BP-028 v1.2 hardening levels. Using the updated profile, you can configure the system to comply with the recommendations from the French National Security Agency (ANSSI) for GNU/Linux Systems at the High hardening level.
As a result, you can configure and automate compliance of your RHEL 7 systems according to your required ANSSI hardening level by using the ANSSI Ansible Playbooks and the ANSSI SCAP profiles. The Draft ANSSI High profile provided with the previous versions has been aligned to ANSSI DAT-NT-028. Although the profile names and versions have changed, the IDs of the ANSSI profiles such as xccdf_org.ssgproject.content_profile_anssi_nt28_high remain the same to ensure backward compatibility.
WARNING: Automatic remediation might render the system non-functional. Red Hat recommends running the remediation in a test environment first.
The RHEL 8 STIG profile is now better aligned with the DISA STIG content
The DISA STIG for Red Hat Enterprise Linux 7 profile (xccdf_org.ssgproject.content_profile_stig) available in the scap-security-guide (SSG) package can be used to evaluate systems according to the Security Technical Implementation Guides (STIG) by the Defense Information Systems Agency (DISA). You can remediate your systems by using the content in SSG, but you might need to evaluate them using DISA STIG automated content. With the release of the RHBA-2022:6576 advisory, the DISA STIG RHEL 7 profile is better aligned with DISA's content. This leads to fewer findings against DISA content after SSG remediation.
Note that the evaluations of the following rules still diverge:
- SV-204511r603261_rule - CCE-80539-0 (auditd_audispd_disk_full_action)
- SV-204597r792834_rule - CCE-27485-2 (file_permissions_sshd_private_key)
Also, rule SV-204405r603261_rule from DISA’s RHEL 7 STIG is not covered in the SSG RHEL 7 STIG profiles.
(BZ#1967950)
A warning message to configure Audit log buffer for large systems added to SCAP rule audit_rules_for_ospp
The SCAP rule xccdf_org.ssgproject.content_rule_audit_rules_for_ospp now displays a performance warning on large systems where the Audit log buffer configured by this rule might be too small, and can override the custom value. The warning also describes the process to configure a larger Audit log buffer. With the release of the RHBA-2022:6576 advisory, you can keep large systems compliant and correctly set their Audit log buffer.
3.10. Servers and Services
New package: compat-unixODBC234 for SAP
The new compat-unixODBC234 package provides version 2.3.4 of unixODBC, a framework that supports accessing databases through the ODBC protocol. This new package is available in the RHEL 7 for SAP Solutions sap-hana repository to enable streaming backup of an SAP HANA database using the SAP backint interface. For more information, see Overview of the Red Hat Enterprise Linux for SAP Solutions subscription.
The compat-unixODBC234 package conflicts with the base RHEL 7 unixODBC package. Therefore, uninstall unixODBC prior to installing compat-unixODBC234.
This package is also available for Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions, Red Hat Enterprise Linux 7.6 Extended Update Support, and Red Hat Enterprise Linux 7.7 Extended Update Support through the RHEA-2020:2178 advisory.
See also The compat-unixODBC234 package for SAP requires a symlink to load the unixODBC library.
(BZ#1790655)
MariaDB rebased to version 5.5.68
With RHEL 7.9, the MariaDB database server has been updated to version 5.5.68. This release provides multiple security and bug fixes from the recent upstream maintenance releases.
3.11. Storage
Support for Data Integrity Field/Data Integrity Extension (DIF/DIX)
DIF/DIX is supported on configurations where the hardware vendor has qualified it and provides full support for the particular host bus adapter (HBA) and storage array configuration on RHEL.
DIF/DIX is not supported on the following configurations:
- It is not supported for use on the boot device.
- It is not supported on virtualized guests.
- Red Hat does not support using the Automatic Storage Management library (ASMLib) when DIF/DIX is enabled.
DIF/DIX is enabled or disabled at the storage device, which involves various layers up to (and including) the application. The method for activating the DIF on storage devices is device-dependent.
For further information on the DIF/DIX feature, see What is DIF/DIX.
(BZ#1649493)
3.12. Atomic Host and Containers
Red Hat Enterprise Linux Atomic Host is a secure, lightweight, and minimal-footprint operating system optimized to run Linux containers.
Red Hat Enterprise Linux Atomic Host is retired as of August 6, 2020 and active support is no longer provided.
3.13. Red Hat Software Collections
Red Hat Software Collections (RHSCL) is a Red Hat content set that provides a set of dynamic programming languages, database servers, and related packages that you can install and use on all supported releases of Red Hat Enterprise Linux 7 on AMD64 and Intel 64 architectures, IBM Z, and IBM POWER, little endian.
Red Hat Developer Toolset is designed for developers working on the Red Hat Enterprise Linux platform. It provides current versions of the GNU Compiler Collection, GNU Debugger, and other development, debugging, and performance monitoring tools. Red Hat Developer Toolset is included as a separate Software Collection.
Dynamic languages, database servers, and other tools distributed with Red Hat Software Collections do not replace the default system tools provided with Red Hat Enterprise Linux, nor are they used in preference to these tools. Red Hat Software Collections uses an alternative packaging mechanism based on the scl utility to provide a parallel set of packages. This set enables optional use of alternative package versions on Red Hat Enterprise Linux. By using the scl utility, users can choose which package version they want to run at any time.
Red Hat Software Collections has a shorter life cycle and support term than Red Hat Enterprise Linux. For more information, see the Red Hat Software Collections Product Life Cycle.
See the Red Hat Software Collections documentation for the components included in the set, system requirements, known problems, usage, and specifics of individual Software Collections.
See the Red Hat Developer Toolset documentation for more information about the components included in this Software Collection, installation, usage, known problems, and more.