Red Hat SummitChapter 7. Security considerations in Satellite
Satellite supports multiple security mechanisms to provide additional layers of protection. Implementing these security features enhances the overall security of your Satellite deployment.
These security considerations apply to both Satellite Server and Capsule Server environments.
- Federal Information Processing Standards (FIPS) Mode
Satellite supports running on FIPS-enabled Red Hat Enterprise Linux hosts to comply with security standards for cryptographic modules. However, Satellite itself is not FIPS-certified. In addition, you cannot enable FIPS mode after the installation of Satellite.
FIPS mode enforces the use of validated cryptographic algorithms and modules. Enabling FIPS mode ensures that all cryptographic operations within the system adhere to strict security standards.
For more information, see Switching RHEL to FIPS mode in Red Hat Enterprise Linux 9 Security hardening.
NoteSatellite supports DEFAULT and FIPS crypto-policies. The FUTURE crypto-policy is not supported for Satellite Server and Capsule Server installations. The FUTURE policy is a stricter forward-looking security level intended for testing a possible future policy. For more information, see Using system-wide cryptographic policies in Red Hat Enterprise Linux 9 Security hardening.
- File Access Policy Daemon (
fapolicyd) By enabling
fapolicydon your Satellite Server, you can monitor and control file and directory access, which provides an additional security layer.This feature helps prevent unauthorized code execution and enhances system integrity. You can enable or disable
fapolicydon both Satellite Server and Capsule Server at any time, depending on your security requirements.For additional information about
fapolicyd, including instructions on enabling it, see Blocking and allowing applications by using fapolicyd in Red Hat Enterprise Linux 9 Security hardening.- Post-Quantum Cryptography (PQC)
- Red Hat does not support PQC compatibility for Satellite.
- Security-Enhanced Linux (SELinux)
Satellite requires SELinux, a mandatory access control system that restricts system access and reduces the risk of security vulnerabilities. SELinux enforces policies that define which processes can access specific system resources, providing protection against unauthorized access and exploitation.
To maintain a high-security environment, Red Hat recommends running Satellite with SELinux in enforcing mode. It ensures that access control policies are strictly enforced, minimizing the risk of privilege escalation or unauthorized actions.
- Additional Security Recommendations
- Regularly updating security policies and configurations, as well as monitoring system logs and security policies, can help detect and respond to potential threats effectively.
- Security compliance
- For certain use cases, your Satellite Server must meet the requirements of security compliance. You can use Security Content Automation Protocol (SCAP) to scan your system for security policy compliance. For more information, see Managing security compliance.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}