Chapter 7. Security considerations in Satellite

Satellite supports running on FIPS-enabled Red Hat Enterprise Linux hosts to comply with security standards for cryptographic modules. However, Satellite itself is not FIPS-certified. In addition, you cannot enable FIPS mode after the installation of Satellite.

FIPS mode enforces the use of validated cryptographic algorithms and modules. Enabling FIPS mode ensures that all cryptographic operations within the system adhere to strict security standards.

For more information, see Switching RHEL to FIPS mode in Red Hat Enterprise Linux 9 Security hardening.

By enabling fapolicyd on your Satellite Server, you can monitor and control file and directory access, which provides an additional security layer.

This feature helps prevent unauthorized code execution and enhances system integrity. You can enable or disable fapolicyd on both Satellite Server and Capsule Server at any time, depending on your security requirements.

For additional information about fapolicyd, including instructions on enabling it, see Blocking and allowing applications by using fapolicyd in Red Hat Enterprise Linux 9 Security hardening.

Satellite requires SELinux, a mandatory access control system that restricts system access and reduces the risk of security vulnerabilities. SELinux enforces policies that define which processes can access specific system resources, providing protection against unauthorized access and exploitation.

To maintain a high-security environment, Red Hat recommends running Satellite with SELinux in enforcing mode. It ensures that access control policies are strictly enforced, minimizing the risk of privilege escalation or unauthorized actions.