8. Security

The System Security Services Daemon (SSSD) is a new feature in Red Hat Enterprise Linux 6 that implements a set of services for central management of identity and authentication. Centralizing identity and authentication services enables local caching of identities, allowing users to still identify in cases where the connection to the server is interrupted. SSSD supports many types of identity and authentication services, including: Red Hat Directory Server, Active Directory, OpenLDAP, 389, Kerberos and LDAP.

Security-Enhanced Linux (SELinux) adds Mandatory Access Control (MAC) to the Linux kernel, and is enabled by default in Red Hat Enterprise Linux 6. A general purpose MAC architecture needs the ability to enforce an administratively-set security policy over all processes and files in the system, basing decisions on labels containing a variety of security-relevant information.

Red Hat Enterprise Linux provides the ability to encrypt the data on storage devices, assisting in the prevention of unauthorized access of the data. Encryption is achieved by transforming the data into a format that can only be read using a specific encryption key. This key — which is created during the installation process, and protected by a passphrase — is the only way to decrypt the encrypted data.

However, if the passphrase is misplaced, the encryption key cannot be used, and data on the encrypted storage device cannot be accessed.

Red Hat Enterprise Linux 6 provides the ability to save encryption keys and create backup passphrases. This feature allows for the recovery of an encrypted volume (including the root device) even when the original passphrase is misplaced.

libvirt is a C language application programming interface (API) for managing and interacting with the virtualization capabilities of Red Hat Enterprise Linux 6. In this release, libvirt features the new sVirt component. sVirt integrates with SELinux, providing security mechanisms to prevent unauthorized access of guests and hosts in a virtualized environment.

The Enterprise Security Client (ESC) is a simple GUI that allows Red Hat Enterprise Linux to manage smart cards and tokens. New smart cards can be formatted and enrolled, meaning that new keys are generated and certificates requested for the smart card automatically. The smart card lifecycle can be managed, as well, so that lost smart cards can have their certificates revoked and expired certificates can be renewed. The ESC works in conjunction with a larger public-key infrastructure management product, either Red Hat Certificate System or Dogtag PKI.