New features in Red Hat Enterprise Linux 8.2
Next Level
RHEL 8.2 comes with many new features, ranging from the kernel, through security and networking, to the desktop.
In mid-April, just before the virtual Red Hat Summit 2020 (Figure 1), Red Hat announced an update of its flagship Red Hat Enterprise Linux (RHEL) distribution. If you want to read the real news about RHEL 8.2 from the press release [1], you have to fight your way through a thick fog of marketing phrases and buzzwords. You'll find references to "shifting global dynamics," as well as the "interconnected nature of the hybrid cloud era," and, of course, COVID-19, which somehow makes everything else even more urgent.
According to the announcement, updates to the Red Hat Insights analysis platform will provide customers with such gifts as "new intelligent management and monitoring capabilities." The new release also promises "improved container tools" and a "smoother user experience for both Linux experts and newcomers."
Beyond the hype, however, the announcement does point to some concrete improvements that could make a difference for users and IT professionals.
Infrastructure Updates
Sys admins will appreciate a new drift service that automatically compares a system to a predefined base configuration, thus helping to uncover any unauthorized changes. RHEL 8.2 also lets you manage memory resources via cgroup v2, setting quotas to prevent individual processes from hogging too much memory.
The Tuned system tuning tool is now available in the latest upstream version 2.13. Tuned monitors the system and can optimize performance based on profiles that depend on the intended use. You will find profiles for high data throughput, low latency, and energy saving. The updated Tuned comes with a new architecture-dependent tuning framework in RHEL 8.2, supporting several new include directives. Updates are available for the sap-hana, latency-performance, and realtime tuning profiles.
The BIND DNS server has moved to base version 9.11.13, which introduces new algorithms, commands, and variables. The tcp-highwater variable shows the maximum number of concurrent TCP clients per run, and BIND also supports an algorithm for SipHash-2-4-based DNS cookies, as described in RFC 7873. The named-checkconf command takes into account DNS64 network extensions that allow NAT from IPv6 clients on IPv4 servers.
In case of a distributed denial-of-service (DDoS) attack, the servers no longer return SERVFAIL messages but fall back on old cached records thanks to the new stale-answer function. The feature can be (de)activated via the configuration file or the remote control channel (rndc).
Secure with OpenSCAP
The Defense Information Systems Agency (DISA) is an agency of the U.S. Department of Defense that was founded back in 1960 and has coined numerous abbreviations [2], which mostly relate to communication programs or technologies for the U.S. military services. One of the abbreviations is STIG, which stands for Security Technical Implementation Guides; these consist of recommendations for hardening the security of your own IT systems.
Red Hat customers who want to base their security on these recommendations can now look forward to a suitable profile and kickstart file for OpenSCAP. SCAP is the Security Content Automation Protocol that Red Hat users deploy for automated system monitoring and predefined security policy compliance checks as needed.
Armed with the new profile and the kickstart file for OpenSCAP, customers can check whether their systems are STIG-compliant. And not only that: The scap-security-guide packages also include a profile and the appropriate kickstart files for the Essential Eight policy of the Australian Cyber Security Center (ACSC).
In RHEL 8.2, users of the Podman container software, which, in contrast to Docker, does not require root privileges or a daemon, can use the oscap-podman tool to scan containers with OpenSCAP to identify security holes and check compliance.
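A compliance scan only helps if someone reads the outcome, so here is an added example (not Red Hat's or the OpenSCAP project's code) that condenses an XCCDF results file, such as the one oscap xccdf eval writes with --results, into the rules that need attention, ordered by severity. It assumes the XCCDF 1.2 namespace; the embedded document and all identifiers in it are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace (assumed)
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample, trimmed to the elements this script reads.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <TestResult id="xccdf_org.example_testresult_demo">
    <profile idref="xccdf_org.example_profile_stig"/>
    <rule-result idref="xccdf_org.example_rule_sshd_no_root_login" severity="medium">
      <result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_auditd_enabled" severity="medium">
      <result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_no_empty_passwords" severity="high">
      <result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_banner_text" severity="low">
      <result>notselected</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_aide_installed" severity="low">
      <result>error</result></rule-result>
  </TestResult>
</Benchmark>"""

def summarize(xml_text):
    """Return profile id, per-outcome counts and the rules needing attention."""
    root = ET.fromstring(xml_text)
    # The TestResult may be the document root or nested inside a Benchmark.
    tr = root if root.tag == "{%s}TestResult" % NS["x"] else root.find(".//x:TestResult", NS)
    if tr is None:
        raise ValueError("no XCCDF 1.2 TestResult element found")
    profile = tr.find("x:profile", NS)
    counts, attention = Counter(), []
    for rr in tr.findall("x:rule-result", NS):
        outcome = (rr.findtext("x:result", default="", namespaces=NS) or "unknown").strip()
        counts[outcome] += 1
        # "error" and "unknown" mean the check did not run cleanly: not a pass.
        if outcome in ("fail", "error", "unknown"):
            attention.append((rr.get("severity", "unknown"), rr.get("idref"), outcome))
    attention.sort(key=lambda r: (SEVERITY_RANK.get(r[0], 3), r[1]))
    return {"profile": None if profile is None else profile.get("idref"),
            "counts": dict(counts), "needs_attention": attention}

if __name__ == "__main__":
    report = summarize(SAMPLE_RESULTS)
    print(report["profile"], report["counts"])
    for severity, rule, outcome in report["needs_attention"]:
        print(f"{severity:7} {outcome:6} {rule}")
```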
SELinux Extension
Numerous other changes affect SELinux and the associated tools and types. udica, a tool introduced with RHEL 8.2, generates SELinux security policies specifically adapted to containers. If a container triggers an access denial under a policy generated by udica, udica will change the associated policy if desired. In this case, the admin adds the new rule via the parameter -a or --append-rules.
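To see what rules derived from denials look like before they are appended to a container policy, this added example (not udica's code) turns AVC denial records for one container domain into CIL allow rules, merging permissions per target type and class. The log lines are constructed, and my_container.process is a hypothetical domain name.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)")

# Constructed audit.log lines; my_container.process is a hypothetical domain.
SAMPLE_LOG = [
    'type=AVC msg=audit(1588000000.101:51): avc:  denied  { read } for  pid=2001 '
    'comm="nginx" name="site.conf" scontext=system_u:system_r:my_container.process:s0:c10,c20 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1588000000.102:52): avc:  denied  { open } for  pid=2001 '
    'comm="nginx" path="/etc/site.conf" scontext=system_u:system_r:my_container.process:s0:c10,c20 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1588000000.200:53): avc:  denied  { name_bind } for  pid=2001 '
    'comm="nginx" src=8443 scontext=system_u:system_r:my_container.process:s0:c10,c20 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1588000000.300:54): avc:  denied  { read } for  pid=900 '
    'comm="httpd" name="shadow" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1588000000.300:54): arch=c000003e syscall=257 success=no',
]

def selinux_type(context):
    """Extract the type field from a user:role:type:level context string."""
    return context.split(":")[2]

def rules_from_denials(lines, domain):
    """Build CIL allow rules for denials whose source type is `domain`."""
    grouped = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        # Skip non-AVC records and denials that belong to other domains.
        if not m or selinux_type(m["src"]) != domain:
            continue
        grouped[(selinux_type(m["tgt"]), m["cls"])].update(m["perms"].split())
    return [f"(allow {domain} {tgt} ({cls} ({' '.join(sorted(perms))})))"
            for (tgt, cls), perms in sorted(grouped.items())]

if __name__ == "__main__":
    for rule in rules_from_denials(SAMPLE_LOG, "my_container.process"):
        print(rule)
```

A rule such as name_bind on unreserved_port_t permits more than the single port that triggered the denial, so read each generated rule before it goes into the policy.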
There is also a new setroubleshoot plugin for SELinux. setroubleshoot detects blocked execmem access and gives the admin advice on how to proceed. The setools-gui package was already available in RHEL 7 and is now also on board in RHEL 8.2.
SELinux also manages lvmdbusd, a D-Bus API for the Logical Volume Manager (LVM). Users restricted by SELinux are allowed to manage user session services themselves starting in RHEL 8.2, for example, by running the systemctl --user command. The semanage port tool no longer handles only TCP and UDP ports, but also Stream Control Transmission Protocol (SCTP) and Datagram Congestion Control Protocol (DCCP) ports.
Further security updates affect the clevis command, which provides admins with information about LUKS-encrypted disks and also decrypts them automatically.
Rsyslog can now communicate with REST interfaces thanks to the omhttp plugin. The audit package has seen an update, as has the Audit subsystem in the kernel. Red Hat has also incorporated changes from the first release candidate of kernel 5.5, including improved search options on remote filesystems. Last but not least, the new release includes updates for sudo and PAM.