8 tech tips to advance security and compliance

Mitigate risk, enforce security configuration and policy, and help your organization stay compliant with Red Hat® Enterprise Linux® security and compliance capabilities.

System-wide cryptographic policy provides a consistent way to implement and maintain standards-based compliance settings for your infrastructure. 

With one simplified command, you can select a built-in cryptographic policy and apply it consistently across the applications on your system. Plus, if you have specialized regulatory compliance requirements, you can create a custom policy to meet your objectives.

Learn more about managing compliance

Red Hat Enterprise Linux system roles, powered by Red Hat Ansible® Automation Platform, allow administrators to use automation to install and manage security settings at scale in less time. 

System roles are written to work with multiple Red Hat Enterprise Linux releases across various footprints, allowing administrators to use best practices for Red Hat solutions. With a single command or workflow, you can configure new security settings and maintain them on all your systems.

Learn more about security automation

Red Hat Enterprise Linux includes centralized identity management (IdM) capabilities that allow you to authenticate users and implement role-based access controls (RBAC) using a single, scalable interface that spans your entire datacenter. 

Identity management in Red Hat Enterprise Linux integrates with Microsoft Active Directory, lightweight directory access protocol (LDAP), and other third-party identity and access management solutions through standard application programming interfaces (APIs). 
You can also centrally manage authentication and authorization for services using certificate-based authentication and authorization techniques.

Find out more about identity management

Security-Enhanced Linux (SELinux) is an implementation of mandatory access control (MAC) in the Linux kernel. Red Hat Enterprise Linux containers run with SELinux by default. This includes an additional layer of security in the operating system (OS) and prevents containers from breaking out and overwriting the underlying host OS or other containers on the system. Udica allows system administrators and container developers to analyze a running container and auto-generate a policy with container-specific SELinux rules. This simplifies policy writing and reduces risk by eliminating the need to run containers with superuser privileges. 

Experiment and learn more about policy lockdown

Red Hat provides kernel live patches for common vulnerabilities and exposures (CVEs) rated critical or important for extended update support (EUS) releases at no extra cost. Kernel live patching (KLP) allows you to patch a running kernel to immediately address vulnerabilities without rebooting your system to minimize downtime without compromising security.

Experiment and learn more about KLP

Included in a Red Hat Enterprise Linux subscription, at no added cost, Red Hat Insights is a Software-as-a-Service (SaaS) offering that provides users with actionable security data about their deployments. Discover and address operational and vulnerability risks, scan your systems faster to determine which patches are missing, and prioritize which critical patches to apply first. You can create, modify, implement, and maintain security configuration policies across all your Red Hat Enterprise Linux systems from a single web interface. Additionally, you can execute, scale, and automate remediation plans from Red Hat Insights with a Red Hat Smart Management subscription.

Learn more about compliance

Red Hat Enterprise Linux includes session recording, which has auditing and logging capabilities that let security administrators capture keystrokes and activities of a select group of users on a system. This data is recorded in the same system journal or log file as all other activities and can be analyzed and correlated using replay and pause capabilities included in the playback tool.  

Experiment with session recording

Application allowlisting can reduce potential attack vectors and prevent rogue applications from executing on your system. The file access policy daemon (fapolicyd) offers built-in application allowlisting, which permits only approved executables to run on a system by a user. System administrators can configure fapolicyd with default policies or build their own to prevent modified or unauthorized applications from running. 

Find out more about application allowlisting