When migrating from RHEL/CentOS 5 to 6, security teams face significant architectural changes. While Red Hat's official Security Guide provides baseline recommendations, it lacks the military-grade hardening specifics found in NSA's RHEL 5 guide. Key differences include the following major security changes in RHEL 6 vs 5:
1. Switch from PAM to SSSD for authentication
2. Introduction of AIDE (Advanced Intrusion Detection Environment)
3. Enhanced SELinux policies with targeted booleans
4. FirewallD replacing iptables (in later RHEL 6 versions)
5. GRUB 2 password protection requirements
Red Hat's Security Guide covers fundamentals, but for high-security environments, consider supplementing with:
- DISA STIG for RHEL 6 (Public Release)
- NIST Special Publication 800-53 Controls
- CIS Red Hat Enterprise Linux 6 Benchmark
The following examples demonstrate NSA-style hardening adapted for RHEL 6:

```
# Example 1: Secure SSH configuration (sshd_config)
Protocol 2
LogLevel VERBOSE
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 1m
ClientAliveInterval 300
ClientAliveCountMax 0
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
```

```
# Example 2: Kernel hardening (sysctl.conf)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
```

When moving from RHEL 5 to 6 security configurations:
- Audit all custom PAM modules for SSSD compatibility
- Convert iptables rules to FirewallD where applicable
- Test legacy applications under stricter SELinux policies
- Implement AIDE as replacement for Tripwire-like functionality
For teams needing reproducible configurations:

```bash
# Using OpenSCAP for baseline compliance
yum install scap-security-guide
oscap xccdf eval --profile stig-rhel6-server \
    --results /var/log/oscap_results.xml \
    --report /var/log/oscap_report.html \
    /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
```

Remember that automated tools should supplement, not replace, manual review of security configurations specific to your threat model.
When migrating from RHEL/CentOS 5 to 6, system administrators face significant architectural changes including:
- Systemd replacing traditional init system
- Enhanced SELinux policies
- New cryptographic implementations
- Updated kernel security features
While Red Hat's Security Guide provides baseline information, it lacks the depth of NSA's RHEL 5 hardening guide. Consider these key differences:
```bash
# RHEL 5 vs 6 service management example
# RHEL 5:
service httpd restart
chkconfig httpd on
# RHEL 6:
systemctl restart httpd.service
systemctl enable httpd.service
```

These materials provide NSA-like rigor for RHEL 6:
- DISA's STIGs for Red Hat Enterprise Linux 6
- CIS Benchmark for RHEL 6
- NIST's Security Configuration Checklists
Essential security tweaks for fresh RHEL 6 installations:

```bash
# Kernel hardening
echo "kernel.exec-shield = 1" >> /etc/sysctl.conf
echo "kernel.randomize_va_space = 2" >> /etc/sysctl.conf
# Filesystem protections
chmod 750 /var/log/secure
chmod 600 /etc/securetty
# Network hardening
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
```

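The `echo ... >>` commands above add another copy of each line every time they are run and leave any earlier assignment of the same key in the file. The following added example (not part of the original guide) sets the same four keys idempotently and audits a sysctl.conf-style file against them; the function names `set_sysctl`, `effective_value` and `audit_sysctl` and the demo file are constructed for illustration.

```bash
# Added example: idempotent edits and a drift audit for a sysctl.conf-style file.
# BASELINE holds the four keys this page appends with echo; the demo file is constructed.
BASELINE='kernel.exec-shield=1
kernel.randomize_va_space=2
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0'

# set_sysctl FILE KEY VALUE: remove every live assignment of KEY, append one.
# Writing back with cat keeps the file's owner, mode and SELinux label.
set_sysctl() {
    tmp=$(mktemp) || return 1
    awk -F= -v k="$2" '{ n = $1; gsub(/[ \t]/, "", n) } n != k' "$1" > "$tmp"
    printf '%s = %s\n' "$2" "$3" >> "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# effective_value FILE KEY: print the value left in force after the file is
# loaded top to bottom (last assignment wins); status 1 if KEY is never set.
effective_value() {
    awk -F= -v k="$2" '
        /^[ \t]*[#;]/ { next }                      # comment lines
        { n = $1; gsub(/[ \t]/, "", n) }
        n == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); seen = 1 }
        END { if (!seen) exit 1; print v }' "$1"
}

# audit_sysctl FILE: report each baseline key that is missing or different.
# The return status is the number of findings (0 means compliant).
audit_sysctl() {
    findings=0
    while IFS='=' read -r key want; do
        if ! have=$(effective_value "$1" "$key"); then
            echo "MISSING $key (want $want)"; findings=$((findings + 1))
        elif [ "$have" != "$want" ]; then
            echo "DRIFT   $key = $have (want $want)"; findings=$((findings + 1))
        fi
    done <<EOF
$BASELINE
EOF
    return "$findings"
}

# Demo: a constructed file with a duplicate key and weak values.
conf=$(mktemp)
printf '%s\n' 'kernel.randomize_va_space = 1' 'kernel.randomize_va_space=0' > "$conf"
audit_sysctl "$conf" || echo "findings before fix: $?"
echo "$BASELINE" | while IFS='=' read -r k v; do set_sysctl "$conf" "$k" "$v"; done
audit_sysctl "$conf" && echo "compliant after fix"; rm -f "$conf"
```

Point `audit_sysctl` at a copy of `/etc/sysctl.conf` first; the file only describes what will be loaded, so compare against `sysctl -n KEY` for the values the running kernel actually holds.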
RHEL 6 introduces more granular SELinux controls. Example context modifications:

```bash
# Verify SELinux status
sestatus
# Custom web directory context
semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
restorecon -Rv /web
# Port management
semanage port -a -t http_port_t -p tcp 8080
```

Migration checklist:
- Audit all custom init scripts for systemd conversion
- Review firewall rules (iptables to firewalld transition)
- Test existing applications with new SELinux policies
- Validate cryptographic module compatibility
- Update monitoring tools for new system metrics
Consider postponing if your environment requires:
- Legacy application support with no RHEL 6 compatibility
- Specialized hardware without updated drivers
- Custom security modules dependent on RHEL 5 kernel features