
CentOS 8 Part B

Security

In the previous article, we covered the visual changes and new features in the CentOS 8 update. As you all know, one of the critical features of Linux and all of its distributions is the trusted stream of security patches, and how much care the developers put into shipping an update whenever a security hole shows up. Regarding security, Linux is a game-changer in this field, and tighter security features have been added in the brand-new release.

For example:

  • CentOS 8 comes with System-wide Cryptographic Policies that help you manage cryptographic compliance. No need to modify and tune specific applications.
  • OpenSSH has been rebased to version 7.8p1, with no support for the SSH version 1 protocol, the Blowfish/CAST/RC4 ciphers, or the hmac-ripemd160 message authentication code.
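
As an added example (not part of the original post), here is a small Python audit that flags settings a CentOS 7 sshd_config may carry over but that OpenSSH 7.8 no longer accepts: the SSH-1 protocol, the Blowfish/CAST/RC4 ciphers and the hmac-ripemd160 MACs. The sample configuration is constructed for illustration; run the function on a real /etc/ssh/sshd_config before upgrading.

```python
import re

# Algorithms dropped in OpenSSH 7.8, the version CentOS 8 rebases to.
REMOVED_CIPHERS = {"blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128", "arcfour256"}
REMOVED_MACS = {"hmac-ripemd160", "hmac-ripemd160@openssh.com",
                "hmac-ripemd160-etm@openssh.com"}

# Constructed legacy sshd_config, as it might be copied over from a CentOS 7 host.
SAMPLE_SSHD_CONFIG = """\
# hardened years ago, never revisited
Protocol 2,1
Ciphers aes256-ctr,blowfish-cbc,arcfour
MACs hmac-sha2-256,hmac-ripemd160
KexAlgorithms diffie-hellman-group14-sha256
"""


def audit_ssh_config(text):
    """Return a list of (line_no, finding) for settings OpenSSH 7.8 rejects or ignores."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"(\w+)\s*[= ]\s*(.+)", line)   # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "protocol" and "1" in value.split(","):
            findings.append((no, "Protocol 1 is no longer supported"))
        elif key in ("ciphers", "macs"):
            removed = REMOVED_CIPHERS if key == "ciphers" else REMOVED_MACS
            # a leading +/- modifies the default list; the names behind it still matter
            algs = [a.strip().lower() for a in value.lstrip("+-").split(",")]
            bad = [a for a in algs if a in removed]
            if bad:
                findings.append((no, "%s lists removed algorithms: %s"
                                 % (m.group(1), ", ".join(bad))))
    return findings


if __name__ == "__main__":
    for line_no, finding in audit_ssh_config(SAMPLE_SSHD_CONFIG):
        print("line %d: %s" % (line_no, finding))
```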

Cockpit

Cockpit is now part of the Red Hat Enterprise Linux default repositories. From this update on, the web console is installed automatically in the GUI version of CentOS 8. There is no more hassle either, because the firewall ports required by the console are opened automatically.

  • Cockpit is now compatible with mobile browsers, which means users can manage systems through the CentOS/RHEL 8 web console from a mobile device.

Supported CPU Architectures include:

  • AMD and Intel 64-bit architectures
  • The 64-bit ARM architecture
  • IBM Power Systems, Little Endian
  • IBM Z

Infrastructure services

In CentOS 7, CUPS logs were stored in dedicated files under the /var/log/cups directory. This has changed: all types of CUPS logs are now logged centrally in the systemd journal together with records from other programs, and you use journalctl -u cups to access them.

BIND features

  • New quotas have been added to limit queries sent by recursive resolvers to authoritative servers experiencing denial-of-service attacks.
  • The nslookup utility now looks up both IPv6 and IPv4 addresses by default.
  • The named service now checks whether other name server processes are running before starting up.
  • When loading a signed zone, named now checks whether a Resource Record Signature's (RRSIG) inception time is in the future, and if so, it regenerates the RRSIG immediately.
  • Zone transfers now use smaller message sizes to improve message compression, which reduces network usage.
  • A new method of provisioning secondary servers called Catalog Zones has been added.
  • The named service and the dig utility now send Domain Name System Cookies.
  • The Response Rate Limiting feature can now help mitigate DNS amplification attacks.
  • The performance of the response-policy zone (RPZ) has been improved.

Aside from all this talk about the new CentOS update, the feedback we received from our customers shows that almost all users are very happy with the latest tools. It is easier now for beginners and for users who are not entirely familiar with the Linux command line and the terminal interface.

Virtualization

  • The Secure Encrypted Virtualization (SEV) feature is available for AMD EPYC host machines that use the KVM hypervisor.
  • The QEMU emulator introduces the sandboxing feature. QEMU sandboxing provides configurable limitations on which system calls QEMU can perform, and thus makes virtual machines more secure.
  • Q35, a more modern PCI Express-based machine type, is supported by RHEL 8 virtualization. All virtual machines created in RHEL 8 use the Q35 PC machine type by default.
  • Nested virtualization is now available on IBM POWER 9.
  • KVM virtualization is usable in CentOS 8 Hyper-V virtual machines.
  • KVM virtualization now supports the User-Mode Instruction Prevention (UMIP) feature, which can help prevent user-space applications from accessing system-wide settings.
  • KVM virtualization now supports the 5-level paging feature, which significantly increases the physical and virtual address space the host and guest systems can use.
  • NVIDIA vGPU is now compatible with the VNC console.
  • Ceph storage is supported by KVM virtualization on all CPU architectures supported by Red Hat.
  • CentOS 8 ships qemu-kvm 2.12 with Q35 guest machine type support, UEFI guest boot support, vCPU hot plug and hot unplug, NUMA tuning and pinning in the guest, and guest I/O threading.

Despite everything we said in this article, no update feels good enough when the system we have used for many years changes into an entirely different OS; but if you want to know for sure whether this new update is good enough, there is no harm in trying it out.