CentOS 8 Part B: Advanced Configuration and Management

Security

In the previous article, we discussed the visual changes and new features in the CentOS 8 Update. As you are all aware, one of the critical features of the Linux OS and all its distros is the trusted Security patches, and how developers prioritize Update patches whenever a Security hole is identified.

Regarding Security, Linux is a game-changer; tighter Security features have been added to the new release.

For example:

• CentOS 8 comes with System-wide Cryptographic Policies that help you manage cryptographic compliance—no need to modify and tune specific applications.
• OpenSSH has been updated to version 7.8p1, which no longer supports the SSH version 1 protocol, Blowfish/CAST/RC4 ciphers, and hmac-ripemd160 message authentication code.
• CentOS 8 comes with System-wide Cryptographic Policies that help you manage cryptographic compliance—no need to modify and tune specific applications.

Cockpit

The cockpit is now part of Red Hat Enterprise Linux’s default repositories. With this Update, your web console will be automatically installed in the GUI version of CentOS 8—no more hassle, as the firewall ports required by the console are automatically opened.

• The cockpit is now compatible with mobile browsers. This means users can manage systems using the CentOS/RHEL 8 web console from a mobile device.

Supported CPU Architectures include:

• AMD and Intel 64-bit architectures
• The 64-bit ARM architecture
• IBM Power Systems, Little Endian
• IBM Z

Infrastructure services

In CentOS 7, CUPS logs were stored in specific files within the /var/log/cups directory. This has now changed because all types of CUPS logs are centrally logged in the System Journal Daemon, together with records from other programs. You now use journalctl -u cups to access them.

BIND features

• New quotas have been introduced to limit the number of queries recursive resolvers can send to authoritative servers under denial-of-service attack.
• The nslookup utility now defaults to looking up both IPv6 and IPv4 addresses.
• The named service now checks whether other name server processes are running before starting up.
• When loading a signed zone, named now checks whether a Resource Record Signature (RRSIG) inception Time is in the future; if so, it regenerates the RRSIG immediately.
• Zone transfers now use smaller message sizes to improve message compression, thereby reducing Network usage.
• A new method for provisioning secondary servers, called Catalog Zones, has been added.
• The named service and the dig utility now send Domain Name System Cookies.
• The Response Rate Limiting feature can now help mitigate DNS amplification attacks.
• The performance of the Response Policy Zone (RPZ) has been improved.

Aside from the negative feedback about the new CentOS Update from our customers, we found that almost all users are pleased with the latest tools. It is now easier for beginners or users unfamiliar with the Linux OS’s command line and terminal interface.

Virtualization

• Secure Encrypted Virtualization (SEV) feature for AMD EPYC host machines that use the KVM Hypervisor.
• The QEMU emulator introduces the sandboxing feature. QEMU sandboxing provides configurable limits on what QEMU can do, thereby making virtual machines more secure.
• Q35, a more modern PCI Express-based machine type, is supported by Red Hat Enterprise Linux (RHEL) 8 Virtualization. All virtual machines created in RHEL 8 use the Q35 PC machine type by default.
• Nested virtualization is now available on IBM POWER 9
• KVM virtualization is usable in CentOS 8 Hyper-V virtual machines
• KVM virtualization now supports the User-Mode Instruction Prevention (UMIP) feature, which can help prevent user-space applications from accessing system-wide settings
• KVM virtualization now supports 5-level paging, which significantly increases the physical and virtual address space available to boot host and guest systems.
• NVIDIA vGPU is now compatible with the VNC console
• Ceph storage is supported by KVM virtualization on all CPU architectures sponsored by Red Hat
• CentOS 8 is distributed with qemu-KVM 2.12 with Q35 guest machine type support, UEFI guest boot support, vCPU hot plug and hot unplug, NUMA tuning and pinning in the guest, and guest I/O threading

Despite all our discussion in this article, nothing is good enough if the System we’ve used for many years is replaced with an entirely different OS. However, if you want to be sure this new Update is good enough, there’s no harm in trying it.

FAQ