Rocky Linux from CIQ - Hardened

CIQ

Rocky Linux from CIQ - Hardened (RLC-H) is Enterprise Linux that is delivered securely, always up to date, and proactively protects apps and services.

As the speed, sophistication, and volume of attacks on corporate systems accelerate, CISOs and IT security teams struggle to apply an effective and consistent Linux security policy across all their servers. With Rocky Linux from CIQ - Hardened (RLC-H), you get Enterprise Linux and can be assured that it is delivered securely, configured correctly, and is proactively protecting your apps and services from malicious threats.

RLC-H comes pre-configured against key threat vectors, and delivers hardened kernel and memory integrity checking at runtime. The operating system is pre-hardened and offers further options to apply OpenSCAP policies for compliance environments like DISA-STIG and CIS. Going beyond reactive security, RLC-H takes a proactive approach to keeping your operating environment safe, and eliminates manual work spent tuning and applying security profiles so you can meet corporate and audit requirements easily and effectively.

Highlights:

  • Hardened packages: RLC-H includes patches and configuration changes for critical packages like glibc, where we remove unsafe environment variables when crossing a privilege boundary.
  • Hardened OpenSSH: Another critical package hardened in RLC-H is OpenSSH, where we reduce its attack surface through removal of non-essential libraries.
  • LKRG threat detection and response: Linux Kernel Runtime Guard (LKRG) detects kernel vulnerability exploits and identifies and responds to unauthorized modifications of a running kernel and its security-critical data (notably including task credentials).
  • hardened_malloc: A security-focused, general-purpose memory allocator that implements secure heap allocation strategies and strengthens resistance against heap exploitation techniques.
  • Stronger passwords: RLC-H includes passwdqc for stronger password policies and yescrypt hashing for enhanced resistance to GPU password cracking.
  • Advanced CVE mitigation: The CIQ team delivers patches for especially important CVEs ahead of standard updates, significantly reducing exposure time.
  • Customizable security controls: RLC-H offers a control framework that includes a set of predefined facilities for password security and reduced exposure of local privileged programs (such as SUID root).
  • Package validation: All packages are CIQ-verified and cryptographically signed, ensuring package integrity from verified CIQ repositories. In addition to a checksum, each image ships with an SBOM.

Various levels of support are available for RLC-H. Review the CIQ Enterprise Support Options, found in the product information links, or the plan details for more information. If you purchase an option with Standard or Premium support included, you will need to contact CIQ through our web site to set up your account on our support portal. SLAs for response times won't apply until your support account has been activated. (Azure Support Integration is coming in 2025, but is not yet available.)