Available Now: A Security-focused Linux… and pre-configured compliance options

June 3, 2025
Contributors

The CIQ Team

Over the past few months, we've partnered with dozens of companies to test and refine our tech preview release of Rocky Linux from CIQ - Hardened (RLC-H). We're grateful to everyone who helped us perfect this critical release. This week, RLC-H reached general availability and is now available for download via CIQ Portal. We welcome discussions with anyone interested in testing or evaluating RLC-H for their environments.

RLC-H is a security-focused version of Rocky Linux from CIQ (RLC), designed for anyone concerned about security and for environments with explicit, deep security requirements. It features hardened core packages that help minimize zero-day attacks, accelerated risk mitigation to reduce exposure while staying ahead of updates, and strong access controls that include advanced password hashing and threat detection capabilities. We’ve added many features to this release, and they are outlined below.

Layering on compliance.

When we originally released RLC-H, we focused mainly on key security requirements. At the same time, we had other initiatives that would help RLC meet some of the strenuous compliance requirements you might have. So, with GA, we decided to introduce and integrate pre-hardened images for frameworks like DISA STIG or CIS, along with FIPS 140-3 compliant packages in RLC-H. These new options will help you eliminate months of manual configuration so you can speed compliance, automate ongoing efforts and meet audit requirements.

Challenging an assumption: Every environment needs a secure OS.

When we first dreamt up RLC-H, we envisioned it as a niche Linux distribution for workloads with the most stringent security requirements. While this remains true, we've also discovered that most environments could benefit from a more security-forward distribution. Although the OS, and Linux in particular, has always been a key focus for security practitioners, it's now more critical than ever. Security incidents have measurable business impact across all organizations, and the rate of incidents and threat vectors continues to increase.

This necessitates "defense-in-depth" from the infrastructure up through the app layer. While RLC-H may be used for specific workloads with deep security requirements, it is also configurable, so it can be used across your entire Linux ecosystem, from login to compute nodes, because any unhardened system can serve as an attack vector that compromises your entire environment.

Many of the tech preview participants had security concerns with Enterprise Linux and the speed at which they could manually configure hundreds of servers, apply patches and address CVEs. For these organizations, RLC-H provides an optimal solution.

RLC-H: Enterprise Linux optimized for security.

As noted, we worked with our tech preview partners to sort out the “right” set of features for RLC-H and learned a lot. RLC-H starts with open source Rocky Linux and enhances it to meet key security and general enterprise requirements. The final list of features for GA can be outlined as differences between RLC-H and Rocky Linux:

  • Hardened Packages: RLC-H includes patches and configuration changes for critical packages like glibc and OpenSSH to enhance security. This includes removing unsafe environment variable usage, stripping non-essential libraries, and enforcing stricter security policies.
  • Additional Security Tools: RLC-H incorporates advanced security tools such as Linux Kernel Runtime Guard (LKRG) for kernel-level protection and hardened_malloc for enhanced memory security.
  • Proactive Security: RLC-H helps you stay ahead of zero-day and newly discovered vulnerabilities, reducing the threat window and making systems less of a target. Code changes address entire classes of exploits, not just single CVEs.
  • Pre-Remediated, Compliant Images: RLC-H offers pre-remediated and compliant images. It also provides pre-configured DISA STIG or CIS security hardening and FIPS 140-3 compliant cryptographic modules.
  • Indemnification: RLC-H includes indemnification, giving you the assurance and guarantees to use the open source software with confidence.
  • Long Term Support (LTS): LTS can be added to RLC-H for specific point releases to enable you to stay compliant for over four additional years.
  • Customizable Security Controls: RLC-H offers a Control Framework that persists custom security configurations across updates, and optional modules can be enabled or disabled based on security vs. performance needs.
  • Password Security Enhancements: RLC-H includes passwdqc for stronger password policies and yescrypt hashing for enhanced resistance to password cracking.
  • Package Validation: RLC-H packages are CIQ-verified and cryptographically signed, ensuring package integrity from verified CIQ repositories, compared to the community-maintained packages of standard Rocky Linux. In addition to a checksum, each image ships with an SBOM.

Why do you need a hardened version of Enterprise Linux?

The kernel is a valuable attack surface and has become an increasingly important target, as attackers can use it to gain complete control of systems. Meanwhile, baseline perimeter controls like firewalls and even SELinux are not enough, as sophisticated attacks like rootkits and privilege escalation can circumvent these. As noted, you need multiple layers of security in place, especially as the rate of new attacks increases. Resilience and zero-trust are critical protections, and your infrastructure, especially Enterprise Linux, needs to play a part. A hardened version will help with the following:

  • Increased security mitigates risk and drives business value - Security incidents have a measurable business impact (downtime and reputation)
  • Mandatory security compliance is costly - While required, the requirements are time-consuming, error-prone, and resource-intensive
  • Security resources are expensive and should be focused on strategic initiatives - Routine security tasks need to be automated so resources can focus on the business
  • Competitive advantage is critical in a rapidly changing environment - Even slight optimizations can result in an advantage over competitors or threat actors

How to get RLC-H?

If you need more information about RLC-H, we have more info on our website and in our docs. If you are interested in evaluating or using RLC-H, we’d love to talk to you.
