
Why RLC Pro Hardened starts where others finish

April 3, 2026

Contributor: Arian Cabrera

February 2026 | Based on independent OpenSCAP DISA STIG benchmark testing

Running Linux in a regulated or security-sensitive environment means hardening your OS before you can trust it. That usually means running remediation scripts, auditing the results, and then managing every remaining failure as a formal finding. Each one requires a POA&M entry, a remediation owner, and a retest cycle before you can close it. The fewer failures you start with, the faster you reach Authorization to Operate (ATO). That connection between day-one security posture and compliance timeline is what this post is about.

RLC Pro Hardened, CIQ's enterprise distribution built on Rocky Linux 9, is engineered to give your security team that head start. To quantify exactly what it means, we ran independent OpenSCAP scans using the DISA STIG for RHEL 9 on three configurations:

  1. RLC 9.7 - fresh install, no modifications (baseline)
  2. RLC 9.7 - after running the official STIG remediation playbook (the best you can do with standard Rocky)
  3. RLC Pro Hardened 9.7 (STIG) - fresh install, no modifications, no remediation scripts run

The comparison that matters most is #2 versus #3: the best that a hardened-by-hand RLC achieves versus what RLC Pro Hardened delivers out of the box.

96% STIG compliance before your first remediation step

Configuration                                              | Rules evaluated | Pass | Fail | Score
-----------------------------------------------------------|-----------------|------|------|-------
RLC 9.7 - baseline (no remediation)                        | 445             | 164  | 273  | 45.32%
RLC 9.7 - after STIG remediation playbook                  | 445             | 407  | 22   | 83.87%
RLC Pro Hardened 9 (STIG) - out of the box, no remediation | 468             | 446  | 13   | 96.12%

RLC Pro Hardened starts at 96% before a single remediation step is taken. Rocky Linux, even after you have run the remediation playbook, lands at 83.87%.

Update March 2026: A subsequent scan of RLC Pro Hardened 9.7 shows continued improvement, reaching 97.64% compliance (469 passing, 8 failures) on the STIG profile and 99.30% on the CIS profile. The results are trending in the right direction as the benchmark content matures.

That gap (12 percentage points, 39 more passing rules, and 9 fewer failures) represents work you no longer have to do.

Note: RLC Pro Hardened evaluates 468 rules versus 445 for RLC. The 23 additional rules are applicable to RLC Pro Hardened because it ships with dedicated mount points (/tmp, /var, /var/log, /var/log/audit, etc.), firewalld, USBGuard, and SSSD certificate authentication configured by default. On a standard Rocky Linux install, those components are absent or unconfigured, so the scanner marks those rules as not applicable. The higher rule count reflects a broader security baseline, not a difference in the benchmark used.

Note: Some of the 13 failing rules are attributable to the automated test environment used to generate this report.

Fewer findings your security team has to manage

Running the STIG remediation playbook on Rocky Linux is itself relatively quick (~7 mins or more). That might sound trivial, but it is only the beginning of the compliance story:

  • You need to trust the script you are running on a production or production-like system.
  • The scan after remediation still shows 22 remaining failures. Each one is a finding that needs a POA&M, a remediation owner, and a retest cycle.
  • Every new deployment resets the clock. You are not buying yourself a hardened image; you are buying yourself a process.

RLC Pro Hardened does not eliminate every finding; the 13 remaining failures are real, and most require environment-specific tuning (site-specific password policies, organizational PKI integration, and similar configuration that only you can provide). But the core OS hardening, the part that is the same across every deployment, is already done.

That is the peace of mind. You can absolutely harden Rocky Linux yourself. The tooling exists, and it works. RLC Pro Hardened exists for organizations that would rather start from a position of 96% compliance and spend their security team's time on the 4% that requires their specific context.

What RLC Pro Hardened gets right out of the box

FIPS 140 mode (enabled by default)

FIPS 140 is a federal security standard for cryptographic modules, required for virtually all U.S. government and DoD workloads. Rocky Linux requires post-install configuration to enable it. RLC Pro Hardened ships with FIPS mode active by default, a hard requirement for FedRAMP, DoD IL, and CMMC environments.

System cryptography policy set to FIPS:STIG

Beyond FIPS mode, RLC Pro Hardened pre-configures the system-wide cryptography policy to the FIPS:STIG profile. This enforces only FIPS-approved ciphers and algorithms system-wide, consistent across all services and applications, without per-service configuration.

Kernel attack surface reduction

Disabling kernel modules for hardware and protocols your systems will never use is a textbook STIG requirement. RLC Pro Hardened ships with those modules disabled and blocked by default. On a standard Rocky Linux install, that work is left to you.

Audit trail that covers commonly missed events

RLC Pro Hardened extends the default auditd configuration with rules that are commonly missed:

  • Kernel module load tracking: every init_module syscall is logged
  • Privileged command auditing: tools like unix_chkpwd are fully audited
  • DAC change tracking: all xattr-related syscalls (setxattr, removexattr, fsetxattr, lsetxattr, fremovexattr, lremovexattr) are captured

These are the audit events that matter most for detecting privilege escalation and unauthorized access.
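The four settings described in this section (FIPS mode, the FIPS:STIG crypto policy, disabled kernel modules, and the auditd rules for module loads, unix_chkpwd and xattr syscalls) are all things a defender can verify locally without a full OpenSCAP run. The script below is an added example written for this post, not CIQ's code and not part of the scanner; it performs those spot checks on file contents passed in as strings, so the sample inputs are constructed here and the script runs on any machine. The file paths named in the comments (/proc/sys/crypto/fips_enabled, /etc/crypto-policies/config, modprobe.d, audit rules) are the standard locations on EL9-family systems, but reading them from a real host is left to the caller. The constructed audit rules deliberately leave out one xattr syscall, and one module is blocked but not blacklisted, so the output shows what a gap looks like.

```python
"""Spot-check STIG-related host settings from file contents (added example, not CIQ's code)."""
import shlex

# The six DAC-change syscalls the audit baseline is expected to capture
XATTR_SYSCALLS = {"setxattr", "removexattr", "fsetxattr", "lsetxattr", "fremovexattr", "lremovexattr"}


def fips_enabled(proc_fips_text):
    """/proc/sys/crypto/fips_enabled reads '1' when the kernel is in FIPS mode."""
    return proc_fips_text.strip() == "1"


def crypto_policy(config_text):
    """/etc/crypto-policies/config holds the active system-wide policy name (e.g. FIPS:STIG)."""
    for line in config_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            return line
    return None


def module_disabled(modprobe_text, module):
    """A module counts as fully disabled only when it is both blocked from loading
    ('install <mod> /bin/false' or '/bin/true') and blacklisted in a modprobe.d file."""
    install_false = blacklisted = False
    for line in modprobe_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "install" and parts[1] == module \
                and parts[2] in ("/bin/false", "/bin/true"):
            install_false = True
        if len(parts) == 2 and parts[0] == "blacklist" and parts[1] == module:
            blacklisted = True
    return {"install_false": install_false, "blacklisted": blacklisted}


def parse_audit_rules(rules_text):
    """Parse '-a' syscall rules into {syscalls, fields}; -w watches and control lines are skipped."""
    rules = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] != "-a":
            continue
        rule = {"syscalls": set(), "fields": set()}
        for flag, value in zip(tokens[1:], tokens[2:]):  # look at each flag with the token after it
            if flag == "-S":
                rule["syscalls"].update(value.split(","))
            elif flag == "-F":
                rule["fields"].add(value)
        rules.append(rule)
    return rules


def audit_coverage(rules_text):
    """Check the three commonly missed audit areas named in the post, for 64-bit syscall rules."""
    rules = parse_audit_rules(rules_text)
    b64 = [r for r in rules if "arch=b64" in r["fields"]]
    covered_xattr = set().union(*(r["syscalls"] for r in b64)) & XATTR_SYSCALLS
    return {
        "init_module_b64": any("init_module" in r["syscalls"] for r in b64),
        "unix_chkpwd": any("path=/usr/sbin/unix_chkpwd" in r["fields"] and "perm=x" in r["fields"]
                           for r in rules),
        "missing_xattr_b64": sorted(XATTR_SYSCALLS - covered_xattr),
    }


def findings(fips_text, policy_text, modprobe_text, audit_text, modules=("usb-storage", "sctp")):
    """Return a list of human-readable gaps; an empty list means every spot check passed."""
    out = []
    if not fips_enabled(fips_text):
        out.append("FIPS mode is not enabled")
    if crypto_policy(policy_text) != "FIPS:STIG":
        out.append(f"crypto policy is {crypto_policy(policy_text)!r}, expected FIPS:STIG")
    for mod in modules:
        state = module_disabled(modprobe_text, mod)
        if not (state["install_false"] and state["blacklisted"]):
            out.append(f"kernel module {mod} not fully disabled: {state}")
    cov = audit_coverage(audit_text)
    if not cov["init_module_b64"]:
        out.append("audit: init_module syscall not logged (arch=b64)")
    if not cov["unix_chkpwd"]:
        out.append("audit: /usr/sbin/unix_chkpwd execution not logged")
    if cov["missing_xattr_b64"]:
        out.append("audit: xattr syscalls not covered (arch=b64): " + ", ".join(cov["missing_xattr_b64"]))
    return out


# Constructed sample inputs (not taken from any shipped image)
SAMPLE_FIPS = "1\n"
SAMPLE_POLICY = "FIPS:STIG\n"
SAMPLE_MODPROBE = "install usb-storage /bin/false\nblacklist usb-storage\ninstall sctp /bin/false\n"
SAMPLE_AUDIT_RULES = """
## constructed sample rules; fremovexattr is intentionally missing from the xattr rule
-a always,exit -F arch=b64 -S init_module,finit_module -F key=modules
-a always,exit -F arch=b32 -S init_module,finit_module -F key=modules
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged-unix-chkpwd
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
"""

if __name__ == "__main__":
    for gap in findings(SAMPLE_FIPS, SAMPLE_POLICY, SAMPLE_MODPROBE, SAMPLE_AUDIT_RULES):
        print("FINDING:", gap)
```

Each check is intentionally narrow and literal, which is also how the STIG content evaluates these items: a module with only an `install ... /bin/false` line, or an xattr rule that omits one syscall, is reported as a gap rather than rounded up to "mostly configured".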

Enterprise vendor support verified

The DISA STIG requires that the installed OS be vendor-supported. RLC Pro Hardened is backed by CIQ's enterprise support and passes that control. For organizations subject to RMF, ATO, or similar authorization processes, this is a meaningful and auditable distinction.

A faster path to authorization

Every STIG failure is a finding. Fewer findings mean:

  • A shorter POA&M to manage
  • Less risk of configuration drift between install and authorization
  • A faster path to Authorization to Operate (ATO)

Starting at 13 failures instead of 22 is not a cosmetic difference. It represents a materially shorter remediation backlog and a more defensible initial security posture on day one.

How we tested

All results are based on OpenSCAP scans using the DISA STIG for Red Hat Enterprise Linux 9 V2R5, applied to RLC+ 9.7 and RLC Pro Hardened 9.7. The Rocky Linux post-remediation scan was produced by running the standard STIG remediation playbook against a clean Rocky Linux 9.7 install. The RLC Pro Hardened scan was run against a clean RLC Pro Hardened 9.7 install with no additional remediation applied. Scans were performed in February 2026. Full HTML scan reports with per-rule pass/fail status are available on request.
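The comparison the post builds on (the remediated Rocky scan versus the out-of-the-box RLC Pro Hardened scan) comes down to a rule-by-rule diff of two OpenSCAP result files. The script below is an added example written for this post, not CIQ's tooling and not part of OpenSCAP; it parses the `<TestResult>` element that `oscap xccdf eval --results` writes, counts pass/fail/notapplicable, and classifies each rule as fixed, regressed, still failing, or newly applicable (the "not applicable on stock Rocky, evaluated on Hardened" case the rule-count note describes). The two XML documents embedded here are constructed samples with placeholder rule ids and placeholder scores, not the real scan reports. The score is read from the file rather than recomputed, because OpenSCAP's default scoring model weights rules and so does not equal pass/(pass+fail).

```python
"""Diff two OpenSCAP XCCDF result files rule by rule (added example, not CIQ's tooling)."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"  # namespace used by XCCDF 1.2 documents


def _tag(name):
    return f"{{{XCCDF_NS}}}{name}"


# Constructed sample: "after remediation playbook" run. Rule ids and score are placeholders.
RESULT_REMEDIATED = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult_remediated">
    <rule-result idref="xccdf_example_rule_fips_mode"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_init_module"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_usbguard_installed"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_password_minlen"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_usb_storage_disabled"><result>pass</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">60.00</score>
  </TestResult>
</Benchmark>
"""

# Constructed sample: "hardened image, no remediation" run. Rule ids and score are placeholders.
RESULT_HARDENED = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult_hardened">
    <rule-result idref="xccdf_example_rule_fips_mode"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_audit_init_module"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_usbguard_installed"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_password_minlen"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_usb_storage_disabled"><result>pass</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">80.00</score>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Return {rule_id: result} for every <rule-result> in the document."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.iter(_tag("rule-result")):
        res = rr.find(_tag("result"))
        if res is not None and res.text:
            results[rr.get("idref")] = res.text.strip()
    return results


def reported_score(xml_text):
    """Return the scanner's own <score> value, or None if the file has none."""
    root = ET.fromstring(xml_text)
    node = root.find(f".//{_tag('score')}")
    return float(node.text) if node is not None and node.text else None


def summarize(results):
    """Count outcomes; 'evaluated' here means pass + fail (this script's definition)."""
    counts = Counter(results.values())
    return {
        "pass": counts["pass"],
        "fail": counts["fail"],
        "notapplicable": counts["notapplicable"],
        "evaluated": counts["pass"] + counts["fail"],
    }


def diff_results(before, after):
    """Classify how each rule's status changed between two scans."""
    out = {"fixed": [], "regressed": [], "still_failing": [], "newly_applicable": []}
    for rule in sorted(set(before) | set(after)):
        b = before.get(rule, "notselected")
        a = after.get(rule, "notselected")
        if b == "fail" and a == "pass":
            out["fixed"].append(rule)
        elif b == "pass" and a == "fail":
            out["regressed"].append(rule)
        elif b == "fail" and a == "fail":
            out["still_failing"].append(rule)
        if b == "notapplicable" and a in ("pass", "fail"):
            out["newly_applicable"].append(rule)  # rule became applicable on the second system
    return out


if __name__ == "__main__":
    before, after = parse_results(RESULT_REMEDIATED), parse_results(RESULT_HARDENED)
    print("before:", summarize(before), "score", reported_score(RESULT_REMEDIATED))
    print("after: ", summarize(after), "score", reported_score(RESULT_HARDENED))
    for category, rules in diff_results(before, after).items():
        print(f"{category}: {rules}")
```

Pointing the two constants at real result files (for example by reading them from disk before calling `parse_results`) turns the "still_failing" list into the starting POA&M and the "newly_applicable" list into the explanation for a differing rule count, which is exactly the information an assessor asks for first.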

Ready to start secure?

If your organization operates in a regulated environment (federal, defense, healthcare, or financial), the compliance work starts at install time. RLC Pro Hardened delivers a DISA STIG-compliant foundation at first boot, giving your security team a running start instead of a to-do list.


RLC Pro Hardened is developed and supported by CIQ. DISA STIG compliance data based on independent OpenSCAP scan results from February 2026.
