Security
Rocky Linux Security
Being a large open source project with community contributions leaves Rocky Linux open to malicious attacks. Thankfully, the Rocky Linux infrastructure is designed from the ground up with security in mind, allowing both casual contributors and large security-focused organizations to safely use Rocky. In addition, there is an entire security team ensuring that Rocky Linux is a safe operating system for users.
Security Measures
As the official founding support and services partner and sponsor of Rocky Linux, CIQ is committed to providing its clients with secure and reliable technology solutions. Through Rocky Linux, CIQ can ensure data and systems are protected against cyber threats and malicious attacks.
Advanced security measures implemented by CIQ include:
FIPS 140-3
Rocky Linux is now on the NIST Implementation Under Test List. This is a significant accomplishment because of the extensive validation process for FIPS 140-3 requirements. Federal Information Processing Standard Publication 140-3 (FIPS 140-3) is a U.S. government computer security standard used to approve cryptographic modules. FIPS validation is required in many applications with high security requirements, such as health care, government, defense, and financial environments. CIQ has arranged and funded the FIPS validation process and will be providing it back to the entire RESF / Rocky community for free.
Transparency
Rocky Linux is built with Peridot, an open source, cloud-native build and release system. This means that anyone can build, enhance, and reproduce Rocky Linux independently using Peridot; it also means that the entire Rocky Linux build process and its pipelines are transparent and out in the open. Among other things, this transparency prevents malicious packages from being introduced into the operating system. Developed by CIQ, given to the Rocky Enterprise Software Foundation (RESF) and released as an open source project, Peridot also helps ensure that Rocky Linux will always be freely available and community controlled.
Errata
Rocky Linux security updates and vulnerabilities are published on errata.rockylinux.org. Errata are a critical aspect of managing supply chain security, because they provide the reporting needed for transparency about the latest bug fixes, CVEs, functionality enhancements and more, all in real time. By making this information fully available alongside the Rocky Linux repositories, users can perform more granular maintenance of their systems. Rocky Linux now includes this information in full in its currently supported repositories, and is also making historical data available through the errata Web UI. The RESF, which maintains Rocky Linux, will provide full API access to this data.
Security Patches
As previously mentioned, users can go to errata.rockylinux.org to see security updates and vulnerabilities. Additionally, users can join the Rocky Linux mailing list to receive updates about patches, which are available at download.rockylinux.org. To receive notifications about patches, go to lists.resf.org and find the list called “Rocky Announce”. Finally, users can use DNF to see what updates their systems need. There is a demo starting at 22:34 of this webinar.
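The errata data described above is what DNF reads when it reports pending advisories, so the two sections come together in a single workflow: query the advisory metadata, decide what is pending, and apply security updates. The script below is an added example, not code from this page, from CIQ or from the Rocky Linux project. The comments list the real `dnf updateinfo`, `dnf check-update` and `dnf upgrade` invocations; the functions parse the `dnf updateinfo list` output format (advisory id, type/severity, package) so a fleet script can summarize pending advisories. `SAMPLE_UPDATEINFO` is constructed here for illustration, with `RLSA-EXAMPLE:...` placeholders instead of real advisory ids, and the assumption that the column layout matches what `dnf updateinfo list` prints.

```shell
#!/bin/sh
# Added example: summarizing pending Rocky Linux security advisories.
# Real commands on a Rocky host (advisory id below is a placeholder):
#   dnf updateinfo list --security        # pending security advisories
#   dnf updateinfo info RLSA-EXAMPLE:0001 # details, CVEs and references
#   dnf check-update --security           # exit status 100 when any are pending
#   dnf upgrade --security                # apply only security-rated updates

# Constructed sample of "dnf updateinfo list" output; not real advisory data.
# Columns: <advisory id> <type or severity/Sec.> <package nevra>
SAMPLE_UPDATEINFO='RLSA-EXAMPLE:0001 Important/Sec. openssl-1:3.0.7-EXAMPLE.x86_64
RLSA-EXAMPLE:0002 Moderate/Sec.  kernel-5.14.0-EXAMPLE.x86_64
RLBA-EXAMPLE:0003 bugfix         bash-5.1.8-EXAMPLE.x86_64
RLSA-EXAMPLE:0004 Critical/Sec.  curl-7.76.1-EXAMPLE.x86_64
RLSA-EXAMPLE:0001 Important/Sec. openssl-libs-1:3.0.7-EXAMPLE.x86_64'

# Number of security-rated lines at exactly the given severity (stdin = list output).
count_by_severity() {
  awk -v sev="$1/Sec." '$2 == sev { n++ } END { print n + 0 }'
}

# Unique security advisory ids (one advisory can cover several packages).
security_advisories() {
  awk '$2 ~ /\/Sec\.$/ { print $1 }' | sort -u
}

# Count of unique security advisories, as a single integer on stdout.
count_security_advisories() {
  security_advisories | awk 'END { print NR }'
}

# Exit 0 if any pending security advisory is at or above the given severity
# (Critical > Important > Moderate > Low); exit 1 otherwise. Mirrors the
# "exit status means action needed" idea of "dnf check-update --security".
has_pending_at_or_above() {
  awk -v want="$1" '
    function rank(s) {
      if (s == "Critical")  return 4
      if (s == "Important") return 3
      if (s == "Moderate")  return 2
      if (s == "Low")       return 1
      return 0
    }
    $2 ~ /\/Sec\.$/ {
      split($2, parts, "/")
      if (rank(parts[1]) >= rank(want)) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Wrapper for a live host: feed real dnf output through the same summary.
live_security_summary() {
  dnf -q updateinfo list --security 2>/dev/null | count_security_advisories
}

# Stand-alone demonstration on the constructed sample.
printf 'Security advisories pending: %s\n' \
  "$(printf '%s\n' "$SAMPLE_UPDATEINFO" | count_security_advisories)"
for sev in Critical Important Moderate Low; do
  printf '  %-9s %s\n' "$sev" \
    "$(printf '%s\n' "$SAMPLE_UPDATEINFO" | count_by_severity "$sev")"
done
if printf '%s\n' "$SAMPLE_UPDATEINFO" | has_pending_at_or_above Important; then
  echo 'Action: run "dnf upgrade --security" on this host'
fi
```

The severity threshold is the knob a maintenance policy usually turns: patch Critical and Important advisories on a short cycle, and batch Moderate and Low into the regular maintenance window. Because one advisory can cover several packages, `count_security_advisories` deduplicates on the advisory id rather than counting lines.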
Conclusion
Because Rocky Linux is a community Enterprise Linux platform, security measures are a top priority. As the official founding support and services partner and sponsor of Rocky Linux, CIQ will continue to invest in security features and policies that ensure that all users, from large companies all the way down to individuals, trust the operating system they are using.