Rocky Linux from CIQ - Hardened

Stop Linux threats: employ proactive security

RLC-H is trusted Enterprise Linux that is delivered securely, is always up to date, and proactively protects apps and services from malicious threats.

Enterprise Linux built by the Rocky community; optimized, hardened and supported by CIQ

Hardened packages

RLC-H includes patches and configs for key packages such as glibc, where we remove unsafe environment variables when crossing a privilege boundary.

OpenSSH

RLC-H hardens the OpenSSH package, reducing its attack surface through removal of non-essential libraries.

LKRG attack detection and response

RLC-H adds Linux Kernel Runtime Guard (LKRG) to detect kernel vulnerability exploits and to identify and respond to unauthorized modifications of a running kernel and its security-critical data.

hardened_malloc

RLC-H adds a security-focused general purpose memory allocator which implements secure heap allocation strategies and strengthens resistance against heap exploitation techniques.

Stronger passwords

RLC-H includes passwdqc for stronger password policies and yescrypt hashing for enhanced resistance to GPU password cracking.

Accelerated CVE mitigation

The CIQ team delivers patches for especially important CVEs ahead of standard updates, significantly reducing exposure time.

Custom security controls

RLC-H offers a control framework that includes a set of predefined facilities for password security and reduced exposure of local privileged programs (such as SUID root).

Package validation

All packages are CIQ-verified and cryptographically signed, ensuring package integrity from verified CIQ repositories. In addition to a checksum, each image ships with an SBOM.

Advanced kernel protection with LKRG 1.0

Linux Kernel Runtime Guard (LKRG) adds real-time kernel integrity monitoring to RLC-H. Operating as a kernel module, LKRG continuously validates critical kernel components and detects exploitation attempts as they occur.

What LKRG monitors:

  • Vulnerabilities your team hasn't detected yet
  • Kernel memory structures and loaded modules
  • Process credentials and security contexts
  • CPU security features and enforcement
  • Control flow integrity

LKRG 1.0 delivers production-ready capabilities:

  • Support for Linux kernels 3.10 through 6.17
  • Enhanced container workload compatibility
  • Performance optimizations reducing overhead
  • Reduced false positives on modern kernels

Proven protection against real-world exploits:

  • CVE-2021-3490 (eBPF)
  • CVE-2022-0492 (container escape)
  • CVE-2024-1086 (nf_tables use-after-free)

RLC-H and compliance for regulated deployments

RLC-H eliminates manual work so you can speed compliance, automate ongoing efforts, and help meet audit requirements with pre-hardened images for frameworks like DISA STIG or CIS, along with FIPS 140-3 compliant cryptographic modules. You can also add pre-remediated and compliant images to RLC-H based on your compliance requirements.

LKRG provides continuous monitoring required for dynamic security frameworks, complementing static configuration compliance with active threat detection.

Why RLC-H?

As the speed, sophistication, and volume of attacks on corporate systems accelerate, CISOs and IT security teams struggle to apply an effective and consistent Linux security policy across all their servers.

With RLC-H, you get Enterprise Linux and can be assured that it is delivered securely, configured correctly, and proactively protecting your apps and services from malicious threats.

Proactive

Pre-configured against key threat vectors and delivers hardened memory and kernel integrity checking.

Current

Delivers the latest version of Rocky Linux and is actively updated with all updates and patches.

Speed

Use a pre-hardened Linux OS, so you eliminate the need to manually update a fleet of servers.

Security experts in your corner, protecting your infrastructure while your team drives results

RLC-H comes with support from our team of experts who have decades of experience securing Linux in some of the most demanding and stringent environments on the planet.

$8.8M

Avg. cost of a license violation.

CIQ indemnifies you against open-source license compliance risk.

76%

of codebases contain at least one vulnerability.

CIQ provides CVE patch SLAs and hardened security.

Includes indemnification

Rocky Linux from CIQ - Hardened comes with the protection and indemnification guarantees that eliminate your risk and liability in the case of legal issues against the open source software. CIQ is accountable and delivers the coverage to keep your legal and compliance teams satisfied.

Read more about RLC-H

Linux Security: a comparison of manual vs pre-hardening of the operating system

Deploy fast or deploy secure, and how to do both

Rocky Linux from CIQ – Hardened Now Available on All Three Major Cloud Marketplaces

The real danger of systemd-coredump CVE-2025-4598
