RLC Pro Hardened

Stop Linux threats: employ proactive security

RLC Pro Hardened is trusted Enterprise Linux that is delivered securely, is always up to date, and proactively protects apps and services from malicious threats.

Enterprise Linux built by the Rocky community; optimized, hardened and supported by CIQ

Hardened packages

RLC Pro Hardened includes patches and configs for key packages like glibc, where we remove unsafe environment variables when crossing a privilege boundary.

OpenSSH

RLC Pro Hardened hardens the OpenSSH package, reducing its attack surface through removal of non-essential libraries.

LKRG attack detection and response

RLC Pro Hardened adds Linux Kernel Runtime Guard (LKRG) to detect kernel vulnerability exploits and to identify and respond to unauthorized modifications of a running kernel and its security-critical data.

hardened_malloc

RLC Pro Hardened adds a security-focused general purpose memory allocator which implements secure heap allocation strategies and strengthens resistance against heap exploitation techniques.

Stronger passwords

RLC Pro Hardened includes passwdqc for stronger password policies and yescrypt hashing for enhanced resistance to GPU password cracking.

Accelerated CVE mitigation

The CIQ team delivers patches for especially important CVEs ahead of standard updates, significantly reducing exposure time.

Custom security controls

RLC Pro Hardened offers a control framework that includes a set of predefined capabilities for password security and reduced exposure of local privileged programs (such as SUID root).

Package validation

All packages are CIQ-verified and cryptographically signed, ensuring package integrity from verified CIQ repositories. In addition to a checksum, each image ships with an SBOM.

Advanced kernel protection with LKRG 1.0

Linux Kernel Runtime Guard (LKRG) adds real-time kernel integrity monitoring to RLC Pro Hardened. Operating as a kernel module, LKRG continuously validates critical kernel components and detects exploitation attempts as they occur.

What LKRG monitors:

  • Vulnerabilities your team hasn't detected yet
  • Kernel memory structures and loaded modules
  • Process credentials and security contexts
  • CPU security features and enforcement
  • Control flow integrity

LKRG 1.0 delivers production-ready capabilities:

  • Support for Linux kernels 3.10 through 6.17
  • Enhanced container workload compatibility
  • Performance optimizations reducing overhead
  • Reduced false positives on modern kernels

Proven protection against real-world exploits:

  • CVE-2021-3490 (eBPF)
  • CVE-2022-0492 (container escape)
  • CVE-2024-1086 (nf_tables use-after-free)

RLC Pro Hardened and compliance for regulated deployments

RLC Pro Hardened eliminates manual work so you can speed compliance, automate ongoing efforts, and help meet audit requirements with pre-hardened images for frameworks like DISA STIG or CIS, along with FIPS 140-3 compliant cryptographic modules. You can also add pre-remediated and compliant images to RLC Pro Hardened based on your compliance requirements.

LKRG provides continuous monitoring required for dynamic security frameworks, complementing static configuration compliance with active threat detection.

NEW: Post-quantum cryptography

RLC Pro Hardened now includes FIPS 140-3 validated PQC algorithms (ML-KEM, ML-DSA, SLH-DSA) that meet NSA CNSA 2.0 requirements and protect against future quantum computing threats.

Runtime kernel protection

LKRG provides continuous monitoring required for dynamic security frameworks, complementing static configuration compliance with active threat detection.

Post-quantum cryptography

FIPS 140-3 validated PQC algorithms (ML-KEM, ML-DSA, SLH-DSA) meet NSA CNSA 2.0 requirements and protect against future quantum computing threats.

Why RLC Pro Hardened?

As the speed, sophistication, and volume of attacks on corporate systems accelerate, CISOs and IT security teams struggle to apply an effective and consistent Linux security policy across all their servers.

With RLC Pro Hardened, you get Enterprise Linux and can be assured that it is delivered securely, configured correctly, and is proactively protecting your apps and services from malicious threats.

Proactive

Pre-configured against key threat vectors and delivers hardened memory and kernel integrity checking.

Current

Delivers the latest version of Rocky Linux and is actively updated with all updates and patches.

Speed

Use a pre-hardened Linux OS, so you eliminate the need to manually update a fleet of servers.

Security experts in your corner, protecting your infrastructure while your team drives results

RLC Pro Hardened comes with support from our team of experts who have decades of experience securing Linux in some of the most demanding and stringent environments on the planet.

$8.8M

Avg. cost of a license violation.

CIQ indemnifies you against open source license compliance risk.

76%

of codebases contain at least one vulnerability.

CIQ provides CVE patch SLAs and hardened security.

Includes indemnification

RLC Pro Hardened comes with the protection and indemnification guarantees that eliminate your risk and liability in the case of legal issues against the open source software. CIQ is accountable and delivers the coverage to keep your legal and compliance teams satisfied.
