
While traditional Enterprise Linux waits for patches, RLC-H detects and disrupts kernel exploits at runtime, protecting enterprise infrastructure during the critical window before vulnerabilities are even discovered.
RENO, Nev., Jan. 22, 2026 /PRNewswire/ -- CIQ, the founding support and services partner of Rocky Linux, today announced expanded availability of Rocky Linux by CIQ – Hardened (RLC-H), a security-first Enterprise Linux offering designed to proactively reduce exploitation risk at the operating system level. These expanded proactive hardening capabilities signal a shift beyond compliance-driven security, extending active defense into the operating system itself and creating a new layer of protection where traditional security tools do not reach.
RLC-H introduces a security extension to Enterprise Linux: proactive hardening, runtime protections that detect and disrupt exploitation techniques as they occur, not after patches are released. Built with direct involvement from Solar Designer, creator of Openwall GNU/*/Linux and co-creator of John the Ripper, RLC-H embeds offensive-informed defensive controls directly into the kernel, memory allocator and core system components.
Every security team knows the equation: a vulnerability is disclosed, a patch is released days or weeks later, and the remediation cycle takes weeks more. RLC-H changes that equation.
"Security teams are stuck in a reactive cycle: wait for the CVE, wait for the patch, wait for the maintenance window," said Brian Dawson, Director of Product Management at CIQ. "RLC-H breaks that cycle with proactive hardening that protects systems whether patches exist or not. We're not replacing reactive security—we're adding a layer that works while you're waiting for it."
Traditional Enterprise Linux offerings focus on secure configuration and compliance frameworks. RLC-H goes further, embedding runtime protections that operate continuously whether you're patched or not:
- Kernel Runtime Protection (LKRG): Monitors critical kernel structures in real time to detect privilege escalation, container escapes and rootkit behavior as exploitation attempts occur. Catches attacks that slip past endpoint tools. Pre-built, Secure Boot signed, enabled by default.
- hardened_malloc: Replaces the standard memory allocator with a security-focused implementation that makes heap corruption exploits (use-after-free, buffer overflows, double-free) unreliable or immediately fatal to the attacker, eliminating entire vulnerability classes.
- Hardened core libraries: Security-focused rebuilds of glibc and OpenSSH with reduced attack surface. OpenSSH ships with 13 shared libraries instead of 28, eliminating Kerberos and other unnecessary dependencies that expand the threat surface.
- Credential hardening: passwdqc enforces password policy at the OS level. yescrypt replaces sha512crypt for password hashing, making stolen hashes 1,000x harder to crack with GPUs, even in the event of credential disclosure.
- Secure crash handling: Core dump protections (fs.suid_dumpable=0) prevent privileged process memory exposure, blocking entire classes of credential disclosure attacks like CVE-2025-4598.
- Day-one STIG compliance: Up to 95% DISA STIG compliance out-of-box, reducing hardening time from 40+ hours to under 30 minutes per system.
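Two of the settings named above, yescrypt password hashes and fs.suid_dumpable=0, can be verified on any Linux host. The following check is an added example, not CIQ's code or tooling: it assumes its input is the text of /etc/shadow and the output of `sysctl -a`, the function names are hypothetical, and the sample data is constructed.

```python
import re

# Constructed sample input (not taken from a real host).
SAMPLE_SHADOW = """\
root:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH000000000000000000:19700:0:99999:7:::
svc_backup:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:!$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:99999:7:::
"""
SAMPLE_SYSCTL = "fs.suid_dumpable = 2\nkernel.core_pattern = core\n"

# crypt(5) scheme identifiers that appear between the first two '$' signs.
SCHEMES = {"y": "yescrypt", "6": "sha512crypt", "5": "sha256crypt", "1": "md5crypt"}


def hash_scheme(field):
    """Classify the password field of a shadow(5) entry by its crypt(5) prefix."""
    body = field.lstrip("!")  # a leading '!' marks a locked account; the hash follows
    if not body or body == "*":
        return None  # no password hash is set for this account
    match = re.match(r"\$([0-9a-z]+)\$", body)
    return SCHEMES.get(match.group(1), "other") if match else "other"


def audit(shadow_text, sysctl_text):
    """Return findings for non-yescrypt hashes and a non-zero fs.suid_dumpable."""
    findings = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue
        scheme = hash_scheme(parts[1])
        if scheme not in (None, "yescrypt"):
            findings.append(f"{parts[0]}: password hash uses {scheme}, not yescrypt")
    # Parse "key = value" lines as printed by `sysctl -a`.
    pairs = (entry.partition("=") for entry in sysctl_text.splitlines())
    sysctl = {key.strip(): value.strip() for key, _, value in pairs if value}
    value = sysctl.get("fs.suid_dumpable")
    if value != "0":
        findings.append(f"fs.suid_dumpable is {value}, expected 0")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHADOW, SAMPLE_SYSCTL):
        print(finding)
```

Accounts whose hash predates a switch to yescrypt keep the old scheme until the password is next changed, so a finding for a long-lived service account is expected on migrated systems.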
RLC-H is designed for organizations where a successful compromise makes headlines: Fortune 1000 enterprises, federal agencies, defense contractors, critical infrastructure operators and regulated SaaS providers running Linux at scale.
"CISOs lose sleep over what they don't know," said Peter Nelson, Chief Technology Officer at CIQ. "Whether a zero-day exists in their kernel. Whether their infrastructure is protected during the patch window. RLC-H moves security into the OS architecture itself, runtime protections that operate whether patches exist or not. That's the kind of defense-in-depth that lets security teams sleep at night."
RLC-H pairs proactive runtime protections with compliance-aligned configurations, delivering defense and compliance, not one or the other. Organizations no longer need to choose between security posture and audit readiness.
CIQ security experts will host a technical webinar, "Stop exploits before patches exist: LKRG runtime defense + Day-one STIG compliance," on February 12, 2026, at 2:00 PM ET. Learn how RLC-H's layered defense stack detects and disrupts exploits at runtime while achieving up to 95% STIG compliance out-of-box. Also, read more about RLC-H and LKRG at the CIQ blog.
RLC-H is available now at https://ciq.com/products/rocky-linux/hardened/.
About CIQ
CIQ builds secure, high-performance infrastructure for the AI era. As the founding support partner of Rocky Linux, CIQ provides enterprise solutions including Fuzzball, Warewulf Pro, Ascender Pro and Rocky Linux from CIQ. CIQ is trusted by organizations modernizing for a future defined by data and AI. Learn more at https://ciq.com.
MEDIA CONTACT:
Cristin Connelly
Cathey.co for CIQ
[email protected]
SOURCE CIQ