The developers of the Rocky Linux distribution have announced the creation of a new Special Interest Group (SIG) called “security.” The purpose of this group is to support packages related to enhanced protection and the provision of additional security tools. The group will also release alternative versions of existing packages with added mechanisms to increase safety and eliminate vulnerabilities that are present in RHEL and CentOS Stream.
The developments made by the security SIG will be published in a separate repository, which can also be used in other distributions compatible with Red Hat Enterprise Linux. To connect the repository in Rocky Linux, users can already utilize the “DNF Install Rocky-Release-Security” command.
The repository currently offers several packages:
- The “lkrg” (Linux Kernel Runtime Guard) module, which is designed to identify and block attacks on the kernel structures’ integrity. This module can protect against unauthorized modifications to the kernel and attempts to change the privileges of user processes. The “lkrg” package is available for both Rhel8 and Rhel9 branches. For more information on “lkrg,” visit https://www.openwall.com/lkrg/.
- The “passwdqc” instrumentation for password complexity control, including the PAM_PASSWDQC module, PWQCHECK, PWQFILTER, PWQGEN, and the Libpasswdqc library. This package is built for the Rhel9 branch. To learn more about “passwdqc,” go to https://www.openwall.com/passwdqc/.
- The Glibc package, which includes security enhancements developed by the OWL project and used in Alt Linux. This package also includes fixes for two vulnerabilities: CVE-2023-4911, which allows a local user to elevate their privileges in the system through manipulated data in the Glibc_tunables environment variable, and CVE-2023-4527, which can result in data leakage or a crash in Getaddrinfo functions. The Glibc package is assembled for the Rhel9 branch. For more information on OWL, visit https://www.openwall.com/.
- The Openssh package, where SSHD is linked with a reduced number of separate libraries. This package is available for the Rhel9 branch.