Special Interest Group Announcement - Security

The Rocky Linux Project announces the general availability of the Security Special Interest Group (SIG) packages and wiki, which provide extra security-related packages and security-hardened override packages (replacing those from the main distribution) for Rocky Linux and other Enterprise Linux (EL) distributions.

Responsibilities

The Security SIG’s mission is to:

• Develop and maintain various security related packages that are not in upstream EL.
• Identify, develop, and maintain security hardening changes relative to upstream EL packages.
• Include/backport additional security fixes that are not yet in upstream EL packages.
• Contribute to the respective upstreams where practical.

Use dnf install rocky-release-security to enable the Security SIG repositories containing several overrides for packages in the main distribution.

Packages

Extra packages include (for EL8 and EL9) lkrg (Linux Kernel Runtime Guard) and passwdqc (Password/passphrase strength checking and policy enforcement), while override packages (currently for EL9) include glibc (adds many security-hardening changes originating from Owl and ALT Linux on top of EL package) and openssh (fewer shared libraries exposed in sshd processes while otherwise fully matching EL package’s functionality). More packages are planned.

Security SIG contributor Solar Designer reassured the community that these repos already include “security-hardened glibc for EL9 distros (EL8 soon) with a mitigation effective against CVE-2023-4911.”

Contributing

If anyone else wants to join this effort - in any capacity including development, maintenance, testing, documentation, user support, spreading the word, or something else - please join the Mattermost channel and let us know!

All this information and more can be found at the SIG Wiki. Thanks to the team for pulling it together.