Michael Young

Secure boot has been around for many years now, having been introduced into the UEFI spec in 2006.  It is one of those things that tends to be turned off when installing Linux. There are different opinions around secure boot and whether it solves a problem or not. It is becoming more common for environments to require keeping secure boot turned on. Secure boot is not going away in the near future. It is now being used in the cloud. We need to get to know our frenemy.

Hardening a Linux system is straightforward in concept and surprisingly complex in practice. Most teams rely on Ansible playbooks, custom scripts, and manual STIG checklists that are difficult to maintain, hard to audit, and prone to drift over time.

This workshop takes a practical, side-by-side look at Linux hardening: we start with a fresh Rocky Linux install and walk through the manual hardening process — SSH configuration, kernel tuning, password policy, SELinux, and compliance frameworks like DISA-STIG and CIS. We then explore what Rocky Linux from CIQ — Hardened (RLC-H) delivers out of the box: kernel runtime guards, hardened memory allocation, pre-remediated compliance images, Secure Boot, and commercially backed CVE remediation — by design, not by configuration.

This is not a lecture. Attendees of all experience levels are welcome, and those with deep security backgrounds are especially encouraged to bring their perspective. The goal is an honest conversation about where the traditional DIY approach holds up, where it falls short, and what a purpose-built hardened distribution changes.

No CIQ Portal access required. All hands-on exercises use community Rocky Linux.