Package-level security hardening can eliminate entire classes of vulnerabilities before CVEs are published — or mitigate them before patches exist. The Rocky Linux Security SIG demonstrates this proactive approach by modifying core packages and integrating tools such as LKRG, drawing on decades of Openwall hardening work.
A key example: the hardened glibc in Rocky Linux prevented exploitation of CVE-2023-4911 (Looney Tunables), reducing impact before upstream Enterprise Linux shipped a fix.
This talk explains: