Control Tool Guide

Overview

The control tool is a security configuration utility included with Rocky Linux from CIQ – Hardened (RLC-H). It provides a unified interface to register and control system facilities, primarily those that can be dangerous to system security.

A facility is typically a configuration setting of a service or a privileged program (SUID/SGID/setcap), or a related group of them. Since these programs pose security risks in case of vulnerabilities, the control tool allows administrators to enable, disable, or configure them safely and consistently.

control originates in Owl and is actively maintained in ALT Linux. In Rocky Linux, it has been adapted to provide its own sub-packages with facility specifications and RPM trigger scripts, so settings persist across package upgrades.

Package Information

$ rpm -qi control
Name        : control
Version     : 0.8.0
Release     : 9.el9_6.security
Architecture: noarch
License     : GPLv2+
Vendor      : Ctrl IQ, Inc.
Summary     : A set of scripts to control installed system facilities
Description :
Provides a common interface to register and control system facilities.
Used for configuration settings and privileged (SUID/SGID/setcap) programs
that may be risky for system security.

Purpose and Benefits

Security Management

  • Centralized Control: One interface for managing multiple facilities.
  • Risk Mitigation: Safely disable or restrict risky privileged programs.
  • Reliability and Compliance: Persistent security settings across updates.

Administrative Efficiency

  • Simplified Management: No need to maintain forks of upstream packages.
  • Consistent Interface: Same commands across facilities.
  • Safe Defaults: Defaults are secure, with hardened options available.

Available Security Facilities

Run control with no arguments to list facilities and their current/possible settings.

Default (upstream-like) configuration

chage               public        (public restricted)
gpasswd             public        (public wheelonly restricted)
mount               public        (public wheelonly unprivileged restricted)
newgidmap           public        (public wheelonly restricted)
newgrp              public        (public wheelonly restricted)
newuidmap           public        (public wheelonly restricted)
pam_timestamp_check public        (public restricted)
password-hash       sha512crypt   (sha512crypt yescrypt)
password-policy     pwquality     (pwquality passwdqc)
unix_chkpwd         public        (public restricted)
write               public        (public restricted)

With maximum security hardening

chage               restricted    (public restricted)
gpasswd             restricted    (public wheelonly restricted)
mount               restricted    (public wheelonly unprivileged restricted)
newgidmap           restricted    (public wheelonly restricted)
newgrp              restricted    (public wheelonly restricted)
newuidmap           restricted    (public wheelonly restricted)
pam_timestamp_check restricted    (public restricted)
password-hash       yescrypt      (sha512crypt yescrypt)
password-policy     passwdqc      (pwquality passwdqc)
unix_chkpwd         restricted    (public restricted)
write               restricted    (public restricted)

Sub-Packages

The control system is modular, with facilities provided by sub-packages:

  • control
    The main package providing the common interface, but no facilities on its own.

  • control-shadow-utils
    Controls 5 privileged programs from shadow-utils:
      • chage, gpasswd, newgrp (SUID root)
      • newuidmap, newgidmap (cap_setuid=ep)

  • control-util-linux
    Controls privileged programs from util-linux / util-linux-core:
      • mount, umount (SUID root)
      • write (SGID tty)

  • control-pam
    Controls PAM-related facilities:
      • Password hashing scheme (sha512crypt, yescrypt)
      • Password policy (pwquality, passwdqc)
      • unix_chkpwd, pam_timestamp_check (SUID root helpers)

Using the Control Tool

Basic Syntax

control <facility> <action>

  • <facility>: e.g. password-policy, password-hash, chage, mount
  • <action>: help, list, status, summary, or a STATUS value

Examples

# Show tool help
control --help

# List facilities
control

# Check facility status
control password-policy status

# Switch facility setting
sudo control password-policy passwdqc
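The listing that `control` prints with no arguments is also a convenient compliance input. The script below is an added example, not part of the control package or of this guide: it reads such a listing, compares each facility's current setting with the value from the "With maximum security hardening" listing above, reports drift (and facilities whose sub-package is not installed), and prints the `control` commands that would bring the host to the hardened state. It assumes the column layout shown in this guide (facility, current setting, possible settings in parentheses); the sample listings embedded in it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the control package or this guide): audit a
# `control` facility listing against the "maximum security hardening" values
# and emit the `control` invocations that would close the gap.
# Assumes the listing format the guide shows: "facility  current  (possible ...)".

# Hardened targets, taken from the guide's "With maximum security hardening" listing.
HARDENED_TARGETS='chage restricted
gpasswd restricted
mount restricted
newgidmap restricted
newgrp restricted
newuidmap restricted
pam_timestamp_check restricted
password-hash yescrypt
password-policy passwdqc
unix_chkpwd restricted
write restricted'

# Constructed sample: what a host with the default (upstream-like) settings lists.
SAMPLE_DEFAULT_LISTING='chage               public        (public restricted)
gpasswd             public        (public wheelonly restricted)
mount               public        (public wheelonly unprivileged restricted)
newgidmap           public        (public wheelonly restricted)
newgrp              public        (public wheelonly restricted)
newuidmap           public        (public wheelonly restricted)
pam_timestamp_check public        (public restricted)
password-hash       sha512crypt   (sha512crypt yescrypt)
password-policy     pwquality     (pwquality passwdqc)
unix_chkpwd         public        (public restricted)
write               public        (public restricted)'

# Constructed sample: only control-util-linux and control-pam installed, partly hardened.
SAMPLE_MIXED_LISTING='mount               wheelonly     (public wheelonly unprivileged restricted)
password-hash       yescrypt      (sha512crypt yescrypt)
password-policy     pwquality     (pwquality passwdqc)'

# audit_listing: read a `control` listing on stdin and print one line per
# facility that is not at its hardened target, as "facility current target".
# Facilities from the target table that do not appear in the listing (their
# sub-package is not installed) are reported with "missing" as the current value.
# Exit status: 0 when no installed facility drifted, 1 otherwise.
audit_listing() {
  awk -v targets="$HARDENED_TARGETS" '
    BEGIN {
      n = split(targets, lines, "\n")
      for (i = 1; i <= n; i++) {
        split(lines[i], kv, " ")
        if (kv[1] != "") target[kv[1]] = kv[2]
      }
    }
    $1 in target {
      seen[$1] = 1
      if ($2 != target[$1]) { print $1, $2, target[$1]; drift++ }
    }
    END {
      for (f in target) if (!(f in seen)) print f, "missing", target[f]
      exit (drift > 0)
    }
  '
}

# remediation_commands: turn an audit report (stdin) into the `control`
# commands that apply the hardened setting; missing facilities are skipped
# because there is nothing installed to configure.
remediation_commands() {
  awk '$2 != "missing" { print "control", $1, $3 }'
}

# Stand-alone run: audit the constructed default listing and print the fix-up plan.
printf '%s\n' "$SAMPLE_DEFAULT_LISTING" | audit_listing | remediation_commands
```

On a real host, `control | audit_listing` gives the drift report and `control | audit_listing | remediation_commands` the commands to review before running them with the privileges the guide's examples use (`sudo control <facility> <setting>`). The script only reads; it never changes a setting itself.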

Change Log (Highlights)

  • 0.8.0-9 (Jun 2025): Fix mount triggers to use util-linux-core.
  • 0.8.0-8 (May 2025): Improved password-policy parsing, password-hash regex.
  • 0.8.0-7 (Jan 2024): Added unix_chkpwd and pam_timestamp_check.
  • 0.8.0-5/6 (Dec 2023): Added PAM facilities, improved sub-facility handling.
  • 0.8.0-0 (Dec 2023): Initial packaging for EL based on ALT Linux & Owl.

See Also

For additional information about the control tool, refer to: