AMD SEV/SEV-ES requires 2nd-generation AMD EPYC (Rome) or later; RHEL 9 provides memory encryption but not security attestation.
Anaconda installation is controlled through a layered boot parameter framework: inst.ks= for Kickstart automation, inst.repo= for installation source selection (supporting HTTP/FTP/NFS/CDN), inst.stage2= for runtime image location, inst.graphical/text/cmdline for UI mode control, and inst.sshd for remote access during installation.
After every interactive RHEL installation, a reference Kickstart file is saved at /root/anaconda-ks.cfg.
ansible-freeipa is the official Red Hat package for Ansible-based IdM automation on RHEL 9, providing roles (ipaserver, ipareplica, ipaclient) for installation and modules (ipauser, ipagroup, ipahost) for object management.
In RHEL 9.5, augenrules returns exit code 0 when the audit rules are in immutable mode (-e 2), so auditd starts at boot instead of failing as it did in earlier releases.
authselect is the current tool for configuring authentication profiles (PAM/NSS) on RHEL 9, replacing the deprecated authconfig.
autofs mounts filesystems on demand when a path under a managed mount point is accessed. The master map (/etc/auto.master plus drop-in files /etc/auto.master.d/*.autofs) references indirect or direct map files; direct maps use the /- mount-point entry. Enable with systemctl enable --now autofs.
Command substitution $(command) captures command stdout for use in variable assignments, conditionals, and loops. Preferred over backtick syntax. Can be nested.
Bash conditional execution uses if/then/elif/else/fi and test or [ ] brackets. File tests: -f (file exists), -d (directory). Numeric: -eq -ne -gt -lt. String: = != -z -n.
The default shell in RHEL 9 is /bin/bash. Users access a shell prompt via terminal emulators, virtual consoles (Ctrl+Alt+F1-F6), or SSH.
Bash script positional parameters: $1-$9 (arguments), $0 (script name), $# (argument count), "$@" (all args preserving word boundaries). shift removes first parameter.
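As an added example (not from the page), the script below uses the Bash features listed above together: positional parameters and shift, "$@", $# checks, command substitution, file and numeric tests, and redirection of errors to stderr. It reports failed SSH logins per user from a log file. The log lines, host names and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: report failed SSH logins per user using positional parameters,
# shift, "$@", $(...) and test brackets. The log content is constructed sample data.

# make_sample_log FILE -> writes a few secure-log style lines (constructed).
make_sample_log() {
    cat > "$1" <<'EOF'
Nov 12 10:01:02 host sshd[1201]: Failed password for alice from 203.0.113.5 port 51122 ssh2
Nov 12 10:01:07 host sshd[1201]: Failed password for alice from 203.0.113.5 port 51122 ssh2
Nov 12 10:02:11 host sshd[1210]: Accepted publickey for bob from 198.51.100.7 port 40012 ssh2
Nov 12 10:03:40 host sshd[1222]: Failed password for invalid user admin from 203.0.113.9 port 60001 ssh2
Nov 12 10:04:01 host sshd[1230]: Failed password for bob from 203.0.113.9 port 60002 ssh2
EOF
}

# failed_logins LOGFILE USER... -> prints "user count" for each user.
# $1 is the log; shift consumes it so that "$@" is only the user list afterwards.
failed_logins() {
    if [ "$#" -lt 2 ]; then
        echo "usage: failed_logins LOGFILE USER..." >&2   # 2> / >&2 keeps stderr separate
        return 2
    fi
    log="$1"
    shift
    if [ ! -f "$log" ]; then
        echo "no such log: $log" >&2
        return 1
    fi
    for user in "$@"; do
        # Command substitution captures grep's count. grep -c prints 0 (and exits 1)
        # when nothing matches, so "|| :" keeps the 0 and ignores the exit status.
        n=$(grep -c -E "Failed password for (invalid user )?${user} from" "$log" || :)
        echo "$user $n"
    done
}

# lockout_candidates LOGFILE THRESHOLD USER... -> users with at least THRESHOLD failures.
lockout_candidates() {
    log="$1"; threshold="$2"; shift 2
    failed_logins "$log" "$@" | while read -r user n; do
        if [ "$n" -ge "$threshold" ]; then   # numeric comparison with -ge
            echo "$user"
        fi
    done
}

# Demo run: write the report, then append the lockout list to the same file.
tmp=$(mktemp)
make_sample_log "$tmp"
failed_logins "$tmp" alice bob admin > "$tmp.report"
lockout_candidates "$tmp" 2 alice bob admin >> "$tmp.report"
cat "$tmp.report"
rm -f "$tmp" "$tmp.report"
```

The pattern anchors the user name between "for " and " from" so that "bob" does not also count "bobby"; the optional "invalid user " group catches attempts against accounts that do not exist.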
Static IP boot option syntax is ip=IP::GATEWAY:NETMASK:HOSTNAME:INTERFACE:none. The seven colon-separated fields, in order, are client IP, peer address (left empty for a static address, hence the double colon), gateway, netmask, hostname, interface, and autoconf method (none for static configuration).
bootc provides atomic updates (pull new image and reboot) and rollback to previous OS versions if an update causes problems.
Key bootc commands: bootc install to-disk, bootc switch, bootc upgrade, bootc status.
bootdev= is mandatory when using multiple ip= boot options to designate the primary boot interface.
BPF JIT compilation is always on in RHEL 9 kernels (CONFIG_BPF_JIT_ALWAYS_ON=y): BPF programs are compiled to native code and the BPF interpreter is not available, a hardening measure that removes the interpreter from the attack surface.
BPF is restricted to privileged users by default in RHEL 9 (kernel.unprivileged_bpf_disabled=2); values are 0 = unprivileged BPF allowed, 1 = disabled and cannot be re-enabled without a reboot, 2 = disabled but an administrator can change the setting at runtime.
bpftool feature enumerates all BPF features (program types, map types, helpers, kernel config) supported by the running RHEL kernel.
chage manages password aging: -M (max days), -m (min days), -W (warning), -E (account expiry date), -d 0 (force change). chage -l shows current settings. Defaults in /etc/login.defs.
The chcat command manages MCS categories on both users (chcat -l) and files; chcat -L lists category labels.
chrony is the default NTP time synchronization client on RHEL 9. Configure NTP servers in /etc/chrony.conf with iburst. Use timedatectl for timezone and NTP control. chronyc sources shows sync status.
The RHEL 9 web console (Cockpit) listens on port 9090 by default.
The firewalld service name for permitting web console access is cockpit (firewall-cmd --add-service=cockpit).
The web console is enabled via cockpit.socket (socket activation), not as a persistent daemon: sudo systemctl enable --now cockpit.socket.
SELinux uses MCS (via container-selinux) to isolate containers from each other.
Registered RHEL systems receive content from either Red Hat Content Delivery Network (CDN) or Red Hat Satellite Server.
Create and edit text files using vim, the default editor on RHEL 9. Use i to insert, Esc to return to normal mode, :wq to save and quit. Also use touch to create empty files and cat > file for quick creation.
Default database ports on RHEL 9: MariaDB/MySQL use port 3306, PostgreSQL uses port 5432.
Database server packages on RHEL 9 come from the AppStream repository using module streams for version selection.
DAX (Direct Access) maps persistent memory directly into the address space of the application, bypassing the page cache. It requires NVDIMM hardware, an ext4 or XFS file system, and the dax mount option (for example mount -o dax /dev/pmem0 /mnt/dax); it is a Technology Preview in RHEL 9.2.
Deprecated functionality in RHEL remains functional in the current major version but is planned for removal in a future major release; it should not be relied upon for new deployments.
The %{?dist} macro in spec files automatically appends the distribution tag (e.g., .el9 for RHEL 9).
dnf autoremove does not automatically exclude installonly packages; use dnf mark install <pkg> to protect packages from autoremoval.
The command dnf builddep <spec> installs build dependencies listed in an RPM spec file.
dnf remove --duplicates exits with code 0 when no duplicates are found.
efibootmgr is used to view and modify the UEFI boot order on RHEL 9 systems.
/etc/fapolicyd/rules.d/ replaces the monolithic fapolicyd.rules file; fagenrules merges rules into compiled.rules.
File and directory operations: cp (copy), cp -r (recursive), cp -a (archive), mv (move/rename), rm (remove), rm -r (recursive), mkdir (create directory), mkdir -p (create parent dirs), touch (create/update).
firewalld rules control three directions of network traffic: incoming, outgoing, and forwarded.
/etc/fstab configures persistent filesystem mounts at boot using UUID= or LABEL= for reliability. Format: device mountpoint fstype options dump pass. Test with mount -a before rebooting.
getconf PAGESIZE returns 65536 for a 64k page kernel and 4096 for a 4k page kernel.
Greenboot is the health-check framework for automated rollback on RHEL for Edge systems.
grep searches files for lines matching regular expressions. Key flags: -i (case-insensitive), -v (invert match), -r (recursive), -n (line numbers), -E (extended regex). Supports anchors ^ and $.
groupadd creates groups, groupdel removes them. usermod -aG group user adds a user to a supplementary group; without -a, -G replaces the user's entire supplementary group list. groups and id show group memberships. /etc/group stores group data.
grubby --set-default is the command to change the default boot kernel on RHEL 9.
Hard links share the same inode, cannot cross filesystems or link to directories. Symbolic links have their own inode, can cross filesystems and link to directories. ln creates hard links, ln -s creates soft links.
IdM API access requires valid Kerberos credentials to establish a session.
The IdM API is consumed via Python scripts using the ipalib library, not a traditional REST client (it wraps JSON-RPC internally).
Authenticating to Red Hat Identity Management (IdM) requires obtaining a Kerberos ticket with kinit before performing any administration tasks.
IdM automatically creates DNS SRV records for Kerberos, LDAP, and other services when integrated DNS is enabled.
Automount maps can be managed centrally through IdM rather than using local configuration files on each host.
IdM centralizes management of users, groups, hosts, and access policies (HBAC and sudo rules).
IdM provides a unified identity management stack bundling 389 Directory Server (LDAP), MIT Kerberos KDC, Dogtag CA, and SSSD into a single integrated platform with centralized user/group/host/policy management.
When integrated DNS is deployed, IdM's BIND-with-LDAP DNS subsystem automatically creates the SRV records for Kerberos and LDAP, so ipa-client-install can locate and join the IdM domain through DNS SRV autodiscovery without an explicit --server.
IdM DNS forward policy options are only (forward only to forwarder) and first (try forwarder first, then resolve locally).
DNS is optional in IdM — an external DNS server can be used instead, but SRV and other records must then be managed manually.
DNS service (port 53 TCP/UDP) must be open in firewalld on IdM servers running integrated DNS.
IdM integrated DNS uses BIND with an LDAP backend, storing zone data in the IdM directory rather than in /var/named/ zone files.
IdM provides health-monitored identity services: the complete identity stack (389 DS/Kerberos/CA/SSSD) is monitored by automated health checks via ipa-healthcheck with systemd timer scheduling, enabling proactive detection of certificate expiration, replication failures, and service degradation before they impact authentication.
IdM includes an integrated Certificate Authority (Dogtag) for TLS and user certificates.
IdM provides an integrated DNS subsystem: BIND with LDAP backend stores zone data in the IdM directory (not zone files), supports configurable forward policies (only and first), reverse DNS zones via in-addr.arpa naming, and requires port 53 TCP/UDP open in firewalld — all managed through the IdM interface rather than traditional BIND administration.
Red Hat Identity Management (IdM) on RHEL 9 can integrate with Samba, Ansible, and automount as external services for centralized authentication.
IdM integration with external services relies on Kerberos authentication and LDAP directory as underlying mechanisms.
IdM Kerberos authentication uses kinit to obtain tickets, klist to verify current tickets, and kdestroy to remove tickets.
All IdM administration — both API and CLI — requires prior Kerberos authentication: kinit to obtain tickets, klist to verify, kdestroy to remove, with the API consuming credentials via ipalib.
Red Hat Identity Management (IdM) is only officially supported on RHEL, not on other Linux distributions.
IdM reverse DNS zones use the in-addr.arpa naming convention (e.g., 1.168.192.in-addr.arpa for 192.168.1.0/24).
IdM is a RHEL-exclusive deployment of upstream FreeIPA with three installable roles (server, replica, client), pre-tuned for typical deployments out of the box and officially supported only on RHEL.
IdM supports one-time passwords (OTP) as a second factor alongside Kerberos passwords for two-factor authentication.
Two primary IdM migration paths exist: upgrading RHEL 8 IdM to RHEL 9 IdM, and migrating from an external LDAP directory to RHEL 9 IdM.
ipa vault-archive stores data in an IdM vault; ipa vault-retrieve retrieves it.
IdM vault data is encrypted on the client side before transmission — the IdM server never has access to plaintext secrets.
The Dogtag KRA (Key Recovery Authority) must be installed (ipa-kra-install) on at least one IdM server before vaults can be used.
IdM vaults can be scoped as user vaults (single user), service vaults (single service), or shared vaults (multiple users/groups).
IdM vaults provide secure secret storage with client-side encryption (server never sees plaintext), multiple scopes (user/service/shared), KRA backend requirement, and archive/retrieve CLI operations.
IdM vault types are standard (accessible by owner/members), symmetric (password-protected with symmetric key), and asymmetric (encrypted with public key, decrypted with private key).
The IdM Web UI is accessed at https://<idm-server>/ipa/ui/ and is functionally equivalent to the CLI for administration tasks.
ifname=interface:MAC is the only supported way to set custom network interface names during Anaconda installation.
Image Builder blueprints are written in TOML format and define packages, groups, and customizations for image builds.
RHEL Image Builder provides a complete image creation pipeline: TOML blueprint definition, osbuild-composer backend with socket activation, multi-format output, and a push-then-compose CLI workflow.
Image Builder (osbuild-composer) is the supported tool for composing RHEL for Edge images, available via composer-cli and Cockpit web UI.
RHEL Image Builder uses osbuild-composer as the backend service and composer-cli as the command-line interface, enabled via osbuild-composer.socket.
Image Builder supports multiple output formats from a single blueprint including qcow2, vmdk, ami, vhd, iso, and others, listed via composer-cli compose types.
The Image Builder service is enabled with systemctl enable --now osbuild-composer.socket.
The Image Builder workflow is: create blueprint → push blueprint (composer-cli blueprints push) → start compose (composer-cli compose start) → download image (composer-cli compose image <UUID>).
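As an added example (not from the page or from the Image Builder project), here is a blueprint in the TOML format described above. It assumes the osbuild-composer blueprint keys for packages, kernel arguments, services, users, firewall and timezone; the hostname, NTP server and SSH key are placeholders to replace.

```toml
# edge-base.toml: added example blueprint, not from the page.
# Values marked PLACEHOLDER are assumptions for the example.
name = "edge-base"
description = "Minimal base image with audit, chrony and a key-only admin user"
version = "0.0.1"

[[packages]]
name = "audit"
version = "*"

[[packages]]
name = "chrony"
version = "*"

[customizations]
hostname = "edge01.example.com"          # PLACEHOLDER

[customizations.kernel]
append = "audit=1"                       # kernel command line additions

[customizations.services]
enabled = ["sshd", "auditd", "chronyd"]

[customizations.firewall.services]
enabled = ["ssh"]

[customizations.timezone]
timezone = "UTC"
ntpservers = ["time.example.com"]        # PLACEHOLDER

[[customizations.user]]
name = "ops"
key = "ssh-ed25519 AAAA-PLACEHOLDER-REPLACE-WITH-REAL-KEY"
groups = ["wheel"]
```

Push it with composer-cli blueprints push edge-base.toml, resolve dependencies with composer-cli blueprints depsolve edge-base, then composer-cli compose start edge-base qcow2, watch composer-cli compose status, and fetch the result with composer-cli compose image <UUID> once the compose reports FINISHED. Shipping a user with an SSH key and no password in the blueprint avoids baking a password hash into the image.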
inst.graphical is the default Anaconda installation mode; inst.text forces text mode, inst.cmdline forces non-interactive mode (requires Kickstart).
The inst.ks= boot option specifies the Kickstart file location for automated RHEL installations (e.g., inst.ks=http://server/path/ks.cfg).
The inst.ksstrict boot option turns deprecated Kickstart command warnings into errors.
inst.repo= defines the primary installation source for Anaconda, supporting cdrom, hd, nfs, http, https, ftp, and hmc protocols.
inst.repo=nfs uses NFSv3 by default; use nfsvers=X to specify a different NFS version.
inst.sshd enables SSH access during installation; on IBM Z it is auto-started by default; root has no password unless set via sshpw Kickstart command.
inst.stage2= specifies the location of the installer runtime image (install.img), which is separate from the package repository specified by inst.repo=.
During RHEL installation, Ctrl+Alt+F1 switches to the tmux console and Ctrl+Alt+F6 switches to the graphical installer.
The RHEL installer defaults to DHCP for network configuration; the ip= boot option overrides this.
The RHEL installer runs tmux in virtual console 1 with five windows: main program (Ctrl+b 1), root shell (Ctrl+b 2), anaconda.log (Ctrl+b 3), storage.log (Ctrl+b 4), program.log (Ctrl+b 5).
I/O redirection uses > (overwrite stdout to file), >> (append), 2> (redirect stderr), &> (redirect both stdout and stderr), | (pipe between commands), and < (stdin from file).
Use input-output redirection to control where command output goes: > overwrites file, >> appends, 2> redirects stderr, &> redirects both stdout and stderr, | pipes output to another command, < reads stdin from file.
io_uring is disabled by default in RHEL 9 via kernel.io_uring_disabled=2; values are 0 = allowed for all users, 1 = privileged users only, 2 = disabled for all.
ipa-client-install uses DNS SRV records for autodiscovery of the IdM domain when --server is not specified.
ipa-healthcheck detects replication conflicts, expired certificates, misconfigured permissions, and stopped services across check sources including ipahealthcheck.ipa.certs, ipahealthcheck.ipa.dns, ipahealthcheck.ds.replication, and ipahealthcheck.meta.services.
ipa-healthcheck --failures-only filters output to show only failed checks; --source targets specific check categories.
ipa-healthcheck outputs results in JSON format with severity levels: SUCCESS, WARNING, ERROR, CRITICAL.
The ipa-healthcheck utility is installed via dnf install ipa-healthcheck and runs on IdM server/replica nodes (not clients).
Periodic automated health checks can be enabled via systemctl enable --now ipa-healthcheck.timer.
Kickstart provides a complete automated deployment pipeline: inst.ks= boot parameter, multiple installation sources (media/CDN/network), syntax validation via ksvalidator, fully unattended operation, and auto-generated template from prior installs.
cmdline mode halts the installation if any user interaction is required — all options must be pre-configured in the Kickstart file.
The default Kickstart completion method is halt (equivalent to shutdown -H) if no completion command is specified.
eula --agreed is required in Kickstart for unattended installations to skip the EULA acceptance prompt.
The harddrive Kickstart command supports ext2, ext3, ext4, vfat, and xfs filesystems for the installation source partition.
The inst.ks= boot parameter specifies a Kickstart file location, supporting HTTP, HTTPS, FTP, NFS, hard drive, and CDROM sources.
The install Kickstart command has been removed in RHEL 9; installation source commands (cdrom, url, nfs, etc.) are used directly.
Kickstart installations can pull content from local media (DVD/USB), ISO images, Red Hat CDN, or network servers (HTTP, FTP, NFS).
Kickstart logging command for remote syslog uses TCP only, with default port 514.
The rhsm Kickstart command allows registering and installing directly from the Red Hat CDN without needing %post scripts.
Kickstart enables fully unattended RHEL installation when all required parameters are provided in the Kickstart file.
A URL-based installation source takes precedence over CDN even when rhsm is specified with valid credentials.
The ksvalidator command (from the pykickstart package) validates Kickstart file syntax before use.
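ksvalidator checks syntax, but several of the points above (the removed install command, eula --agreed, the halt default, url winning over rhsm) are syntactically valid and only show up as a stalled or surprising install. The pre-flight check below is an added example, not from the page or from pykickstart; the two Kickstart files are constructed, and the repository host, organization ID, activation key and password hash are placeholders.

```shell
#!/bin/sh
# Added example: pre-flight checks for unattended Kickstart files that
# ksvalidator does not cover. Sample Kickstart content is constructed.

# ks_lint FILE -> one finding per line; returns 0 when clean, 1 otherwise.
ks_lint() {
    f="$1"; findings=0
    note() { echo "$1"; findings=$((findings + 1)); }

    # 'install' was removed in RHEL 9; the source command (url/cdrom/nfs/...) stands alone.
    grep -q -E '^install[[:space:]]*$' "$f" && note "install command is removed in RHEL 9; drop it"
    # cmdline mode halts on any prompt, and the EULA is a prompt.
    grep -q -E '^eula[[:space:]]+--agreed' "$f" || note "missing 'eula --agreed'; the EULA prompt blocks an unattended install"
    # A plaintext rootpw ends up in /root/anaconda-ks.cfg and on the wire from the ks server.
    grep -E '^rootpw[[:space:]]' "$f" | grep -q -v -- '--iscrypted' && note "rootpw is plaintext; use --iscrypted with a hashed password"
    # Without a completion command the installer halts (shutdown -H) and waits.
    grep -q -E '^(reboot|halt|poweroff|shutdown)([[:space:]]|$)' "$f" || note "no completion command; installer halts and waits (default is halt)"
    # url takes precedence over rhsm, so the CDN is silently not used as the source.
    if grep -q -E '^url[[:space:]]' "$f" && grep -q -E '^rhsm([[:space:]]|$)' "$f"; then
        note "both url and rhsm present; url takes precedence and the CDN is not the install source"
    fi
    [ "$findings" -eq 0 ]
}

# write_sample_ks FILE bad|good -> constructed Kickstart files for the demo.
write_sample_ks() {
    if [ "$2" = bad ]; then
        cat > "$1" <<'EOF'
install
url --url=http://repo.example.com/rhel9/BaseOS
rhsm --organization=1234567 --activation-key=lab-key
text
lang en_US.UTF-8
keyboard us
rootpw Secret123
%packages
@^minimal-environment
%end
EOF
    else
        cat > "$1" <<'EOF'
cdrom
text
eula --agreed
lang en_US.UTF-8
keyboard us
rootpw --iscrypted $6$PLACEHOLDER$hashvaluegoeshere
reboot
%packages
@^minimal-environment
%end
EOF
    fi
}

# Demo: run the lint on both files.
bad=$(mktemp); good=$(mktemp)
write_sample_ks "$bad" bad; write_sample_ks "$good" good
echo "== bad ks ==";  ks_lint "$bad"
echo "== good ks =="; ks_lint "$good" && echo "clean"
rm -f "$bad" "$good"
```

Run ksvalidator first for syntax, then this check; both are cheap compared with an installation that halts at a prompt nobody is watching.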
kTLS (kernel TLS) is enabled by loading the tls kernel module (modprobe tls) and setting ktls = true in a gnutls crypto-policy local.d file.
Kernel TLS (KTLS) is a Technology Preview in RHEL 9.2, appearing in both security (gnutls acceleration) and networking (kernel-level TLS offload) contexts.
Leapp is the official Red Hat tool for performing in-place upgrades between major RHEL versions (e.g., RHEL 8 to RHEL 9).
leapp preupgrade should be run before leapp upgrade to identify inhibitors and potential issues without making changes.
RHEL in-place upgrades via Leapp require sequential major version progression (no skipping) with a mandatory preupgrade assessment before the actual upgrade.
The lpfc kernel driver is the Emulex driver for Fibre Channel HBAs in RHEL.
Core LVM commands: pvcreate (init PV), vgcreate (create VG), lvcreate -n name -L size vg (create LV), lvextend/lvresize (resize), pvs/vgs/lvs (summary display).
LVM provides flexible, non-disruptive storage management through a three-layer abstraction (PV → VG → LV) that enables spanning multiple disks into unified volume groups, online extension without downtime, and a consistent command vocabulary (pvcreate, vgcreate, lvcreate, lvextend, lvreduce, vgextend) for all operations.
An LVM logical volume acts as a virtual block device that can hold any filesystem or be used as swap.
LVM logical volumes can be extended online (non-disruptively) without downtime.
LVM uses a three-layer hierarchy: Physical Volumes (PV) → Volume Groups (VG) → Logical Volumes (LV).
Multiple physical volumes can be combined into a single volume group, enabling storage that spans multiple disks.
man pages are organized in sections: 1 (user commands), 5 (file formats), 8 (admin commands). Use man -k or apropos to search. info provides detailed docs. /usr/share/doc has package documentation.
MBR supports 4 primary partitions, max 2 TiB. GPT supports 128 partitions, no size limit. fdisk, gdisk, and parted manage partitions. Run partprobe after partition table changes.
A user must be assigned to all categories on a file to access it (conjunction rule — not just one matching category).
SELinux Multi-Category Security (MCS) categories range from c0 to c1023 (1024 possible categories).
Human-readable MCS category labels are defined in /etc/selinux/<policy>/setrans.conf and require restarting the mcstrans service to take effect.
MCS is evaluated after DAC and Type Enforcement — it can only further restrict access, never relax it.
In the targeted SELinux policy, MCS is not configured for regular users by default; a CIL module containing (typeattributeset mcs_constrained_type (user_t)) must be installed via semodule -i.
MCS provides a restrictive supplementary access layer: enforced only after DAC and Type Enforcement pass, requiring conjunction of all assigned categories, with session-boundary enforcement of changes.
MCS category changes for users take effect only at the next login, not on the current session.
modprobe.blacklist= disables kernel modules during installation and persists after installation (stored in /etc/modprobe.d/).
The multipathd flush_on_last_del parameter accepts the values always/yes, unused/no (the default), and never.
Nested KVM virtualization is a Technology Preview in RHEL 9, working on Intel, AMD64, and IBM Z hosts.
NIC teaming (team=) is deprecated in RHEL 9; network bonding is the recommended alternative.
A volume labeled OEMDRV with a file named ks.cfg in its root is auto-detected by the Anaconda installer for Kickstart — no inst.ks= boot option is required.
Polyinstantiation is configured in /etc/security/namespace.conf; pam_namespace_helper does NOT read files from /etc/security/namespace.d/.
Polyinstantiated directories in SELinux isolate /tmp, /var/tmp, and home directories per-user, preventing race condition attacks and information leaks. Instance directories (/tmp-inst/, /var/tmp/tmp-inst/) hold per-user subdirectories that get bind-mounted over the shared paths.
Polyinstantiation instance directories (/tmp-inst/, /var/tmp/tmp-inst/) must be created with mode 000 (mkdir --mode 000).
Polyinstantiation is enforced via the pam_namespace.so PAM module with the unmnt_remnt option in the session stack.
Polyinstantiation uses the user method on non-MLS systems and the level method on MLS systems in namespace.conf.
Polyinstantiation can be verified with findmnt --mountpoint /tmp/; the source should show /tmp-inst/<user>.
Use top and ps aux to identify CPU/memory intensive processes. kill PID sends SIGTERM (15, graceful). kill -9 PID sends SIGKILL (forced). nice/renice adjust scheduling priority (-20 to 19).
Quadlet generates systemd service files from Podman container descriptions and is a Technology Preview in RHEL 9.2.
rd.break interrupts the RHEL 9 boot process in the initramfs for emergency access, for example to reset a lost root password. Procedure: edit the GRUB entry and append rd.break to the kernel line, then in the emergency shell run mount -o remount,rw /sysroot, chroot /sysroot, passwd root, touch /.autorelabel, and exit twice to continue booting. The /.autorelabel file makes SELinux relabel the filesystem (including the modified /etc/shadow) on the next boot.
ReaR (Relax-and-Recover) is the Red Hat-supported tool for full system backup and bare-metal disaster recovery on RHEL 9.
Red Hat migrated issue tracking from Bugzilla (BZ#) to Jira (RHEL-, RHELDOCS-, RHELPLAN- prefixes) for RHEL tracking.
RHEL registration issues a certificate that identifies and authenticates the system to Red Hat.
RHEL system registration is required before the system can access Red Hat repositories for updates via yum/dnf.
RHEL system registration with subscription-manager requires root privileges.
The -F flag on restorecon forces a full relabel including the SELinux user field, not just the type.
RHCSA candidates must master a core CLI toolkit: Bash scripting fundamentals (positional parameters $1-$9, $#, "$@"), I/O redirection (>, >>, 2>, &>, pipes), pattern matching (grep with -i/-v/-r and regex), and the documentation system (man pages with section conventions and apropos search) — these form the essential tools foundation of the RHCSA exam.
RHEL release note changes are categorized as Known Issues, Deprecated Functionality, Technology Previews, Bug Fixes, and Enhancements/New Features.
Kernel module management commands: lsmod lists loaded modules, modprobe loads modules, modprobe -r unloads modules, modinfo shows driver details/version/parameters.
RHEL for Edge images use rpm-ostree for image-based atomic updates and rollbacks, not traditional RPM/DNF package management.
RHEL image mode (bootc) manages the OS as a standard OCI container image, built with Podman/Buildah and stored in container registries.
Kernel modules are stored in /lib/modules/$(uname -r)/.
RHEL 9 follows a minor release cadence (9.0, 9.1, 9.2, 9.3, 9.4, ...) delivering updates on a roughly 6-month cycle while maintaining ABI compatibility.
RHEL does not support skipping major versions during in-place upgrades (e.g., RHEL 7 → 9 directly is not supported).
RHEL release notes are living documents that receive ongoing updates well after the initial release; RHEL 9.3 (released November 2023) had release notes updated through November 2025.
RHEL System Roles are Ansible-based roles for consistent configuration management across multiple RHEL hosts.
Key RHEL system roles include timesync, network, selinux, storage, firewall, logging, and kdump.
RHEL system roles can be referenced by legacy names (e.g., rhel-system-roles.timesync) or collection names (e.g., redhat.rhel_system_roles.timesync).
RHEL system roles are installed via the rhel-system-roles package and placed in /usr/share/ansible/roles/ and /usr/share/ansible/collections/.
In-place upgrade from RHEL 8 to RHEL 9 is supported using the Leapp tool; Convert2RHEL handles conversions from CentOS/Alma/Rocky/Oracle Linux.
RHEL 9 provides a complete AD integration stack: realmd orchestrates domain join, SSSD serves as default authentication backend, with a defined set of required packages.
RHEL 9 supports two methods for direct Active Directory integration: SSSD and Samba Winbind.
Required packages for SSSD-based AD join: sssd, realmd, oddjob, oddjob-mkhomedir, adcli, samba-common-tools.
Managed Service Accounts (MSA) allow access to AD resources without full domain membership on RHEL 9.
AIDE configuration is at /etc/aide.conf and the default database location is /var/lib/aide/aide.db.gz.
AIDE configuration is controlled by /etc/aide.conf, which defines monitored paths and tracked attributes.
After aide --init or aide --update, the output file /var/lib/aide/aide.db.new.gz must be renamed to /var/lib/aide/aide.db.gz before it becomes active.
AIDE is a detection-only tool that identifies filesystem changes after they occur but does not prevent them; IMA provides both detection and prevention.
AIDE file integrity checking uses aide --init to initialize the database, aide --check to detect changes, and aide --update to update the database after review.
AIDE provides a complete file integrity monitoring workflow: three operations (init/check/update), mandatory database rename after generation, AppStream package source, with the critical caveat that it is detection-only.
The aide package requires the AppStream repository for installation.
AIDE has three key operations: --init (create baseline database), --check (verify integrity), --update (refresh database after legitimate changes).
All four predefined crypto policies disable IKEv1, 3DES, RC4, DSA, and TLS v1.1 and older.
RHEL 9 uses the Anaconda graphical installer for interactive GUI-based installation.
RHEL 9 provides a managed application runtime platform with relational databases (MariaDB/MySQL/PostgreSQL via AppStream module streams), a controlled Python ecosystem (venv isolation, AppStream version selection, platform-python reserved), and RPM packaging tools for custom software distribution.
Application Streams allow multiple versions of user-space components to be updated independently of the core OS, each with its own lifecycle.
In RHEL 9, initial Application Stream versions install as plain RPMs via dnf install without needing to enable modules first (simplified from RHEL 8).
AppStream uses modules to deliver multiple versions of the same software (e.g., different Python or Node.js streams); modularity is not present in BaseOS.
The AppStream repository delivers additional applications, runtime languages, databases, and tools as both traditional RPMs and modules.
Some Application Streams have shorter support lifecycles than the base RHEL 9 OS.
RHEL 9 minimum hardware versions by architecture: x86_64 requires x86-64-v2, aarch64 requires ARMv8.0-A, ppc64le requires POWER9, s390x requires z14.
Each RHEL 9 architecture requires its own separate Red Hat subscription.
RHEL 9 ships with a 4k page size kernel by default on ARM (AArch64) systems.
In RHEL 9, the audit dispatcher (audisp) functionality is integrated into auditd; plugin configs live in /etc/audit/plugins.d/.
File audit watches are added with auditctl -w <path> -p <permissions> -k <key> and searched with ausearch -k <key>.
The default audit log location is /var/log/audit/audit.log, configured via /etc/audit/auditd.conf.
Persistent audit rules are placed in /etc/audit/rules.d/; /etc/audit/audit.rules is auto-generated by augenrules on service start.
Pre-configured audit rules for compliance standards (OSPP, PCI-DSS, STIG) are available in /usr/share/audit/sample-rules/.
RHEL 9 provides a unified audit subsystem with integrated dispatcher, file watch rules, original login identity tracking via auid, dedicated service management (not systemctl), and configurable log location.
auditctl -e 0 temporarily disables auditing and auditctl -e 1 re-enables it at runtime.
auditctl -w <path> -p <perms> -k <key> creates file watch rules; permission flags are w (write), a (attribute), r (read), x (execute).
auditd must be managed with service auditd start/stop/restart — systemctl is only valid for enable and status.
The auid (Audit UID / loginuid) is assigned at login and inherited across su/sudo, tracking the original login identity for accountability.
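As an added example (not from the page or from the audit project), the script below writes a rules.d-style file of file watches in the -w/-p/-k syntax above and then summarises matching records by auid versus uid, which is exactly the accountability the loginuid provides: a read of /etc/shadow under sudo shows uid=0 but auid=1000. The audit records are constructed sample data in audit.log format; on a real host the equivalent query is ausearch -k shadow-read -i.

```shell
#!/bin/sh
# Added example: file-watch rules plus an auid/uid summary over audit records.
# The SYSCALL records below are constructed sample data, not from a real host.

# write_watch_rules RULESFILE -> watches in auditctl syntax. On a real host copy
# the file to /etc/audit/rules.d/NN-name.rules; augenrules merges rules.d into
# /etc/audit/audit.rules when auditd starts.
write_watch_rules() {
    cat > "$1" <<'EOF'
## key names are the handle for ausearch -k
-w /etc/shadow -p rwa -k shadow-read
-w /etc/sudoers -p wa -k sudoers-change
-w /etc/sudoers.d/ -p wa -k sudoers-change
EOF
}

# make_sample_audit_log LOGFILE -> constructed records: alice (auid=1000) reads
# /etc/shadow twice through sudo (uid=0), carol (auid=1001) is denied as herself,
# and a daemon with no login session (auid=4294967295) also opens the file.
make_sample_audit_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1731400001.101:301): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1 a2=0 a3=0 items=1 ppid=2100 pid=2154 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="shadow-read"
type=SYSCALL msg=audit(1731400007.220:305): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2 a2=0 a3=0 items=1 ppid=2100 pid=2160 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="less" exe="/usr/bin/less" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="shadow-read"
type=SYSCALL msg=audit(1731400042.003:318): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd3 a2=0 a3=0 items=1 ppid=2300 pid=2311 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="shadow-read"
type=SYSCALL msg=audit(1731400090.510:330): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd4 a2=0 a3=0 items=1 ppid=1 pid=1188 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_be" exe="/usr/libexec/sssd/sssd_be" subj=system_u:system_r:sssd_t:s0 key="shadow-read"
type=SYSCALL msg=audit(1731400120.777:342): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd5 a2=0 a3=0 items=1 ppid=2100 pid=2190 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="vim" exe="/usr/bin/vim" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sudoers-change"
EOF
}

# key_by_loginuid LOGFILE KEY -> "auid uid count" per (auid, uid) pair for records
# tagged with KEY. auid 4294967295 is the kernel's "unset" loginuid (daemons,
# cron: no login session) and is printed as "unset".
key_by_loginuid() {
    awk -v want="$2" '
    {
        auid = ""; uid = ""; key = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")              # split on the first "=" only
            if (n == 0) continue
            name = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (name == "auid") auid = val
            else if (name == "uid") uid = val
            else if (name == "key") { key = val; gsub(/"/, "", key) }
        }
        if (key == want && auid != "") {
            if (auid == "4294967295") auid = "unset"
            count[auid " " uid]++
        }
    }
    END { for (pair in count) print pair, count[pair] }' "$1" | LC_ALL=C sort
}

# Demo run.
rules=$(mktemp); log=$(mktemp)
write_watch_rules "$rules"
make_sample_audit_log "$log"
echo "== rules =="; cat "$rules"
echo "== shadow-read by (auid uid) =="
key_by_loginuid "$log" shadow-read
rm -f "$rules" "$log"
```

The line "1000 0 2" is the point: both reads ran as root, and only the auid says that alice's login session was behind them. The "unset 0 1" line is why rules for compliance baselines often add -F auid!=unset to ignore daemons, and -F auid>=1000 to focus on real users.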
RHEL 9 provides layered authentication hardening across three defense dimensions: account lockout policy via pam_faillock with configurable thresholds and admin unlock, password lifecycle management via chage with aging/expiry/force-change controls, and SSH key-based authentication with Ed25519 as the recommended algorithm.
RHEL 9 defense-in-depth security (SELinux enforcing, firewalld, crypto policies, granular audit) is fully automatable at fleet scale through Ansible system roles and SELinux deployment automation (semanage export/import, fixfiles autorelabel, Ansible roles), enabling consistent security posture across hundreds of hosts.
For bare-metal RHEL 9 installations, /boot, /, /home, /tmp, and /var/tmp should be on separate partitions for security isolation.
Both BaseOS and AppStream repositories are required for a complete RHEL 9 installation.
RHEL 9 content is split into two required repositories: BaseOS (core OS foundation) and AppStream (additional user-space applications, runtimes, databases).
The BaseOS repository contains core OS foundation packages delivered exclusively as traditional RPMs.
BaseOS provides core OS functionality (full RHEL support lifecycle); AppStream provides additional user-space applications, runtime languages, and databases.
The Boot ISO requires network access to BaseOS/AppStream repositories to install packages; the Installation ISO (Binary DVD) contains both repos.
The RHEL 9 boot ISO (~700 MB) contains only the installer and kernel; it requires a network installation source and cannot install standalone.
RHEL 9 manages kernel boot parameters through grubby as the central tool: changing the default boot kernel (--set-default), persistently adding kernel arguments (--update-kernel --args), controlling CPU vulnerability mitigations (mitigations=), tuning crashkernel memory reservation (crashkernel=size,high/low), and emergency access via rd.break boot interrupt.
The /boot partition cannot be encrypted with LUKS; if /boot is part of an encrypted / partition, the system cannot boot.
RHEL 9 has CONFIG_BPF_JIT_ALWAYS_ON=y, meaning the BPF JIT compiler is mandatory and the BPF interpreter is not available (security hardening).
CDN-based RHEL 9 installations use the inst.rhsm boot parameter and require registering with Red Hat during installation.
RHEL 9 provides centralized observability through two complementary subsystems: the audit framework (file watches, auid login tracking, compliance rules, dedicated service management) and the logging system role (rsyslog configuration via Ansible with structured input/output/flow variable groups and SELinux-aware port management).
RHEL 9 uses cgroups v2 (unified hierarchy) by default.
cgroupsv1 is deprecated in RHEL 9 (which defaults to cgroupsv2); RHEL 10 will only support cgroupsv2.
chrony is the default NTP implementation in RHEL 9, replacing ntpd.
Clevis is the client-side framework for automated decryption; Tang is the stateless server that never stores or learns client keys.
Binding a LUKS volume to a Tang server: clevis luks bind -d /dev/<device> tang '{"url":"http://tang.srv"}'.
Clevis pins available in RHEL 9 are: tang (network server), tpm2 (TPM 2.0 chip), pkcs11 (smart cards), and sss (Shamir's Secret Sharing for threshold-based high availability).
Cluster-managed services must not be started or enabled via systemctl; Pacemaker controls their lifecycle.
The CodeReady Linux Builder repository is available with all RHEL subscriptions but its packages are unsupported.
RHEL 9 packages are assigned Application Compatibility Levels 1–4, where Level 1 provides the highest ABI stability guarantee across the major release.
RHEL 9 installation is controlled through a comprehensive boot parameter framework combining installer directives (inst.ks, inst.repo, inst.stage2, inst.graphical/text/cmdline, inst.sshd, inst.vnc) with network configuration parameters (DHCP default, seven-field ip= static override, bootdev= for multi-NIC, ifname= for custom interface naming).
RHEL 9 is undergoing systematic modernization through coordinated deprecation across networking (ifcfg to keyfile, iptables to nftables, teaming to bonding) and infrastructure (cgroups v1 to v2, monolithic libvirtd to modular daemons, virt-manager to Cockpit).
RHEL 9 provides a comprehensive security posture integrating defense-in-depth hardened defaults (SELinux, firewalld, crypto policies, audit), continuous compliance monitoring (audit logging, AIDE integrity, OpenSCAP scanning), and layered authentication hardening (pam_faillock, password aging, SSH key-based auth) into a unified security architecture.
RHEL 9 container isolation leverages the full MCS restrictive access control model: container-selinux assigns unique MCS categories per container, enforced only after DAC and Type Enforcement pass, requiring conjunction of all assigned categories for inter-container access.
Podman (not Docker) is the standard container runtime in RHEL 9, along with Buildah and Skopeo.
RHEL 9 content is architecturally split into two mandatory repositories: BaseOS (core OS foundation, RPMs only) and AppStream (user-space applications delivered as both RPMs and modules), with modules enabling multiple concurrent software versions and some Application Streams having shorter support lifecycles than the base OS.
RHEL 9 supports continuous OS evolution from routine security patches (DNF advisory-filtered updates across BaseOS/AppStream with severity filtering) through major version transitions (Leapp sequential in-place upgrades with mandatory preupgrade assessment) to image-based atomic updates (rpm-ostree/bootc with health-check rollback for Edge deployments).
RHEL 9 compliance is observable through complementary mechanisms: continuous audit logging (file watches, auid tracking, pre-configured compliance rule sets for OSPP/PCI-DSS/STIG) provides ongoing evidence collection, while periodic AIDE integrity checks and OpenSCAP scanning provide point-in-time compliance verification.
RHEL 9 addresses CPU-level security vulnerabilities through multiple coordinated mechanisms: SMT disabling for L1TF/MDS mitigation, shared buffer clearing for MMIO/MDS/TAA with interdependent mitigation toggles, restricted unprivileged BPF access by default, and mandatory BPF JIT compilation that eliminates the interpreter as an attack surface.
crashkernel=size,high and crashkernel=size,low control kdump memory reservation above/below 4 GB; crashkernel=X without high/low takes precedence.
The DEFAULT and LEGACY crypto policies require minimum 2048-bit RSA/DH keys; FUTURE requires minimum 3072-bit.
The command update-crypto-policies --set POLICY changes the system-wide cryptographic policy and requires root privileges.
The command update-crypto-policies --show displays the current system-wide cryptographic policy on RHEL 9.
RHEL 9 provides complete crypto policy lifecycle management: four predefined policies, set/show CLI commands, persistent state file verification, and extensibility via custom .pmod subpolicies.
A reboot is recommended after changing the system-wide cryptographic policy for full effect.
Scoped cryptographic policy directives use @ syntax to restrict settings to specific protocols or libraries (e.g., cipher@TLS, group@SSH).
The current effective cryptographic policy can be verified at /etc/crypto-policies/state/CURRENT.pol.
Custom cryptographic subpolicy files use the .pmod extension with uppercase filenames and are stored in /etc/crypto-policies/policies/modules/.
RHEL 9 defaults to Wayland as the display protocol for GNOME, with X11/Xorg available as a fallback.
XFS is the default file system in RHEL 9.
RHEL 9 uses DNF (not yum) as the primary package management tool.
The DEFAULT crypto policy enforces TLS 1.2 as the minimum TLS version.
RHEL 9 containers operate within a defense-in-depth security stack where per-container MCS categories (assigned by container-selinux) provide inter-container isolation, layered on top of SELinux type enforcement, firewalld network controls, system-wide crypto policies, and continuous audit logging — meaning container breakout must defeat not just the container boundary but every surrounding security layer.
RHEL 9 enforces defense-in-depth through four integrated security layers: hardened defaults (SELinux enforcing, firewalld, crypto policies), granular cryptographic policy lifecycle management, layered SELinux MAC enforcement with type-based policy, and a unified audit subsystem with original-identity tracking across privilege escalation.
RHEL 9 provides a structured diagnostic reporting workflow: sos report (requiring root privileges) collects comprehensive system state into compressed tarballs in /var/tmp/, and sos clean obfuscates hostnames, IP addresses, and other sensitive data before the report is shared with Red Hat support.
Direct AD integration means the RHEL host joins AD directly; indirect integration uses IdM/IPA as a broker with a cross-realm trust to AD.
dnf check-update --security lists available security updates; dnf update --security installs all available security updates.
Installed packages can be queried with dnf list installed or rpm -qa; available packages with dnf list available or dnf repoquery.
The dnf package manager replaces yum in RHEL 9 for all package and update operations.
dnf updateinfo info <advisory-id> displays details about a specific advisory; dnf updateinfo is the subcommand for querying errata metadata.
RHEL ships device drivers as loadable kernel modules, not compiled monolithically into the kernel.
RHEL 9 system administration operates through complementary local and remote interfaces: the GNOME desktop on Wayland with systemd target switching for interactive console management, and the Cockpit web console with socket activation and firewall integration for browser-based remote management.
RHEL 9 supports two complementary OS upgrade paradigms: sequential in-place upgrades via Leapp (with mandatory preupgrade assessment and no major version skipping) for traditional RPM-based systems, and atomic image-based updates via rpm-ostree/bootc with automated health-check rollback (Greenboot) for Edge deployments.
RHEL 9 provides dual workload isolation with distinct security models: virtual machines via the managed KVM/QEMU/libvirt stack with Cockpit web management and hardware-level isolation, and containers via Podman with MCS-enforced category-based separation where each container receives unique SELinux categories enforced after DAC and Type Enforcement.
The dump backup utility is deprecated in RHEL 9; use tar, dd, or bacula instead (restore remains available).
RHEL for Edge uses an image-based OS model with rpm-ostree for atomic updates/rollbacks, Greenboot for automated health-check rollback, and bootc for container-native image management.
RHEL 9 provides end-to-end encrypted storage lifecycle management: NBDE with Clevis/Tang for automated decryption across multiple pin types, volume-type-specific unlock requirements (dracut for root, systemd for non-root), and system-wide cryptographic policy governance ensuring encryption algorithms comply with organizational standards.
RHEL 9 provides a comprehensive enterprise identity ecosystem: IdM as a unified stack (LDAP/Kerberos/CA/SSSD), Kerberos-gated administration for all management interfaces, encrypted secret storage via vaults with client-side encryption and KRA backend, and direct Active Directory integration via SSSD/realmd for hybrid environments.
Red Hat advisories come in three types: RHSA (security), RHBA (bug fix), and RHEA (enhancement).
RHEL 9 provides a layered filesystem mounting model: XFS as the default filesystem, persistent mounts via /etc/fstab with UUID/LABEL identification for reliability, and on-demand network mounting via autofs for filesystems accessed infrequently.
FIPS mode should be enabled at install time using the fips=1 kernel parameter; the fips-mode-setup tool is deprecated.
FIPS mode in RHEL 9 is enabled via fips=1 kernel parameter at install time (not /etc/system-fips); check status with fips-mode-setup --check.
FIPS mode is enabled on RHEL 9 using fips-mode-setup --enable and verified with fips-mode-setup --check; a reboot is required after enabling.
Setting the FIPS crypto policy alone does not guarantee FIPS 140 compliance; cryptographic keys must be regenerated.
RHEL 9 has firewalld active by default as part of its security baseline.
firewalld is enabled by default on RHEL 9 but may be disabled by Kickstart configurations.
RHEL 9 uses firewalld with an nftables backend as the firewall framework.
RHEL 9 provides four predefined system-wide cryptographic policies: DEFAULT, LEGACY, FUTURE, and FIPS.
RHEL 9 supports four architectures: x86-64 (minimum v2), ARM aarch64 (minimum ARMv8.0-A), IBM Power ppc64le (minimum POWER9), and IBM Z s390x (minimum z14).
Key application stream packages (httpd, mariadb, postgresql, python, ruby, php, perl) are designated as Full Life Application Streams at Compatibility Level 3.
RHEL 9 defense-in-depth extends from hardware-level CPU mitigations (SMT disable for L1TF/MDS, BPF JIT hardening, unprivileged BPF restrictions) through cryptographic policy enforcement to data-at-rest protection (LUKS2/NBDE encryption and SELinux/MCS mandatory access control), ensuring no single layer's compromise alone exposes stored data.
RHEL 9 GNOME defaults to Wayland as the display server, with X11 available as a fallback.
RHEL 9 GNOME defaults to Wayland as the display server with X11 as fallback.
Switching between GUI and text mode at boot uses systemctl set-default graphical.target or systemctl set-default multi-user.target.
systemctl set-default graphical.target enables GUI at boot; systemctl set-default multi-user.target disables it.
systemctl isolate graphical.target starts the GNOME/display manager; systemctl isolate multi-user.target switches to text-only mode.
RHEL 9 provides a single managed desktop environment (GNOME on Wayland by default) with systemd target control for boot mode selection and virtual console switching for multi-session access.
Production HA clusters on RHEL 9 require mandatory STONITH fencing, pcs as the primary management CLI, dedicated firewall ports (TCP 2224/3121, UDP 5405), and Pacemaker-controlled service lifecycle (no systemctl).
Corosync provides the cluster communication and membership layer underneath Pacemaker in RHEL 9 HA clusters.
RHEL 9 HA clusters require firewall ports TCP 2224 (pcsd), UDP 5405 (corosync), and TCP 3121 (pacemaker-remoted).
RHEL 9 High Availability Add-On uses Pacemaker as its cluster resource manager.
RHEL 9 manages a hardened kernel runtime through coordinated boot parameter management (grubby for default kernel and persistent args, mitigations= for CPU vulnerability controls, crashkernel= for dump reservation) and explicit security-vs-performance equilibrium controls (TuneD profiles, BPF restrictions with JIT-only enforcement, io_uring default-disabled).
RHEL 9 explicitly manages the hardware security-vs-performance equilibrium: CPU vulnerability mitigations (SMT disable for L1TF/MDS, BPF restrictions, io_uring disabled by default) reduce attack surface at performance cost, while TuneD profiles provide compensating performance optimization.
RHEL 9 enterprise identity services are health-monitored end-to-end: the full identity ecosystem (IdM with AD cross-forest trust, Kerberos-gated administration, vault client-side encryption) is continuously verified by automated ipa-healthcheck with systemd timer scheduling, JSON output with severity grading, and failure-only filtering for operational alerting.
RHEL 9 enterprise identity provides automated service discovery: IdM's integrated DNS subsystem (BIND with LDAP backend, configurable forward policies, auto-created SRV records) enables clients to locate and enroll into the identity ecosystem via ipa-client-install without explicit server specification.
IdM-AD trust is a cross-forest trust (not a simple domain trust) that integrates Kerberos, LDAP, DNS, and certificate services between the two environments.
IdM typically establishes a one-way trust where AD users can authenticate to IdM-managed services, not the reverse.
Establishing an IdM-AD trust requires common Kerberos encryption types, firewall ports (389/636, 88/464, 53, 135, 138, 139, 445, 3268), proper DNS resolution between domains, and Kerberos realm configuration.
Red Hat Identity Management (IdM) bundles 389 Directory Server, MIT Kerberos KDC, SSSD, and Certmonger into one integrated identity solution.
Red Hat IdM is the upstream FreeIPA project packaged by Red Hat.
IdM can optionally provide its own integrated DNS and Certificate Authority (Dogtag CA), or integrate with existing external DNS and CA infrastructure; this choice is made at install time.
IdM is pre-tuned for typical deployments by default; manual performance tuning is only needed for large-scale, high-load, or latency-sensitive environments.
IdM (Identity Management) has three installable roles: server, replica, and client, installed via ipa-server-install, ipa-replica-install, and ipa-client-install respectively.
The ifcfg format for NetworkManager profiles is deprecated in RHEL 9; use nmcli connection migrate to convert to keyfile format.
The ifcfg format for NetworkManager profiles is deprecated in RHEL 9; keyfile format in /etc/NetworkManager/system-connections/ is the default.
RHEL 9 has deprecated core infrastructure components beyond networking: cgroups v1 (replaced by v2), the dump backup utility (replaced by tar/dd/bacula), ISC DHCP (replaced by Kea/dhcpcd), monolithic libvirtd (replaced by modular daemons), and virt-manager (replaced by Cockpit) — representing a systematic modernization of virtualization, storage, and service management subsystems.
Valid protocols for the inst.repo= kernel boot parameter: http, https, ftp, nfs, hmc (and cdrom for local media).
Installing GNOME on a minimal RHEL 9 system uses dnf groupinstall "Server with GUI".
Installing GNOME on a minimal RHEL 9 system is done with dnf groupinstall "Server with GUI".
RHEL 9 installer supports layered network configuration via boot parameters: DHCP by default, static IP override via the seven-field ip= syntax (IP::GATEWAY:NETMASK:HOSTNAME:INTERFACE:none), custom interface naming via ifname=interface:MAC, and bootdev= required for designating the primary boot interface in multi-NIC environments.
The iptables backend in firewalld is deprecated in RHEL 9; nftables is the replacement.
ISC DHCP (client and server) is deprecated in RHEL 9; replacements are ISC Kea (server) and dhcpcd (client).
RHEL 9 manages kernel configuration across two complementary dimensions: runtime module lifecycle (loadable drivers with lsmod/modprobe, persistent blacklisting) and boot parameter management (grubby for persistent kernel args, CPU vulnerability mitigations, crashkernel memory reservation).
RHEL 9 kernel is configured with CONFIG_HZ = 1000 (timer interrupt frequency).
RHEL 9 manages kernel drivers as loadable modules with a complete lifecycle: modules stored in /lib/modules/$(uname -r)/, managed via lsmod/modprobe/modprobe -r/modinfo commands, with persistent blacklisting via modprobe.blacklist= that survives installation.
Kernel modules are managed with lsmod (list loaded), modprobe (load), modprobe -r (unload), and modinfo (query info); persistent config goes in /etc/modprobe.d/*.conf.
RHEL 9 supports automatic installation via Kickstart, which provides predefined configuration for Anaconda.
Kickstart is the preferred automated installation method for deploying many RHEL systems; the graphical installer is for one or a few systems.
RHEL 9 protects data at rest through two independent and complementary layers: cryptographic protection (LUKS2 encryption with NBDE automated decryption governed by system-wide crypto policies) and mandatory access control (SELinux DAC → Type Enforcement → MCS enforcement chain) — ensuring that even if one layer is bypassed, the other independently restricts unauthorized access.
LEGACY is the only predefined crypto policy that allows SHA-1 in digital signatures; the DEFAULT:SHA1 subpolicy is the targeted alternative.
The monolithic libvirtd daemon is deprecated in RHEL 9; modular libvirt daemons are the replacement.
RHEL Lightspeed is an AI-powered command-line assistant for RHEL 9 that uses natural language input, grounded in RHEL documentation and the Red Hat Knowledgebase.
Logging system role input types are: basics (local journal/socket), remote (network receiver), and files (specific file paths).
Logging system role output types are: files (local), remote_files (per-host remote storage organized by %FROMHOST%), and forwards (send to remote server).
The RHEL logging system role is redhat.rhel_system_roles.logging and configures rsyslog on managed nodes.
The logging system role uses three variable groups: logging_inputs (log sources), logging_outputs (log destinations), and logging_flows (connecting inputs to outputs).
Default SELinux-allowed syslog ports are 601, 514, 6514, 10514, and 20514.
The RHEL 9 logging system role (redhat.rhel_system_roles.logging) provides a structured rsyslog configuration framework organized around three variable groups: inputs (basics/remote/files as log sources), outputs (files/remote_files/forwards as destinations), and flows connecting them, with SELinux constraining allowed syslog ports to 601, 514, 6514, 10514, and 20514.
TLS for the logging system role requires managed nodes to be enrolled in an IdM domain for CA-signed certificates.
In the logging system role, if both udpports and tcpports are set on a remote input, udpports is used and tcpports is dropped.
When both udpports and tcpports are set on a logging system role remote input, udpports is used and tcpports is dropped.
The command lspci -k lists PCI devices and their associated kernel driver modules.
LUKS2 is the default disk-encryption format in RHEL 9; LUKS1 volumes use the luksmeta package for NBDE state storage.
RHEL 9 provides a managed relational database platform: three supported RDBMS (MariaDB, MySQL, PostgreSQL) delivered via AppStream repository module streams for version selection, with standardized default ports (3306 for MariaDB/MySQL, 5432 for PostgreSQL).
RHEL 9 provides a fully managed virtualization stack: KVM/QEMU/libvirt for VM execution with virsh/virt-install for CLI management, and the Cockpit web console (socket-activated on port 9090, firewall-integrated) as the modern browser-based management interface replacing the deprecated virt-manager.
RHEL 9 follows a minor release cadence of approximately every 6 months (9.0 May 2022 through 9.7 Nov 2025).
RHEL 9 has minor releases from 9.0 through 9.7.
The mitigations= kernel boot parameter controls all CPU vulnerability mitigations: off disables all, auto (default) enables with SMT on, auto,nosmt disables SMT if needed.
MMIO stale data, MDS, and TAA mitigations share the same CPU buffer clearing mechanism; disabling one may require disabling the others.
RHEL 9 application platform is actively modernizing: runtime infrastructure (databases via AppStream streams, managed Python ecosystem, RPM packaging lifecycle) evolves in parallel with systematic deprecation of legacy components (ifcfg, iptables, teaming, cgroups v1, monolithic libvirtd) driving migration to modern replacements.
RHEL 9 supports Multipath TCP (MPTCP), enabling a single TCP connection to use multiple network paths simultaneously.
RHEL 9 delivers a security-hardened platform across four supported architectures (x86-64, ARM, POWER, Z) with per-architecture CPU minimums and separate subscription requirements, sharing common defense-in-depth defaults (SELinux enforcing, firewalld active, SHA-1 disabled, system-wide crypto policies) though per-architecture differences exist in kernel configuration.
RHEL 9 supports four architectures with per-architecture minimum CPU microarchitecture versions, separate subscription requirements, and architecture-specific kernel configurations (e.g., 4k page size default on ARM).
RHEL 9 provides a complete Network-Bound Disk Encryption stack: Clevis client-side framework, Tang stateless server on port 80, multiple pin types (tang/tpm2/pkcs11/sss), and JWK-based key management.
Non-root volume auto-unlock requires clevis-systemd package, systemctl enable clevis-luks-askpass.path, and _netdev in fstab/crypttab.
Automated non-root volume unlock with NBDE requires the clevis-systemd package, enabling clevis-luks-askpass.path, and adding _netdev to fstab/crypttab.
Root volume auto-unlock with NBDE requires the clevis-dracut package and running dracut -fv --regenerate-all.
Automated root volume unlock with NBDE requires the clevis-dracut package and running dracut -fv --regenerate-all.
NBDE auto-unlock diverges by volume type: root volumes require clevis-dracut and initramfs regeneration, while non-root volumes require clevis-systemd and _netdev mount option.
Network teaming (teamd/libteam) is deprecated in RHEL 9; bonding is the recommended replacement.
Network teaming (teamd/libteam) is deprecated in RHEL 9; bonding is the replacement.
RHEL 9 networking has undergone a systematic deprecation of legacy technologies: ifcfg replaced by keyfile, iptables by nftables, network teaming by bonding, and SCP by SFTP.
NetworkManager (nmcli, nmtui) is the networking stack in RHEL 9.
NetworkManager is the default networking service in RHEL 9, replacing legacy network-scripts.
RHEL 9 provides a secure NTP time synchronization stack with chrony as the default implementation and a restricted-privilege service mode for minimal client configurations.
RHEL 9 enables continuously observable and verifiable security by combining operational visibility (audit subsystem with login tracking and diagnostic reporting via sos) with compliance verification (AIDE file integrity monitoring, OpenSCAP policy scanning, pre-configured compliance rules for OSPP/PCI-DSS/STIG) into a single observable security posture.
GNOME is the only desktop environment available in RHEL 9; no KDE or other alternative DE is shipped.
openldap was downgraded to Compatibility Level 4 in RHEL 9 due to upstream instability.
RHEL 9 provides operational visibility through an integrated audit subsystem (file watches, login identity tracking via auid, pre-configured compliance rules) combined with structured diagnostic reporting (sos report with root-privilege collection and sos clean data obfuscation).
OpenSCAP compliance scanning on RHEL 9 uses the oscap command with profiles from the scap-security-guide package located at /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml.
Account lockout policy on RHEL 9 is configured via pam_faillock in /etc/security/faillock.conf; locked accounts can be reset with faillock --user username --reset.
Password quality requirements on RHEL 9 are configured via pam_pwquality in /etc/security/pwquality.conf.
RHEL 9 provides a structured patch management lifecycle: the content delivery architecture splits packages across BaseOS and AppStream repositories, DNF serves as the unified package manager, and security-specific tooling (dnf check-update --security, dnf updateinfo info) enables targeted security patching with advisory-level granularity.
The pcs command is the primary CLI tool for configuring and managing Pacemaker/Corosync clusters on RHEL 9.
The pcsd service must be running and enabled on all nodes before Pacemaker cluster setup.
Each RHEL 9 architecture requires its own separate subscription.
RHEL subscriptions are per-architecture — each architecture requires its own subscription type.
RHEL 9 exposes explicit performance-vs-security tradeoff controls: TuneD (enabled by default) provides profile-based system performance tuning, while security restrictions constrain high-performance subsystems — io_uring disabled by default (kernel.io_uring_disabled=2) and BPF restricted to privileged users (kernel.unprivileged_bpf_disabled=2) — requiring administrators to consciously relax security for performance gains.
/usr/libexec/platform-python is a minimal internal Python for system tools and is not intended for user use.
RHEL 9 point releases (9.0, 9.1, 9.2, …) maintain backward ABI/API compatibility within the major version.
The post-installation hardening sequence is: update system (dnf update) → verify/enable firewall → disable unneeded services.
RHEL 9 isolates both processes and persistent data: SELinux Type Enforcement with MCS categories and polyinstantiation isolates running processes and their filesystem views, while LUKS2/NBDE encryption and AIDE integrity monitoring protect data at rest independently of process-level controls.
Additional Python versions (e.g., 3.11, 3.12) are available as separate packages from AppStream (e.g., python3.11, python3.12).
RHEL 9 provides a managed Python ecosystem: Python 3 only (no Python 2), internal platform-python reserved for system tools, /usr/bin/python symlink via dedicated package, and additional versions available from AppStream.
RHEL 9 provides /usr/bin/python as a symlink to python3 via the python-unversioned-command package.
python3 -m venv is the recommended way to create isolated Python environments on RHEL 9; pip should be used inside virtual environments rather than system-wide.
RHEL 9 ships Python 3 only; Python 2 is not included in the base repositories.
The rcu_nocbs=<cpu-list> boot parameter offloads RCU callbacks from specified CPUs to dedicated kthreads, reducing OS jitter for real-time workloads.
The realmd tool orchestrates AD domain join operations for both SSSD and Winbind backends using commands realm join, realm discover, and realm list.
RHEL 9 requires x86-64-v2 as the minimum CPU microarchitecture level for x86_64, meaning older CPUs lacking SSE4.2, POPCNT, etc. are unsupported.
RHEL 9 provides resilient compute infrastructure by combining the managed KVM/QEMU/libvirt virtualization stack (with Cockpit web management and virsh CLI) and Pacemaker/Corosync HA clustering with mandatory STONITH fencing and pcs-managed service lifecycle.
RHEL 9 provides a complete RPM packaging lifecycle: the rpmbuild directory tree (~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}) hosts spec files following the NVR naming convention with automatic distribution tagging via %{?dist}, build dependencies resolved through dnf builddep, and flexible output options (binary-only, source-only, or both RPMs).
The command rsyslogd -N 1 validates rsyslog configuration syntax on a managed node.
The SCP protocol is deprecated in RHEL 9; SFTP is the default replacement in OpenSSH.
RHEL 9 security configuration is automatable at fleet scale through SELinux deployment automation (Ansible roles, semanage export/import, fixfiles autorelabel) integrated with RHEL System Roles for consistent cross-host configuration management.
RHEL 9 provides three complementary security compliance mechanisms: continuous audit logging with original-identity tracking and pre-configured compliance rule sets (OSPP, PCI-DSS, STIG), file integrity monitoring via AIDE with init/check/update workflow, and automated SCAP scanning against predefined security profiles from scap-security-guide.
RHEL 9 defense-in-depth extends from hardware-level security mitigations (SMT disable for L1TF/MDS, BPF JIT hardening, unprivileged BPF restrictions, MMIO buffer clearing) through software security controls (SELinux enforcing, firewalld active, system-wide crypto policies, granular audit logging), providing security assurance at every layer of the stack.
RHEL 9 ships with multiple security controls active by default: SELinux enforcing, firewalld active, SHA-1 disabled, and four predefined system-wide cryptographic policies (DEFAULT, LEGACY, FUTURE, FIPS).
Security updates can be filtered by severity using dnf update --security --sec-severity=Critical (levels: Critical, Important, Moderate, Low).
RHEL 9 runs SELinux in enforcing mode by default as part of its security baseline.
Sendmail is deprecated in RHEL 9; Postfix is the default MTA.
RHEL 9 infrastructure services require a coordinated set of firewall port openings: Cockpit web console (TCP 9090), HA cluster (TCP 2224/3121, UDP 5405), Tang NBDE server (TCP 80), databases (TCP 3306/5432), and IdM DNS (TCP/UDP 53).
SHA-1 is deprecated for cryptographic purposes across RHEL 9, but HMAC-SHA1 and UUID generation remain allowed.
SHA-1 is not allowed by default for cryptographic signatures in RHEL 9; enable with update-crypto-policies --set DEFAULT:SHA1 if needed.
Disabling SMT (Simultaneous Multi Threading) mitigates CPU side-channel attacks (L1TF, MDS) but reduces performance; can be configured via Cockpit web console.
sos clean <report-path> obfuscates sensitive data from a sos report before sharing.
sos report is the command to generate a diagnostic data bundle for Red Hat Technical Support; the sos package is installed via dnf install sos.
sos reports are saved to /var/tmp/ as compressed tarballs named sosreport-<hostname>-<date>-<hash>.tar.xz.
Running sos report requires root privileges.
To override the system-wide crypto policy for sshd on RHEL 9, use a drop-in file in /etc/ssh/sshd_config.d/ whose name sorts before 50 (for example 40-local.conf): /etc/ssh/sshd_config includes that directory first, sshd keeps the first value it reads for each keyword, and the crypto-policy settings arrive through 50-redhat.conf, so only an earlier-sorting file can win. Verify the effective values with sshd -T.
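The precedence rule above is easy to get wrong (a 60-*.conf file silently loses). The following bash script is an added example, not from the RHEL documentation or the OpenSSH project: it walks a sshd configuration the way sshd does, following Include directives in sorted order and keeping the first value seen for a keyword. The directory layout and all option values in make_fixture are constructed for the demonstration (the real 50-redhat.conf only pulls in the crypto-policy back-end file plus a few defaults), and Match blocks are assumed absent.

```bash
#!/usr/bin/env bash
# Added example (not from the RHEL docs): resolve the value sshd would use for a
# keyword, following OpenSSH's "first obtained value wins" rule across Include
# directives and the lexically sorted drop-in directory.
# Assumptions: bash 4+, absolute paths in Include lines, no Match blocks
# (settings below a Match line are conditional and stop the scan of that file).
set -euo pipefail
export LC_ALL=C     # bytewise glob order, like sshd's Include expansion
shopt -s nullglob

# effective_sshd_option <config-file> <keyword> [depth]
# Prints the winning value for <keyword>; returns 1 if it is never set.
effective_sshd_option() {
    local cfg="$1" key="${2,,}" depth="${3:-0}"
    local line word rest f
    (( depth < 16 )) || { echo "Include nesting too deep at $cfg" >&2; return 2; }
    [[ -r "$cfg" ]] || return 1
    while IFS= read -r line || [[ -n "$line" ]]; do
        line="${line#"${line%%[![:space:]]*}"}"        # strip leading blanks
        [[ -z "$line" || "$line" == \#* ]] && continue  # blank or comment
        read -r word rest <<<"$line"
        if [[ "$word" == *=* ]]; then                   # accept "Key=value" too
            rest="${word#*=}${rest:+ $rest}"
            word="${word%%=*}"
        fi
        word="${word,,}"
        case "$word" in
            include)
                # Expand the glob(s) and descend in sorted order; the first file
                # that sets the keyword wins, so later files cannot override it.
                for f in $rest; do
                    if effective_sshd_option "$f" "$key" $((depth + 1)); then
                        return 0
                    fi
                done ;;
            match)
                return 1 ;;                             # rest of file is conditional
            "$key")
                printf '%s\n' "$rest"
                return 0 ;;
        esac
    done <"$cfg"
    return 1
}

# make_fixture: constructed config tree in a temp dir; prints its path.
# File names mirror RHEL 9 (50-redhat.conf includes the crypto-policy back-end);
# every option value here is made up for the demonstration.
make_fixture() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication yes\n' "$d" >"$d/sshd_config"
    printf 'Ciphers aes256-gcm@openssh.com\n' >"$d/sshd_config.d/40-local.conf"
    printf 'Include %s/opensshserver.config\nPasswordAuthentication no\n' "$d" >"$d/sshd_config.d/50-redhat.conf"
    printf 'Ciphers aes128-ctr,aes256-ctr\nMACs hmac-sha2-256\n' >"$d/opensshserver.config"
    printf 'Ciphers 3des-cbc\n' >"$d/sshd_config.d/60-late.conf"   # sorts after 50: never wins
    printf '%s\n' "$d"
}

demo() {
    local d k
    d=$(make_fixture)
    for k in Ciphers MACs PasswordAuthentication KexAlgorithms; do
        printf '%-22s -> %s\n' "$k" \
            "$(effective_sshd_option "$d/sshd_config" "$k" || echo '(sshd built-in default)')"
    done
    rm -rf "$d"
}

if [[ "${1:-}" == "--demo" ]]; then demo; fi
```

Run with --demo: Ciphers resolves to the 40-local.conf value, MACs comes from the crypto-policy file through 50-redhat.conf, PasswordAuthentication is "no" because the drop-in directory is read before the body of the main file, and 60-late.conf never gets a say. On a real host the authoritative check is sshd -T, which prints the effective configuration after the same resolution.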
SSSD caching on clients is the primary mechanism for reducing IdM server load by caching identity and authentication data locally.
SSSD is the default/recommended backend when using realmd for AD integration on RHEL 9.
RHEL 9 maintains the 5.14.0 kernel branch across minor releases (9.3 through 9.5) on a six-month cadence, delivering security and feature updates through patch-level increments rather than kernel version bumps.
STONITH/fencing is mandatory in production Pacemaker clusters; disabling it is unsupported.
RHEL 9 patch management requires subscription authentication before any updates flow: systems must register and receive entitlements to access BaseOS and AppStream repositories, which then enables the full advisory-filtered patch lifecycle (security severity filtering, updateinfo queries, dnf update operations), creating a trust chain from Red Hat subscription through content delivery to system-level package updates.
RHEL 9 requires a registration-to-content pipeline before systems can receive updates: registration via one of three methods (GUI/TUI, subscription-manager CLI, or activation key), per-architecture subscription assignment, and content delivery from either Red Hat CDN or Satellite Server.
RHEL 9 content access follows a subscription-gated lifecycle: systems must first register via one of three methods (GUI/TUI, subscription-manager CLI, or activation key) to access the architecturally split BaseOS/AppStream repository system, which then provides the foundation for package installation, module stream selection, and security update management.
RHEL 9 supports four architectures: x86_64, aarch64, ppc64le, and s390x.
RHEL 9 supports three relational database servers: MariaDB, MySQL, and PostgreSQL.
The sysctl vm.page_lock_unfairness defaults to 5; after 5 lock steals, fair lock handoff applies.
RHEL System Roles provide Ansible-based consistent configuration across hosts, with dual naming conventions (legacy and collection), covering key subsystems (timesync, network, selinux, storage, firewall, logging, kdump).
systemctl enable makes a service persistent across reboots while systemctl start starts it immediately; both are needed to activate and persist a service.
Tang's default port is 80; to run it on a custom port, label the port first with semanage port -a -t tangd_port_t -p tcp <port>.
Tang server keys are stored in /var/db/tang/ as .jwk files; key rotation hides old keys by prefixing with . (dot).
RHEL 9 interactive installation supports three sources: physical installation media (USB/DVD), ISO file, or Red Hat CDN.
RHEL 9 distributes content across two default repositories: BaseOS and AppStream.
RHEL 9 provides two ISO types: Installation ISO (full, contains BaseOS + AppStream) and Boot ISO (minimal, requires network repository access).
RHEL 9 provides a unified authentication service stack where SSSD serves as the central identity daemon for external identity providers, authselect configures the PAM/NSS authentication profile, and SSSD client-side caching reduces IdM server load by locally caching identity and authentication data.
In RHEL 9, unprivileged BPF access is restricted by default (kernel.unprivileged_bpf_disabled = 2), meaning the bpf() syscall is limited to privileged users; the value 2, unlike 1, can still be changed back to 0 by an administrator at runtime.
virt-manager is deprecated in RHEL 9; Cockpit (RHEL web console) is the replacement GUI for VM management.
The RHEL 9 virtualization stack consists of KVM (kernel module), QEMU (device emulation), and libvirt (management API/daemon).
RHEL 9 virtualization is supported on x86_64 (Intel 64 and AMD64), IBM Z (s390x), and 64-bit ARM (aarch64, fully supported from RHEL 9.4), with varying feature availability per architecture.
Virtual consoles are accessed via Ctrl+Alt+F2 through F6; the graphical session typically runs on F1.
RHEL 9 provides a complete virtualization platform: KVM as the kernel-level hypervisor, QEMU for device emulation, libvirt as the management API/daemon, with multiple management interfaces (virsh CLI, virt-install for VM creation, Cockpit web console on port 9090).
RHEL 9 uses KVM (Kernel-based Virtual Machine) as its virtualization technology, not Xen or VMware.
RHEL 9 VMs can be managed via virsh (CLI), virt-install (VM creation), or the Cockpit web console at port 9090.
The inst.vnc boot parameter enables graphical installation on headless systems, supporting both Direct and Connect modes.
RHEL 9 supports both IPSec and WireGuard as VPN technologies.
The RHEL 9 web console is based on the upstream Cockpit project.
The RHEL 9 web console (Cockpit) provides browser-based system management through a defined deployment pattern: socket-activated service (not a persistent daemon), default listener on port 9090, and firewalld service integration for access control.
RHEL 9 requires x86-64-v2 as the minimum x86_64 microarchitecture level, meaning CPUs without SSE4.2 and POPCNT (roughly pre-2009 AMD, pre-2008 Intel) are not supported.
yum and dnf are interchangeable aliases in RHEL 9.
In RHEL 9.1+, fagenrules --load reloads fapolicy rules without requiring a manual fapolicyd restart.
In RHEL 9.1+, the free command calculates used memory as total minus available, accounting for unreclaimable cache and tmpfs objects.
In RHEL 9.1+, grubby --update-kernel=ALL --args="<argument>" correctly persists kernel command-line arguments across kernel upgrades.
NetworkManager in RHEL 9.1 orders IPv6 source addresses by priority: manual > dhcpv6 > autoconf6.
The command kdumpctl estimate checks estimated crashkernel memory reservation requirements.
In RHEL 9.1 FIPS mode, OpenSSL disallows 3DES, RSA keys smaller than 2048 bits, and RSA key exchange; the req tool uses AES-256-CBC for key encryption.
When the SELinux secure_mode boolean is enabled, staff_u users cannot switch to the unconfined_r role.
The SSSD option ldap_ignore_unreadable_references (default: false) controls whether group members that cannot be read from LDAP are silently skipped instead of causing errors.
RHEL 9.2 was released as Beta on March 29, 2023, with GA release notes published May 10, 2023.
RHEL 9.3 ships with kernel version 5.14.0-362.8.1.
RHEL 9.3 supports four architectures: x86_64 (min x86-64-v2), aarch64 (min ARMv8.0-A), ppc64le (min POWER9), and s390x (min z14).
RHEL 9.4 Application Streams include Python 3.12, Ruby 3.3, PHP 8.2, nginx 1.24, MariaDB 10.11, and PostgreSQL 16.
The chronyd-restricted service runs chrony without root privileges for minimal client-only NTP configurations.
The CNI network stack for Podman containers is deprecated in RHEL 9.4 in favor of Netavark; CNI will be removed in a future release.
FIPS mode for RHEL for Edge images must be enabled during image provisioning and cannot be changed after the build starts.
RHEL Image Builder supports custom mount points and partitioning modes: auto-lvm, lvm, and raw.
RHEL 9.4 ships with kernel version 5.14.0-427.13.1.
KVM virtualization on 64-bit ARM (aarch64) is fully supported in RHEL 9.4 (promoted from tech preview).
RHEL 9.4 modernizes the Podman container ecosystem across three infrastructure layers: SQLite replaces BoltDB as the default database backend, Netavark replaces CNI for container networking, and Quadlet gains .build, .pod, and .image unit types for declarative systemd-native container management.
The nft reset command can reset stateful objects (counters, quotas) in nftables rules.
nmstatectl gr new.yml > revert.yml generates a revert configuration file before applying network changes.
OpenSSH in RHEL 9.4 uses sysusers.d format for system user/group creation, replacing static useradd scripts.
OpenSSL provider configurations can be placed in /etc/pki/tls/openssl.d/*.conf as a drop-in directory without modifying the main config file.
Podman 4.9 in RHEL 9.4 supports podman farm build for building multi-architecture container images (Tech Preview).
Podman Quadlet in RHEL 9.4 supports .build, .pod, and .image unit types in addition to existing container units.
In RHEL 9.4, SQLite is the fully supported default database backend for Podman; BoltDB is deprecated.
SELinux userspace 3.6 in RHEL 9.4 introduces deny rules, allowing policies to explicitly deny access (not just allow/don't-allow).
semanage fcontext -l -C now lists local file context modifications in correct order (oldest to newest), matching restorecon processing order.
SSSD in RHEL 9.4 supports passwordless authentication via FIDO2-compatible devices (e.g., YubiKey).
RHEL supports in-place upgrade from RHEL 8.10 to RHEL 9.4; direct upgrade from RHEL 7 to RHEL 9 is not supported (requires two-stage upgrade via RHEL 8).
VM external snapshots are fully supported in RHEL 9.4 and are the default snapshot mechanism.
RHEL 9.5 minimum hardware versions: x86_64 requires x86-64-v2, aarch64 requires ARMv8.0-A, ppc64le requires POWER9, s390x requires z14.
RHEL 9.5 ships with kernel version 5.14.0-503.11.1.
RPM packages follow the Name-Version-Release (NVR) naming convention: name-version-release.arch.rpm.
Key rpm-ostree commands: rpm-ostree status (check deployment), rpm-ostree upgrade (pull/stage update), rpm-ostree rollback (revert to previous).
rpmbuild -bb builds binary RPMs only, rpmbuild -bs builds source RPMs only, and rpmbuild -ba builds both.
The rpmdev-setuptree command creates the rpmbuild directory tree at ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}.
rsyslogd -N 1 validates rsyslog configuration syntax on a managed node.
The Ansible system role for SELinux is redhat.rhel_system_roles.selinux (legacy name: rhel-system-roles.selinux).
SELinux AVC denials are logged to /var/log/audit/audit.log with entries prefixed type=AVC.
SELinux provides process and data isolation through the MAC framework (Type Enforcement + MCS category-based conjunction access control) complemented by polyinstantiation for per-user or per-security-level directory separation of shared paths like /tmp and /var/tmp.
SELinux on RHEL 9 provides a mandatory access control framework: layered enforcement (DAC → Type Enforcement → MCS), full mode lifecycle management (install-default enforcing → runtime toggle → persistent config → safe re-enable procedure), and fine-grained category-based isolation (1024 categories, conjunction access rule, post-DAC/TE evaluation).
The persistent SELinux configuration file is /etc/selinux/config, containing SELINUX= and SELINUXTYPE= directives.
Every SELinux context (label) has four fields: user, role, type, and security level.
DAC (traditional Unix permissions) rules are checked before SELinux (MAC) rules; if DAC denies access, SELinux is never consulted and no AVC denial is logged.
SELinux default action is deny; access requires an explicit allow rule in the policy.
The default SELinux policy on RHEL is targeted; the alternative is mls (Multi Level Security).
Three methods for deploying SELinux configuration across systems: Ansible system roles, web console (Cockpit), and semanage export/import.
SELinux configuration can be deployed and maintained at scale through an integrated automation toolkit: three deployment methods (Ansible system roles, Cockpit web console, semanage), the dedicated Ansible role (redhat.rhel_system_roles.selinux), portable settings transfer via semanage export/import, and filesystem relabeling orchestration via fixfiles, enabling consistent SELinux policy across fleet-wide deployments.
SELinux enforcing mode is the default when RHEL is initially installed.
The command fixfiles -F onboot creates the /.autorelabel file, triggering a full filesystem relabel on next boot.
The getenforce command returns the current SELinux mode: Enforcing, Permissive, or Disabled.
The kernel parameter enforcing=0 boots SELinux in permissive mode temporarily (boot-time only, not persistent).
The kernel parameter selinux=0 completely disables SELinux at the kernel level; set via grubby --update-kernel ALL --args selinux=0.
SELinux operates through a layered enforcement model: DAC is evaluated first, type is the primary policy mechanism, per-domain permissive mode enables targeted debugging, and AVC denials are logged for forensic analysis.
SELinux mode management spans four persistence levels with a defined safe transition procedure: enforcing-by-default on fresh install, non-persistent runtime toggling via setenforce, boot-time kernel parameter overrides, persistent configuration in /etc/selinux/config, and a safe re-enablement sequence (disabled → permissive → audit denials → fixfiles relabel → enforcing).
SELinux module priority defaults to 400 when deployed via the Ansible system role.
In RHEL 9.5, SELinux labels the npm binary as bin_t (previously lib_t) to allow proper execution.
A single SELinux domain can be set to permissive mode with semanage permissive -a <domain_t> while the rest of the system remains enforcing.
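AVC records are the raw material for both forensics and policy tuning, and the permissive flag in each record tells you whether the denied action was actually blocked or merely logged (permissive=1 for a domain made permissive with semanage permissive -a, or for a system in permissive mode). The script below is an added example, not from the RHEL documentation: it reduces an audit log to one line per source-domain/target-type/class/permission combination with a count. The five log records in make_avc_fixture are constructed (timestamps, pids and inode numbers are made up, and myapp_t is a hypothetical domain); httpd_t, user_home_t and postgresql_port_t are real targeted-policy types.

```bash
#!/usr/bin/env bash
# Added example (not from the RHEL docs): summarise SELinux AVC denials from an
# audit log by source domain, target type, object class and denied permissions,
# keeping the permissive flag so logged-but-not-blocked events stand out.
# Assumes GNU/Linux with a POSIX awk and coreutils.
set -euo pipefail

# summarize_avc <audit-log>
# Prints "<count> <src type> -> <tgt type> <tclass> { perms } comm=<prog> permissive=<0|1>",
# most frequent first. Non-AVC records (SYSCALL, PATH, ...) are ignored.
summarize_avc() {
    awk '
        /^type=AVC / {
            perm = ""; comm = "?"; s = "?"; t = "?"; cls = "?"; pm = "?"
            if (match($0, /[{][^}]*[}]/)) {            # "{ read write }" -> "read write"
                perm = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perm)
            }
            for (i = 1; i <= NF; i++) {
                if (index($i, "=") == 0) continue
                k = substr($i, 1, index($i, "=") - 1)
                v = substr($i, index($i, "=") + 1)
                if (k == "comm")            { gsub(/"/, "", v); comm = v }
                else if (k == "scontext")   { split(v, c, ":"); s = c[3] }   # user:role:TYPE:level
                else if (k == "tcontext")   { split(v, c, ":"); t = c[3] }
                else if (k == "tclass")     cls = v
                else if (k == "permissive") pm = v
            }
            key = s " -> " t " " cls " { " perm " } comm=" comm " permissive=" pm
            n[key]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }
    ' "$1" | sort -rn
}

# make_avc_fixture: writes constructed audit records to a temp file, prints its path.
make_avc_fixture() {
    local f
    f=$(mktemp)
    cat >"$f" <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="index.html" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=1201 comm="httpd" name="style.css" dev="dm-0" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { write } for  pid=1302 comm="myapp" name="data.db" dev="dm-0" ino=1003 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=257 success=yes exit=3 comm="myapp"
EOF
    printf '%s\n' "$f"
}

demo() {
    local f
    f=$(make_avc_fixture)
    summarize_avc "$f"
    rm -f "$f"
}

if [[ "${1:-}" == "--demo" ]]; then demo; fi
```

On a real host feed it the raw records for the window of interest, for example ausearch -m AVC -ts today --raw > /tmp/avc.raw; summarize_avc /tmp/avc.raw. The httpd_t -> user_home_t line is the classic "content served from a home directory" case (fix the label with semanage fcontext/restorecon, or the httpd_enable_homedirs boolean), the name_connect on postgresql_port_t is the httpd_can_network_connect_db boolean, and the permissive=1 line from myapp_t shows that the write succeeded even though it was logged, which is exactly what you want to see while profiling a new domain with semanage permissive -a and exactly what you do not want to see in production.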
The SELinux boolean allow_polyinstantiation must be enabled (setsebool -P allow_polyinstantiation 1) to use polyinstantiated directories.
SELinux polyinstantiation provides per-user or per-security-level directory isolation: configured in /etc/security/namespace.conf (pam_namespace also reads /etc/security/namespace.d/*.conf), enforced via the pam_namespace.so PAM module, gated by the allow_polyinstantiation boolean, using the user method on non-MLS systems and the level method on MLS systems, verifiable with findmnt.
A reboot is required for persistent SELinux mode changes made in /etc/selinux/config to take effect.
The safe procedure to re-enable SELinux is: disabled → permissive (reboot) → check denials → fixfiles -F onboot → enforcing (reboot).
SELinux has three configuration values for the SELINUX= directive: enforcing, permissive, and disabled.
The type field (ending in _t) is the most important SELinux context field; most policy rules operate on types.
semanage export -f <file> and semanage import -f <file> transfer all custom SELinux settings (ports, fcontexts, booleans) between systems.
The policycoreutils-python-utils package is required for semanage export/import functionality.
setenforce 0 sets permissive mode and setenforce 1 sets enforcing mode, both non-persistently (does not survive reboot).
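The persistent step of the mode lifecycle above is an edit to /etc/selinux/config, and a careless sed on that file is a common way to break it: the file contains a comment line "# SELINUX= can take one of these three values:" and a SELINUXTYPE= line, both of which an unanchored substitution will mangle. The script below is an added example, not from the RHEL documentation: a reader and a validating writer for the SELINUX= directive that work on any path, so they can be exercised on a temporary copy. The fixture reproduces the layout of the stock RHEL 9 file in abridged form; on a real host pass /etc/selinux/config as root and reboot for the change to take effect.

```bash
#!/usr/bin/env bash
# Added example (not from the RHEL docs): read and set the persistent SELinux
# mode in a file with the /etc/selinux/config layout without touching the
# "# SELINUX=" comment or the SELINUXTYPE= line. Assumes GNU sed.
set -euo pipefail

# selinux_config_mode <config-file>
# Prints enforcing|permissive|disabled from the first uncommented SELINUX= line.
# The ^SELINUX= anchor excludes both "# SELINUX= ..." comments and SELINUXTYPE=.
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | head -n1
}

# set_selinux_config_mode <config-file> <mode>
# Rewrites SELINUX= in place, or appends it if the file has none.
# Refuses anything other than the three values the file accepts.
set_selinux_config_mode() {
    local cfg="$1" mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode (want enforcing|permissive|disabled)" >&2; return 2 ;;
    esac
    if grep -q '^SELINUX=' "$cfg"; then
        sed -i "s/^SELINUX=.*/SELINUX=$mode/" "$cfg"
    else
        printf 'SELINUX=%s\n' "$mode" >>"$cfg"
    fi
}

# make_selinux_config_fixture: abridged copy of the stock file layout in a temp
# file (constructed for the demonstration); prints its path.
make_selinux_config_fixture() {
    local f
    f=$(mktemp)
    cat >"$f" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
    printf '%s\n' "$f"
}

demo() {
    local f
    f=$(make_selinux_config_fixture)
    echo "before: $(selinux_config_mode "$f")"
    set_selinux_config_mode "$f" permissive
    echo "after:  $(selinux_config_mode "$f")"
    cat "$f"
    rm -f "$f"
}

if [[ "${1:-}" == "--demo" ]]; then demo; fi
```

Compare the output of the demo with what `sed -i 's/SELINUX=.*/SELINUX=permissive/'` (no anchor) would do to the same file: the comment becomes "# SELINUX=permissive" and SELINUXTYPE=targeted becomes SELINUXTYPE=permissive, which is a boot-time failure waiting to happen. Note also that the kernel parameter selinux=0 remains the supported way to fully disable SELinux on RHEL 9; SELINUX=disabled in this file is accepted but switches SELinux off late in boot.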
Set-GID bit (chmod g+s or octal 2775) on a directory causes new files to inherit the directory's group ownership. Sticky bit (chmod +t, octal 1777) on a shared directory prevents users from deleting or renaming others' files.
Simple Content Access (SCA) is the current default subscription model in RHEL; the legacy entitlement-based model is deprecated.
An RPM spec file contains sections %prep (source preparation), %build (compilation), %install (file installation to buildroot), %files (packaged file list), and %changelog (change history).
SSH key-based auth uses public/private key pairs. ssh-keygen generates keys (Ed25519 recommended). ssh-copy-id deploys public key. Permissions: ~/.ssh (700), authorized_keys (600). Private key never leaves client.
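The permission requirements above are enforced by sshd itself: with StrictModes (the default) it ignores an authorized_keys file or ~/.ssh directory that is group- or world-writable, and ssh refuses to use a private key that other users can read, so a wrong mode shows up as "Permission denied" rather than an obvious error. The script below is an added example, not from the RHEL documentation or OpenSSH: an audit function that reports deviations from the 700/600 layout and a companion that repairs them. The fixture directory and its empty key files are constructed (no real key material).

```bash
#!/usr/bin/env bash
# Added example (not from the RHEL docs): audit and repair the permissions sshd
# expects under a user's ~/.ssh. Assumes GNU coreutils (stat -c) on Linux.
set -euo pipefail

# check_ssh_perms <ssh-dir>
# Prints one FAIL line per problem and returns 1 if anything is wrong:
# the directory must be 700; authorized_keys and every private key
# (id_* without a .pub suffix) must be 600.
check_ssh_perms() {
    local dir="$1" rc=0 f mode
    [[ -d "$dir" ]] || { echo "FAIL $dir missing"; return 1; }
    mode=$(stat -c %a "$dir")
    [[ "$mode" == 700 ]] || { echo "FAIL $dir mode $mode (want 700)"; rc=1; }
    for f in "$dir"/authorized_keys "$dir"/id_*; do
        [[ -f "$f" && "$f" != *.pub ]] || continue
        mode=$(stat -c %a "$f")
        [[ "$mode" == 600 ]] || { echo "FAIL $f mode $mode (want 600)"; rc=1; }
    done
    return "$rc"
}

# fix_ssh_perms <ssh-dir>
# Applies the expected modes; public keys stay world-readable (644).
fix_ssh_perms() {
    local dir="$1" f
    chmod 700 "$dir"
    for f in "$dir"/authorized_keys "$dir"/id_*; do
        [[ -f "$f" ]] || continue
        if [[ "$f" == *.pub ]]; then chmod 644 "$f"; else chmod 600 "$f"; fi
    done
}

# make_ssh_fixture: a constructed ~/.ssh with typical mistakes (empty files,
# no real keys); prints its path.
make_ssh_fixture() {
    local d
    d=$(mktemp -d)
    chmod 755 "$d"                                            # too open: want 700
    : >"$d/authorized_keys";  chmod 644 "$d/authorized_keys"   # too open: want 600
    : >"$d/id_ed25519";       chmod 644 "$d/id_ed25519"        # private key readable by all
    : >"$d/id_ed25519.pub";   chmod 644 "$d/id_ed25519.pub"    # fine for a public key
    printf '%s\n' "$d"
}

demo() {
    local d
    d=$(make_ssh_fixture)
    check_ssh_perms "$d" || echo "-> $? problem(s) found, fixing"
    fix_ssh_perms "$d"
    check_ssh_perms "$d" && echo "-> OK"
    rm -rf "$d"
}

if [[ "${1:-}" == "--demo" ]]; then demo; fi
```

Run check_ssh_perms ~/.ssh as the user, or loop it over /home/*/.ssh as root, before chasing a key-based login failure; the demo shows three findings (directory, authorized_keys, private key) on the constructed fixture and a clean pass after fix_ssh_perms.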
sssctl is the utility for managing and troubleshooting SSSD on RHEL 9.
SSSD (System Security Services Daemon) is the central service RHEL 9 uses to authenticate and authorize users against external identity backends (IdM, Active Directory, LDAP).
Stratis local storage management (thin provisioning, snapshots, auto-grow) is a Technology Preview in RHEL 9.2, managed via the stratis CLI and stratisd daemon.
Subscription-manager progress messages can be re-enabled with subscription-manager config --rhsm.progress_messages=1.
Systems are registered with subscription-manager register --activationkey=<key> --org=<org_id> and successful registration returns a system UUID.
The sysstat package provides sar, iostat, and mpstat and must be installed separately on RHEL 9.
Services must be started via systemctl to receive correct SELinux domain labels.
systemd is the init system and service manager for RHEL 9, managed via systemctl (enable, start, stop, status, mask).
systemd-resolved is available as a Technology Preview in RHEL 9 but is not the default DNS resolution mechanism.
tar creates and extracts archives. Flags: c (create), x (extract), t (list), f (file), z (gzip), j (bzip2), J (xz). Use -C for target directory. tar xf auto-detects compression format.
Technology Preview features in RHEL are not fully supported by Red Hat, are provided for testing and feedback, and may change or be removed without the standard deprecation process.
RHEL systems can be registered three ways: GUI/TUI during installation, CLI post-install with subscription-manager, or automated via Kickstart/activation keys.
TuneD profiles are managed with tuned-adm: list (available profiles), active (current), profile <name> (apply), recommend (suggested profile).
TuneD is enabled by default on RHEL 9.
File permissions use user/group/other (ugo) with read/write/execute (rwx). chmod sets permissions in symbolic (u+x) or octal (755) mode. chown changes ownership. umask sets default permissions.
Unified Kernel Image (UKI) via kernel-uki-virt package combines kernel, initramfs, and cmdline into one signed binary requiring UEFI; it is a Technology Preview in RHEL 9.2.
vim is the default text editor on RHEL 9 with Normal, Insert, and Command-line modes. Key commands: i (insert), Esc (normal), :wq (save and quit), dd (delete line), /pattern (search).
WireGuard VPN is a Technology Preview (not fully supported) in RHEL 9.
XDP (eXpress Data Path) is the highest-performance packet processing path in the Linux kernel, operating at the NIC driver level before the normal network stack.