# Belief Registry

## Claims

### amd-sev-requires-epyc-rome [IN] OBSERVATION
AMD SEV/SEV-ES requires 2nd-generation AMD EPYC (Rome) or later; RHEL 9 provides memory encryption but not security attestation.

### anaconda-boot-parameter-framework [IN] OBSERVATION
Anaconda installation is controlled through a layered boot parameter framework: inst.ks= for Kickstart automation, inst.repo= for installation source selection (supporting HTTP/FTP/NFS/CDN), inst.stage2= for runtime image location, inst.graphical/text/cmdline for UI mode control, and inst.sshd for remote access during installation.

### anaconda-ks-cfg-saved-after-install [IN] OBSERVATION
After every interactive RHEL installation, a reference Kickstart file is saved at `/root/anaconda-ks.cfg`.

### ansible-freeipa-idm-automation-package [IN] OBSERVATION
`ansible-freeipa` is the official Red Hat package for Ansible-based IdM automation on RHEL 9, providing roles (ipaserver, ipareplica, ipaclient) for installation and modules (ipauser, ipagroup, ipahost) for object management.

### audit-immutable-mode-e2-behavior [IN] OBSERVATION
Audit immutable mode (`-e 2`) no longer prevents `auditd` from starting; `augenrules` returns exit code 0 in this mode.

### audit-immutable-mode-flag [IN] OBSERVATION
Audit immutable mode (`-e 2`) with `augenrules` returns exit code 0 in RHEL 9.5, allowing `auditd` to start at boot.

### authselect-replaces-authconfig [IN] OBSERVATION
`authselect` is the current tool for configuring authentication profiles (PAM/NSS) on RHEL 9, replacing the deprecated `authconfig`.

### autofs-on-demand-mounting [IN] OBSERVATION
autofs mounts filesystems on demand when accessed. Master map /etc/auto.master.d/*.autofs references indirect or direct map files. Direct maps use /- entry. Enable with systemctl enable --now autofs.

### bash-command-substitution [IN] OBSERVATION
Command substitution $(command) captures command stdout for use in variable assignments, conditionals, and loops. Preferred over backtick syntax. Can be nested.

### bash-conditional-if-test [IN] OBSERVATION
Bash conditional execution uses if/then/elif/else/fi and test or [ ] brackets. File tests: -f (file exists), -d (directory). Numeric: -eq -ne -gt -lt. String: = != -z -n.

### bash-default-shell-rhel9 [IN] OBSERVATION
The default shell in RHEL 9 is /bin/bash. Users access a shell prompt via terminal emulators, virtual consoles (Ctrl+Alt+F1-F6), or SSH.

### bash-positional-parameters [IN] OBSERVATION
Bash script positional parameters: $1-$9 (arguments), $0 (script name), $# (argument count), "$@" (all args preserving word boundaries). shift removes first parameter.

### boot-ip-static-field-order [IN] OBSERVATION
Static IP boot option syntax is `ip=IP::GATEWAY:NETMASK:HOSTNAME:INTERFACE:none`, seven colon-separated fields in that order; the empty second field is the peer address (used only on point-to-point links) and the last field is the autoconfiguration method, `none` for a static address.

### bootc-atomic-updates-and-rollback [IN] OBSERVATION
bootc provides atomic updates (pull new image and reboot) and rollback to previous OS versions if an update causes problems.

### bootc-key-commands [IN] OBSERVATION
Key bootc commands: `bootc install to-disk`, `bootc switch`, `bootc upgrade`, `bootc status`.

### bootdev-required-multiple-ip-options [IN] OBSERVATION
`bootdev=` is mandatory when using multiple `ip=` boot options to designate the primary boot interface.
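
An added example (not from the RHEL documentation) that applies the two claims above, boot-ip-static-field-order and bootdev-required-multiple-ip-options, before an `ip=` line is committed to a PXE or GRUB entry: it splits the seven fields, validates the addresses and the autoconf keyword, and checks that more than one `ip=` option is accompanied by `bootdev=`. The addresses, hostnames and interface names are placeholders; the autoconf keyword list is the one dracut documents.

```shell
#!/usr/bin/env bash
# Added example, not from the RHEL documentation: parse and sanity-check the
# static "ip=" boot option and the "bootdev=" rule. Field order:
#   ip=IP::GATEWAY:NETMASK:HOSTNAME:INTERFACE:none
# The empty second field is the peer address (point-to-point links only); the
# seventh field is the autoconf method.

is_ipv4() {
    # dotted quad with every octet in 0..255
    local o
    [[ "$1" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
    for o in "${BASH_REMATCH[@]:1}"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Prints one "name=value" line per field and returns 0 when the option is
# well formed; prints a diagnostic on stderr and returns 1 otherwise.
parse_ip_option() {
    local opt="${1#ip=}" f
    IFS=':' read -r -a f <<< "$opt"
    if [ "${#f[@]}" -ne 7 ]; then
        echo "ip=: expected 7 colon-separated fields, got ${#f[@]}" >&2
        return 1
    fi
    local ip="${f[0]}" peer="${f[1]}" gw="${f[2]}" mask="${f[3]}"
    local host="${f[4]}" dev="${f[5]}" auto="${f[6]}"
    is_ipv4 "$ip"   || { echo "ip=: bad client IP '$ip'" >&2; return 1; }
    is_ipv4 "$gw"   || { echo "ip=: bad gateway '$gw'" >&2; return 1; }
    is_ipv4 "$mask" || { echo "ip=: bad netmask '$mask'" >&2; return 1; }
    [ -n "$dev" ]   || { echo "ip=: interface field is empty" >&2; return 1; }
    case "$auto" in
        none|off|dhcp|on|any|dhcp6|auto6|ibft) ;;
        *) echo "ip=: unknown autoconf method '$auto'" >&2; return 1 ;;
    esac
    printf 'ip=%s\npeer=%s\ngateway=%s\nnetmask=%s\nhostname=%s\ninterface=%s\nautoconf=%s\n' \
        "$ip" "$peer" "$gw" "$mask" "$host" "$dev" "$auto"
}

# Returns 0 when a kernel command line honours the rule that more than one
# ip= option requires bootdev=; returns 1 otherwise.
check_bootdev_rule() {
    local word n=0 have_bootdev=0
    for word in $1; do
        case "$word" in
            ip=*) n=$((n + 1)) ;;
            bootdev=*) have_bootdev=1 ;;
        esac
    done
    if [ "$n" -gt 1 ] && [ "$have_bootdev" -eq 0 ]; then
        echo "$n ip= options but no bootdev=" >&2
        return 1
    fi
    return 0
}

# Demo on constructed placeholder values.
parse_ip_option 'ip=192.168.1.50::192.168.1.1:255.255.255.0:host1.example.com:ens192:none'
check_bootdev_rule 'inst.ks=http://ks.example.com/ks.cfg ip=192.168.1.50::192.168.1.1:255.255.255.0:host1:ens192:none ip=10.0.0.5::10.0.0.1:255.255.255.0:host1:ens224:none bootdev=ens192'
```

A missing empty peer field (six fields instead of seven) shifts every later value by one, which is the usual way a "static" entry silently ends up with the netmask in the hostname slot; the field-count check catches that before the first boot.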

### bpf-jit-always-on-rhel9 [IN] OBSERVATION
BPF JIT compilation is always enabled in RHEL 9 (`CONFIG_BPF_JIT_ALWAYS_ON=y`); BPF programs are compiled to native code, not interpreted.

### bpf-restricted-privileged-default-rhel9 [IN] OBSERVATION
BPF is restricted to privileged users by default in RHEL 9 (`kernel.unprivileged_bpf_disabled=2`); values are 0=unprivileged BPF allowed, 1=disabled until reboot (cannot be re-enabled at runtime), 2=disabled but an administrator can change the setting at runtime.

### bpftool-feature-command [IN] OBSERVATION
`bpftool feature` enumerates all BPF features (program types, map types, helpers, kernel config) supported by the running RHEL kernel.

### chage-password-aging [IN] OBSERVATION
chage manages password aging: -M (max days), -m (min days), -W (warning), -E (account expiry date), -d 0 (force change). chage -l shows current settings. Defaults in /etc/login.defs.

### chcat-manages-mcs-categories [IN] OBSERVATION
The `chcat` command manages MCS categories on both users (`chcat -l`) and files; `chcat -L` lists category labels.

### chrony-ntp-time-sync [IN] OBSERVATION
chrony is the default NTP time synchronization client on RHEL 9. Configure NTP servers in /etc/chrony.conf with iburst. Use timedatectl for timezone and NTP control. chronyc sources shows sync status.

### cockpit-default-port-9090 [IN] OBSERVATION
The RHEL 9 web console (Cockpit) listens on port 9090 by default.

### cockpit-firewall-service-name [IN] OBSERVATION
The firewalld service name for permitting web console access is `cockpit` (`firewall-cmd --add-service=cockpit`).

### cockpit-socket-activated [IN] OBSERVATION
The web console is enabled via `cockpit.socket` (socket activation), not as a persistent daemon: `sudo systemctl enable --now cockpit.socket`.

### containers-use-mcs-for-isolation [IN] OBSERVATION
SELinux uses MCS (via `container-selinux`) to isolate containers from each other.

### content-sources-cdn-or-satellite [IN] OBSERVATION
Registered RHEL systems receive content from either Red Hat Content Delivery Network (CDN) or Red Hat Satellite Server.

### create-edit-text-files-vim [IN] OBSERVATION
Create and edit text files using vim, the default editor on RHEL 9. Use i to insert, Esc to return to normal mode, :wq to save and quit. Also use touch to create empty files and cat > file for quick creation.

### database-default-ports [IN] OBSERVATION
Default database ports on RHEL 9: MariaDB/MySQL use port 3306, PostgreSQL uses port 5432.

### database-packages-appstream [IN] OBSERVATION
Database server packages on RHEL 9 come from the AppStream repository using module streams for version selection.

### database-packages-from-appstream [IN] OBSERVATION
Database server packages on RHEL 9 are provided from the AppStream repository using module streams for version selection.

### dax-persistent-memory-mount-option [IN] OBSERVATION
DAX (direct persistent memory mapping) for ext4/XFS requires NVDIMMs and the `dax` mount option (e.g., `mount -o dax /dev/pmem0 /mnt/dax`); it is a Technology Preview in RHEL 9.2.

### dax-requires-nvdimm-ext4-xfs [IN] OBSERVATION
DAX (Direct Access) requires persistent memory hardware (NVDIMMs), a compatible file system (ext4 or XFS), and the `dax` mount option (`mount -o dax`).

### deprecated-not-removed [IN] OBSERVATION
Deprecated functionality in RHEL remains functional in the current major version but is planned for removal in a future major release; it should not be relied upon for new deployments.

### dist-macro-appends-distribution-tag [IN] OBSERVATION
The `%{?dist}` macro in spec files automatically appends the distribution tag (e.g., `.el9` for RHEL 9).

### dnf-autoremove-installonly-behavior [IN] OBSERVATION
`dnf autoremove` does not automatically exclude `installonly` packages; use `dnf mark install <pkg>` to protect packages from autoremoval.

### dnf-builddep-installs-build-dependencies [IN] OBSERVATION
The command `dnf builddep <spec>` installs build dependencies listed in an RPM spec file.

### dnf-remove-duplicates-exit-code [IN] OBSERVATION
`dnf remove --duplicates` exits with code 0 when no duplicates are found.

### efibootmgr-manages-uefi-boot-order [IN] OBSERVATION
`efibootmgr` is used to view and modify the UEFI boot order on RHEL 9 systems.

### fapolicyd-rules-d-replaces-monolithic [IN] OBSERVATION
`/etc/fapolicyd/rules.d/` replaces the monolithic `fapolicyd.rules` file; `fagenrules` merges rules into `compiled.rules`.

### file-directory-operations [IN] OBSERVATION
File and directory operations: cp (copy), cp -r (recursive), cp -a (archive), mv (move/rename), rm (remove), rm -r (recursive), mkdir (create directory), mkdir -p (create parent dirs), touch (create/update).

### firewall-rules-three-directions [IN] OBSERVATION
Firewall rules control traffic in three directions: incoming, outgoing, and forwarded.

### firewalld-controls-three-traffic-directions [IN] OBSERVATION
`firewalld` rules control three directions of network traffic: incoming, outgoing, and forwarded.

### fstab-uuid-label-mounting [IN] OBSERVATION
/etc/fstab configures persistent filesystem mounts at boot using UUID= or LABEL= for reliability. Format: device mountpoint fstype options dump pass. Test with mount -a before rebooting.

### getconf-pagesize-shows-kernel-page-size [IN] OBSERVATION
`getconf PAGESIZE` returns `65536` for a 64k page kernel and `4096` for a 4k page kernel.

### greenboot-edge-health-check [IN] OBSERVATION
Greenboot is the health-check framework for automated rollback on RHEL for Edge systems.

### grep-regex-search-tool [IN] OBSERVATION
grep searches files for lines matching regular expressions. Key flags: -i (case-insensitive), -v (invert match), -r (recursive), -n (line numbers), -E (extended regex). Supports anchors ^ and $.

### group-management-usermod-groupadd [IN] OBSERVATION
groupadd creates groups, groupdel removes them. usermod -aG adds user to supplementary group (without -a it replaces all groups). groups and id show group memberships. /etc/group stores group data.

### grubby-set-default-changes-boot-kernel [IN] OBSERVATION
`grubby --set-default` is the command to change the default boot kernel on RHEL 9.

### hard-soft-links-differences [IN] OBSERVATION
Hard links share the same inode, cannot cross filesystems or link to directories. Symbolic links have their own inode, can cross filesystems and link to directories. ln creates hard links, ln -s creates soft links.
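
An added example (not from the RHEL documentation) that makes the claim above observable in a temporary directory: inode numbers for the original, a hard link and a symlink, the refusal to hard-link a directory, and what each link still reaches after the original is deleted. It assumes GNU coreutils (`stat -c`) and a filesystem that allows hard links, which is the case on any RHEL host.

```shell
#!/usr/bin/env bash
# Added example, not from the RHEL documentation: observe hard-link vs symlink
# behaviour. Everything happens in a temp directory; inode numbers come from
# GNU stat (without -L, so a symlink reports its own inode).

inode_of() { stat -c %i "$1"; }

# Returns 0 if two paths share an inode (are hard links of each other).
same_inode() { [ "$(inode_of "$1")" = "$(inode_of "$2")" ]; }

# Value of fs.protected_hardlinks (systemd's defaults set it to 1 on RHEL),
# which stops users from hard-linking files they do not own. "unknown" off Linux.
hardlink_protection() {
    if [ -r /proc/sys/fs/protected_hardlinks ]; then
        cat /proc/sys/fs/protected_hardlinks
    else
        echo unknown
    fi
}

# Create original, hard link and symlink, then delete the original.
link_demo() {
    local dir=$1
    echo "secret config" > "$dir/orig"
    ln "$dir/orig" "$dir/hard"
    ln -s "$dir/orig" "$dir/soft"
    mkdir "$dir/sub"

    same_inode "$dir/orig" "$dir/hard" && echo "hard link shares inode $(inode_of "$dir/orig")"
    same_inode "$dir/orig" "$dir/soft" || echo "symlink has its own inode $(inode_of "$dir/soft")"
    echo "link count before rm: $(stat -c %h "$dir/orig")"
    ln "$dir/sub" "$dir/sublink" 2>/dev/null || echo "hard link to a directory refused"
    echo "fs.protected_hardlinks=$(hardlink_protection)"

    rm "$dir/orig"
    # The data survives through the hard link; the symlink now dangles and will
    # resolve to whatever is later created at that path (a classic symlink race).
    if [ -r "$dir/hard" ]; then echo "hard: $(cat "$dir/hard")"; fi
    if [ -L "$dir/soft" ] && [ ! -e "$dir/soft" ]; then
        echo "soft: dangling -> $(readlink "$dir/soft")"
    fi
}

# Returns 0 when, after the original is gone, the hard link still holds the
# data and the symlink is dangling.
verify_after_delete() {
    local dir=$1
    [ "$(cat "$dir/hard")" = "secret config" ] && [ -L "$dir/soft" ] && [ ! -e "$dir/soft" ]
}

demo_dir=$(mktemp -d)
link_demo "$demo_dir"
verify_after_delete "$demo_dir" && echo "verified"
rm -rf "$demo_dir"
```

The security reading of the two outcomes: a hard link keeps a file's content alive after the owner "deletes" it (hence `fs.protected_hardlinks`), while a dangling symlink is a path an attacker can later populate, so both deserve a look when auditing shared directories.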

### idm-api-requires-kerberos-credentials [IN] OBSERVATION
IdM API access requires valid Kerberos credentials to establish a session.

### idm-api-uses-python-ipalib [IN] OBSERVATION
The IdM API is consumed via Python scripts using the `ipalib` library, not a traditional REST client (it wraps JSON-RPC internally).

### idm-auth-requires-kerberos-ticket [IN] OBSERVATION
Authenticating to Red Hat Identity Management (IdM) requires obtaining a Kerberos ticket with `kinit` before performing any administration tasks.

### idm-auto-creates-srv-records [IN] OBSERVATION
IdM automatically creates DNS SRV records for Kerberos, LDAP, and other services when integrated DNS is enabled.

### idm-automount-maps-centrally-managed [IN] OBSERVATION
Automount maps can be managed centrally through IdM rather than using local configuration files on each host.

### idm-backend-389ds-ldap [IN] OBSERVATION
IdM stores identity data in a 389 Directory Server (LDAP) backend.

### idm-backend-components [IN] OBSERVATION
IdM integrates a Kerberos KDC, 389 Directory Server (LDAP), Dogtag CA, and SSSD for client-side credential caching.

### idm-centralizes-users-groups-hosts-access [IN] OBSERVATION
IdM centralizes management of users, groups, hosts, and access policies (HBAC and sudo rules).

### idm-complete-identity-stack [IN] OBSERVATION
IdM provides a unified identity management stack bundling 389 Directory Server (LDAP), MIT Kerberos KDC, Dogtag CA, and SSSD into a single integrated platform with centralized user/group/host/policy management.

### idm-dns-autodiscovery-framework [IN] OBSERVATION
When integrated DNS is deployed, the BIND-with-LDAP DNS subsystem automatically creates the SRV records for the Kerberos and LDAP services, so `ipa-client-install` can locate and join the IdM domain through DNS SRV autodiscovery without an explicit server specification.

### idm-dns-forward-policy-options [IN] OBSERVATION
IdM DNS forward policy options are `only` (forward only to forwarder) and `first` (try forwarder first, then resolve locally).

### idm-dns-is-optional [IN] OBSERVATION
DNS is optional in IdM — an external DNS server can be used instead, but SRV and other records must then be managed manually.

### idm-dns-port-53-firewalld [IN] OBSERVATION
DNS service (port 53 TCP/UDP) must be open in firewalld on IdM servers running integrated DNS.

### idm-dns-uses-bind-ldap-backend [IN] OBSERVATION
IdM integrated DNS uses BIND with an LDAP backend, storing zone data in the IdM directory rather than in `/var/named/` zone files.

### idm-health-monitored-identity [IN] OBSERVATION
IdM provides health-monitored identity services: the complete identity stack (389 DS/Kerberos/CA/SSSD) is monitored by automated health checks via `ipa-healthcheck` with systemd timer scheduling, enabling proactive detection of certificate expiration, replication failures, and service degradation before they impact authentication.

### idm-integrated-ca-dogtag [IN] OBSERVATION
IdM includes an integrated Certificate Authority (Dogtag) for TLS and user certificates.

### idm-integrated-dns-subsystem [IN] OBSERVATION
IdM provides an integrated DNS subsystem: BIND with LDAP backend stores zone data in the IdM directory (not zone files), supports configurable forward policies (`only` and `first`), reverse DNS zones via `in-addr.arpa` naming, and requires port 53 TCP/UDP open in firewalld — all managed through the IdM interface rather than traditional BIND administration.

### idm-integrates-samba-ansible-automount [IN] OBSERVATION
Red Hat Identity Management (IdM) on RHEL 9 can integrate with Samba, Ansible, and automount as external services for centralized authentication.

### idm-integrations-use-kerberos-ldap [IN] OBSERVATION
IdM integration with external services relies on Kerberos authentication and LDAP directory as underlying mechanisms.

### idm-kerberos-commands-kinit-klist-kdestroy [IN] OBSERVATION
IdM Kerberos authentication uses `kinit` to obtain tickets, `klist` to verify current tickets, and `kdestroy` to remove tickets.

### idm-kerberos-gated-administration [IN] OBSERVATION
All IdM administration — both API and CLI — requires prior Kerberos authentication: kinit to obtain tickets, klist to verify, kdestroy to remove, with the API consuming credentials via ipalib.

### idm-kinit-required-before-admin [IN] OBSERVATION
Users must authenticate with `kinit` to obtain a Kerberos ticket before performing any IdM administration tasks.

### idm-klist-verifies-kdestroy-removes-ticket [IN] OBSERVATION
`klist` verifies the current Kerberos ticket and `kdestroy` removes it.

### idm-only-supported-on-rhel [IN] OBSERVATION
Red Hat Identity Management (IdM) is only officially supported on RHEL, not on other Linux distributions.

### idm-reverse-zone-in-addr-arpa [IN] OBSERVATION
IdM reverse DNS zones use the `in-addr.arpa` naming convention (e.g., `1.168.192.in-addr.arpa` for 192.168.1.0/24).
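
An added example (not from the RHEL documentation) that builds the `in-addr.arpa` zone name and PTR owner names from a network rather than typing them, and prints the corresponding `ipa dnszone-add` / `ipa dnsrecord-add` commands. Only octet-aligned prefixes (/8, /16, /24) are handled; the networks and hostnames are placeholders, and the commands are printed, not executed.

```shell
#!/usr/bin/env bash
# Added example, not from the RHEL documentation: derive reverse-zone and PTR
# names for IPv4 networks. Classless (RFC 2317) delegations are rejected.

# "192.168.1.0/24" -> "1.168.192.in-addr.arpa"
reverse_zone() {
    local net=${1%/*} plen=${1#*/} o1 o2 o3 o4
    IFS=. read -r o1 o2 o3 o4 <<< "$net"
    case "$plen" in
        8)  echo "$o1.in-addr.arpa" ;;
        16) echo "$o2.$o1.in-addr.arpa" ;;
        24) echo "$o3.$o2.$o1.in-addr.arpa" ;;
        *)  echo "only /8, /16 and /24 are supported, got /$plen" >&2; return 1 ;;
    esac
}

# PTR record name for a host inside a zone of the given prefix length:
# "50" for 192.168.1.50 in a /24 zone, "50.1" in a /16 zone.
ptr_name() {
    local ip=$1 plen=$2 o1 o2 o3 o4
    IFS=. read -r o1 o2 o3 o4 <<< "$ip"
    case "$plen" in
        8)  echo "$o4.$o3.$o2" ;;
        16) echo "$o4.$o3" ;;
        24) echo "$o4" ;;
        *)  return 1 ;;
    esac
}

# Print (do not run) the IdM commands for a network and IP=FQDN host pairs.
ipa_reverse_commands() {
    local cidr=$1 zone host
    shift
    zone=$(reverse_zone "$cidr") || return 1
    echo "ipa dnszone-add $zone"
    for host in "$@"; do
        echo "ipa dnsrecord-add $zone $(ptr_name "${host%%=*}" "${cidr#*/}") --ptr-rec=${host#*=}."
    done
}

# Placeholder network and hosts.
ipa_reverse_commands 192.168.1.0/24 192.168.1.50=host1.example.com 192.168.1.51=host2.example.com
```

IdM can derive the same zone name itself with `ipa dnszone-add --name-from-ip=192.168.1.0/24`; the function above mirrors that derivation so the PTR names can be generated in the same pass. The trailing dot on `--ptr-rec` matters: without it the name is treated as relative to the zone.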

### idm-rhel-exclusive-deployment-model [IN] OBSERVATION
IdM is a RHEL-exclusive deployment of upstream FreeIPA with three installable roles (server, replica, client), pre-tuned for typical deployments out of the box and officially supported only on RHEL.

### idm-supports-otp-second-factor [IN] OBSERVATION
IdM supports one-time passwords (OTP) as a second factor alongside Kerberos passwords for two-factor authentication.

### idm-two-migration-paths [IN] OBSERVATION
Two primary IdM migration paths exist: upgrading RHEL 8 IdM to RHEL 9 IdM, and migrating from an external LDAP directory to RHEL 9 IdM.

### idm-vault-archive-retrieve-commands [IN] OBSERVATION
`ipa vault-archive` stores data in an IdM vault; `ipa vault-retrieve` retrieves it.

### idm-vault-client-side-encryption [IN] OBSERVATION
In symmetric and asymmetric vaults the secret is encrypted on the client (with the vault password or the recipient's public key) before transmission, so the IdM server never holds the plaintext; a standard vault relies on the KRA transport encryption only, so the KRA can recover the stored secret.

### idm-vault-requires-kra [IN] OBSERVATION
The Dogtag KRA (Key Recovery Authority) must be installed (`ipa-kra-install`) on at least one IdM server before vaults can be used.

### idm-vault-scopes [IN] OBSERVATION
IdM vaults can be scoped as user vaults (single user), service vaults (single service), or shared vaults (multiple users/groups).

### idm-vault-secure-secret-storage [IN] OBSERVATION
IdM vaults provide secret storage backed by the Dogtag KRA, with three scopes (user/service/shared), archive/retrieve CLI operations, and client-side encryption for symmetric and asymmetric vaults (the server never sees those plaintexts); standard vaults are protected only by the KRA.

### idm-vault-three-types [IN] OBSERVATION
IdM vault types are standard (accessible by owner/members), symmetric (password-protected with symmetric key), and asymmetric (encrypted with public key, decrypted with private key).

### idm-web-ui-url-pattern [IN] OBSERVATION
The IdM Web UI is accessed at `https://<idm-server>/ipa/ui/` and is functionally equivalent to the CLI for administration tasks.

### ifname-only-way-to-set-custom-interface-names [IN] OBSERVATION
`ifname=interface:MAC` is the only supported way to set custom network interface names during Anaconda installation.

### image-builder-blueprint-toml [IN] OBSERVATION
Image Builder blueprints are written in TOML format and define packages, groups, and customizations for image builds.

### image-builder-blueprints-toml-format [IN] OBSERVATION
Image Builder blueprints are written in TOML format and define packages, groups, and customizations.

### image-builder-complete-workflow [IN] OBSERVATION
RHEL Image Builder provides a complete image creation pipeline: TOML blueprint definition, osbuild-composer backend with socket activation, multi-format output, and a push-then-compose CLI workflow.

### image-builder-composes-edge-images [IN] OBSERVATION
Image Builder (osbuild-composer) is the supported tool for composing RHEL for Edge images, available via `composer-cli` and Cockpit web UI.

### image-builder-osbuild-composer [IN] OBSERVATION
RHEL Image Builder uses `osbuild-composer` as the backend service and `composer-cli` as the command-line interface, enabled via `osbuild-composer.socket`.

### image-builder-osbuild-composer-backend [IN] OBSERVATION
`osbuild-composer` is the backend service for RHEL Image Builder and `composer-cli` is its command-line interface.

### image-builder-output-types [IN] OBSERVATION
Image Builder supports multiple output formats from a single blueprint including qcow2, vmdk, ami, vhd, iso, and others, listed via `composer-cli compose types`.

### image-builder-socket-activation [IN] OBSERVATION
The Image Builder service is enabled with `systemctl enable --now osbuild-composer.socket`.

### image-builder-workflow [IN] OBSERVATION
The Image Builder workflow is: create blueprint → push blueprint (`composer-cli blueprints push`) → start compose (`composer-cli compose start`) → download image (`composer-cli compose image <UUID>`).
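
An added example (not from the RHEL documentation or the osbuild project) of the blueprint → push → compose → download workflow from the claims above as one script. The blueprint name, package list and SSH key are placeholders; the output line `Compose <UUID> added to the queue` is what `composer-cli compose start` prints, while the `compose status` column order used by `compose_state` is an assumption to verify against your version. Only the parsers run without `composer-cli` installed.

```shell
#!/usr/bin/env bash
# Added example, not from the RHEL documentation: Image Builder pipeline.
# Blueprint content is a placeholder; adjust packages, user and key.

BLUEPRINT_NAME=hardened-base

write_blueprint() {
    cat > "$1" <<EOF
name = "$BLUEPRINT_NAME"
description = "Minimal image with auditing and a non-root admin user"
version = "0.0.1"

[[packages]]
name = "audit"
version = "*"

[[packages]]
name = "fapolicyd"
version = "*"

[customizations.services]
enabled = ["auditd", "fapolicyd", "sshd"]

[[customizations.user]]
name = "admin"
key = "ssh-ed25519 AAAA...placeholder"
groups = ["wheel"]
EOF
}

# "composer-cli compose start" reports "Compose <UUID> added to the queue".
# Extract the UUID so the rest of the pipeline can poll and download it.
compose_uuid() {
    printf '%s\n' "$1" | sed -n 's/^Compose \([0-9a-f-]\{36\}\) added to the queue.*/\1/p'
}

# Status word from a "composer-cli compose status" line. Assumed layout
# (check against your version): "<UUID> <STATUS> <time> <blueprint> <version> <type>".
compose_state() {
    printf '%s\n' "$1" | awk 'NR==1 {print $2}'
}

run_pipeline() {
    local bp out uuid state
    bp=$(mktemp --suffix=.toml)
    write_blueprint "$bp"
    composer-cli blueprints push "$bp"
    composer-cli blueprints depsolve "$BLUEPRINT_NAME"   # fail early on unresolvable packages
    out=$(composer-cli compose start "$BLUEPRINT_NAME" qcow2)
    uuid=$(compose_uuid "$out")
    [ -n "$uuid" ] || { echo "could not parse compose UUID from: $out" >&2; return 1; }
    while :; do
        state=$(compose_state "$(composer-cli compose status | grep "^$uuid")")
        case "$state" in
            FINISHED) break ;;
            FAILED)   composer-cli compose log "$uuid"; return 1 ;;
            *)        sleep 30 ;;
        esac
    done
    composer-cli compose image "$uuid"   # writes <uuid>-disk.qcow2 into the current directory
    rm -f "$bp"
}

if command -v composer-cli >/dev/null 2>&1; then
    run_pipeline
else
    echo "composer-cli not installed; parser self-check only:"
    compose_uuid 'Compose 4ccf1e9c-14ad-45d8-8d0a-7b6f3d1a9c2e added to the queue'
fi
```

Running `blueprints depsolve` before `compose start` is the cheap way to catch a typo in a package name; a compose that fails for that reason only reports it after the worker has already started.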

### inst-graphical-is-default-mode [IN] OBSERVATION
`inst.graphical` is the default Anaconda installation mode; `inst.text` forces text mode, `inst.cmdline` forces non-interactive mode (requires Kickstart).

### inst-ks-boot-option [IN] OBSERVATION
The `inst.ks=` boot option specifies the Kickstart file location for automated RHEL installations (e.g., `inst.ks=http://server/path/ks.cfg`).

### inst-ksstrict-turns-warnings-to-errors [IN] OBSERVATION
The `inst.ksstrict` boot option turns deprecated Kickstart command warnings into errors.

### inst-repo-defines-installation-source [IN] OBSERVATION
`inst.repo=` defines the primary installation source for Anaconda, supporting cdrom, hd, nfs, http, https, ftp, and hmc protocols.

### inst-repo-nfs-defaults-to-nfsv3 [IN] OBSERVATION
`inst.repo=nfs` uses NFSv3 by default; use `nfsvers=X` to specify a different NFS version.

### inst-sshd-enables-ssh-during-install [IN] OBSERVATION
`inst.sshd` enables SSH access during installation; on IBM Z it is auto-started by default; root has no password unless set via `sshpw` Kickstart command.

### inst-stage2-locates-runtime-image [IN] OBSERVATION
`inst.stage2=` specifies the location of the installer runtime image (`install.img`), which is separate from the package repository specified by `inst.repo=`.

### installer-console-switching [IN] OBSERVATION
During RHEL installation, Ctrl+Alt+F1 switches to the tmux console and Ctrl+Alt+F6 switches to the graphical installer.

### installer-defaults-dhcp [IN] OBSERVATION
The RHEL installer defaults to DHCP for network configuration; the `ip=` boot option overrides this.

### installer-tmux-five-windows [IN] OBSERVATION
The RHEL installer runs tmux in virtual console 1 with five windows: main program (Ctrl+b 1), root shell (Ctrl+b 2), anaconda.log (Ctrl+b 3), storage.log (Ctrl+b 4), program.log (Ctrl+b 5).

### io-redirection-operators [IN] OBSERVATION
I/O redirection uses > (overwrite stdout to file), >> (append), 2> (redirect stderr), &> (redirect both stdout and stderr), | (pipe between commands), and < (stdin from file).

### io-redirection-stdin-stdout-stderr [IN] OBSERVATION
Use input-output redirection to control where command output goes: > overwrites file, >> appends, 2> redirects stderr, &> redirects both stdout and stderr, | pipes output to another command, < reads stdin from file.

### io-uring-disabled-by-default-rhel9 [IN] OBSERVATION
io_uring is disabled by default in RHEL 9 via `kernel.io_uring_disabled=2`; values are 0=all users, 1=privileged only, 2=disabled for all.

### ipa-client-install-dns-autodiscovery [IN] OBSERVATION
`ipa-client-install` uses DNS SRV records for autodiscovery of the IdM domain when `--server` is not specified.

### ipa-healthcheck-detection-capabilities [IN] OBSERVATION
ipa-healthcheck detects replication conflicts, expired certificates, misconfigured permissions, and stopped services across check sources including ipahealthcheck.ipa.certs, ipahealthcheck.ipa.dns, ipahealthcheck.ds.replication, and ipahealthcheck.meta.services.

### ipa-healthcheck-failures-only-flag [IN] OBSERVATION
`ipa-healthcheck --failures-only` filters output to show only failed checks; `--source` targets specific check categories.

### ipa-healthcheck-json-output-with-severities [IN] OBSERVATION
`ipa-healthcheck` outputs results in JSON format with severity levels: SUCCESS, WARNING, ERROR, CRITICAL.

### ipa-healthcheck-package-and-command [IN] OBSERVATION
The `ipa-healthcheck` utility is installed via `dnf install ipa-healthcheck` and runs on IdM server/replica nodes (not clients).

### ipa-healthcheck-systemd-timer [IN] OBSERVATION
Periodic automated health checks can be enabled via `systemctl enable --now ipa-healthcheck.timer`.

### kickstart-anaconda-ks-cfg-auto-created [IN] OBSERVATION
`/root/anaconda-ks.cfg` is automatically created after every interactive RHEL installation and can be reused as a Kickstart file.

### kickstart-anaconda-ks-cfg-location [IN] OBSERVATION
After every interactive RHEL installation, a Kickstart file is automatically saved at `/root/anaconda-ks.cfg` and can be reused for future installations.

### kickstart-automated-deployment-pipeline [IN] OBSERVATION
Kickstart provides a complete automated deployment pipeline: inst.ks= boot parameter, multiple installation sources (media/CDN/network), syntax validation via ksvalidator, fully unattended operation, and auto-generated template from prior installs.

### kickstart-cmdline-halts-on-interaction [IN] OBSERVATION
`cmdline` mode halts the installation if any user interaction is required — all options must be pre-configured in the Kickstart file.

### kickstart-default-completion-halt [IN] OBSERVATION
The default Kickstart completion method is `halt` (equivalent to `shutdown -H`) if no completion command is specified.

### kickstart-eula-agreed-required-unattended [IN] OBSERVATION
`eula --agreed` is required in Kickstart for unattended installations to skip the EULA acceptance prompt.

### kickstart-harddrive-supported-filesystems [IN] OBSERVATION
The `harddrive` Kickstart command supports `ext2`, `ext3`, `ext4`, `vfat`, and `xfs` filesystems for the installation source partition.

### kickstart-inst-ks-boot-parameter [IN] OBSERVATION
The `inst.ks=` boot parameter specifies a Kickstart file location, supporting HTTP, HTTPS, FTP, NFS, hard drive, and CDROM sources.

### kickstart-install-command-removed-rhel9 [IN] OBSERVATION
The `install` Kickstart command has been removed in RHEL 9; installation source commands (`cdrom`, `url`, `nfs`, etc.) are used directly.

### kickstart-installation-sources [IN] OBSERVATION
Kickstart installations can pull content from local media (DVD/USB), ISO images, Red Hat CDN, or network servers (HTTP, FTP, NFS).

### kickstart-logging-tcp-only-port-514 [IN] OBSERVATION
Kickstart `logging` command for remote syslog uses TCP only, with default port 514.

### kickstart-rhsm-direct-cdn-registration [IN] OBSERVATION
The `rhsm` Kickstart command allows registering and installing directly from the Red Hat CDN without needing `%post` scripts.

### kickstart-sources-local-cdn-network [IN] OBSERVATION
Kickstart supports installation sources: local media, ISO, Red Hat CDN, and network servers (HTTP/HTTPS/FTP/NFS).

### kickstart-unattended-install [IN] OBSERVATION
Kickstart enables fully unattended RHEL installation when all required parameters are provided in the Kickstart file.

### kickstart-url-source-overrides-cdn [IN] OBSERVATION
A URL-based installation source takes precedence over CDN even when `rhsm` is specified with valid credentials.

### ksvalidator-from-pykickstart [IN] OBSERVATION
The `ksvalidator` command (from the `pykickstart` package) validates Kickstart file syntax before use.
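
An added example (not from the RHEL documentation or pykickstart) that turns the Kickstart claims above into a lint pass run before `ksvalidator`: it rejects the removed `install` command, requires an installation-source command, `eula --agreed` and a root password (or `user`) for unattended runs, warns about a plaintext `rootpw` and about `cmdline` mode without the settings that would otherwise prompt, and then calls `ksvalidator` if pykickstart is installed. The sample Kickstart is constructed; its repository URL, hostname and password hash are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the RHEL documentation: lint a Kickstart file for the
# RHEL 9 rules in the claims above, then hand it to ksvalidator when available.

# has_cmd PATTERN TEXT: true when a command matching PATTERN starts a line.
has_cmd() {
    printf '%s\n' "$2" | grep -Eq "^[[:space:]]*($1)([[:space:]]|\$)"
}

# Prints FAIL:/WARN:/NOTE: lines; returns 1 when any FAIL was found or
# ksvalidator rejects the file.
lint_kickstart() {
    local ks=$1 rc=0 cmds req
    # Commands precede the first %section; drop everything from that point on.
    cmds=$(sed '/^%/,$d' "$ks")

    if has_cmd install "$cmds"; then
        echo "FAIL: 'install' was removed in RHEL 9; use cdrom/url/nfs/harddrive directly"; rc=1
    fi
    if ! has_cmd 'cdrom|url|nfs|harddrive|liveimg|ostreesetup|rhsm' "$cmds"; then
        echo "FAIL: no installation source command (cdrom, url, nfs, harddrive, ...)"; rc=1
    fi
    if ! has_cmd 'eula --agreed' "$cmds"; then
        echo "FAIL: missing 'eula --agreed'; an unattended install stops at the EULA prompt"; rc=1
    fi
    if ! has_cmd 'rootpw|user' "$cmds"; then
        echo "FAIL: neither rootpw nor user is set; the installer would prompt and cmdline mode halts"; rc=1
    elif has_cmd rootpw "$cmds" && ! has_cmd 'rootpw[[:space:]]+--iscrypted' "$cmds"; then
        echo "WARN: rootpw is not --iscrypted; store a hash (openssl passwd -6), not plaintext"
    fi
    if has_cmd cmdline "$cmds"; then
        for req in lang keyboard timezone; do
            has_cmd "$req" "$cmds" || echo "WARN: cmdline mode halts on any prompt but '$req' is not set"
        done
    fi
    if has_cmd url "$cmds" && has_cmd rhsm "$cmds"; then
        echo "NOTE: both url and rhsm present; the url source takes precedence over the CDN"
    fi
    if command -v ksvalidator >/dev/null 2>&1; then
        ksvalidator "$ks" || rc=1
    else
        echo "NOTE: ksvalidator (pykickstart) not installed; syntax not validated"
    fi
    return $rc
}

# Constructed sample; repository URL, hostname and hash are placeholders.
ks=$(mktemp)
cat > "$ks" <<'EOF'
text
url --url=http://repo.example.com/rhel9/BaseOS/x86_64/os/
eula --agreed
lang en_US.UTF-8
keyboard us
timezone UTC --utc
network --bootproto=dhcp --hostname=host1.example.com
rootpw --iscrypted $6$placeholder$hashgoeshere
zerombr
clearpart --all --initlabel
autopart --type=lvm
reboot
%packages
@^minimal-environment
%end
EOF
lint_kickstart "$ks" && echo "lint passed"
rm -f "$ks"
```

`ksvalidator` checks syntax only; it will happily accept a file that installs from the wrong source or leaves the root password in clear text, which is why the policy checks sit in front of it.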

### ktls-enable-modprobe-tls [IN] OBSERVATION
kTLS (kernel TLS) is enabled by loading the `tls` kernel module (`modprobe tls`), setting `ktls = true` in a GnuTLS crypto-policy drop-in under `/etc/crypto-policies/local.d/`, and running `update-crypto-policies` so the drop-in is merged into the active policy.

### ktls-tech-preview-rhel92 [IN] OBSERVATION
Kernel TLS (KTLS) is a Technology Preview in RHEL 9.2, appearing in both security (gnutls acceleration) and networking (kernel-level TLS offload) contexts.

### leapp-official-inplace-upgrade-tool [IN] OBSERVATION
Leapp is the official Red Hat tool for performing in-place upgrades between major RHEL versions (e.g., RHEL 8 to RHEL 9).

### leapp-preupgrade-before-upgrade [IN] OBSERVATION
`leapp preupgrade` should be run before `leapp upgrade` to identify inhibitors and potential issues without making changes.

### leapp-upgrade-constraints [IN] OBSERVATION
RHEL in-place upgrades via Leapp require sequential major version progression (no skipping) with a mandatory preupgrade assessment before the actual upgrade.

### lpfc-driver-emulex-fibre-channel [IN] OBSERVATION
The `lpfc` kernel driver is the Emulex driver for Fibre Channel HBAs in RHEL.

### lpfc-emulex-fibre-channel-driver [IN] OBSERVATION
`lpfc` is the Emulex driver for Fibre Channel HBAs in RHEL.

### lvm-core-commands [IN] OBSERVATION
Core LVM commands: `pvcreate` (init PV), `vgcreate` (create VG), `lvcreate -n name -L size vg` (create LV), `lvextend`/`lvresize` (resize), `pvs`/`vgs`/`lvs` (summary display).

### lvm-flexible-storage-management [IN] OBSERVATION
LVM provides flexible, non-disruptive storage management through a three-layer abstraction (PV → VG → LV) that enables spanning multiple disks into unified volume groups, online extension without downtime, and a consistent command vocabulary (pvcreate, vgcreate, lvcreate, lvextend, lvreduce, vgextend) for all operations.

### lvm-lv-is-virtual-block-device [IN] OBSERVATION
An LVM logical volume acts as a virtual block device that can hold any filesystem or be used as swap.

### lvm-online-extend-nondisruptive [IN] OBSERVATION
LVM logical volumes can be extended online (non-disruptively) without downtime.

### lvm-three-layer-hierarchy [IN] OBSERVATION
LVM uses a three-layer hierarchy: Physical Volumes (PV) → Volume Groups (VG) → Logical Volumes (LV).

### lvm-vg-spans-multiple-disks [IN] OBSERVATION
Multiple physical volumes can be combined into a single volume group, enabling storage that spans multiple disks.

### man-info-documentation-system [IN] OBSERVATION
man pages are organized in sections: 1 (user commands), 5 (file formats), 8 (admin commands). Use man -k or apropos to search. info provides detailed docs. /usr/share/doc has package documentation.

### mbr-gpt-partitioning-fdisk-parted [IN] OBSERVATION
MBR supports 4 primary partitions and disks up to 2 TiB. GPT supports 128 partitions by default and disks far beyond 2 TiB (8 ZiB with 512-byte sectors). fdisk, gdisk, and parted manage partitions. Run partprobe after partition table changes.

### mcs-access-requires-all-categories [IN] OBSERVATION
A user must be assigned to all categories on a file to access it (conjunction rule — not just one matching category).

### mcs-categories-c0-to-c1023 [IN] OBSERVATION
SELinux Multi-Category Security (MCS) categories range from c0 to c1023 (1024 possible categories).

### mcs-category-labels-setrans-conf [IN] OBSERVATION
Human-readable MCS category labels are defined in `/etc/selinux/<policy>/setrans.conf` and require restarting the `mcstrans` service to take effect.

### mcs-enforced-after-dac-and-te [IN] OBSERVATION
MCS is evaluated after DAC and Type Enforcement — it can only further restrict access, never relax it.

### mcs-not-default-for-regular-users-targeted [IN] OBSERVATION
In the `targeted` SELinux policy, MCS is not configured for regular users by default — a CIL module with `(typeattributeset mcs_constrained_type (user_t))` must be installed via `semodule -i`.

### mcs-restrictive-access-control [IN] OBSERVATION
MCS provides a restrictive supplementary access layer: enforced only after DAC and Type Enforcement pass, requiring conjunction of all assigned categories, with session-boundary enforcement of changes.

### mcs-user-category-changes-at-next-login [IN] OBSERVATION
MCS category changes for users take effect only at the next login, not on the current session.
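
An added example (not from the RHEL documentation) modelling the MCS claims above: it expands category strings in the `c0,c2.c5` form that `chcat`, `semanage` and `ls -Z` use, rejects anything outside c0..c1023, and applies the conjunction rule, allowing access only when the subject holds every category on the object. The contexts used are constructed; the real decision is the kernel's, and this is a way to reason about a denial from labels copied out of `id -Z` and `ls -Z` before changing anything.

```shell
#!/usr/bin/env bash
# Added example, not from the RHEL documentation: expand MCS category specs and
# apply the "subject must hold all of the object's categories" rule.

# Print one category number per line for "c0,c2.c5,c1023"; reject anything
# outside c0..c1023 or a reversed range. Empty input prints nothing.
expand_cats() {
    local spec=$1 part lo hi i out=""
    local -a parts
    [ -n "$spec" ] || return 0
    IFS=',' read -r -a parts <<< "$spec"
    for part in "${parts[@]}"; do
        if [[ "$part" =~ ^c([0-9]+)\.c([0-9]+)$ ]]; then
            lo=${BASH_REMATCH[1]}; hi=${BASH_REMATCH[2]}
        elif [[ "$part" =~ ^c([0-9]+)$ ]]; then
            lo=${BASH_REMATCH[1]}; hi=$lo
        else
            echo "bad category '$part'" >&2; return 1
        fi
        if [ "$lo" -gt "$hi" ] || [ "$hi" -gt 1023 ]; then
            echo "out of c0..c1023 or reversed: '$part'" >&2; return 1
        fi
        for ((i = lo; i <= hi; i++)); do out+="$i"$'\n'; done
    done
    printf '%s' "$out" | sort -n -u
}

# Category part of a full context such as "staff_u:object_r:user_home_t:s0:c1,c5"
# (empty when the level is a plain "s0"). For a range like "s0-s0:c0.c1023" the
# high level's categories are returned.
cats_of_context() {
    local ctx=$1 level
    level=${ctx#*:*:*:}          # drop user:role:type
    case "$level" in
        *:*) echo "${level#*:}" ;;
        *)   echo "" ;;
    esac
}

# mcs_allows SUBJECT_CATS OBJECT_CATS: returns 0 when every object category is
# held by the subject, 1 when some are missing (they are printed), 2 on bad input.
mcs_allows() {
    local subj obj c missing=""
    subj=$(expand_cats "$1") || return 2
    obj=$(expand_cats "$2") || return 2
    for c in $obj; do
        printf '%s\n' "$subj" | grep -qx "$c" || missing+="c$c "
    done
    if [ -n "$missing" ]; then
        echo "denied: subject is missing ${missing% }"
        return 1
    fi
    echo "allowed"
}

demo() {
    mcs_allows 'c1,c5' 'c1'                      # allowed: one category is enough only if it is all of them
    mcs_allows 'c1' 'c1,c5' || true              # denied: c5 is missing, matching c1 alone is not enough
    mcs_allows 'c0.c1023' 'c7,c900'              # allowed: the full range dominates everything
    mcs_allows "$(cats_of_context 'staff_u:staff_r:staff_t:s0:c3')" \
               "$(cats_of_context 'staff_u:object_r:user_home_t:s0:c3,c4')" || true
}
demo
```

Remember that MCS only adds denials on top of DAC and type enforcement, so "allowed" here means MCS is not the reason for a denial, not that the access succeeds; and a category change made with `chcat -l` only reaches the model's subject side after the user logs in again.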

### modprobe-blacklist-persists-after-install [IN] OBSERVATION
`modprobe.blacklist=` disables kernel modules during installation and persists after installation (stored in `/etc/modprobe.d/`).

### multipathd-flush-on-last-del-values [IN] OBSERVATION
The `multipathd` `flush_on_last_del` parameter accepts values: `always`/`yes`, `unused`/`no` (default), and `never`.

### nested-kvm-tech-preview-rhel9 [IN] OBSERVATION
Nested KVM virtualization is a Technology Preview in RHEL 9, working on Intel, AMD64, and IBM Z hosts.

### nic-teaming-deprecated-rhel9 [IN] OBSERVATION
NIC teaming (`team=`) is deprecated in RHEL 9; network bonding is the recommended alternative.

### oemdrv-volume-auto-kickstart [IN] OBSERVATION
A volume labeled `OEMDRV` with a file named `ks.cfg` in its root is auto-detected by the Anaconda installer for Kickstart — no `inst.ks=` boot option is required.

### polyinstantiation-config-namespace-conf [IN] OBSERVATION
Polyinstantiation is configured in `/etc/security/namespace.conf`; the `pam_namespace_helper` does NOT read files from `/etc/security/namespace.d/`.

### polyinstantiation-default-directories [IN] OBSERVATION
Polyinstantiated directories in SELinux isolate /tmp, /var/tmp, and home directories per-user, preventing race condition attacks and information leaks. Instance directories (/tmp-inst/, /var/tmp/tmp-inst/) hold per-user subdirectories that get bind-mounted over the shared paths.

### polyinstantiation-instance-dirs-mode-000 [IN] OBSERVATION
Polyinstantiation instance directories (`/tmp-inst/`, `/var/tmp/tmp-inst/`) must be created with mode 000 (`mkdir --mode 000`).

### polyinstantiation-pam-module-pam-namespace [IN] OBSERVATION
Polyinstantiation is enforced via the `pam_namespace.so` PAM module with the `unmnt_remnt` option in the session stack.

### polyinstantiation-user-vs-level-method [IN] OBSERVATION
Polyinstantiation uses the `user` method on non-MLS systems and the `level` method on MLS systems in `namespace.conf`.

### polyinstantiation-verify-with-findmnt [IN] OBSERVATION
Polyinstantiation can be verified with `findmnt --mountpoint /tmp/`; the source should show `/tmp-inst/<user>`.

### process-identification-kill [IN] OBSERVATION
Use top and ps aux to identify CPU/memory intensive processes. kill PID sends SIGTERM (15, graceful). kill -9 PID sends SIGKILL (forced). nice/renice adjust scheduling priority (-20 to 19).

### process-output-shell-commands-script [IN] OBSERVATION
Process output of shell commands within a script using command substitution $(command). Captures stdout for use in variable assignments, conditionals, and loops. Can be nested and is preferred over backticks.

### process-script-inputs-positional [IN] OBSERVATION
Process script inputs using positional parameters $1, $2, etc. $0 is the script name, $# is the argument count, "$@" expands all arguments preserving word boundaries. Use shift to consume parameters.
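
An added example (not code from the page) tying the three claims above together: `top_cpu_pids` parses a `ps` listing, `graceful_kill` escalates from SIGTERM to SIGKILL and treats a zombie as already dead, and `kill_many` shows `$#`, `shift` and `"$@"` with `$(pgrep ...)` substitution. Process names, grace periods and the sample listing are assumptions.

```bash
#!/bin/bash
# Added example, not code from the original page: the Bash building blocks in
# the claims above (positional parameters, $#, "$@", shift, $(...) command
# substitution) used for a small process-management helper that escalates from
# SIGTERM to SIGKILL. Process names, grace periods and the sample ps listing
# below are assumptions.

# top_cpu_pids N: read `ps -eo pid,%cpu,comm --sort=-%cpu` output on stdin and
# print the PIDs of the N busiest processes (header line skipped).
top_cpu_pids() {
    awk -v n="$1" 'NR > 1 && NR <= n + 1 { print $1 }'
}

# alive PID: true while the process exists and is not a zombie. kill -0 alone
# keeps reporting a zombie as alive until its parent reaps it.
alive() {
    kill -0 "$1" 2>/dev/null || return 1
    [ -r "/proc/$1/status" ] || return 0          # no /proc here: trust kill -0
    ! grep -q '^State:[[:space:]]*Z' "/proc/$1/status"
}

# graceful_kill PID [GRACE]: SIGTERM (15) first so the process can clean up,
# wait up to GRACE seconds, then SIGKILL (9), which cannot be caught or ignored.
# Returns 0 once the process is gone, 1 if it survived even SIGKILL.
graceful_kill() {
    pid="$1"; grace="${2:-5}"
    alive "$pid" || return 0
    kill -15 "$pid" 2>/dev/null || :
    i=0
    while [ "$i" -lt "$grace" ]; do
        alive "$pid" || return 0
        sleep 1
        i=$((i + 1))
    done
    kill -9 "$pid" 2>/dev/null || :
    sleep 1
    ! alive "$pid"
}

# kill_many GRACE NAME...: $1 is consumed with shift; the remaining "$@" are
# exact process names, each expanded to a PID list by $(pgrep -x ...).
kill_many() {
    [ "$#" -ge 2 ] || { echo "usage: $0 GRACE NAME..." >&2; return 2; }
    grace="$1"; shift
    for name in "$@"; do
        for pid in $(pgrep -x "$name"); do
            if graceful_kill "$pid" "$grace"; then
                echo "stopped $name ($pid)"
            else
                echo "FAILED to stop $name ($pid)" >&2
            fi
        done
    done
}

# Constructed ps listing, in the column order top_cpu_pids expects.
SAMPLE_PS='  PID %CPU COMMAND
 4242 97.3 miner
 1313 12.0 httpd
  900  0.4 sshd'

# Often the right move is renice rather than kill: renice -n 10 -p PID
# (range -20..19; only root may move a process to a lower, higher-priority value).
# As a script: ./procmgmt.sh 5 myworker otherworker
case "$#" in
    0) ;;                         # no arguments: just define the functions
    *) kill_many "$@" ;;
esac
```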

### quadlet-systemd-podman-tech-preview [IN] OBSERVATION
Quadlet generates systemd service files from Podman container descriptions and is a Technology Preview in RHEL 9.2.

### rd-break-boot-interrupt [IN] OBSERVATION
`rd.break` stops the RHEL 9 boot inside the initramfs, before the switch to the real root, and drops to a root shell on the console with `/sysroot` mounted read-only. Root password recovery from there: edit the GRUB entry and append `rd.break` to the kernel line, then `mount -o remount,rw /sysroot`, `chroot /sysroot`, `passwd root`, `touch /.autorelabel` (the rewritten `/etc/shadow` carries no SELinux label and would otherwise block logins in enforcing mode), and exit twice to continue booting. Anyone with console access can do this unless GRUB entries are password-protected and the disk is encrypted.

### rear-backup-disaster-recovery [IN] OBSERVATION
ReaR (Relax-and-Recover) is the Red Hat-supported tool for full system backup and bare-metal disaster recovery on RHEL 9.

### redhat-bugzilla-to-jira-migration [IN] OBSERVATION
Red Hat migrated issue tracking from Bugzilla (BZ#) to Jira (RHEL-, RHELDOCS-, RHELPLAN- prefixes) for RHEL tracking.

### registration-issues-certificate [IN] OBSERVATION
RHEL registration issues a certificate that identifies and authenticates the system to Red Hat.

### registration-required-for-repo-access [IN] OBSERVATION
RHEL system registration is required before the system can access Red Hat repositories for updates via yum/dnf.

### registration-requires-root [IN] OBSERVATION
RHEL system registration with subscription-manager requires root privileges.

### restorecon-f-forces-full-relabel-including-user [IN] OBSERVATION
The `-F` flag on `restorecon` forces a full relabel including the SELinux user field, not just the type.

### rhcsa-cli-proficiency-toolkit [IN] OBSERVATION
RHCSA candidates must master a core CLI toolkit: Bash scripting fundamentals (positional parameters $1-$9, $#, "$@"), I/O redirection (>, >>, 2>, &>, pipes), pattern matching (grep with -i/-v/-r and regex), and the documentation system (man pages with section conventions and apropos search) — these form the essential tools foundation of the RHCSA exam.

### rhel-doc-change-categories [IN] OBSERVATION
RHEL release note changes are categorized as Known Issues, Deprecated Functionality, Technology Previews, Bug Fixes, and Enhancements/New Features.

### rhel-driver-management-commands [IN] OBSERVATION
Kernel module management commands: `lsmod` lists loaded modules, `modprobe` loads modules, `modprobe -r` unloads modules, `modinfo` shows driver details/version/parameters.

### rhel-edge-uses-rpm-ostree [IN] OBSERVATION
RHEL for Edge images use rpm-ostree for image-based atomic updates and rollbacks, not traditional RPM/DNF package management.

### rhel-image-mode-bootc-oci-containers [IN] OBSERVATION
RHEL image mode (bootc) manages the OS as a standard OCI container image, built with Podman/Buildah and stored in container registries.

### rhel-kernel-module-management-commands [IN] OBSERVATION
Kernel module management commands: `lsmod` lists loaded modules, `modprobe` loads modules, `modprobe -r` unloads modules, `modinfo` shows module details including version and parameters.

### rhel-kernel-modules-path [IN] OBSERVATION
Kernel modules are stored in `/lib/modules/$(uname -r)/`.

### rhel-minor-release-cadence [IN] OBSERVATION
RHEL 9 follows a minor release cadence (9.0, 9.1, 9.2, 9.3, 9.4, ...) delivering updates on a roughly 6-month cycle while maintaining ABI compatibility.

### rhel-no-skip-major-version-upgrade [IN] OBSERVATION
RHEL does not support skipping major versions during in-place upgrades (e.g., RHEL 7 → 9 directly is not supported).

### rhel-release-notes-living-documents [IN] OBSERVATION
RHEL release notes are living documents that receive ongoing updates well after the initial release; RHEL 9.3 (released November 2023) had release notes updated through November 2025.

### rhel-system-roles-ansible [IN] OBSERVATION
RHEL System Roles are Ansible-based roles for consistent configuration management across multiple RHEL hosts.

### rhel-system-roles-install-path [IN] OBSERVATION
RHEL system roles are installed to `/usr/share/ansible/roles/` and collections to `/usr/share/ansible/collections/`.

### rhel-system-roles-key-roles [IN] OBSERVATION
Key RHEL system roles include `timesync`, `network`, `selinux`, `storage`, `firewall`, `logging`, and `kdump`.

### rhel-system-roles-naming-convention [IN] OBSERVATION
RHEL system roles can be referenced as legacy names (e.g., `rhel-system-roles.timesync`) or collection names (e.g., `redhat.rhel_system_roles.timesync`).

### rhel-system-roles-package [IN] OBSERVATION
RHEL system roles are installed via the `rhel-system-roles` package and placed in `/usr/share/ansible/roles/` and `/usr/share/ansible/collections/`.

### rhel-system-roles-package-name [IN] OBSERVATION
RHEL system roles are installed via the `rhel-system-roles` package.

### rhel8-to-rhel9-inplace-upgrade-leapp [IN] OBSERVATION
In-place upgrade from RHEL 8 to RHEL 9 is supported using the Leapp tool; Convert2RHEL handles conversions from CentOS/Alma/Rocky/Oracle Linux.

### rhel9-ad-integration-stack [IN] OBSERVATION
RHEL 9 provides a complete AD integration stack: realmd orchestrates domain join, SSSD serves as default authentication backend, with a defined set of required packages.

### rhel9-ad-integration-two-methods [IN] OBSERVATION
RHEL 9 supports two methods for direct Active Directory integration: SSSD and Samba Winbind.

### rhel9-ad-join-packages-sssd [IN] OBSERVATION
Required packages for SSSD-based AD join: sssd, realmd, oddjob, oddjob-mkhomedir, adcli, samba-common-tools.

### rhel9-ad-msa-no-domain-join [IN] OBSERVATION
Managed Service Accounts (MSA) allow access to AD resources without full domain membership on RHEL 9.

### rhel9-aide-config-and-db-paths [IN] OBSERVATION
AIDE configuration is at `/etc/aide.conf` and the default database location is `/var/lib/aide/aide.db.gz`.

### rhel9-aide-config-file-path [IN] OBSERVATION
AIDE configuration is controlled by `/etc/aide.conf`, which defines monitored paths and tracked attributes.

### rhel9-aide-database-rename-required [IN] OBSERVATION
After `aide --init` or `aide --update`, the output file `/var/lib/aide/aide.db.new.gz` must be renamed to `/var/lib/aide/aide.db.gz` before it becomes active.

### rhel9-aide-detection-only [IN] OBSERVATION
AIDE is a detection-only tool that identifies filesystem changes after they occur but does not prevent them; IMA provides both detection and prevention.

### rhel9-aide-detection-only-not-prevention [IN] OBSERVATION
AIDE is a detection-only tool that identifies filesystem changes but does not prevent them; IMA provides both detection and prevention.

### rhel9-aide-file-integrity-commands [IN] OBSERVATION
AIDE file integrity checking uses `aide --init` to initialize the database, `aide --check` to detect changes, and `aide --update` to update the database after review.

### rhel9-aide-integrity-workflow [IN] OBSERVATION
AIDE provides a complete file integrity monitoring workflow: three operations (init/check/update), mandatory database rename after generation, AppStream package source, with the critical caveat that it is detection-only.

### rhel9-aide-requires-appstream [IN] OBSERVATION
The `aide` package requires the AppStream repository for installation.

### rhel9-aide-three-operations [IN] OBSERVATION
AIDE has three key operations: `--init` (create baseline database), `--check` (verify integrity), `--update` (refresh database after legitimate changes).
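
The AIDE claims above as an added shell workflow (not from the page or the AIDE project): the rename step, which is easy to forget and silently leaves the old baseline active, is wrapped in a function that keeps the previous database and prints the new one's digest, and the exit status of `aide --check` is decoded for cron. The timestamped backup and the digest bookkeeping are this example's own additions.

```bash
#!/bin/bash
# Added example, not from the original page: the AIDE baseline / check / update
# workflow as shell functions, with the mandatory rename step made safe.
# Paths are the RHEL 9 defaults; the timestamped backup and the sha256 printout
# are my own additions (assumptions), not AIDE behaviour.

AIDE_DB_DIR="${AIDE_DB_DIR:-/var/lib/aide}"

# aide_activate_db [DBDIR]: promote aide.db.new.gz to aide.db.gz. The previous
# database is kept with a timestamp suffix and the new one's sha256 is printed
# so it can be recorded off the box: AIDE only detects, so an attacker who can
# also rewrite aide.db.gz can silence the detection.
aide_activate_db() {
    dir="${1:-$AIDE_DB_DIR}"
    new="$dir/aide.db.new.gz"
    active="$dir/aide.db.gz"
    [ -f "$new" ] || { echo "$new missing: run 'aide --init' or 'aide --update' first" >&2; return 1; }
    [ -f "$active" ] && mv "$active" "$active.$(date +%Y%m%d%H%M%S)"
    mv "$new" "$active"
    sha256sum "$active" | awk '{ print $1 }'
}

# aide_describe_exit CODE: translate the exit status of `aide --check` or
# `aide --update`. AIDE ORs 1 (new files), 2 (removed files), 4 (changed
# files); 14 and above are errors (config, I/O, version mismatch).
# Returns 0 for a clean tree, 1 when differences exist, 2 on error.
aide_describe_exit() {
    code="$1"
    if [ "$code" -eq 0 ]; then echo clean; return 0; fi
    if [ "$code" -ge 14 ]; then echo error; return 2; fi
    out=""
    [ $((code & 1)) -ne 0 ] && out="$out added"
    [ $((code & 2)) -ne 0 ] && out="$out removed"
    [ $((code & 4)) -ne 0 ] && out="$out changed"
    echo "${out# }"
    return 1
}

# Live workflow (root). --init and --update both write aide.db.new.gz, which
# is inert until activated.
aide_baseline() { aide --init && aide_activate_db; }   # first run after 'dnf install aide'
aide_check() {
    rc=0; aide --check || rc=$?
    aide_describe_exit "$rc"                            # 0/1/2 for cron or a monitoring hook
}
aide_refresh() {                                        # after reviewing legitimate changes
    rc=0; aide --update || rc=$?
    [ "$rc" -lt 14 ] || return "$rc"
    aide_activate_db
}
```

Store the printed digest (and ideally a copy of `aide.db.gz`) somewhere the host cannot write to; comparing it before each `aide --check` is what turns a detection-only tool into evidence you can trust.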

### rhel9-all-crypto-policies-disable-weak [IN] OBSERVATION
All four predefined crypto policies disable IKEv1, 3DES, RC4, DSA, and TLS v1.1 and older.

### rhel9-anaconda-graphical-installer [IN] OBSERVATION
RHEL 9 uses the Anaconda graphical installer for interactive GUI-based installation.

### rhel9-application-runtime-platform [IN] OBSERVATION
RHEL 9 provides a managed application runtime platform with relational databases (MariaDB/MySQL/PostgreSQL via AppStream module streams), a controlled Python ecosystem (venv isolation, AppStream version selection, platform-python reserved), and RPM packaging tools for custom software distribution.

### rhel9-application-streams-independent-lifecycle [IN] OBSERVATION
Application Streams allow multiple versions of user-space components to be updated independently of the core OS, each with its own lifecycle.

### rhel9-application-streams-plain-rpm-install [IN] OBSERVATION
In RHEL 9, initial Application Stream versions install as plain RPMs via `dnf install` without needing to enable modules first (simplified from RHEL 8).

### rhel9-appstream-initial-versions-plain-rpm [IN] OBSERVATION
In RHEL 9, initial Application Stream versions install as plain RPMs via `dnf install` without needing `dnf module enable` first.

### rhel9-appstream-modules-multiple-versions [IN] OBSERVATION
AppStream uses modules to deliver multiple versions of the same software (e.g., different Python or Node.js streams); modularity is not present in BaseOS.

### rhel9-appstream-rpm-and-modules [IN] OBSERVATION
The AppStream repository delivers additional applications, runtime languages, databases, and tools as both traditional RPMs and modules.

### rhel9-appstream-shorter-lifecycles [IN] OBSERVATION
Some Application Streams have shorter support lifecycles than the base RHEL 9 OS.

### rhel9-arch-minimum-versions [IN] OBSERVATION
RHEL 9 minimum hardware versions by architecture: x86_64 requires x86-64-v2, aarch64 requires ARMv8.0-A, ppc64le requires POWER9, s390x requires z14.

### rhel9-architecture-specific-subscriptions [IN] OBSERVATION
Each RHEL 9 architecture requires its own separate Red Hat subscription.

### rhel9-arm-default-4k-page-kernel [IN] OBSERVATION
RHEL 9 ships with a 4k page size kernel by default on ARM (AArch64) systems.

### rhel9-audisp-integrated-into-auditd [IN] OBSERVATION
In RHEL 9, the audit dispatcher (audisp) functionality is integrated into `auditd`; plugin configs live in `/etc/audit/plugins.d/`.

### rhel9-audit-file-watch-command [IN] OBSERVATION
File audit watches are added with `auditctl -w <path> -p <permissions> -k <key>` and searched with `ausearch -k <key>`.

### rhel9-audit-log-default-location [IN] OBSERVATION
The default audit log location is `/var/log/audit/audit.log`.

### rhel9-audit-log-location [IN] OBSERVATION
The default audit log location is `/var/log/audit/audit.log`, configured via `/etc/audit/auditd.conf`.

### rhel9-audit-persistent-rules-directory [IN] OBSERVATION
Persistent audit rules are placed in `/etc/audit/rules.d/`; `/etc/audit/audit.rules` is auto-generated by `augenrules` on service start.

### rhel9-audit-sample-compliance-rules [IN] OBSERVATION
Pre-configured audit rules for compliance standards (OSPP, PCI-DSS, STIG) are available in `/usr/share/audit/sample-rules/`.

### rhel9-audit-subsystem-integrated [IN] OBSERVATION
RHEL 9 provides a unified audit subsystem with integrated dispatcher, file watch rules, original login identity tracking via auid, dedicated service management (not systemctl), and configurable log location.

### rhel9-auditctl-enable-disable [IN] OBSERVATION
`auditctl -e 0` temporarily disables auditing and `auditctl -e 1` re-enables it at runtime.

### rhel9-auditctl-file-watch-syntax [IN] OBSERVATION
`auditctl -w <path> -p <perms> -k <key>` creates file watch rules; permission flags are `w` (write), `a` (attribute), `r` (read), `x` (execute).

### rhel9-auditd-use-service-not-systemctl [IN] OBSERVATION
`auditd` must be managed with `service auditd start/stop/restart` — `systemctl` is only valid for `enable` and `status`.

### rhel9-auid-tracks-original-login-identity [IN] OBSERVATION
The `auid` (Audit UID / loginuid) is assigned at login and inherited across `su`/`sudo`, tracking the original login identity for accountability.

### rhel9-auid-tracks-original-login-user [IN] OBSERVATION
The `auid` (audit UID / loginuid) is assigned at login and inherited across `su`/`sudo`, tracking the original login identity for accountability.
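
The audit claims above as an added example (not from the page): composing a file-watch rule with validated permission flags, staging it under `/etc/audit/rules.d/`, and reading `auid`/`uid` pairs back out of raw `audit.log` records to show the original login identity surviving `sudo`. The watched paths, key names and log records are constructed.

```bash
#!/bin/bash
# Added example, not code from the original page: compose audit file-watch
# rules, stage them under rules.d, and read auid/uid pairs back out of raw
# audit.log records to show the login identity surviving sudo.
# The watched paths, the key names and the log records are constructed.

# audit_watch_rule PATH PERMS KEY -> "-w PATH -p PERMS -k KEY"
# PERMS may only use r (read), w (write), x (execute), a (attribute change).
audit_watch_rule() {
    path="$1"; perms="$2"; key="$3"
    case "$perms" in
        ""|*[!rwxa]*) echo "bad permission flags '$perms' (use r,w,x,a)" >&2; return 1 ;;
    esac
    echo "-w $path -p $perms -k $key"
}

# audit_write_rules DIR NAME RULE...: persistent rules belong in
# /etc/audit/rules.d/NAME.rules; augenrules merges them into
# /etc/audit/audit.rules, so never edit the merged file. Pass a temp DIR when
# not root.
audit_write_rules() {
    dir="$1"; name="$2"; shift 2
    printf '%s\n' "$@" > "$dir/$name.rules"
    echo "$dir/$name.rules"
}

# audit_auids_for_key LOG KEY: for each SYSCALL record tagged with KEY print
# "auid uid". auid is set at login and inherited across su/sudo, so
# "1000 0" means "the user who logged in as uid 1000 did this as root".
# auid=4294967295 (-1, unset) marks processes that never passed through a
# login, e.g. daemons started at boot.
audit_auids_for_key() {
    log="$1"; key="$2"
    awk -v key="$key" '
        $1 == "type=SYSCALL" && index($0, "key=\"" key "\"") {
            auid = "?"; uid = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^auid=/) auid = substr($i, 6)
                else if ($i ~ /^uid=/) uid = substr($i, 5)
            }
            print auid, uid
        }' "$log" | sort -u
}

# Constructed records in the kernel audit format: a sudo'd cat of /etc/shadow,
# a denied vim attempt by a plain user, and an unrelated cron event.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:301): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2211 pid=2345 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="cat" exe="/usr/bin/cat" key="shadow-watch"
type=CWD msg=audit(1700000000.101:301): cwd="/root"
type=PATH msg=audit(1700000000.101:301): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:302): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=3300 pid=3301 auid=1001 uid=1001 gid=1001 euid=1001 ses=4 comm="vim" exe="/usr/bin/vim" key="shadow-watch"
type=SYSCALL msg=audit(1700000000.103:303): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1 pid=50 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="crond" exe="/usr/sbin/crond" key="cron-watch"
EOF
}

# Live workflow (root). Loading goes through augenrules, and the daemon is
# driven with service(8) rather than systemctl so the admin's auid is recorded
# on the restart. With immutable mode (-e 2) active, rule changes wait for a
# reboot.
#   audit_write_rules /etc/audit/rules.d 50-shadow \
#       "$(audit_watch_rule /etc/shadow wa shadow-watch)"
#   augenrules --load             # or: service auditd restart
#   auditctl -l                   # confirm the rule is loaded
#   ausearch -k shadow-watch -i   # -i turns auid/uid into names
```

In the constructed records, `success=no exit=-13` on the second event is EACCES: the watch fires on the attempt, not only on success, which is what makes `-p r` on `/etc/shadow` a useful early-warning rule.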

### rhel9-authentication-hardening-controls [IN] OBSERVATION
RHEL 9 provides layered authentication hardening across three defense dimensions: account lockout policy via pam_faillock with configurable thresholds and admin unlock, password lifecycle management via chage with aging/expiry/force-change controls, and SSH key-based authentication with Ed25519 as the recommended algorithm.

### rhel9-automatable-defense-in-depth [IN] OBSERVATION
RHEL 9 defense-in-depth security (SELinux enforcing, firewalld, crypto policies, granular audit) is fully automatable at fleet scale through Ansible system roles and SELinux deployment automation (semanage export/import, fixfiles autorelabel, Ansible roles), enabling consistent security posture across hundreds of hosts.

### rhel9-bare-metal-separate-partitions [IN] OBSERVATION
For bare-metal RHEL 9 installations, `/boot`, `/`, `/home`, `/tmp`, and `/var/tmp` should be on separate partitions for security isolation.

### rhel9-baseos-appstream-both-required [IN] OBSERVATION
Both BaseOS and AppStream repositories are required for a complete RHEL 9 installation.

### rhel9-baseos-appstream-required-repos [IN] OBSERVATION
RHEL 9 content is split into two required repositories: BaseOS (core OS foundation) and AppStream (additional user-space applications, runtimes, databases).

### rhel9-baseos-core-os-rpm-only [IN] OBSERVATION
The BaseOS repository contains core OS foundation packages delivered exclusively as traditional RPMs.

### rhel9-baseos-vs-appstream-purpose [IN] OBSERVATION
BaseOS provides core OS functionality (full RHEL support lifecycle); AppStream provides additional user-space applications, runtime languages, and databases.

### rhel9-boot-iso-requires-network [IN] OBSERVATION
The Boot ISO requires network access to BaseOS/AppStream repositories to install packages; the Installation ISO (Binary DVD) contains both repos.

### rhel9-boot-iso-requires-network-source [IN] OBSERVATION
The RHEL 9 boot ISO (~700 MB) contains only the installer and kernel; it requires a network installation source and cannot install standalone.

### rhel9-boot-kernel-parameter-management [IN] OBSERVATION
RHEL 9 manages kernel boot parameters through `grubby` as the central tool: changing the default boot kernel (`--set-default`), persistently adding kernel arguments (`--update-kernel --args`), controlling CPU vulnerability mitigations (`mitigations=`), tuning crashkernel memory reservation (`crashkernel=size,high/low`), and emergency access via `rd.break` boot interrupt.

### rhel9-boot-partition-cannot-be-encrypted [IN] OBSERVATION
The `/boot` partition cannot be encrypted with LUKS; if `/boot` is part of an encrypted `/` partition, the system cannot boot.

### rhel9-bpf-jit-always-on [IN] OBSERVATION
RHEL 9 has `CONFIG_BPF_JIT_ALWAYS_ON=y`, meaning the BPF JIT compiler is mandatory and the BPF interpreter is not available (security hardening).

### rhel9-cdn-install-inst-rhsm [IN] OBSERVATION
CDN-based RHEL 9 installations use the `inst.rhsm` boot parameter and require registering with Red Hat during installation.

### rhel9-centralized-logging-and-audit-observability [IN] OBSERVATION
RHEL 9 provides centralized observability through two complementary subsystems: the audit framework (file watches, auid login tracking, compliance rules, dedicated service management) and the logging system role (rsyslog configuration via Ansible with structured input/output/flow variable groups and SELinux-aware port management).

### rhel9-cgroups-v2-default [IN] OBSERVATION
RHEL 9 uses cgroups v2 (unified hierarchy) by default.

### rhel9-cgroupsv1-deprecated [IN] OBSERVATION
cgroupsv1 is deprecated in RHEL 9 (which defaults to cgroupsv2); RHEL 10 will only support cgroupsv2.

### rhel9-chrony-default-ntp [IN] OBSERVATION
chrony is the default NTP implementation in RHEL 9, replacing ntpd.

### rhel9-clevis-client-tang-server [IN] OBSERVATION
Clevis is the client-side framework for automated decryption; Tang is the stateless server that never stores or learns client keys.

### rhel9-clevis-luks-bind-command [IN] OBSERVATION
Binding a LUKS volume to a Tang server: `clevis luks bind -d /dev/<device> tang '{"url":"http://tang.srv"}'`.

### rhel9-clevis-pins-available [IN] OBSERVATION
Clevis pins available in RHEL 9 are: `tang` (network server), `tpm2` (TPM 2.0 chip), `pkcs11` (smart cards), and `sss` (Shamir's Secret Sharing for threshold-based high availability).

### rhel9-cluster-services-not-systemctl [IN] OBSERVATION
Cluster-managed services must not be started or enabled via `systemctl`; Pacemaker controls their lifecycle.

### rhel9-codeready-builder-unsupported [IN] OBSERVATION
The CodeReady Linux Builder repository is available with all RHEL subscriptions but its packages are unsupported.

### rhel9-compatibility-levels-1-through-4 [IN] OBSERVATION
RHEL 9 packages are assigned Application Compatibility Levels 1–4, where Level 1 provides the highest ABI stability guarantee across the major release.

### rhel9-complete-installer-control-framework [IN] OBSERVATION
RHEL 9 installation is controlled through a comprehensive boot parameter framework combining installer directives (inst.ks, inst.repo, inst.stage2, inst.graphical/text/cmdline, inst.sshd, inst.vnc) with network configuration parameters (DHCP default, seven-field ip= static override, bootdev= for multi-NIC, ifname= for custom interface naming).

### rhel9-comprehensive-deprecation-trajectory [IN] OBSERVATION
RHEL 9 is undergoing systematic modernization through coordinated deprecation across networking (ifcfg to keyfile, iptables to nftables, teaming to bonding) and infrastructure (cgroups v1 to v2, monolithic libvirtd to modular daemons, virt-manager to Cockpit).

### rhel9-comprehensive-security-posture [IN] OBSERVATION
RHEL 9 provides a comprehensive security posture integrating defense-in-depth hardened defaults (SELinux, firewalld, crypto policies, audit), continuous compliance monitoring (audit logging, AIDE integrity, OpenSCAP scanning), and layered authentication hardening (pam_faillock, password aging, SSH key-based auth) into a unified security architecture.

### rhel9-container-mcs-isolation [IN] OBSERVATION
RHEL 9 container isolation leverages the full MCS restrictive access control model: container-selinux assigns unique MCS categories per container, enforced only after DAC and Type Enforcement pass, requiring conjunction of all assigned categories for inter-container access.

### rhel9-container-runtime-podman [IN] OBSERVATION
Podman (not Docker) is the standard container runtime in RHEL 9, along with Buildah and Skopeo.

### rhel9-content-delivery-architecture [IN] OBSERVATION
RHEL 9 content is architecturally split into two mandatory repositories: BaseOS (core OS foundation, RPMs only) and AppStream (user-space applications delivered as both RPMs and modules), with modules enabling multiple concurrent software versions and some Application Streams having shorter support lifecycles than the base OS.

### rhel9-continuous-os-evolution-strategy [IN] OBSERVATION
RHEL 9 supports continuous OS evolution from routine security patches (DNF advisory-filtered updates across BaseOS/AppStream with severity filtering) through major version transitions (Leapp sequential in-place upgrades with mandatory preupgrade assessment) to image-based atomic updates (rpm-ostree/bootc with health-check rollback for Edge deployments).

### rhel9-continuously-observable-compliance [IN] OBSERVATION
RHEL 9 compliance is observable through complementary mechanisms: continuous audit logging (file watches, auid tracking, pre-configured compliance rule sets for OSPP/PCI-DSS/STIG) provides ongoing evidence collection, while periodic AIDE integrity checks and OpenSCAP scanning provide point-in-time compliance verification.

### rhel9-cpu-security-mitigation-framework [IN] OBSERVATION
RHEL 9 addresses CPU-level security vulnerabilities through multiple coordinated mechanisms: SMT disabling for L1TF/MDS mitigation, shared buffer clearing for MMIO/MDS/TAA with interdependent mitigation toggles, restricted unprivileged BPF access by default, and mandatory BPF JIT compilation that eliminates the interpreter as an attack surface.

### rhel9-crashkernel-high-low-parameters [IN] OBSERVATION
`crashkernel=size,high` and `crashkernel=size,low` control kdump memory reservation above/below 4 GB; `crashkernel=X` without high/low takes precedence.

### rhel9-crypto-default-min-key-2048 [IN] OBSERVATION
The DEFAULT and LEGACY crypto policies require minimum 2048-bit RSA/DH keys; FUTURE requires minimum 3072-bit.

### rhel9-crypto-policy-command-set [IN] OBSERVATION
The command `update-crypto-policies --set POLICY` changes the system-wide cryptographic policy and requires root privileges.

### rhel9-crypto-policy-command-show [IN] OBSERVATION
The command `update-crypto-policies --show` displays the current system-wide cryptographic policy on RHEL 9.

### rhel9-crypto-policy-lifecycle [IN] OBSERVATION
RHEL 9 provides complete crypto policy lifecycle management: four predefined policies, set/show CLI commands, persistent state file verification, and extensibility via custom .pmod subpolicies.

### rhel9-crypto-reboot-recommended [IN] OBSERVATION
A reboot is recommended after changing the system-wide cryptographic policy for full effect.

### rhel9-crypto-scoped-directives-at-syntax [IN] OBSERVATION
Scoped cryptographic policy directives use `@` syntax to restrict settings to specific protocols or libraries (e.g., `cipher@TLS`, `group@SSH`).

### rhel9-current-crypto-policy-state-file [IN] OBSERVATION
The current effective cryptographic policy can be verified at `/etc/crypto-policies/state/CURRENT.pol`.

### rhel9-custom-subpolicy-pmod-location [IN] OBSERVATION
Custom cryptographic subpolicy files use the `.pmod` extension with uppercase filenames and are stored in `/etc/crypto-policies/policies/modules/`.

### rhel9-default-display-protocol-wayland [IN] OBSERVATION
RHEL 9 defaults to Wayland as the display protocol for GNOME, with X11/Xorg available as a fallback.

### rhel9-default-filesystem-xfs [IN] OBSERVATION
XFS is the default file system in RHEL 9.

### rhel9-default-package-manager-dnf [IN] OBSERVATION
RHEL 9 uses DNF (not yum) as the primary package management tool.

### rhel9-default-policy-tls12-minimum [IN] OBSERVATION
The DEFAULT crypto policy enforces TLS 1.2 as the minimum TLS version.
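
An added example (not from the page) for the crypto-policy claims above: a subpolicy using `@`-scoped directives, a name check (the filename must be uppercase), and a reader for directive values that works on `.pmod` files and on the `CURRENT.pol` state file alike. The policy values are an assumed hardening choice, not a Red Hat recommendation.

```bash
#!/bin/bash
# Added example, not from the original page: build, validate and read back a
# custom crypto-policies subpolicy. Paths are the RHEL 9 defaults. The
# directive values (3072-bit minimum keys, CBC-mode AES removed from TLS only)
# are an assumed hardening choice for illustration, not a Red Hat recommendation.

POLICY_MODULE_DIR="${POLICY_MODULE_DIR:-/etc/crypto-policies/policies/modules}"
POLICY_STATE="${POLICY_STATE:-/etc/crypto-policies/state/CURRENT.pol}"

# Subpolicy names are uppercase: the file is NAME.pmod and it is applied as
# BASE:NAME (e.g. DEFAULT:NAME). Allow A-Z, 0-9, '-' and '_' only.
policy_name_ok() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[A-Z0-9_-]+$'
}

# Print the .pmod body. A bare directive applies to every backend; '@' scopes
# it to one (TLS, SSH, IPsec, Kerberos, ...), and a leading '-' removes an
# algorithm instead of replacing the whole list.
render_subpolicy() {
    cat <<'EOF'
# HARDEN-TLS subpolicy (example): raise key-size floors everywhere, drop
# CBC-mode AES from TLS only; SSH keeps the base policy's cipher list.
min_rsa_size = 3072
min_dh_size = 3072
cipher@TLS = -AES-256-CBC -AES-128-CBC
EOF
}

# install_subpolicy NAME [DIR]: write NAME.pmod (root needed for the real dir).
install_subpolicy() {
    name="$1"; dir="${2:-$POLICY_MODULE_DIR}"
    policy_name_ok "$name" || { echo "subpolicy name must be UPPERCASE: '$name'" >&2; return 1; }
    render_subpolicy > "$dir/$name.pmod"
    echo "$dir/$name.pmod"
}

# policy_value FILE DIRECTIVE: print a directive's value from a .pol/.pmod file
# or from CURRENT.pol, the merged state update-crypto-policies writes. Later
# assignments override earlier ones, so the last match wins.
policy_value() {
    awk -v k="$2" -F'=' '
        $1 ~ ("^[ \t]*" k "[ \t]*$") {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); last = v
        }
        END { print last }' "$1"
}

# Live workflow (root):
#   install_subpolicy HARDEN-TLS
#   update-crypto-policies --set DEFAULT:HARDEN-TLS
#   update-crypto-policies --show                 # prints DEFAULT:HARDEN-TLS
#   policy_value "$POLICY_STATE" min_rsa_size     # expect 3072 in the merged state
#   reboot                                        # services read the policy at start
```

Checking `CURRENT.pol` rather than the `.pmod` you wrote is the point: it shows the merged result after the base policy and every stacked subpolicy, which is what the libraries actually load.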

### rhel9-defense-in-depth-container-isolation [IN] OBSERVATION
RHEL 9 containers operate within a defense-in-depth security stack where per-container MCS categories (assigned by container-selinux) provide inter-container isolation, layered on top of SELinux type enforcement, firewalld network controls, system-wide crypto policies, and continuous audit logging — meaning container breakout must defeat not just the container boundary but every surrounding security layer.

### rhel9-defense-in-depth-security-framework [IN] OBSERVATION
RHEL 9 enforces defense-in-depth through four integrated security layers: hardened defaults (SELinux enforcing, firewalld, crypto policies), granular cryptographic policy lifecycle management, layered SELinux MAC enforcement with type-based policy, and a unified audit subsystem with original-identity tracking across privilege escalation.

### rhel9-diagnostic-reporting-workflow [IN] OBSERVATION
RHEL 9 provides a structured diagnostic reporting workflow: sos report (requiring root privileges) collects comprehensive system state into compressed tarballs in /var/tmp/, and sos clean obfuscates hostnames, IP addresses, and other sensitive data before the report is shared with Red Hat support.

### rhel9-direct-vs-indirect-ad-integration [IN] OBSERVATION
Direct AD integration means the RHEL host joins AD directly; indirect integration uses IdM/IPA as a broker with a cross-realm trust to AD.

### rhel9-dnf-check-update-security [IN] OBSERVATION
`dnf check-update --security` lists available security updates; `dnf update --security` installs all available security updates.

### rhel9-dnf-list-and-rpm-qa-query-packages [IN] OBSERVATION
Installed packages can be queried with `dnf list installed` or `rpm -qa`; available packages with `dnf list available` or `dnf repoquery`.

### rhel9-dnf-replaces-yum [IN] OBSERVATION
The `dnf` package manager replaces `yum` in RHEL 9 for all package and update operations.

### rhel9-dnf-updateinfo-advisory-query [IN] OBSERVATION
`dnf updateinfo info <advisory-id>` displays details about a specific advisory; `dnf updateinfo` is the subcommand for querying errata metadata.

### rhel9-drivers-loadable-kernel-modules [IN] OBSERVATION
RHEL ships device drivers as loadable kernel modules, not compiled monolithically into the kernel.

### rhel9-dual-management-interface [IN] OBSERVATION
RHEL 9 system administration operates through complementary local and remote interfaces: the GNOME desktop on Wayland with systemd target switching for interactive console management, and the Cockpit web console with socket activation and firewall integration for browser-based remote management.

### rhel9-dual-upgrade-paradigm [IN] OBSERVATION
RHEL 9 supports two complementary OS upgrade paradigms: sequential in-place upgrades via Leapp (with mandatory preupgrade assessment and no major version skipping) for traditional RPM-based systems, and atomic image-based updates via rpm-ostree/bootc with automated health-check rollback (Greenboot) for Edge deployments.

### rhel9-dual-workload-isolation-platform [IN] OBSERVATION
RHEL 9 provides dual workload isolation with distinct security models: virtual machines via the managed KVM/QEMU/libvirt stack with Cockpit web management and hardware-level isolation, and containers via Podman with MCS-enforced category-based separation where each container receives unique SELinux categories enforced after DAC and Type Enforcement.

### rhel9-dump-utility-deprecated [IN] OBSERVATION
The `dump` backup utility is deprecated in RHEL 9; use `tar`, `dd`, or `bacula` instead (`restore` remains available).

### rhel9-edge-image-based-os [IN] OBSERVATION
RHEL for Edge uses an image-based OS model with rpm-ostree for atomic updates/rollbacks, Greenboot for automated health-check rollback, and bootc for container-native image management.

### rhel9-encrypted-storage-lifecycle [IN] OBSERVATION
RHEL 9 provides end-to-end encrypted storage lifecycle management: NBDE with Clevis/Tang for automated decryption across multiple pin types, volume-type-specific unlock requirements (dracut for root, systemd for non-root), and system-wide cryptographic policy governance ensuring encryption algorithms comply with organizational standards.

### rhel9-enterprise-identity-ecosystem [IN] OBSERVATION
RHEL 9 provides a comprehensive enterprise identity ecosystem: IdM as a unified stack (LDAP/Kerberos/CA/SSSD), Kerberos-gated administration for all management interfaces, encrypted secret storage via vaults with client-side encryption and KRA backend, and direct Active Directory integration via SSSD/realmd for hybrid environments.

### rhel9-errata-three-types [IN] OBSERVATION
Red Hat advisories come in three types: RHSA (security), RHBA (bug fix), and RHEA (enhancement).
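
An added example (not from the page) for the DNF advisory claims and the RHSA/RHBA/RHEA prefixes: a parser over `dnf updateinfo list` output that keeps only security advisories at or above a chosen severity, for change tickets and reports. The listing embedded below is constructed and its advisory IDs are fictional.

```bash
#!/bin/bash
# Added example, not code from the original page: filter `dnf updateinfo list`
# output down to security advisories at or above a chosen severity. The
# listing below is constructed and its advisory IDs are fictional; the prefix
# letters follow the RHSA/RHBA/RHEA convention above.

# Rank security severities so they can be compared numerically.
sev_rank() {
    case "$1" in
        Critical)  echo 4 ;;
        Important) echo 3 ;;
        Moderate)  echo 2 ;;
        Low)       echo 1 ;;
        *)         echo 0 ;;
    esac
}

# errata_type ID: classify an advisory by its prefix; non-zero for junk input.
errata_type() {
    case "$1" in
        RHSA-*) echo security ;;
        RHBA-*) echo bugfix ;;
        RHEA-*) echo enhancement ;;
        *)      echo unknown; return 1 ;;
    esac
}

# security_at_least MINSEV < listing: print "ID SEVERITY PACKAGE" for every
# RHSA line whose severity is at least MINSEV. dnf prints the severity as
# "Important/Sec."; bugfix/enhancement lines say "bugfix"/"enhancement" and
# are dropped, as is dnf's metadata chatter.
security_at_least() {
    min=$(sev_rank "$1")
    while read -r id kind pkg _; do
        case "$id" in RHSA-*) ;; *) continue ;; esac
        sev="${kind%%/*}"
        [ "$(sev_rank "$sev")" -ge "$min" ] && echo "$id $sev $pkg"
    done
    return 0
}

# Constructed `dnf updateinfo list` output (fictional advisory IDs).
SAMPLE_LISTING='Updating Subscription Management repositories.
Last metadata expiration check: 0:10:00 ago on Mon 01 Jan 2024 10:00:00 AM UTC.
RHSA-2024:0001 Critical/Sec.  openssl-1:3.0.7-99.el9.x86_64
RHSA-2024:0002 Moderate/Sec.  curl-7.76.1-99.el9.x86_64
RHBA-2024:0003 bugfix         bash-5.1.8-99.el9.x86_64
RHSA-2024:0004 Important/Sec. kernel-5.14.0-999.el9.x86_64
RHEA-2024:0005 enhancement    tuned-2.22.1-99.el9.noarch'

# Live use (root). dnf has the severity gate built in; the parser above is for
# change tickets and reports. --sec-severity matches one severity exactly and
# may be repeated.
#   dnf updateinfo list --security | security_at_least Important   # preview
#   dnf updateinfo info <advisory-id>                               # CVEs, packages, reboot advice
#   dnf upgrade --security --sec-severity=Critical --sec-severity=Important
```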

### rhel9-filesystem-mounting-model [IN] OBSERVATION
RHEL 9 provides a layered filesystem mounting model: XFS as the default filesystem, persistent mounts via /etc/fstab with UUID/LABEL identification for reliability, and on-demand network mounting via autofs for filesystems accessed infrequently.

### rhel9-fips-enable-at-install [IN] OBSERVATION
FIPS mode should be enabled at install time using the `fips=1` kernel parameter; the `fips-mode-setup` tool is deprecated.

### rhel9-fips-mode-kernel-parameter [IN] OBSERVATION
FIPS mode in RHEL 9 is enabled via `fips=1` kernel parameter at install time (not `/etc/system-fips`); check status with `fips-mode-setup --check`.

### rhel9-fips-mode-setup-enable [IN] OBSERVATION
FIPS mode can also be switched on after installation with `fips-mode-setup --enable` and verified with `fips-mode-setup --check`; a reboot is required after enabling. Because that tool is deprecated in favour of installing with the `fips=1` kernel parameter, prefer enabling FIPS at install time.

### rhel9-fips-policy-not-fips-compliant-alone [IN] OBSERVATION
Setting the FIPS crypto policy alone does not guarantee FIPS 140 compliance; cryptographic keys must be regenerated.

### rhel9-firewalld-active-by-default [IN] OBSERVATION
RHEL 9 has `firewalld` active by default as part of its security baseline.

### rhel9-firewalld-enabled-by-default [IN] OBSERVATION
`firewalld` is enabled by default on RHEL 9 but may be disabled by Kickstart configurations.

### rhel9-firewalld-nftables-backend [IN] OBSERVATION
RHEL 9 uses firewalld with an nftables backend as the firewall framework.

### rhel9-four-predefined-crypto-policies [IN] OBSERVATION
RHEL 9 provides four predefined system-wide cryptographic policies: DEFAULT, LEGACY, FUTURE, and FIPS.

### rhel9-four-supported-architectures [IN] OBSERVATION
RHEL 9 supports four architectures: x86-64 (minimum v2), ARM aarch64 (minimum ARMv8.0-A), IBM Power ppc64le (minimum POWER9), and IBM Z s390x (minimum z14).

### rhel9-full-life-app-streams-level-3 [IN] OBSERVATION
Key application stream packages (httpd, mariadb, postgresql, python, ruby, php, perl) are designated as Full Life Application Streams at Compatibility Level 3.

### rhel9-full-stack-hardware-to-data-defense [IN] OBSERVATION
RHEL 9 defense-in-depth extends from hardware-level CPU mitigations (SMT disable for L1TF/MDS, BPF JIT hardening, unprivileged BPF restrictions) through cryptographic policy enforcement to data-at-rest protection (LUKS2/NBDE encryption and SELinux/MCS mandatory access control), ensuring no single layer's compromise alone exposes stored data.

### rhel9-gnome-default-wayland [IN] OBSERVATION
RHEL 9 GNOME defaults to Wayland as the display server, with X11 available as a fallback.

### rhel9-gnome-defaults-wayland [IN] OBSERVATION
RHEL 9 GNOME defaults to Wayland as the display server with X11 as fallback.

### rhel9-graphical-target-commands [IN] OBSERVATION
Switching between GUI and text mode at boot uses `systemctl set-default graphical.target` or `systemctl set-default multi-user.target`.

### rhel9-graphical-target-controls-gui-boot [IN] OBSERVATION
`systemctl set-default graphical.target` enables GUI at boot; `systemctl set-default multi-user.target` disables it.

### rhel9-graphical-vs-multiuser-target [IN] OBSERVATION
`systemctl isolate graphical.target` starts the GNOME/display manager; `systemctl isolate multi-user.target` switches to text-only mode.

### rhel9-gui-desktop-management [IN] OBSERVATION
RHEL 9 provides a single managed desktop environment (GNOME on Wayland by default) with systemd target control for boot mode selection and virtual console switching for multi-session access.

### rhel9-ha-cluster-requirements [IN] OBSERVATION
Production HA clusters on RHEL 9 require mandatory STONITH fencing, pcs as the primary management CLI, dedicated firewall ports (TCP 2224/3121, UDP 5405), and Pacemaker-controlled service lifecycle (no systemctl).

### rhel9-ha-corosync-membership-layer [IN] OBSERVATION
Corosync provides the cluster communication and membership layer underneath Pacemaker in RHEL 9 HA clusters.

### rhel9-ha-firewall-ports [IN] OBSERVATION
RHEL 9 HA clusters require firewall ports TCP 2224 (pcsd), UDP 5405 (corosync), and TCP 3121 (pacemaker-remoted).

### rhel9-ha-uses-pacemaker-crm [IN] OBSERVATION
RHEL 9 High Availability Add-On uses Pacemaker as its cluster resource manager.

### rhel9-hardened-kernel-runtime [IN] OBSERVATION
RHEL 9 manages a hardened kernel runtime through coordinated boot parameter management (grubby for default kernel and persistent args, mitigations= for CPU vulnerability controls, crashkernel= for dump reservation) and explicit security-vs-performance equilibrium controls (TuneD profiles, BPF restrictions with JIT-only enforcement, io_uring default-disabled).

### rhel9-hardware-security-performance-equilibrium [IN] OBSERVATION
RHEL 9 explicitly manages the hardware security-vs-performance equilibrium: CPU vulnerability mitigations (SMT disable for L1TF/MDS, BPF restrictions, io_uring disabled by default) reduce attack surface at performance cost, while TuneD profiles provide compensating performance optimization.

### rhel9-health-monitored-enterprise-identity [IN] OBSERVATION
RHEL 9 enterprise identity services are health-monitored end-to-end: the full identity ecosystem (IdM with AD cross-forest trust, Kerberos-gated administration, vault client-side encryption) is continuously verified by automated ipa-healthcheck with systemd timer scheduling, JSON output with severity grading, and failure-only filtering for operational alerting.

### rhel9-identity-enabled-service-discovery [IN] OBSERVATION
RHEL 9 enterprise identity provides automated service discovery: IdM's integrated DNS subsystem (BIND with LDAP backend, configurable forward policies, auto-created SRV records) enables clients to locate and enroll into the identity ecosystem via ipa-client-install without explicit server specification.

### rhel9-idm-ad-cross-forest-trust [IN] OBSERVATION
IdM-AD trust is a cross-forest trust (not a simple domain trust) that integrates Kerberos, LDAP, DNS, and certificate services between the two environments.

### rhel9-idm-ad-trust-one-way [IN] OBSERVATION
IdM typically establishes a one-way trust where AD users can authenticate to IdM-managed services, not the reverse.

### rhel9-idm-ad-trust-prerequisites [IN] OBSERVATION
Establishing an IdM-AD trust requires common Kerberos encryption types, firewall ports (389/636, 88/464, 53, 135, 138, 139, 445, 3268), proper DNS resolution between domains, and Kerberos realm configuration.

### rhel9-idm-bundled-components [IN] OBSERVATION
Red Hat Identity Management (IdM) bundles 389 Directory Server, MIT Kerberos KDC, SSSD, and Certmonger into one integrated identity solution.

### rhel9-idm-is-freeipa [IN] OBSERVATION
Red Hat IdM is the upstream FreeIPA project packaged by Red Hat.

### rhel9-idm-optional-dns-ca [IN] OBSERVATION
IdM can optionally provide its own integrated DNS and Certificate Authority (Dogtag CA), or integrate with existing external DNS and CA infrastructure; this choice is made at install time.

### rhel9-idm-pretuned-for-typical-deployments [IN] OBSERVATION
IdM is pre-tuned for typical deployments by default; manual performance tuning is only needed for large-scale, high-load, or latency-sensitive environments.

### rhel9-idm-three-roles [IN] OBSERVATION
IdM (Identity Management) has three installable roles: server, replica, and client, installed via `ipa-server-install`, `ipa-replica-install`, and `ipa-client-install` respectively.

### rhel9-ifcfg-deprecated-keyfile [IN] OBSERVATION
The ifcfg format for NetworkManager profiles is deprecated in RHEL 9; use `nmcli connection migrate` to convert to keyfile format.

### rhel9-ifcfg-deprecated-keyfile-default [IN] OBSERVATION
The `ifcfg` format for NetworkManager profiles is deprecated in RHEL 9; keyfile format in `/etc/NetworkManager/system-connections/` is the default.

### rhel9-infrastructure-deprecation-landscape [IN] OBSERVATION
RHEL 9 has deprecated core infrastructure components beyond networking: cgroups v1 (replaced by v2), the dump backup utility (replaced by tar/dd/bacula), ISC DHCP (replaced by Kea/dhcpcd), monolithic libvirtd (replaced by modular daemons), and virt-manager (replaced by Cockpit) — representing a systematic modernization of virtualization, storage, and service management subsystems.

### rhel9-inst-repo-protocols [IN] OBSERVATION
Valid protocols for the `inst.repo=` kernel boot parameter: http, https, ftp, nfs, hmc (and cdrom for local media).

### rhel9-install-gnome-group [IN] OBSERVATION
Installing GNOME on a minimal RHEL 9 system uses `dnf groupinstall "Server with GUI"`.

### rhel9-install-gnome-groupinstall [IN] OBSERVATION
Installing GNOME on a minimal RHEL 9 system is done with `dnf groupinstall "Server with GUI"`.

### rhel9-installer-network-configuration [IN] OBSERVATION
RHEL 9 installer supports layered network configuration via boot parameters: DHCP by default, static IP override via the seven-field ip= syntax (IP::GATEWAY:NETMASK:HOSTNAME:INTERFACE:none), custom interface naming via ifname=interface:MAC, and bootdev= required for designating the primary boot interface in multi-NIC environments.

### rhel9-iptables-deprecated-nftables-replacement [IN] OBSERVATION
The `iptables` backend in `firewalld` is deprecated in RHEL 9; `nftables` is the replacement.

### rhel9-isc-dhcp-deprecated [IN] OBSERVATION
ISC DHCP (client and server) is deprecated in RHEL 9; replacements are ISC Kea (server) and `dhcpcd` (client).

### rhel9-kernel-configuration-management [IN] OBSERVATION
RHEL 9 manages kernel configuration across two complementary dimensions: runtime module lifecycle (loadable drivers with lsmod/modprobe, persistent blacklisting) and boot parameter management (grubby for persistent kernel args, CPU vulnerability mitigations, crashkernel memory reservation).

### rhel9-kernel-hz-1000 [IN] OBSERVATION
RHEL 9 kernel is configured with `CONFIG_HZ=1000` (timer interrupt frequency).

### rhel9-kernel-module-lifecycle [IN] OBSERVATION
RHEL 9 manages kernel drivers as loadable modules with a complete lifecycle: modules stored in `/lib/modules/$(uname -r)/`, managed via lsmod/modprobe/modprobe -r/modinfo commands, with persistent blacklisting via `modprobe.blacklist=` that survives installation.

### rhel9-kernel-module-management-commands [IN] OBSERVATION
Kernel modules are managed with `lsmod` (list loaded), `modprobe` (load), `modprobe -r` (unload), and `modinfo` (query info); persistent config goes in `/etc/modprobe.d/*.conf`.

### rhel9-kickstart-automated-install [IN] OBSERVATION
RHEL 9 supports automatic installation via Kickstart, which provides predefined configuration for Anaconda.

### rhel9-kickstart-for-many-systems [IN] OBSERVATION
Kickstart is the preferred automated installation method for deploying many RHEL systems; the graphical installer is for one or a few systems.

### rhel9-layered-data-protection [IN] OBSERVATION
RHEL 9 protects data at rest through two independent and complementary layers: cryptographic protection (LUKS2 encryption with NBDE automated decryption governed by system-wide crypto policies) and mandatory access control (SELinux DAC → Type Enforcement → MCS enforcement chain) — ensuring that even if one layer is bypassed, the other independently restricts unauthorized access.

### rhel9-legacy-allows-sha1-signatures [IN] OBSERVATION
LEGACY is the only predefined crypto policy that allows SHA-1 in digital signatures; the `DEFAULT:SHA1` subpolicy is the targeted alternative.

### rhel9-libvirtd-deprecated-modular-daemons [IN] OBSERVATION
The monolithic `libvirtd` daemon is deprecated in RHEL 9; modular libvirt daemons are the replacement.

### rhel9-lightspeed-ai-cli-assistant [IN] OBSERVATION
RHEL Lightspeed is an AI-powered command-line assistant for RHEL 9 that uses natural language input, grounded in RHEL documentation and the Red Hat Knowledgebase.

### rhel9-logging-input-types [IN] OBSERVATION
Logging system role input types are: `basics` (local journal/socket), `remote` (network receiver), and `files` (specific file paths).

### rhel9-logging-output-types [IN] OBSERVATION
Logging system role output types are: `files` (local), `remote_files` (per-host remote storage organized by `%FROMHOST%`), and `forwards` (send to remote server).

### rhel9-logging-role-name [IN] OBSERVATION
The RHEL logging system role is `redhat.rhel_system_roles.logging` and configures rsyslog on managed nodes.

### rhel9-logging-role-three-variable-groups [IN] OBSERVATION
The logging system role uses three variable groups: `logging_inputs` (log sources), `logging_outputs` (log destinations), and `logging_flows` (connecting inputs to outputs).

### rhel9-logging-selinux-syslog-ports [IN] OBSERVATION
Default SELinux-allowed syslog ports are 601, 514, 6514, 10514, and 20514.

### rhel9-logging-system-role-framework [IN] OBSERVATION
The RHEL 9 logging system role (redhat.rhel_system_roles.logging) provides a structured rsyslog configuration framework organized around three variable groups: inputs (basics/remote/files as log sources), outputs (files/remote_files/forwards as destinations), and flows connecting them, with SELinux constraining allowed syslog ports to 601, 514, 6514, 10514, and 20514.

### rhel9-logging-tls-requires-idm [IN] OBSERVATION
TLS for the logging system role requires managed nodes to be enrolled in an IdM domain for CA-signed certificates.

### rhel9-logging-tls-requires-idm-enrollment [IN] OBSERVATION
TLS for the logging system role requires managed nodes to be enrolled in an IdM domain for CA-signed certificates.

### rhel9-logging-udp-overrides-tcp [IN] OBSERVATION
In the logging system role, if both `udp_ports` and `tcp_ports` are set on a remote input, `udp_ports` is used and `tcp_ports` is dropped.

### rhel9-logging-udp-tcp-conflict [IN] OBSERVATION
When both `udp_ports` and `tcp_ports` are set on a logging system role remote input, `udp_ports` is used and `tcp_ports` is dropped.

### rhel9-lspci-k-shows-device-drivers [IN] OBSERVATION
The command `lspci -k` lists PCI devices and their associated kernel driver modules.

### rhel9-luks2-default-disk-encryption [IN] OBSERVATION
LUKS2 is the default disk-encryption format in RHEL 9; LUKS1 volumes use the `luksmeta` package for NBDE state storage.

### rhel9-luks2-default-format [IN] OBSERVATION
LUKS2 is the default disk-encryption format in RHEL 9; LUKS1 volumes use the `luksmeta` package for NBDE state storage.

### rhel9-managed-database-platform [IN] OBSERVATION
RHEL 9 provides a managed relational database platform: three supported RDBMS (MariaDB, MySQL, PostgreSQL) delivered via AppStream repository module streams for version selection, with standardized default ports (3306 for MariaDB/MySQL, 5432 for PostgreSQL).

### rhel9-managed-virtualization-stack [IN] OBSERVATION
RHEL 9 provides a fully managed virtualization stack: KVM/QEMU/libvirt for VM execution with virsh/virt-install for CLI management, and the Cockpit web console (socket-activated on port 9090, firewall-integrated) as the modern browser-based management interface replacing the deprecated virt-manager.

### rhel9-minor-release-cadence-6-months [IN] OBSERVATION
RHEL 9 follows a minor release cadence of approximately every 6 months (9.0 May 2022 through 9.7 Nov 2025).

### rhel9-minor-releases-9-0-through-9-7 [IN] OBSERVATION
RHEL 9 has minor releases from 9.0 through 9.7.

### rhel9-mitigations-boot-parameter [IN] OBSERVATION
The `mitigations=` kernel boot parameter controls all CPU vulnerability mitigations: `off` disables all, `auto` (default) enables with SMT on, `auto,nosmt` disables SMT if needed.

### rhel9-mmio-mds-taa-shared-mitigation [IN] OBSERVATION
MMIO stale data, MDS, and TAA mitigations share the same CPU buffer clearing mechanism; disabling one may require disabling the others.

### rhel9-modernizing-application-platform [IN] OBSERVATION
RHEL 9 application platform is actively modernizing: runtime infrastructure (databases via AppStream streams, managed Python ecosystem, RPM packaging lifecycle) evolves in parallel with systematic deprecation of legacy components (ifcfg, iptables, teaming, cgroups v1, monolithic libvirtd) driving migration to modern replacements.

### rhel9-mptcp-support [IN] OBSERVATION
RHEL 9 supports Multipath TCP (MPTCP), enabling a single TCP connection to use multiple network paths simultaneously.

### rhel9-multi-architecture-hardened-platform [IN] OBSERVATION
RHEL 9 delivers a security-hardened platform across four supported architectures (x86-64, ARM, POWER, Z) with per-architecture CPU minimums and separate subscription requirements, sharing common defense-in-depth defaults (SELinux enforcing, firewalld active, SHA-1 disabled, system-wide crypto policies) though per-architecture differences exist in kernel configuration.

### rhel9-multi-architecture-platform-requirements [IN] OBSERVATION
RHEL 9 supports four architectures with per-architecture minimum CPU microarchitecture versions, separate subscription requirements, and architecture-specific kernel configurations (e.g., 4k page size default on ARM).

### rhel9-nbde-decryption-stack [IN] OBSERVATION
RHEL 9 provides a complete Network-Bound Disk Encryption stack: Clevis client-side framework, Tang stateless server on port 80, multiple pin types (tang/tpm2/pkcs11/sss), and JWK-based key management.

### rhel9-nbde-nonroot-unlock-requires-clevis-systemd [IN] OBSERVATION
Non-root volume auto-unlock requires `clevis-systemd` package, `systemctl enable clevis-luks-askpass.path`, and `_netdev` in fstab/crypttab.

### rhel9-nbde-nonroot-volume-unlock-requirements [IN] OBSERVATION
Automated non-root volume unlock with NBDE requires the `clevis-systemd` package, enabling `clevis-luks-askpass.path`, and adding `_netdev` to fstab/crypttab.

### rhel9-nbde-root-unlock-requires-clevis-dracut [IN] OBSERVATION
Root volume auto-unlock with NBDE requires the `clevis-dracut` package and running `dracut -fv --regenerate-all`.

### rhel9-nbde-root-volume-unlock-requirements [IN] OBSERVATION
Automated root volume unlock with NBDE requires the `clevis-dracut` package and running `dracut -fv --regenerate-all`.

### rhel9-nbde-volume-unlock-requirements [IN] OBSERVATION
NBDE auto-unlock diverges by volume type: root volumes require `clevis-dracut` and initramfs regeneration, while non-root volumes require `clevis-systemd` and the `_netdev` mount option.

### rhel9-network-teaming-deprecated [IN] OBSERVATION
Network teaming (`teamd`/`libteam`) is deprecated in RHEL 9; bonding is the recommended replacement.

### rhel9-network-teaming-deprecated-use-bonding [IN] OBSERVATION
Network teaming (`teamd`/`libteam`) is deprecated in RHEL 9; bonding is the replacement.

### rhel9-networking-deprecation-shift [IN] OBSERVATION
RHEL 9 networking has undergone a systematic deprecation of legacy technologies: ifcfg replaced by keyfile, iptables by nftables, network teaming by bonding, and SCP by SFTP.

### rhel9-networking-stack-networkmanager [IN] OBSERVATION
NetworkManager (nmcli, nmtui) is the networking stack in RHEL 9.

### rhel9-networkmanager-default [IN] OBSERVATION
NetworkManager is the default networking service in RHEL 9, replacing legacy network-scripts.

### rhel9-ntp-time-synchronization-stack [IN] OBSERVATION
RHEL 9 provides a secure NTP time synchronization stack with chrony as the default implementation and a restricted-privilege service mode for minimal client configurations.

### rhel9-observable-security-compliance-posture [IN] OBSERVATION
RHEL 9 enables continuously observable and verifiable security by combining operational visibility (audit subsystem with login tracking and diagnostic reporting via sos) with compliance verification (AIDE file integrity monitoring, OpenSCAP policy scanning, pre-configured compliance rules for OSPP/PCI-DSS/STIG) into a single observable security posture.

### rhel9-only-desktop-gnome [IN] OBSERVATION
GNOME is the only desktop environment available in RHEL 9; no KDE or other alternative DE is shipped.

### rhel9-openldap-downgraded-level-4 [IN] OBSERVATION
openldap was downgraded to Compatibility Level 4 in RHEL 9 due to upstream instability.

### rhel9-operational-visibility-framework [IN] OBSERVATION
RHEL 9 provides operational visibility through an integrated audit subsystem (file watches, login identity tracking via auid, pre-configured compliance rules) combined with structured diagnostic reporting (sos report with root-privilege collection and sos clean data obfuscation).

### rhel9-oscap-scanning-with-ssg [IN] OBSERVATION
OpenSCAP compliance scanning on RHEL 9 uses the `oscap` command with profiles from the `scap-security-guide` package located at `/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml`.

### rhel9-pam-faillock-conf-path [IN] OBSERVATION
Account lockout policy on RHEL 9 is configured via `pam_faillock` in `/etc/security/faillock.conf`; locked accounts can be reset with `faillock --user username --reset`.

### rhel9-pam-pwquality-conf-path [IN] OBSERVATION
Password quality requirements on RHEL 9 are configured via `pam_pwquality` in `/etc/security/pwquality.conf`.

### rhel9-patch-management-lifecycle [IN] OBSERVATION
RHEL 9 provides a structured patch management lifecycle: the content delivery architecture splits packages across BaseOS and AppStream repositories, DNF serves as the unified package manager, and security-specific tooling (`dnf check-update --security`, `dnf updateinfo info`) enables targeted security patching with advisory-level granularity.

### rhel9-pcs-primary-cluster-cli [IN] OBSERVATION
The `pcs` command is the primary CLI tool for configuring and managing Pacemaker/Corosync clusters on RHEL 9.

### rhel9-pcsd-must-be-enabled [IN] OBSERVATION
The `pcsd` service must be running and enabled on all nodes before Pacemaker cluster setup.

### rhel9-per-architecture-subscription [IN] OBSERVATION
Each RHEL 9 architecture requires its own separate subscription.

### rhel9-per-architecture-subscriptions [IN] OBSERVATION
RHEL subscriptions are per-architecture — each architecture requires its own subscription type.

### rhel9-performance-security-tradeoff-controls [IN] OBSERVATION
RHEL 9 exposes explicit performance-vs-security tradeoff controls: TuneD (enabled by default) provides profile-based system performance tuning, while security restrictions constrain high-performance subsystems — io_uring disabled by default (`kernel.io_uring_disabled=2`) and BPF restricted to privileged users (`unprivileged_bpf_disabled=2`) — requiring administrators to consciously relax security for performance gains.

### rhel9-platform-python-internal [IN] OBSERVATION
`/usr/libexec/platform-python` is a minimal internal Python for system tools and is not intended for user use.

### rhel9-point-releases-backward-compatible [IN] OBSERVATION
RHEL 9 point releases (9.0, 9.1, 9.2, …) maintain backward ABI/API compatibility within the major version.

### rhel9-post-install-hardening-sequence [IN] OBSERVATION
The post-installation hardening sequence is: update system (`dnf update`) → verify/enable firewall → disable unneeded services.

### rhel9-process-to-data-isolation-framework [IN] OBSERVATION
RHEL 9 isolates both processes and persistent data: SELinux Type Enforcement with MCS categories and polyinstantiation isolates running processes and their filesystem views, while LUKS2/NBDE encryption and AIDE integrity monitoring protect data at rest independently of process-level controls.

### rhel9-python-appstream-versions [IN] OBSERVATION
Additional Python versions (e.g., 3.11, 3.12) are available as separate packages from AppStream (e.g., `python3.11`, `python3.12`).

### rhel9-python-managed-ecosystem [IN] OBSERVATION
RHEL 9 provides a managed Python ecosystem: Python 3 only (no Python 2), internal platform-python reserved for system tools, /usr/bin/python symlink via dedicated package, and additional versions available from AppStream.

### rhel9-python-unversioned-command [IN] OBSERVATION
RHEL 9 provides `/usr/bin/python` as a symlink to `python3` via the `python-unversioned-command` package.

### rhel9-python-venv-recommended [IN] OBSERVATION
`python3 -m venv` is the recommended way to create isolated Python environments on RHEL 9; pip should be used inside virtual environments rather than system-wide.

### rhel9-python3-default-no-python2 [IN] OBSERVATION
RHEL 9 ships Python 3 only; Python 2 is not included in the base repositories.

### rhel9-rcu-nocbs-offload-callbacks [IN] OBSERVATION
The `rcu_nocbs=<cpu-list>` boot parameter offloads RCU callbacks from specified CPUs to dedicated kthreads, reducing OS jitter for real-time workloads.

### rhel9-realmd-orchestrates-domain-join [IN] OBSERVATION
The `realmd` tool orchestrates AD domain join operations for both SSSD and Winbind backends using commands `realm join`, `realm discover`, and `realm list`.

### rhel9-requires-x86-64-v2 [IN] OBSERVATION
RHEL 9 requires x86-64-v2 as the minimum CPU microarchitecture level for x86_64, meaning older CPUs lacking SSE4.2, POPCNT, etc. are unsupported.

### rhel9-resilient-compute-platform [IN] OBSERVATION
RHEL 9 provides resilient compute infrastructure by combining the managed KVM/QEMU/libvirt virtualization stack (with Cockpit web management and virsh CLI) and Pacemaker/Corosync HA clustering with mandatory STONITH fencing and pcs-managed service lifecycle.

### rhel9-rpm-packaging-lifecycle [IN] OBSERVATION
RHEL 9 provides a complete RPM packaging lifecycle: the rpmbuild directory tree (~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}) hosts spec files following the NVR naming convention with automatic distribution tagging via %{?dist}, build dependencies resolved through `dnf builddep`, and flexible output options (binary-only, source-only, or both RPMs).

### rhel9-rsyslogd-validate-config [IN] OBSERVATION
The command `rsyslogd -N 1` validates rsyslog configuration syntax on a managed node.

### rhel9-scp-deprecated-sftp-default [IN] OBSERVATION
The SCP protocol is deprecated in RHEL 9; SFTP is the default replacement in OpenSSH.

### rhel9-security-automatable-at-scale [IN] OBSERVATION
RHEL 9 security configuration is automatable at fleet scale through SELinux deployment automation (Ansible roles, semanage export/import, fixfiles autorelabel) integrated with RHEL System Roles for consistent cross-host configuration management.

### rhel9-security-compliance-triad [IN] OBSERVATION
RHEL 9 provides three complementary security compliance mechanisms: continuous audit logging with original-identity tracking and pre-configured compliance rule sets (OSPP, PCI-DSS, STIG), file integrity monitoring via AIDE with init/check/update workflow, and automated SCAP scanning against predefined security profiles from scap-security-guide.

### rhel9-security-from-hardware-to-policy [IN] OBSERVATION
RHEL 9 defense-in-depth extends from hardware-level security mitigations (SMT disable for L1TF/MDS, BPF JIT hardening, unprivileged BPF restrictions, MMIO buffer clearing) through software security controls (SELinux enforcing, firewalld active, system-wide crypto policies, granular audit logging), providing security assurance at every layer of the stack.

### rhel9-security-hardened-defaults [IN] OBSERVATION
RHEL 9 ships with multiple security controls active by default: SELinux enforcing, firewalld active, SHA-1 disabled, and four predefined system-wide cryptographic policies (DEFAULT, LEGACY, FUTURE, FIPS).

### rhel9-security-update-severity-filter [IN] OBSERVATION
Security updates can be filtered by severity using `dnf update --security --sec-severity=Critical` (levels: Critical, Important, Moderate, Low).

### rhel9-selinux-enforcing-by-default [IN] OBSERVATION
RHEL 9 runs SELinux in enforcing mode by default as part of its security baseline.

### rhel9-sendmail-deprecated-postfix-default [IN] OBSERVATION
Sendmail is deprecated in RHEL 9; Postfix is the default MTA.

### rhel9-service-firewall-port-matrix [IN] OBSERVATION
RHEL 9 infrastructure services require a coordinated set of firewall port openings: Cockpit web console (TCP 9090), HA cluster (TCP 2224/3121, UDP 5405), Tang NBDE server (TCP 80), databases (TCP 3306/5432), and IdM DNS (TCP/UDP 53).

### rhel9-sha1-deprecated-hmac-exception [IN] OBSERVATION
SHA-1 is deprecated for cryptographic purposes across RHEL 9, but HMAC-SHA1 and UUID generation remain allowed.

### rhel9-sha1-disabled-by-default [IN] OBSERVATION
SHA-1 is not allowed by default for cryptographic signatures in RHEL 9; enable with `update-crypto-policies --set DEFAULT:SHA1` if needed.

### rhel9-smt-disable-mitigates-l1tf-mds [IN] OBSERVATION
Disabling SMT (Simultaneous Multithreading) mitigates CPU side-channel attacks (L1TF, MDS) but reduces performance; it can be configured via the Cockpit web console.

### rhel9-sos-clean-obfuscate [IN] OBSERVATION
`sos clean <report-path>` obfuscates sensitive data from a sos report before sharing.

### rhel9-sos-report-command [IN] OBSERVATION
`sos report` is the command to generate a diagnostic data bundle for Red Hat Technical Support; the `sos` package is installed via `dnf install sos`.

### rhel9-sos-report-output-path [IN] OBSERVATION
sos reports are saved to `/var/tmp/` as compressed tarballs named `sosreport-<hostname>-<date>-<hash>.tar.xz`.

### rhel9-sos-report-requires-root [IN] OBSERVATION
Running `sos report` requires root privileges.

### rhel9-ssh-crypto-override-prefix-below-50 [IN] OBSERVATION
To override SSH crypto policy on RHEL 9, use a drop-in config file with a numeric prefix less than 50 in `/etc/ssh/sshd_config.d/`.

### rhel9-sssd-caching-reduces-idm-load [IN] OBSERVATION
SSSD caching on clients is the primary mechanism for reducing IdM server load by caching identity and authentication data locally.

### rhel9-sssd-default-realmd-backend [IN] OBSERVATION
SSSD is the default/recommended backend when using `realmd` for AD integration on RHEL 9.

### rhel9-stable-kernel-branch-across-releases [IN] OBSERVATION
RHEL 9 maintains the 5.14.0 kernel branch across minor releases (9.3 through 9.5) on a six-month cadence, delivering security and feature updates through patch-level increments rather than kernel version bumps.

### rhel9-stonith-fencing-mandatory [IN] OBSERVATION
STONITH/fencing is mandatory in production Pacemaker clusters; disabling it is unsupported.

### rhel9-subscription-authenticated-patch-pipeline [IN] OBSERVATION
RHEL 9 patch management requires subscription authentication before any updates flow: systems must register and receive entitlements to access BaseOS and AppStream repositories, which then enables the full advisory-filtered patch lifecycle (security severity filtering, updateinfo queries, dnf update operations), creating a trust chain from Red Hat subscription through content delivery to system-level package updates.

### rhel9-subscription-content-pipeline [IN] OBSERVATION
RHEL 9 requires a registration-to-content pipeline before systems can receive updates: registration via one of three methods (GUI/TUI, subscription-manager CLI, or activation key), per-architecture subscription assignment, and content delivery from either Red Hat CDN or Satellite Server.

### rhel9-subscription-gated-content-lifecycle [IN] OBSERVATION
RHEL 9 content access follows a subscription-gated lifecycle: systems must first register via one of three methods (GUI/TUI, subscription-manager CLI, or activation key) to access the architecturally split BaseOS/AppStream repository system, which then provides the foundation for package installation, module stream selection, and security update management.

### rhel9-supported-architectures [IN] OBSERVATION
RHEL 9 supports four architectures: x86_64, aarch64, ppc64le, and s390x.

### rhel9-supported-databases [IN] OBSERVATION
RHEL 9 supports three relational database servers: MariaDB, MySQL, and PostgreSQL.

### rhel9-sysctl-page-lock-unfairness-default-5 [IN] OBSERVATION
The sysctl `vm.page_lock_unfairness` defaults to 5; after 5 lock steals, fair lock handoff applies.

### rhel9-system-roles-configuration-management [IN] OBSERVATION
RHEL System Roles provide Ansible-based consistent configuration across hosts, with dual naming conventions (legacy and collection), covering key subsystems (timesync, network, selinux, storage, firewall, logging, kdump).

### rhel9-systemctl-enable-vs-start [IN] OBSERVATION
`systemctl enable` makes a service persistent across reboots while `systemctl start` starts it immediately; both are needed to activate and persist a service.

### rhel9-tang-default-port-80 [IN] OBSERVATION
Tang's default port is 80; custom ports require `semanage port -a -t tangd_port_t -p tcp <port>`.

### rhel9-tang-keys-location [IN] OBSERVATION
Tang server keys are stored in `/var/db/tang/` as `.jwk` files; key rotation hides old keys by prefixing with `.` (dot).

### rhel9-tang-keys-stored-var-db-tang [IN] OBSERVATION
Tang keys are stored in `/var/db/tang/` as `.jwk` files; key rotation hides old keys by prefixing with `.` (dot).

### rhel9-three-installation-sources [IN] OBSERVATION
RHEL 9 interactive installation supports three sources: physical installation media (USB/DVD), ISO file, or Red Hat CDN.

### rhel9-two-default-repos-baseos-appstream [IN] OBSERVATION
RHEL 9 distributes content across two default repositories: BaseOS and AppStream.

### rhel9-two-iso-types [IN] OBSERVATION
RHEL 9 provides two ISO types: Installation ISO (full, contains BaseOS + AppStream) and Boot ISO (minimal, requires network repository access).

### rhel9-unified-authentication-service-stack [IN] OBSERVATION
RHEL 9 provides a unified authentication service stack where SSSD serves as the central identity daemon for external identity providers, authselect configures the PAM/NSS authentication profile, and SSSD client-side caching reduces IdM server load by locally caching identity and authentication data.

### rhel9-unprivileged-bpf-disabled-default [IN] OBSERVATION
In RHEL 9, unprivileged BPF access is restricted by default (`unprivileged_bpf_disabled = 2`), meaning the `bpf()` syscall is limited to privileged users but an admin can change this.

### rhel9-virt-manager-deprecated-cockpit-replacement [IN] OBSERVATION
`virt-manager` is deprecated in RHEL 9; Cockpit (RHEL web console) is the replacement GUI for VM management.

### rhel9-virt-stack-components [IN] OBSERVATION
The RHEL 9 virtualization stack consists of KVM (kernel module), QEMU (device emulation), and libvirt (management API/daemon).

### rhel9-virt-supported-architectures [IN] OBSERVATION
RHEL 9 virtualization is supported on Intel 64 (x86_64), AMD64, and IBM Z, with varying feature availability per architecture.

### rhel9-virtual-console-switch [IN] OBSERVATION
Virtual consoles are accessed via Ctrl+Alt+F2 through F6; the graphical session typically runs on F1.

### rhel9-virtualization-platform [IN] OBSERVATION
RHEL 9 provides a complete virtualization platform: KVM as the kernel-level hypervisor, QEMU for device emulation, libvirt as the management API/daemon, with multiple management interfaces (virsh CLI, virt-install for VM creation, Cockpit web console on port 9090).

### rhel9-virtualization-uses-kvm [IN] OBSERVATION
RHEL 9 uses KVM (Kernel-based Virtual Machine) as its virtualization technology, not Xen or VMware.

### rhel9-vm-management-virsh-cockpit [IN] OBSERVATION
RHEL 9 VMs can be managed via `virsh` (CLI), `virt-install` (VM creation), or the Cockpit web console at port 9090.

### rhel9-vnc-headless-install [IN] OBSERVATION
The `inst.vnc` boot parameter enables graphical installation on headless systems, supporting both Direct and Connect modes.

### rhel9-vpn-ipsec-wireguard [IN] OBSERVATION
RHEL 9 supports both IPSec and WireGuard as VPN technologies.

### rhel9-web-console-based-on-cockpit [IN] OBSERVATION
The RHEL 9 web console is based on the upstream Cockpit project.

### rhel9-web-console-management-stack [IN] OBSERVATION
The RHEL 9 web console (Cockpit) provides browser-based system management through a defined deployment pattern: socket-activated service (not a persistent daemon), default listener on port 9090, and firewalld service integration for access control.

### rhel9-x86-64-v2-minimum [IN] OBSERVATION
RHEL 9 requires x86-64-v2 as the minimum x86_64 microarchitecture level, meaning CPUs without SSE4.2 and POPCNT (roughly pre-2009 AMD, pre-2008 Intel) are not supported.

### rhel9-yum-dnf-aliases [IN] OBSERVATION
`yum` and `dnf` are interchangeable aliases in RHEL 9.

### rhel91-fagenrules-load-no-restart [IN] OBSERVATION
In RHEL 9.1+, `fagenrules --load` reloads fapolicy rules without requiring a manual `fapolicyd` restart.

### rhel91-free-command-used-memory-calculation [IN] OBSERVATION
In RHEL 9.1+, the `free` command calculates used memory as total minus available, accounting for unreclaimable cache and tmpfs objects.

### rhel91-grubby-persists-kernel-args [IN] OBSERVATION
In RHEL 9.1+, `grubby --update-kernel=ALL --args="<argument>"` correctly persists kernel command-line arguments across kernel upgrades.

### rhel91-ipv6-address-priority-order [IN] OBSERVATION
NetworkManager in RHEL 9.1 orders IPv6 source addresses by priority: manual > dhcpv6 > autoconf6.

### rhel91-kdumpctl-estimate-crashkernel [IN] OBSERVATION
The command `kdumpctl estimate` checks estimated crashkernel memory reservation requirements.

### rhel91-openssl-fips-restrictions [IN] OBSERVATION
In RHEL 9.1 FIPS mode, OpenSSL disallows 3DES, RSA keys smaller than 2048 bits, and RSA key exchange; the `req` tool uses AES-256-CBC for key encryption.

### rhel91-selinux-staff-u-secure-mode [IN] OBSERVATION
When the SELinux `secure_mode` boolean is enabled, `staff_u` users cannot switch to the `unconfined_r` role.

### rhel91-sssd-ldap-ignore-unreadable-references [IN] OBSERVATION
SSSD option `ldap_ignore_unreadable_references` (default: false) controls whether unreadable LDAP group members cause errors.

### rhel92-beta-march-2023-ga-may-2023 [IN] OBSERVATION
RHEL 9.2 was released as Beta on March 29, 2023, with GA release notes published May 10, 2023.

### rhel93-kernel-version [IN] OBSERVATION
RHEL 9.3 ships with kernel version 5.14.0-362.8.1.

### rhel93-supported-architectures [IN] OBSERVATION
RHEL 9.3 supports four architectures: x86_64 (min x86-64-v2), aarch64 (min ARMv8.0-A), ppc64le (min POWER9), and s390x (min z14).

### rhel94-appstream-versions [IN] OBSERVATION
RHEL 9.4 Application Streams include Python 3.12, Ruby 3.3, PHP 8.2, nginx 1.24, MariaDB 10.11, and PostgreSQL 16.

### rhel94-chronyd-restricted-service [IN] OBSERVATION
The `chronyd-restricted` service runs chrony without root privileges for minimal client-only NTP configurations.

### rhel94-cni-deprecated-netavark-default [IN] OBSERVATION
The CNI network stack for Podman containers is deprecated in RHEL 9.4 in favor of Netavark; CNI will be removed in a future release.

### rhel94-fips-edge-provisioning-only [IN] OBSERVATION
FIPS mode for RHEL for Edge images must be enabled during image provisioning and cannot be changed after the build starts.

### rhel94-image-builder-partitioning-modes [IN] OBSERVATION
RHEL Image Builder supports custom mount points and partitioning modes: `auto-lvm`, `lvm`, and `raw`.

### rhel94-kernel-version [IN] OBSERVATION
RHEL 9.4 ships with kernel version 5.14.0-427.13.1.

### rhel94-kvm-64bit-arm-fully-supported [IN] OBSERVATION
KVM virtualization on 64-bit ARM (aarch64) is fully supported in RHEL 9.4 (promoted from tech preview).

### rhel94-modernized-podman-ecosystem [IN] OBSERVATION
RHEL 9.4 modernizes the Podman container ecosystem across three infrastructure layers: SQLite replaces BoltDB as the default database backend, Netavark replaces CNI for container networking, and Quadlet gains .build, .pod, and .image unit types for declarative systemd-native container management.

### rhel94-nft-reset-command [IN] OBSERVATION
The `nft reset` command can reset stateful objects (counters, quotas) in nftables rules.

### rhel94-nmstatectl-gr-revert [IN] OBSERVATION
`nmstatectl gr new.yml > revert.yml` generates a revert configuration file before applying network changes.

### rhel94-openssh-sysusers-d [IN] OBSERVATION
OpenSSH in RHEL 9.4 uses `sysusers.d` format for system user/group creation, replacing static `useradd` scripts.

### rhel94-openssl-dropin-directory [IN] OBSERVATION
OpenSSL provider configurations can be placed in `/etc/pki/tls/openssl.d/*.conf` as a drop-in directory without modifying the main config file.

### rhel94-podman-farm-build-multiarch [IN] OBSERVATION
Podman 4.9 in RHEL 9.4 supports `podman farm build` for building multi-architecture container images (Tech Preview).

### rhel94-podman-quadlet-new-units [IN] OBSERVATION
Podman Quadlet in RHEL 9.4 supports `.build`, `.pod`, and `.image` unit types in addition to existing container units.

### rhel94-podman-sqlite-default-boltdb-deprecated [IN] OBSERVATION
In RHEL 9.4, SQLite is the fully supported default database backend for Podman; BoltDB is deprecated.

### rhel94-selinux-userspace-36-deny-rules [IN] OBSERVATION
SELinux userspace 3.6 in RHEL 9.4 introduces deny rules, allowing policies to explicitly deny access (not just allow/don't-allow).

### rhel94-semanage-fcontext-lc-order [IN] OBSERVATION
`semanage fcontext -l -C` now lists local file context modifications in correct order (oldest to newest), matching `restorecon` processing order.

### rhel94-sssd-fido2-passwordless [IN] OBSERVATION
SSSD in RHEL 9.4 supports passwordless authentication via FIDO2-compatible devices (e.g., YubiKey).

### rhel94-upgrade-path-810-to-94 [IN] OBSERVATION
RHEL supports in-place upgrade from RHEL 8.10 to RHEL 9.4; direct upgrade from RHEL 7 to RHEL 9 is not supported (requires two-stage upgrade via RHEL 8).

### rhel94-vm-external-snapshots-default [IN] OBSERVATION
VM external snapshots are fully supported in RHEL 9.4 and are the default snapshot mechanism.

### rhel95-arch-minimum-versions [IN] OBSERVATION
RHEL 9.5 minimum hardware versions: x86_64 requires x86-64-v2, aarch64 requires ARMv8.0-A, ppc64le requires POWER9, s390x requires z14.

### rhel95-kernel-version [IN] OBSERVATION
RHEL 9.5 ships with kernel version 5.14.0-503.11.1.

### rpm-nvr-naming-convention [IN] OBSERVATION
RPM packages are identified by Name-Version-Release (NVR); the package file name appends the architecture: `name-version-release.arch.rpm` (source packages use `src` as the architecture). Version and release may not contain hyphens, so the name is everything before the second-to-last hyphen even when the name itself is hyphenated.
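
An added example, not part of this registry or of any Red Hat tooling, that splits an RPM file name into its NVR components and uses the result to compare an installed build against the fixed version named in an advisory. The function names are this example's own; `ver_ge` relies on GNU `sort -V`, which is only an approximation of rpm's own `rpmvercmp`.

```shell
#!/bin/bash
# Added example: split an RPM file name into its NVR components plus architecture.
# Works because version and release may not contain "-", so the last two
# hyphens are unambiguous; the name may contain any number of hyphens.
rpm_split() {
  local f=${1##*/}          # strip any directory part
  f=${f%.rpm}               # strip the extension
  case $f in
    *-*-*.*) ;;             # need at least name-version-release.arch
    *) printf 'not an NVRA file name: %s\n' "$1" >&2; return 1 ;;
  esac
  local arch=${f##*.}       # text after the last dot: x86_64, aarch64, noarch, src
  local nvr=${f%.*}
  local release=${nvr##*-}  # after the last hyphen
  local nv=${nvr%-*}
  local version=${nv##*-}   # after the second-to-last hyphen
  local name=${nv%-*}       # everything before it
  printf '%s %s %s %s\n' "$name" "$version" "$release" "$arch"
}

# Approximate "is version-release A at least B" using GNU sort -V.
# rpm's own rpmvercmp (rpmdev-vercmp) is authoritative; sort -V does not know
# the ~ and ^ separators, so use it only for plain dotted versions.
ver_ge() {
  [ "$(printf '%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Compare one package file name against a fixed version-release from an advisory.
# Live use: rpm_fixed_check "$(rpm -q --qf '%{name}-%{version}-%{release}.%{arch}.rpm' openssh)" 8.7p1-34.el9
rpm_fixed_check() {
  local parts
  parts=$(rpm_split "$1") || return 2
  set -- $parts "$2"        # $1 name, $2 version, $3 release, $4 arch, $5 fixed version-release
  if ver_ge "$2-$3" "$5"; then
    printf '%s: %s-%s >= %s, patched\n' "$1" "$2" "$3" "$5"
  else
    printf '%s: %s-%s < %s, NOT patched\n' "$1" "$2" "$3" "$5"
    return 1
  fi
}

rpm_split bash-5.1.8-6.el9.x86_64.rpm
rpm_fixed_check openssh-8.7p1-30.el9.x86_64.rpm 8.7p1-34.el9 || true
```

The file names used here are constructed for the demonstration; on a real host feed the output of `rpm -q --qf` as shown in the comment.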

### rpm-ostree-status-upgrade-rollback [IN] OBSERVATION
Key rpm-ostree commands: `rpm-ostree status` (check deployment), `rpm-ostree upgrade` (pull/stage update), `rpm-ostree rollback` (revert to previous).

### rpmbuild-bb-bs-ba-flags [IN] OBSERVATION
`rpmbuild -bb` builds binary RPMs only, `rpmbuild -bs` builds source RPMs only, and `rpmbuild -ba` builds both.

### rpmbuild-directory-structure [IN] OBSERVATION
The `rpmdev-setuptree` command creates the rpmbuild directory tree at `~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}`.

### rsyslogd-validate-config-syntax [IN] OBSERVATION
`rsyslogd -N 1` validates rsyslog configuration syntax on a managed node.

### selinux-ansible-role-name [IN] OBSERVATION
The Ansible system role for SELinux is `redhat.rhel_system_roles.selinux`.

### selinux-avc-denials-logged-audit-log [IN] OBSERVATION
SELinux AVC denials are logged to `/var/log/audit/audit.log` with entries prefixed `type=AVC`.

### selinux-complete-isolation-framework [IN] OBSERVATION
SELinux provides process and data isolation through its MAC framework (Type Enforcement plus MCS categories, where a subject may access an object only if the subject's category set contains every category on the object), complemented by polyinstantiation, which gives each user or security level its own instance of shared paths such as /tmp and /var/tmp.

### selinux-complete-mac-framework [IN] OBSERVATION
SELinux on RHEL 9 provides a mandatory access control framework with layered enforcement (DAC is checked first, then Type Enforcement, then MCS), a full mode lifecycle (enforcing by default at install, runtime toggling with setenforce, persistent configuration in /etc/selinux/config, and a safe re-enable procedure), and fine-grained category-based isolation (1024 MCS categories, c0 to c1023; access requires the subject's category set to include every category on the object; evaluated only after DAC and Type Enforcement have already allowed the access).

### selinux-config-file-location [IN] OBSERVATION
The persistent SELinux configuration file is `/etc/selinux/config`, containing `SELINUX=` and `SELINUXTYPE=` directives.

### selinux-context-four-fields [IN] OBSERVATION
Every SELinux context (label) has four fields: user, role, type, and security level.
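
An added example, not part of this registry, covering the two claims above (AVC denials in audit.log and the four-field context): a shell parser that reduces `type=AVC` records to the fields a responder needs and splits a context correctly even when the MLS/MCS level itself contains colons. The log lines in `AVC_SAMPLE` are constructed for illustration, not a real capture, and the function names are this example's own. The same listing is what the "check denials" step of the safe re-enable procedure and the per-domain permissive workflow start from.

```shell
#!/bin/bash
# Added example: extract the fields that matter from SELinux AVC denials.
# The log lines below are constructed for illustration, not a real capture.
AVC_SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=123 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000000.456:789): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.789:790): avc:  denied  { write } for  pid=3456 comm="smbd" name="shared" dev="dm-0" ino=777 scontext=system_u:system_r:smbd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:samba_share_t:s0 tclass=dir permissive=0'

# Print one line per AVC record: permission|comm|scontext|tcontext|tclass|permissive
# Only type=AVC lines are considered; SYSCALL and other record types are skipped.
avc_summary() {
  awk '
    /^type=AVC / {
      perm = ""; comm = ""; sc = ""; tc = ""; cls = ""; pm = ""
      # the denied permission set sits between "{ " and " }"
      if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        n = index($i, "="); if (n == 0) continue
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        if (k == "comm")            comm = v
        else if (k == "scontext")   sc = v
        else if (k == "tcontext")   tc = v
        else if (k == "tclass")     cls = v
        else if (k == "permissive") pm = v
      }
      gsub(/"/, "", comm)
      print perm "|" comm "|" sc "|" tc "|" cls "|" pm
    }'
}

# Distinct source domains (the type field of scontext) seen in the denials;
# these are the candidates for "semanage permissive -a <domain_t>" while debugging.
avc_source_domains() {
  avc_summary | cut -d'|' -f3 | cut -d: -f3 | sort -u
}

# Return field N of a context user:role:type:level.
# The level is everything from the fourth field on, because an MLS/MCS level
# such as s0-s0:c0.c1023 itself contains colons.
ctx_field() {
  case $2 in
    1|2|3) printf '%s\n' "$1" | cut -d: -f"$2" ;;
    4)     printf '%s\n' "$1" | cut -d: -f4- ;;
    *)     return 1 ;;
  esac
}

# Live use: sudo grep '^type=AVC' /var/log/audit/audit.log | avc_summary
printf '%s\n' "$AVC_SAMPLE" | avc_summary
printf '%s\n' "$AVC_SAMPLE" | avc_source_domains
```

Note the third sample record: `permissive=1` means the access was logged but not blocked, which is how denials look for a domain placed in permissive mode with `semanage permissive -a`.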

### selinux-dac-checked-before-mac [IN] OBSERVATION
DAC (traditional Unix permissions) rules are checked before SELinux (MAC) rules; if DAC denies access, SELinux is never consulted and no AVC denial is logged.

### selinux-default-action-deny [IN] OBSERVATION
SELinux default action is deny; access requires an explicit allow rule in the policy.

### selinux-default-policy-targeted [IN] OBSERVATION
The default SELinux policy on RHEL is `targeted`; the alternative is `mls` (Multi Level Security).

### selinux-deploy-three-methods [IN] OBSERVATION
Three methods for deploying SELinux configuration across systems: Ansible system roles, web console (Cockpit), and `semanage export/import`.

### selinux-deployment-automation-toolkit [IN] OBSERVATION
SELinux configuration can be deployed and maintained at scale through an integrated automation toolkit: three deployment methods (Ansible system roles, Cockpit web console, semanage), the dedicated Ansible role (redhat.rhel_system_roles.selinux), portable settings transfer via semanage export/import, and filesystem relabeling orchestration via fixfiles — enabling consistent SELinux policy across fleet-wide deployments.

### selinux-enforcing-default-on-rhel-install [IN] OBSERVATION
SELinux enforcing mode is the default when RHEL is initially installed.

### selinux-fixfiles-f-onboot-creates-autorelabel [IN] OBSERVATION
The command `fixfiles -F onboot` creates the `/.autorelabel` file, triggering a full filesystem relabel on next boot.

### selinux-getenforce-returns-current-mode [IN] OBSERVATION
The `getenforce` command returns the current SELinux mode: Enforcing, Permissive, or Disabled.

### selinux-kernel-param-enforcing0-temporary-permissive [IN] OBSERVATION
The kernel parameter `enforcing=0` boots SELinux in permissive mode temporarily (boot-time only, not persistent).

### selinux-kernel-param-selinux0-disables [IN] OBSERVATION
The kernel parameter `selinux=0` completely disables SELinux at the kernel level; set via `grubby --update-kernel ALL --args selinux=0`.

### selinux-layered-enforcement-model [IN] OBSERVATION
SELinux operates through a layered enforcement model: DAC is evaluated first, type is the primary policy mechanism, per-domain permissive mode enables targeted debugging, and AVC denials are logged for forensic analysis.

### selinux-mode-management-lifecycle [IN] OBSERVATION
SELinux mode management spans four persistence levels: enforcing by default on a fresh install, non-persistent runtime toggling via setenforce, boot-time kernel parameter overrides (enforcing=0, selinux=0), and persistent configuration in /etc/selinux/config. Re-enabling follows a defined safe sequence: disabled → permissive → audit the denials → fixfiles relabel → enforcing.

### selinux-module-priority-default-400 [IN] OBSERVATION
SELinux module priority defaults to `400` when deployed via the Ansible system role.

### selinux-npm-label-bin-t [IN] OBSERVATION
In RHEL 9.5, SELinux labels `npm` as `bin_t` (previously `lib_t`) to allow proper execution.

### selinux-per-domain-permissive-mode [IN] OBSERVATION
A single SELinux domain can be set to permissive mode with `semanage permissive -a <domain_t>` while the rest of the system remains enforcing.

### selinux-polyinstantiation-boolean [IN] OBSERVATION
The SELinux boolean `allow_polyinstantiation` must be enabled (`setsebool -P allow_polyinstantiation 1`) to use polyinstantiated directories.

### selinux-polyinstantiation-isolation-mechanism [IN] OBSERVATION
SELinux polyinstantiation provides per-user or per-security-level directory isolation: configured in `/etc/security/namespace.conf` (not `namespace.d`), enforced via the `pam_namespace.so` PAM module, gated by the `allow_polyinstantiation` boolean, using the `user` method on non-MLS systems and the `level` method on MLS systems, verifiable with `findmnt`.

### selinux-reboot-required-for-config-changes [IN] OBSERVATION
A reboot is required for persistent SELinux mode changes made in `/etc/selinux/config` to take effect.

### selinux-safe-reenable-procedure [IN] OBSERVATION
The safe procedure to re-enable SELinux is: disabled → permissive (reboot) → check denials → `fixfiles -F onboot` → enforcing (reboot).

### selinux-three-states-enforcing-permissive-disabled [IN] OBSERVATION
SELinux has three configuration values for the SELINUX= directive: `enforcing`, `permissive`, and `disabled`.

### selinux-type-most-important-context-field [IN] OBSERVATION
The type field (ending in `_t`) is the most important SELinux context field; most policy rules operate on types.

### semanage-export-import-transfers-settings [IN] OBSERVATION
`semanage export -f <file>` and `semanage import -f <file>` transfer all custom SELinux settings (ports, fcontexts, booleans) between systems.

### semanage-export-requires-policycoreutils-python-utils [IN] OBSERVATION
The `policycoreutils-python-utils` package is required for `semanage export/import` functionality.

### setenforce-non-persistent [IN] OBSERVATION
`setenforce 0` sets permissive mode and `setenforce 1` sets enforcing mode, both non-persistently (does not survive reboot).

### setgid-directory-collaboration [IN] OBSERVATION
The set-GID bit on a directory (`chmod g+s` or octal 2775) makes new files and subdirectories inherit the directory's group instead of the creator's primary group, which is what makes shared group directories work. The sticky bit (`chmod +t`, octal 1777 as on /tmp) restricts deleting and renaming entries in a world-writable directory to the file's owner, the directory's owner, and root.

### simple-content-access-default [IN] OBSERVATION
Simple Content Access (SCA) is the current default subscription model in RHEL; the legacy entitlement-based model is deprecated.

### spec-file-sections-purpose [IN] OBSERVATION
An RPM spec file contains sections `%prep` (source preparation), `%build` (compilation), `%install` (file installation to buildroot), `%files` (packaged file list), and `%changelog` (change history).

### ssh-key-based-authentication [IN] OBSERVATION
SSH key-based auth uses public/private key pairs. ssh-keygen generates keys (Ed25519 recommended). ssh-copy-id deploys public key. Permissions: ~/.ssh (700), authorized_keys (600). Private key never leaves client.
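
An added example, not part of this registry or of OpenSSH, that audits and repairs the permissions the claim above lists, which are also what sshd's default `StrictModes` enforces before it will honour `authorized_keys`. The test directory is deliberately misconfigured and constructed in a temporary location; the function names are this example's own, and a real Ed25519 key is generated only if `ssh-keygen` is installed.

```shell
#!/bin/bash
# Added example: audit and repair ~/.ssh permissions. Checks the directory (700),
# authorized_keys (600) and private keys id_* (600); public keys (*.pub) may
# stay world-readable. Uses GNU stat.

# List every permission problem under the given .ssh directory; return 1 if any.
ssh_perm_problems() {
  local d=$1 f m bad=0
  m=$(stat -c %a "$d")
  [ "$m" = 700 ] || { printf '%s: mode %s, want 700\n' "$d" "$m"; bad=1; }
  for f in "$d"/authorized_keys "$d"/id_*; do
    [ -f "$f" ] || continue          # unmatched glob or missing file
    case $f in *.pub) continue ;; esac
    m=$(stat -c %a "$f")
    [ "$m" = 600 ] || { printf '%s: mode %s, want 600\n' "$f" "$m"; bad=1; }
  done
  return $bad
}

# Apply the expected modes.
fix_ssh_perms() {
  local d=$1 f
  chmod 700 "$d"
  for f in "$d"/authorized_keys "$d"/id_*; do
    [ -f "$f" ] || continue
    case $f in *.pub) continue ;; esac
    chmod 600 "$f"
  done
}

# Build a deliberately misconfigured .ssh in a temp dir (constructed test data),
# with a real Ed25519 key when ssh-keygen is available and empty stand-ins otherwise.
make_bad_ssh_dir() {
  local d; d=$(mktemp -d)/.ssh
  mkdir -m 755 "$d"
  if command -v ssh-keygen >/dev/null 2>&1; then
    ssh-keygen -q -t ed25519 -N '' -f "$d/id_ed25519"
  else
    : > "$d/id_ed25519"; : > "$d/id_ed25519.pub"
  fi
  chmod 644 "$d/id_ed25519"                         # private key exposed
  : > "$d/authorized_keys"; chmod 644 "$d/authorized_keys"
  printf '%s\n' "$d"
}

d=$(make_bad_ssh_dir)
ssh_perm_problems "$d" || { fix_ssh_perms "$d"; ssh_perm_problems "$d" && echo "fixed: $d"; }
rm -rf "${d%/.ssh}"
```

On a real host run `ssh_perm_problems ~/.ssh` as the user whose login is failing; a group- or world-writable home directory is the other common cause of `StrictModes` rejections and is worth checking alongside these modes.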

### sssctl-sssd-troubleshooting [IN] OBSERVATION
`sssctl` is the utility for managing and troubleshooting SSSD on RHEL 9.

### sssd-central-identity-daemon [IN] OBSERVATION
SSSD (System Security Services Daemon) is the central service RHEL 9 uses to authenticate and authorize users against external identity backends (IdM, Active Directory, LDAP).

### stratis-tech-preview-rhel92 [IN] OBSERVATION
Stratis local storage management (thin provisioning, snapshots, auto-grow) is a Technology Preview in RHEL 9.2, managed via the `stratis` CLI and `stratisd` daemon.

### subscription-manager-progress-messages [IN] OBSERVATION
Subscription-manager progress messages can be re-enabled with `subscription-manager config --rhsm.progress_messages=1`.

### subscription-manager-register-activationkey-org [IN] OBSERVATION
Systems are registered with `subscription-manager register --activationkey=<key> --org=<org_id>` and successful registration returns a system UUID.

### sysstat-package-provides-sar-iostat-mpstat [IN] OBSERVATION
The `sysstat` package provides `sar`, `iostat`, and `mpstat` and must be installed separately on RHEL 9.

### systemctl-required-for-correct-selinux-labels [IN] OBSERVATION
Services must be started through systemd (`systemctl start`) so that the daemon transitions from `init_t` into its own confined domain (for example `httpd_t`); a daemon launched by hand from a root shell inherits `unconfined_t` and runs without the policy written for it.

### systemd-init-system-rhel9 [IN] OBSERVATION
systemd is the init system and service manager for RHEL 9, managed via `systemctl` (enable, start, stop, status, mask).

### systemd-resolved-tech-preview-rhel9 [IN] OBSERVATION
systemd-resolved is available as a Technology Preview in RHEL 9 but is not the default DNS resolution mechanism.

### tar-archive-compress-extract [IN] OBSERVATION
tar creates and extracts archives. Flags: c (create), x (extract), t (list), f (file), z (gzip), j (bzip2), J (xz). Use -C for target directory. tar xf auto-detects compression format.
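
An added example, not part of this registry, that puts the `t` (list) flag to security use: list an archive first and refuse to extract members that would escape the target directory (absolute paths or `..` components), then extract with `-C` and let `tar xf` detect the compression. The sample files are constructed in a temporary directory and the function names are this example's own. GNU tar already strips leading `/` and `..` components unless `-P` is given; the pre-check makes the rejection explicit and auditable instead of relying on a particular tar's defaults.

```shell
#!/bin/bash
# Added example: check an archive listing before extraction (tar-slip guard).

# Read member names (one per line, as printed by "tar tf") and print the unsafe
# ones: absolute paths, or any ".." path component.
tar_unsafe_entries() {
  awk '
    {
      unsafe = ($0 ~ /^\//)
      n = split($0, p, "/")
      for (i = 1; i <= n; i++) if (p[i] == "..") unsafe = 1
      if (unsafe) print
    }'
}

# Extract only if the listing is clean; compression (gz/bz2/xz) is auto-detected.
safe_extract() {
  local archive=$1 dest=$2 listing bad
  listing=$(tar tf "$archive") || return 1
  bad=$(printf '%s\n' "$listing" | tar_unsafe_entries)
  if [ -n "$bad" ]; then
    printf 'refusing to extract %s, unsafe members:\n%s\n' "$archive" "$bad" >&2
    return 1
  fi
  mkdir -p "$dest" && tar xf "$archive" -C "$dest"
}

demo() {
  local base; base=$(mktemp -d)
  mkdir -p "$base/src/app/conf"
  printf 'hello\n' > "$base/src/app/README"
  printf 'port=8080\n' > "$base/src/app/conf/app.ini"
  tar czf "$base/app.tgz" -C "$base/src" app     # gzip on create; no -z needed to read it
  tar tf "$base/app.tgz"
  safe_extract "$base/app.tgz" "$base/out" && cat "$base/out/app/README"
  # constructed listing of a hostile archive, fed straight to the checker
  printf '%s\n' etc/cron.d/x ../../../etc/cron.d/x /etc/cron.d/x | tar_unsafe_entries
  rm -rf "$base"
}
demo
```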

### tech-preview-not-fully-supported [IN] OBSERVATION
Technology Preview features in RHEL are not fully supported by Red Hat, are provided for testing and feedback, and may change or be removed without the standard deprecation process.

### tech-preview-unsupported-production [IN] OBSERVATION
Technology Preview features in RHEL are functional but unsupported for production use; Red Hat's support scope is limited and features may change or be removed in future releases.

### three-registration-methods [IN] OBSERVATION
RHEL systems can be registered three ways: GUI/TUI during installation, CLI post-install with subscription-manager, or automated via Kickstart/activation keys.

### tuned-adm-manage-profiles [IN] OBSERVATION
TuneD profiles are managed with `tuned-adm`: `list` (available profiles), `active` (current), `profile <name>` (apply), `recommend` (suggested profile).

### tuned-enabled-by-default-rhel9 [IN] OBSERVATION
TuneD is enabled by default on RHEL 9.

### ugo-rwx-permissions-chmod [IN] OBSERVATION
File permissions use user/group/other (ugo) with read/write/execute (rwx). chmod sets permissions in symbolic (u+x) or octal (755) mode. chown changes ownership. umask sets default permissions.
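
An added example, not part of this registry, serving this claim and the set-GID/sticky claim above: it builds a shared group directory with mode 3770, shows that a file created inside inherits the directory's group, and shows the effective mode a new file gets under several umasks. Paths and function names are this example's own; it uses GNU `stat`, and a supplementary group is preferred so the inheritance is actually visible.

```shell
#!/bin/bash
# Added example: setgid + sticky collaboration directory, and umask in practice.

# Prefer a supplementary group so group inheritance is visible; fall back to the
# primary group, in which case the demo only confirms the bits are set.
pick_group() {
  set -- $(id -Gn)
  if [ $# -ge 2 ]; then printf '%s\n' "$2"; else printf '%s\n' "$1"; fi
}

# 3770 = sticky (1000) + setgid (2000) + rwx for owner and group, nothing for others.
make_shared_dir() {
  local dir=$1 group=$2
  mkdir -p "$dir" && chgrp "$group" "$dir" && chmod 3770 "$dir"
}

group_of() { stat -c %G "$1"; }    # owning group
mode_of()  { stat -c %a "$1"; }    # octal mode including special bits

# Create a file inside the shared dir; true if it took the directory's group
# rather than the creator's primary group.
new_file_inherits_group() {
  local dir=$1
  : > "$dir/note.txt"
  [ "$(group_of "$dir/note.txt")" = "$(group_of "$dir")" ]
}

# Mode a freshly created file gets under a given umask (666 with the umask bits cleared).
mode_under_umask() {
  local tmp; tmp=$(mktemp -d)
  ( umask "$1"; : > "$tmp/f" )
  mode_of "$tmp/f"
  rm -rf "$tmp"
}

demo() {
  local base; base=$(mktemp -d)
  make_shared_dir "$base/project" "$(pick_group)"
  printf 'project: mode %s group %s\n' "$(mode_of "$base/project")" "$(group_of "$base/project")"
  new_file_inherits_group "$base/project" && echo "new file inherited the directory group"
  printf 'umask 022 -> %s, umask 027 -> %s, umask 077 -> %s\n' \
    "$(mode_under_umask 022)" "$(mode_under_umask 027)" "$(mode_under_umask 077)"
  rm -rf "$base"
}
demo
```

The sticky bit part cannot be demonstrated with a single account, since it only matters when another user tries to remove your file; the 3770 mode is still the right default for a team directory because it combines group inheritance with that deletion guard.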

### uki-kernel-package-rhel9 [IN] OBSERVATION
Unified Kernel Image (UKI) via `kernel-uki-virt` package combines kernel, initramfs, and cmdline into one signed binary requiring UEFI; it is a Technology Preview in RHEL 9.2.

### vim-default-text-editor [IN] OBSERVATION
vim is the default text editor on RHEL 9 with Normal, Insert, and Command-line modes. Key commands: i (insert), Esc (normal), :wq (save and quit), dd (delete line), /pattern (search).

### wireguard-tech-preview-rhel9 [IN] OBSERVATION
WireGuard VPN is a Technology Preview (not fully supported) in RHEL 9.

### xdp-highest-performance-packet-path [IN] OBSERVATION
XDP (eXpress Data Path) is the highest-performance packet processing path in the Linux kernel, operating at the NIC driver level before the normal network stack.
