{"nodes":[{"id":"aide-provides-integrity-protection","text":"AIDE provides complete file integrity protection by both detecting and preventing unauthorized filesystem changes.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/aide-provides-integrity-protection.json"},{"id":"amd-sev-requires-epyc-rome","text":"AMD SEV/SEV-ES requires 2nd-generation AMD EPYC (Rome) or later; RHEL 9 provides memory encryption but not security attestation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/amd-sev-requires-epyc-rome.json"},{"id":"anaconda-boot-parameter-framework","text":"Anaconda installation is controlled through a layered boot parameter framework: inst.ks= for Kickstart automation, inst.repo= for installation source selection (supporting HTTP/FTP/NFS/CDN), inst.stage2= for runtime image location, inst.graphical/text/cmdline for UI mode control, and inst.sshd for remote access during installation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/anaconda-boot-parameter-framework.json"},{"id":"anaconda-ks-cfg-saved-after-install","text":"After every interactive RHEL installation, a reference Kickstart file is saved at `/root/anaconda-ks.cfg`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/anaconda-ks-cfg-saved-after-install.json"},{"id":"ansible-freeipa-idm-automation-package","text":"`ansible-freeipa` is the official Red Hat package for Ansible-based IdM automation on RHEL 9, providing roles (ipaserver, ipareplica, ipaclient) for installation and modules (ipauser, ipagroup, ipahost) for object 
management.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/ansible-freeipa-idm-automation-package.json"},{"id":"audit-immutable-mode-e2-behavior","text":"Audit immutable mode (`-e 2`) no longer prevents `auditd` from starting; `augenrules` returns exit code 0 in this mode.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/audit-immutable-mode-e2-behavior.json"},{"id":"audit-immutable-mode-flag","text":"Audit immutable mode (`-e 2`) with `augenrules` returns exit code 0 in RHEL 9.5, allowing `auditd` to start at boot.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/audit-immutable-mode-flag.json"},{"id":"authselect-replaces-authconfig","text":"`authselect` is the current tool for configuring authentication profiles (PAM/NSS) on RHEL 9, replacing the deprecated `authconfig`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/authselect-replaces-authconfig.json"},{"id":"autofs-on-demand-mounting","text":"autofs mounts filesystems on demand when accessed. Master map /etc/auto.master.d/*.autofs references indirect or direct map files. Direct maps use /- entry. Enable with systemctl enable --now autofs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/autofs-on-demand-mounting.json"},{"id":"bash-command-substitution","text":"Command substitution $(command) captures command stdout for use in variable assignments, conditionals, and loops. Preferred over backtick syntax. 
Can be nested.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/bash-command-substitution.json"},{"id":"bash-conditional-if-test","text":"Bash conditional execution uses if/then/elif/else/fi and test or [ ] brackets. File tests: -f (file exists), -d (directory). Numeric: -eq -ne -gt -lt. String: = != -z -n.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/bash-conditional-if-test.json"},{"id":"bash-default-shell-rhel9","text":"The default shell in RHEL 9 is /bin/bash. Users access a shell prompt via terminal emulators, virtual consoles (Ctrl+Alt+F1-F6), or SSH.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/bash-default-shell-rhel9.json"},{"id":"bash-positional-parameters","text":"Bash script positional parameters: $1-$9 (arguments), $0 (script name), $# (argument count), \"$@\" (all args preserving word boundaries). 
shift removes first parameter.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/bash-positional-parameters.json"},{"id":"boot-ip-static-field-order","text":"Static IP boot option syntax is `ip=IP::GATEWAY:NETMASK:HOSTNAME:INTERFACE:none` — seven colon-separated fields in that order.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/boot-ip-static-field-order.json"},{"id":"bootc-atomic-updates-and-rollback","text":"bootc provides atomic updates (pull new image and reboot) and rollback to previous OS versions if an update causes problems.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/bootc-atomic-updates-and-rollback.json"},{"id":"bootc-key-commands","text":"Key bootc commands: `bootc install to-disk`, `bootc switch`, `bootc upgrade`, `bootc status`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/bootc-key-commands.json"},{"id":"bootdev-required-multiple-ip-options","text":"`bootdev=` is mandatory when using multiple `ip=` boot options to designate the primary boot interface.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/bootdev-required-multiple-ip-options.json"},{"id":"bpf-jit-always-on-rhel9","text":"BPF JIT compilation is always enabled in RHEL 9 (`CONFIG_BPF_JIT_ALWAYS_ON=y`); BPF programs are compiled to native code, not 
interpreted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/bpf-jit-always-on-rhel9.json"},{"id":"bpf-restricted-privileged-default-rhel9","text":"BPF is restricted to privileged users by default in RHEL 9 (`unprivileged_bpf_disabled=2`); values are 0=unprivileged BPF allowed, 1=disabled and cannot be changed back at runtime, 2=disabled but an administrator can change it.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/bpf-restricted-privileged-default-rhel9.json"},{"id":"bpftool-feature-command","text":"`bpftool feature` enumerates all BPF features (program types, map types, helpers, kernel config) supported by the running RHEL kernel.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/bpftool-feature-command.json"},{"id":"chage-password-aging","text":"chage manages password aging: -M (max days), -m (min days), -W (warning), -E (account expiry date), -d 0 (force a password change at next login). chage -l shows current settings. Defaults in /etc/login.defs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/chage-password-aging.json"},{"id":"chcat-manages-mcs-categories","text":"The `chcat` command manages MCS categories on both users (`chcat -l`) and files; `chcat -L` lists category labels.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/chcat-manages-mcs-categories.json"},{"id":"chrony-ntp-time-sync","text":"chrony is the default NTP time synchronization client on RHEL 9. Configure NTP servers in /etc/chrony.conf with iburst. Use timedatectl for timezone and NTP control. 
chronyc sources shows sync status.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/chrony-ntp-time-sync.json"},{"id":"cockpit-default-port-9090","text":"The RHEL 9 web console (Cockpit) listens on port 9090 by default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/cockpit-default-port-9090.json"},{"id":"cockpit-firewall-service-name","text":"The firewalld service name for permitting web console access is `cockpit` (`firewall-cmd --add-service=cockpit`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/cockpit-firewall-service-name.json"},{"id":"cockpit-socket-activated","text":"The web console is enabled via `cockpit.socket` (socket activation), not as a persistent daemon: `sudo systemctl enable --now cockpit.socket`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/cockpit-socket-activated.json"},{"id":"containers-use-mcs-for-isolation","text":"SELinux uses MCS (via `container-selinux`) to isolate containers from each other.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/containers-use-mcs-for-isolation.json"},{"id":"content-sources-cdn-or-satellite","text":"Registered RHEL systems receive content from either Red Hat Content Delivery Network (CDN) or Red Hat Satellite 
Server.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/content-sources-cdn-or-satellite.json"},{"id":"create-edit-text-files-vim","text":"Create and edit text files using vim, the default editor on RHEL 9. Use i to insert, Esc to return to normal mode, :wq to save and quit. Also use touch to create empty files and cat > file for quick creation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/create-edit-text-files-vim.json"},{"id":"database-default-ports","text":"Default database ports on RHEL 9: MariaDB/MySQL use port 3306, PostgreSQL uses port 5432.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/database-default-ports.json"},{"id":"database-packages-appstream","text":"Database server packages on RHEL 9 come from the AppStream repository using module streams for version selection.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/database-packages-appstream.json"},{"id":"database-packages-from-appstream","text":"Database server packages on RHEL 9 are provided from the AppStream repository using module streams for version selection.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/database-packages-from-appstream.json"},{"id":"dax-persistent-memory-mount-option","text":"DAX (direct persistent memory mapping) for ext4/XFS requires NVDIMMs and the `dax` mount option (e.g., `mount -o dax /dev/pmem0 /mnt/dax`); it is a Technology Preview in RHEL 
9.2.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/dax-persistent-memory-mount-option.json"},{"id":"dax-requires-nvdimm-ext4-xfs","text":"DAX (Direct Access) requires persistent memory hardware (NVDIMMs), a compatible file system (ext4 or XFS), and the `dax` mount option (`mount -o dax`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/dax-requires-nvdimm-ext4-xfs.json"},{"id":"deprecated-not-removed","text":"Deprecated functionality in RHEL remains functional in the current major version but is planned for removal in a future major release; it should not be relied upon for new deployments.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/deprecated-not-removed.json"},{"id":"dist-macro-appends-distribution-tag","text":"The `%{?dist}` macro in spec files automatically appends the distribution tag (e.g., `.el9` for RHEL 9).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/dist-macro-appends-distribution-tag.json"},{"id":"dnf-autoremove-installonly-behavior","text":"`dnf autoremove` does not automatically exclude `installonly` packages; use `dnf mark install <pkg>` to protect packages from autoremoval.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/dnf-autoremove-installonly-behavior.json"},{"id":"dnf-builddep-installs-build-dependencies","text":"The command `dnf builddep <spec>` installs build dependencies listed in an RPM spec 
file.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/dnf-builddep-installs-build-dependencies.json"},{"id":"dnf-remove-duplicates-exit-code","text":"`dnf remove --duplicates` exits with code 0 when no duplicates are found.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/dnf-remove-duplicates-exit-code.json"},{"id":"efibootmgr-manages-uefi-boot-order","text":"`efibootmgr` is used to view and modify the UEFI boot order on RHEL 9 systems.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/efibootmgr-manages-uefi-boot-order.json"},{"id":"fapolicyd-rules-d-replaces-monolithic","text":"`/etc/fapolicyd/rules.d/` replaces the monolithic `fapolicyd.rules` file; `fagenrules` merges rules into `compiled.rules`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/fapolicyd-rules-d-replaces-monolithic.json"},{"id":"file-directory-operations","text":"File and directory operations: cp (copy), cp -r (recursive), cp -a (archive), mv (move/rename), rm (remove), rm -r (recursive), mkdir (create directory), mkdir -p (create parent dirs), touch (create/update).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/file-directory-operations.json"},{"id":"fips-crypto-policy-sufficient","text":"Setting the FIPS system-wide crypto policy is sufficient to achieve FIPS 140 compliance on RHEL 
9.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/fips-crypto-policy-sufficient.json"},{"id":"firewall-rules-three-directions","text":"Firewall rules control traffic in three directions: incoming, outgoing, and forwarded.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/firewall-rules-three-directions.json"},{"id":"firewalld-controls-three-traffic-directions","text":"`firewalld` rules control three directions of network traffic: incoming, outgoing, and forwarded.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/firewalld-controls-three-traffic-directions.json"},{"id":"fstab-uuid-label-mounting","text":"/etc/fstab configures persistent filesystem mounts at boot using UUID= or LABEL= for reliability. Format: device mountpoint fstype options dump pass. 
Test with mount -a before rebooting.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/fstab-uuid-label-mounting.json"},{"id":"getconf-pagesize-shows-kernel-page-size","text":"`getconf PAGESIZE` returns `65536` for a 64k page kernel and `4096` for a 4k page kernel.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/getconf-pagesize-shows-kernel-page-size.json"},{"id":"greenboot-edge-health-check","text":"Greenboot is the health-check framework for automated rollback on RHEL for Edge systems.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/greenboot-edge-health-check.json"},{"id":"grep-regex-search-tool","text":"grep searches files for lines matching regular expressions. Key flags: -i (case-insensitive), -v (invert match), -r (recursive), -n (line numbers), -E (extended regex). Supports anchors ^ and $.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/grep-regex-search-tool.json"},{"id":"group-management-usermod-groupadd","text":"groupadd creates groups, groupdel removes them. usermod -aG adds user to supplementary group (without -a it replaces all groups). groups and id show group memberships. 
/etc/group stores group data.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/group-management-usermod-groupadd.json"},{"id":"grubby-set-default-changes-boot-kernel","text":"`grubby --set-default` is the command to change the default boot kernel on RHEL 9.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/grubby-set-default-changes-boot-kernel.json"},{"id":"hard-soft-links-differences","text":"Hard links share the same inode, cannot cross filesystems or link to directories. Symbolic links have their own inode, can cross filesystems and link to directories. ln creates hard links, ln -s creates soft links.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/hard-soft-links-differences.json"},{"id":"idm-api-requires-kerberos-credentials","text":"IdM API access requires valid Kerberos credentials to establish a session.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-api-requires-kerberos-credentials.json"},{"id":"idm-api-uses-python-ipalib","text":"The IdM API is consumed via Python scripts using the `ipalib` library, not a traditional REST client (it wraps JSON-RPC internally).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-api-uses-python-ipalib.json"},{"id":"idm-auth-requires-kerberos-ticket","text":"Authenticating to Red Hat Identity Management (IdM) requires obtaining a Kerberos ticket with `kinit` before performing any administration 
tasks.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-auth-requires-kerberos-ticket.json"},{"id":"idm-auto-creates-srv-records","text":"IdM automatically creates DNS SRV records for Kerberos, LDAP, and other services when integrated DNS is enabled.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-auto-creates-srv-records.json"},{"id":"idm-automount-maps-centrally-managed","text":"Automount maps can be managed centrally through IdM rather than using local configuration files on each host.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-automount-maps-centrally-managed.json"},{"id":"idm-backend-389ds-ldap","text":"IdM stores identity data in a 389 Directory Server (LDAP) backend.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-backend-389ds-ldap.json"},{"id":"idm-backend-components","text":"IdM integrates a Kerberos KDC, 389 Directory Server (LDAP), Dogtag CA, and SSSD for client-side credential caching.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-backend-components.json"},{"id":"idm-centralizes-users-groups-hosts-access","text":"IdM centralizes management of users, groups, hosts, and access policies (HBAC and sudo rules).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-centralizes-users-groups-hosts-access.json"},{"id":"idm-complete-identity-stack","text":"IdM provides 
a unified identity management stack bundling 389 Directory Server (LDAP), MIT Kerberos KDC, Dogtag CA, and SSSD into a single integrated platform with centralized user/group/host/policy management.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-complete-identity-stack.json"},{"id":"idm-cross-platform-identity-provider","text":"IdM can serve as the enterprise identity provider for any Linux distribution in the data center, providing unified LDAP/Kerberos/CA/SSSD services with AD cross-forest trust integration.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-cross-platform-identity-provider.json"},{"id":"idm-dns-autodiscovery-framework","text":"IdM provides automated service discovery when integrated DNS is deployed: the BIND-with-LDAP DNS subsystem automatically creates SRV records for Kerberos and LDAP services, enabling ipa-client-install to locate and join the IdM domain without explicit server specification via DNS SRV autodiscovery.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-dns-autodiscovery-framework.json"},{"id":"idm-dns-forward-policy-options","text":"IdM DNS forward policy options are `only` (forward only to forwarder) and `first` (try forwarder first, then resolve locally).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-dns-forward-policy-options.json"},{"id":"idm-dns-is-optional","text":"DNS is optional in IdM — an external DNS server can be used instead, but SRV and other records must then be managed 
manually.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-dns-is-optional.json"},{"id":"idm-dns-port-53-firewalld","text":"DNS service (port 53 TCP/UDP) must be open in firewalld on IdM servers running integrated DNS.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-dns-port-53-firewalld.json"},{"id":"idm-dns-uses-bind-ldap-backend","text":"IdM integrated DNS uses BIND with an LDAP backend, storing zone data in the IdM directory rather than in `/var/named/` zone files.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-dns-uses-bind-ldap-backend.json"},{"id":"idm-health-monitored-identity","text":"IdM provides health-monitored identity services: the complete identity stack (389 DS/Kerberos/CA/SSSD) is monitored by automated health checks via `ipa-healthcheck` with systemd timer scheduling, enabling proactive detection of certificate expiration, replication failures, and service degradation before they impact authentication.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-health-monitored-identity.json"},{"id":"idm-integrated-ca-dogtag","text":"IdM includes an integrated Certificate Authority (Dogtag) for TLS and user certificates.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-integrated-ca-dogtag.json"},{"id":"idm-integrated-dns-subsystem","text":"IdM provides an integrated DNS subsystem: BIND with LDAP backend stores zone data in the IdM directory (not zone files), supports configurable 
forward policies (`only` and `first`), reverse DNS zones via `in-addr.arpa` naming, and requires port 53 TCP/UDP open in firewalld — all managed through the IdM interface rather than traditional BIND administration.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-integrated-dns-subsystem.json"},{"id":"idm-integrates-samba-ansible-automount","text":"Red Hat Identity Management (IdM) on RHEL 9 can integrate with Samba, Ansible, and automount as external services for centralized authentication.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-integrates-samba-ansible-automount.json"},{"id":"idm-integrations-use-kerberos-ldap","text":"IdM integration with external services relies on Kerberos authentication and LDAP directory as underlying mechanisms.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-integrations-use-kerberos-ldap.json"},{"id":"idm-kerberos-commands-kinit-klist-kdestroy","text":"IdM Kerberos authentication uses `kinit` to obtain tickets, `klist` to verify current tickets, and `kdestroy` to remove tickets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-kerberos-commands-kinit-klist-kdestroy.json"},{"id":"idm-kerberos-gated-administration","text":"All IdM administration — both API and CLI — requires prior Kerberos authentication: kinit to obtain tickets, klist to verify, kdestroy to remove, with the API consuming credentials via 
ipalib.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-kerberos-gated-administration.json"},{"id":"idm-kinit-required-before-admin","text":"Users must authenticate with `kinit` to obtain a Kerberos ticket before performing any IdM administration tasks.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-kinit-required-before-admin.json"},{"id":"idm-klist-verifies-kdestroy-removes-ticket","text":"`klist` verifies the current Kerberos ticket and `kdestroy` removes it.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-klist-verifies-kdestroy-removes-ticket.json"},{"id":"idm-only-supported-on-rhel","text":"Red Hat Identity Management (IdM) is only officially supported on RHEL, not on other Linux distributions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-only-supported-on-rhel.json"},{"id":"idm-reverse-zone-in-addr-arpa","text":"IdM reverse DNS zones use the `in-addr.arpa` naming convention (e.g., `1.168.192.in-addr.arpa` for 192.168.1.0/24).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-reverse-zone-in-addr-arpa.json"},{"id":"idm-rhel-exclusive-deployment-model","text":"IdM is a RHEL-exclusive deployment of upstream FreeIPA with three installable roles (server, replica, client), pre-tuned for typical deployments out of the box and officially supported only on 
RHEL.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-rhel-exclusive-deployment-model.json"},{"id":"idm-supports-otp-second-factor","text":"IdM supports one-time passwords (OTP) as a second factor alongside Kerberos passwords for two-factor authentication.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-supports-otp-second-factor.json"},{"id":"idm-two-migration-paths","text":"Two primary IdM migration paths exist: upgrading RHEL 8 IdM to RHEL 9 IdM, and migrating from an external LDAP directory to RHEL 9 IdM.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-two-migration-paths.json"},{"id":"idm-vault-archive-retrieve-commands","text":"`ipa vault-archive` stores data in an IdM vault; `ipa vault-retrieve` retrieves it.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-vault-archive-retrieve-commands.json"},{"id":"idm-vault-client-side-encryption","text":"IdM vault data is encrypted on the client side before transmission — the IdM server never has access to plaintext secrets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-vault-client-side-encryption.json"},{"id":"idm-vault-requires-kra","text":"The Dogtag KRA (Key Recovery Authority) must be installed (`ipa-kra-install`) on at least one IdM server before vaults can be 
used.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-vault-requires-kra.json"},{"id":"idm-vault-scopes","text":"IdM vaults can be scoped as user vaults (single user), service vaults (single service), or shared vaults (multiple users/groups).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-vault-scopes.json"},{"id":"idm-vault-secure-secret-storage","text":"IdM vaults provide secure secret storage with client-side encryption (server never sees plaintext), multiple scopes (user/service/shared), KRA backend requirement, and archive/retrieve CLI operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-vault-secure-secret-storage.json"},{"id":"idm-vault-three-types","text":"IdM vault types are standard (accessible by owner/members), symmetric (password-protected with symmetric key), and asymmetric (encrypted with public key, decrypted with private key).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-vault-three-types.json"},{"id":"idm-web-ui-url-pattern","text":"The IdM Web UI is accessed at `https://<idm-server>/ipa/ui/` and is functionally equivalent to the CLI for administration tasks.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-web-ui-url-pattern.json"},{"id":"idm-zero-config-client-enrollment","text":"IdM achieves zero-configuration client enrollment through DNS autodiscovery: ipa-client-install automatically locates the IdM domain via SRV records created by the integrated DNS 
subsystem, requiring no explicit server or domain parameters.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/idm-zero-config-client-enrollment.json"},{"id":"ifname-only-way-to-set-custom-interface-names","text":"`ifname=interface:MAC` is the only supported way to set custom network interface names during Anaconda installation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/ifname-only-way-to-set-custom-interface-names.json"},{"id":"image-builder-blueprint-toml","text":"Image Builder blueprints are written in TOML format and define packages, groups, and customizations for image builds.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/image-builder-blueprint-toml.json"},{"id":"image-builder-blueprints-toml-format","text":"Image Builder blueprints are written in TOML format and define packages, groups, and customizations","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/image-builder-blueprints-toml-format.json"},{"id":"image-builder-complete-workflow","text":"RHEL Image Builder provides a complete image creation pipeline: TOML blueprint definition, osbuild-composer backend with socket activation, multi-format output, and a push-then-compose CLI workflow.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/image-builder-complete-workflow.json"},{"id":"image-builder-composes-edge-images","text":"Image Builder (osbuild-composer) is the supported tool for composing RHEL for Edge images, available via `composer-cli` 
and Cockpit web UI.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/image-builder-composes-edge-images.json"},{"id":"image-builder-osbuild-composer","text":"RHEL Image Builder uses `osbuild-composer` as the backend service and `composer-cli` as the command-line interface, enabled via `osbuild-composer.socket`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/image-builder-osbuild-composer.json"},{"id":"image-builder-osbuild-composer-backend","text":"`osbuild-composer` is the backend service for RHEL Image Builder and `composer-cli` is its command-line interface","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/image-builder-osbuild-composer-backend.json"},{"id":"image-builder-output-types","text":"Image Builder supports multiple output formats from a single blueprint including qcow2, vmdk, ami, vhd, iso, and others, listed via `composer-cli compose types`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/image-builder-output-types.json"},{"id":"image-builder-socket-activation","text":"The Image Builder service is enabled with `systemctl enable --now osbuild-composer.socket`","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/image-builder-socket-activation.json"},{"id":"image-builder-workflow","text":"The Image Builder workflow is: create blueprint → push blueprint (`composer-cli blueprints push`) → start compose (`composer-cli compose start`) → download image (`composer-cli compose image 
<UUID>`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/image-builder-workflow.json"},{"id":"inst-graphical-is-default-mode","text":"`inst.graphical` is the default Anaconda installation mode; `inst.text` forces text mode, `inst.cmdline` forces non-interactive mode (requires Kickstart).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/inst-graphical-is-default-mode.json"},{"id":"inst-ks-boot-option","text":"The `inst.ks=` boot option specifies the Kickstart file location for automated RHEL installations (e.g., `inst.ks=http://server/path/ks.cfg`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/inst-ks-boot-option.json"},{"id":"inst-ksstrict-turns-warnings-to-errors","text":"The `inst.ksstrict` boot option turns deprecated Kickstart command warnings into errors.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/inst-ksstrict-turns-warnings-to-errors.json"},{"id":"inst-repo-defines-installation-source","text":"`inst.repo=` defines the primary installation source for Anaconda, supporting cdrom, hd, nfs, http, https, ftp, and hmc protocols.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/inst-repo-defines-installation-source.json"},{"id":"inst-repo-nfs-defaults-to-nfsv3","text":"`inst.repo=nfs` uses NFSv3 by default; use `nfsvers=X` to specify a different NFS 
version.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/inst-repo-nfs-defaults-to-nfsv3.json"},{"id":"inst-sshd-enables-ssh-during-install","text":"`inst.sshd` enables SSH access during installation; on IBM Z it is auto-started by default; during installation the root account has no password unless one is set with the `sshpw` Kickstart command.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/inst-sshd-enables-ssh-during-install.json"},{"id":"inst-stage2-locates-runtime-image","text":"`inst.stage2=` specifies the location of the installer runtime image (`install.img`), which is separate from the package repository specified by `inst.repo=`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/inst-stage2-locates-runtime-image.json"},{"id":"installer-console-switching","text":"During RHEL installation, Ctrl+Alt+F1 switches to the tmux console and Ctrl+Alt+F6 switches to the graphical installer.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/installer-console-switching.json"},{"id":"installer-defaults-dhcp","text":"The RHEL installer defaults to DHCP for network configuration; the `ip=` boot option overrides this.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/installer-defaults-dhcp.json"},{"id":"installer-tmux-five-windows","text":"The RHEL installer runs tmux in virtual console 1 with five windows: main program (Ctrl+b 1), root shell (Ctrl+b 2), anaconda.log (Ctrl+b 3), storage.log (Ctrl+b 4), program.log (Ctrl+b 
5).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/installer-tmux-five-windows.json"},{"id":"io-redirection-operators","text":"I/O redirection uses > (overwrite stdout to file), >> (append), 2> (redirect stderr), &> (redirect both stdout and stderr), | (pipe between commands), and < (stdin from file).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/io-redirection-operators.json"},{"id":"io-redirection-stdin-stdout-stderr","text":"Use input-output redirection to control where command output goes: > overwrites file, >> appends, 2> redirects stderr, &> redirects both stdout and stderr, | pipes output to another command, < reads stdin from file.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/io-redirection-stdin-stdout-stderr.json"},{"id":"io-uring-disabled-by-default-rhel9","text":"io_uring is disabled by default in RHEL 9 via `kernel.io_uring_disabled=2`; values are 0=all users, 1=privileged only, 2=disabled for all.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/io-uring-disabled-by-default-rhel9.json"},{"id":"ipa-client-install-dns-autodiscovery","text":"`ipa-client-install` uses DNS SRV records for autodiscovery of the IdM domain when `--server` is not specified.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/ipa-client-install-dns-autodiscovery.json"},{"id":"ipa-healthcheck-detection-capabilities","text":"ipa-healthcheck detects replication conflicts, expired certificates, misconfigured permissions, 
and stopped services across check sources including ipahealthcheck.ipa.certs, ipahealthcheck.ipa.dns, ipahealthcheck.ds.replication, and ipahealthcheck.meta.services.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/ipa-healthcheck-detection-capabilities.json"},{"id":"ipa-healthcheck-failures-only-flag","text":"`ipa-healthcheck --failures-only` filters output to show only failed checks; `--source` targets specific check categories.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/ipa-healthcheck-failures-only-flag.json"},{"id":"ipa-healthcheck-json-output-with-severities","text":"`ipa-healthcheck` outputs results in JSON format with severity levels: SUCCESS, WARNING, ERROR, CRITICAL.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/ipa-healthcheck-json-output-with-severities.json"},{"id":"ipa-healthcheck-package-and-command","text":"The `ipa-healthcheck` utility is installed via `dnf install ipa-healthcheck` and runs on IdM server/replica nodes (not clients).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/ipa-healthcheck-package-and-command.json"},{"id":"ipa-healthcheck-systemd-timer","text":"Periodic automated health checks can be enabled via `systemctl enable --now ipa-healthcheck.timer`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/ipa-healthcheck-systemd-timer.json"},{"id":"kickstart-anaconda-ks-cfg-auto-created","text":"`/root/anaconda-ks.cfg` is automatically created after every interactive RHEL 
installation and can be reused as a Kickstart file","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/kickstart-anaconda-ks-cfg-auto-created.json"},{"id":"kickstart-anaconda-ks-cfg-location","text":"After every interactive RHEL installation, a Kickstart file is automatically saved at `/root/anaconda-ks.cfg` and can be reused for future installations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/kickstart-anaconda-ks-cfg-location.json"},{"id":"kickstart-automated-deployment-pipeline","text":"Kickstart provides a complete automated deployment pipeline: inst.ks= boot parameter, multiple installation sources (media/CDN/network), syntax validation via ksvalidator, fully unattended operation, and auto-generated template from prior installs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/kickstart-automated-deployment-pipeline.json"},{"id":"kickstart-cmdline-halts-on-interaction","text":"`cmdline` mode halts the installation if any user interaction is required — all options must be pre-configured in the Kickstart file.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/kickstart-cmdline-halts-on-interaction.json"},{"id":"kickstart-default-completion-halt","text":"The default Kickstart completion method is `halt` (equivalent to `shutdown -H`) if no completion command is 
specified.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/kickstart-default-completion-halt.json"},{"id":"kickstart-eula-agreed-required-unattended","text":"`eula --agreed` is required in Kickstart for unattended installations to skip the EULA acceptance prompt.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/kickstart-eula-agreed-required-unattended.json"},{"id":"kickstart-harddrive-supported-filesystems","text":"The `harddrive` Kickstart command supports `ext2`, `ext3`, `ext4`, `vfat`, and `xfs` filesystems for the installation source partition.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/kickstart-harddrive-supported-filesystems.json"},{"id":"kickstart-inst-ks-boot-parameter","text":"The `inst.ks=` boot parameter specifies a Kickstart file location, supporting HTTP, HTTPS, FTP, NFS, hard drive, and CDROM sources.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/kickstart-inst-ks-boot-parameter.json"},{"id":"kickstart-install-command-removed-rhel9","text":"The `install` Kickstart command has been removed in RHEL 9; installation source commands (`cdrom`, `url`, `nfs`, etc.) 
are used directly.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/kickstart-install-command-removed-rhel9.json"},{"id":"kickstart-installation-sources","text":"Kickstart installations can pull content from local media (DVD/USB), ISO images, Red Hat CDN, or network servers (HTTP, FTP, NFS).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/kickstart-installation-sources.json"},{"id":"kickstart-logging-tcp-only-port-514","text":"Kickstart `logging` command for remote syslog uses TCP only, with default port 514.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/kickstart-logging-tcp-only-port-514.json"},{"id":"kickstart-rhsm-direct-cdn-registration","text":"The `rhsm` Kickstart command allows registering and installing directly from the Red Hat CDN without needing `%post` scripts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/kickstart-rhsm-direct-cdn-registration.json"},{"id":"kickstart-sources-local-cdn-network","text":"Kickstart supports installation sources: local media, ISO, Red Hat CDN, and network servers (HTTP/HTTPS/FTP/NFS)","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/kickstart-sources-local-cdn-network.json"},{"id":"kickstart-unattended-install","text":"Kickstart enables fully unattended RHEL installation when all required parameters are provided in the Kickstart 
file.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/kickstart-unattended-install.json"},{"id":"kickstart-url-source-overrides-cdn","text":"A URL-based installation source takes precedence over CDN even when `rhsm` is specified with valid credentials.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/kickstart-url-source-overrides-cdn.json"},{"id":"ksvalidator-from-pykickstart","text":"The `ksvalidator` command (from the `pykickstart` package) validates Kickstart file syntax before use.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/ksvalidator-from-pykickstart.json"},{"id":"ktls-enable-modprobe-tls","text":"kTLS (kernel TLS) is enabled by loading the `tls` kernel module (`modprobe tls`) and setting `ktls = true` in a gnutls crypto-policy local.d file.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/ktls-enable-modprobe-tls.json"},{"id":"ktls-production-tls-offload","text":"Kernel TLS (kTLS) is production-ready for TLS offload on RHEL 9, providing kernel-level cryptographic acceleration that operates within the system-wide crypto policy framework.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/ktls-production-tls-offload.json"},{"id":"ktls-tech-preview-rhel92","text":"Kernel TLS (KTLS) is a Technology Preview in RHEL 9.2, appearing in both security (gnutls acceleration) and networking (kernel-level TLS offload) 
contexts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/ktls-tech-preview-rhel92.json"},{"id":"leapp-official-inplace-upgrade-tool","text":"Leapp is the official Red Hat tool for performing in-place upgrades between major RHEL versions (e.g., RHEL 8 to RHEL 9).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/leapp-official-inplace-upgrade-tool.json"},{"id":"leapp-preupgrade-before-upgrade","text":"`leapp preupgrade` should be run before `leapp upgrade` to identify inhibitors and potential issues without making changes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/leapp-preupgrade-before-upgrade.json"},{"id":"leapp-upgrade-constraints","text":"RHEL in-place upgrades via Leapp require sequential major version progression (no skipping) with a mandatory preupgrade assessment before the actual upgrade.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/leapp-upgrade-constraints.json"},{"id":"logging-reliable-dual-protocol-transport","text":"The RHEL 9 logging system role supports reliable concurrent TCP and UDP remote transport configuration, allowing administrators to specify both protocols on a single remote input.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/logging-reliable-dual-protocol-transport.json"},{"id":"logging-tls-universal-deployment","text":"The RHEL 9 logging system role can deploy TLS-encrypted remote log transport in any environment regardless of identity 
infrastructure.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/logging-tls-universal-deployment.json"},{"id":"lpfc-driver-emulex-fibre-channel","text":"The `lpfc` kernel driver is the Emulex driver for Fibre Channel HBAs in RHEL.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/lpfc-driver-emulex-fibre-channel.json"},{"id":"lpfc-emulex-fibre-channel-driver","text":"`lpfc` is the Emulex driver for Fibre Channel HBAs in RHEL.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/lpfc-emulex-fibre-channel-driver.json"},{"id":"lvm-core-commands","text":"Core LVM commands: `pvcreate` (init PV), `vgcreate` (create VG), `lvcreate -n name -L size vg` (create LV), `lvextend`/`lvresize` (resize), `pvs`/`vgs`/`lvs` (summary display).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/lvm-core-commands.json"},{"id":"lvm-flexible-storage-management","text":"LVM provides flexible, non-disruptive storage management through a three-layer abstraction (PV → VG → LV) that enables spanning multiple disks into unified volume groups, online extension without downtime, and a consistent command vocabulary (pvcreate, vgcreate, lvcreate, lvextend, lvreduce, vgextend) for all operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/lvm-flexible-storage-management.json"},{"id":"lvm-lv-is-virtual-block-device","text":"An LVM logical volume acts as a virtual block device that can hold any filesystem or be used as 
swap.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/lvm-lv-is-virtual-block-device.json"},{"id":"lvm-online-extend-nondisruptive","text":"LVM logical volumes can be extended online (non-disruptively) without downtime.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/lvm-online-extend-nondisruptive.json"},{"id":"lvm-three-layer-hierarchy","text":"LVM uses a three-layer hierarchy: Physical Volumes (PV) → Volume Groups (VG) → Logical Volumes (LV).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/lvm-three-layer-hierarchy.json"},{"id":"lvm-vg-spans-multiple-disks","text":"Multiple physical volumes can be combined into a single volume group, enabling storage that spans multiple disks.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/lvm-vg-spans-multiple-disks.json"},{"id":"man-info-documentation-system","text":"man pages are organized in sections: 1 (user commands), 5 (file formats), 8 (admin commands). Use man -k or apropos to search. info provides detailed docs. /usr/share/doc has package documentation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/man-info-documentation-system.json"},{"id":"mbr-gpt-partitioning-fdisk-parted","text":"MBR supports 4 primary partitions, max 2 TiB. GPT supports 128 partitions, no size limit. fdisk, gdisk, and parted manage partitions. 
Run partprobe after partition table changes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/mbr-gpt-partitioning-fdisk-parted.json"},{"id":"mcs-access-requires-all-categories","text":"A user must be assigned to all categories on a file to access it (conjunction rule — not just one matching category).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/mcs-access-requires-all-categories.json"},{"id":"mcs-categories-c0-to-c1023","text":"SELinux Multi-Category Security (MCS) categories range from c0 to c1023 (1024 possible categories).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/mcs-categories-c0-to-c1023.json"},{"id":"mcs-category-labels-setrans-conf","text":"Human-readable MCS category labels are defined in `/etc/selinux/<policy>/setrans.conf` and require restarting the `mcstrans` service to take effect.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/mcs-category-labels-setrans-conf.json"},{"id":"mcs-enforced-after-dac-and-te","text":"MCS is evaluated after DAC and Type Enforcement — it can only further restrict access, never relax it.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/mcs-enforced-after-dac-and-te.json"},{"id":"mcs-not-default-for-regular-users-targeted","text":"In the `targeted` SELinux policy, MCS is not configured for regular users by default — a CIL module with `(typeattributeset mcs_constrained_type (user_t))` must be installed via `semodule 
-i`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/mcs-not-default-for-regular-users-targeted.json"},{"id":"mcs-restrictive-access-control","text":"MCS provides a restrictive supplementary access layer: enforced only after DAC and Type Enforcement pass, requiring conjunction of all assigned categories, with session-boundary enforcement of changes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/mcs-restrictive-access-control.json"},{"id":"mcs-user-category-changes-at-next-login","text":"MCS category changes for users take effect only at the next login, not on the current session.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/mcs-user-category-changes-at-next-login.json"},{"id":"modprobe-blacklist-persists-after-install","text":"`modprobe.blacklist=` disables kernel modules during installation and persists after installation (stored in `/etc/modprobe.d/`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/modprobe-blacklist-persists-after-install.json"},{"id":"multipathd-flush-on-last-del-values","text":"The `multipathd` `flush_on_last_del` parameter accepts values: `always`/`yes`, `unused`/`no` (default), and `never`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/multipathd-flush-on-last-del-values.json"},{"id":"nested-kvm-production-viable","text":"Nested KVM virtualization is viable for production workloads on RHEL 
9.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/nested-kvm-production-viable.json"},{"id":"nested-kvm-tech-preview-rhel9","text":"Nested KVM virtualization is a Technology Preview in RHEL 9, working on Intel, AMD64, and IBM Z hosts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/nested-kvm-tech-preview-rhel9.json"},{"id":"nic-teaming-deprecated-rhel9","text":"NIC teaming (`team=`) is deprecated in RHEL 9; network bonding is the recommended alternative.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/nic-teaming-deprecated-rhel9.json"},{"id":"oemdrv-volume-auto-kickstart","text":"A volume labeled `OEMDRV` with a file named `ks.cfg` in its root is auto-detected by the Anaconda installer for Kickstart — no `inst.ks=` boot option is required.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/oemdrv-volume-auto-kickstart.json"},{"id":"polyinstantiation-config-namespace-conf","text":"Polyinstantiation is configured in `/etc/security/namespace.conf`; the `pam_namespace_helper` does NOT read files from `/etc/security/namespace.d/`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/polyinstantiation-config-namespace-conf.json"},{"id":"polyinstantiation-default-directories","text":"Polyinstantiated directories in SELinux isolate /tmp, /var/tmp, and home directories per-user, preventing race condition attacks and information leaks. 
Instance directories (/tmp-inst/, /var/tmp/tmp-inst/) hold per-user subdirectories that get bind-mounted over the shared paths.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/polyinstantiation-default-directories.json"},{"id":"polyinstantiation-instance-dirs-mode-000","text":"Polyinstantiation instance directories (`/tmp-inst/`, `/var/tmp/tmp-inst/`) must be created with mode 000 (`mkdir --mode 000`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/polyinstantiation-instance-dirs-mode-000.json"},{"id":"polyinstantiation-pam-module-pam-namespace","text":"Polyinstantiation is enforced via the `pam_namespace.so` PAM module with the `unmnt_remnt` option in the session stack.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/polyinstantiation-pam-module-pam-namespace.json"},{"id":"polyinstantiation-user-vs-level-method","text":"Polyinstantiation uses the `user` method on non-MLS systems and the `level` method on MLS systems in `namespace.conf`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/polyinstantiation-user-vs-level-method.json"},{"id":"polyinstantiation-verify-with-findmnt","text":"Polyinstantiation can be verified with `findmnt --mountpoint /tmp/`; the source should show `/tmp-inst/<user>`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/polyinstantiation-verify-with-findmnt.json"},{"id":"process-identification-kill","text":"Use top and ps aux to identify CPU/memory intensive processes. 
kill PID sends SIGTERM (15, graceful). kill -9 PID sends SIGKILL (forced). nice/renice adjust scheduling priority (-20 to 19).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/process-identification-kill.json"},{"id":"process-output-shell-commands-script","text":"Process output of shell commands within a script using command substitution $(command). Captures stdout for use in variable assignments, conditionals, and loops. Can be nested and is preferred over backticks.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/process-output-shell-commands-script.json"},{"id":"process-script-inputs-positional","text":"Process script inputs using positional parameters $1, $2, etc. $0 is the script name, $# is the argument count, \"$@\" expands all arguments preserving word boundaries. 
Use shift to consume parameters.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/process-script-inputs-positional.json"},{"id":"quadlet-production-container-management","text":"Quadlet is production-ready for declarative systemd-native container lifecycle management on RHEL 9, supporting container, build, pod, and image unit types with Podman as the runtime.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/quadlet-production-container-management.json"},{"id":"quadlet-systemd-podman-tech-preview","text":"Quadlet generates systemd service files from Podman container descriptions and is a Technology Preview in RHEL 9.2.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/quadlet-systemd-podman-tech-preview.json"},{"id":"rd-break-boot-interrupt","text":"rd.break interrupts the RHEL 9 boot process for emergency access. 
Procedure: edit GRUB entry, append rd.break, then remount /sysroot rw, chroot, passwd root, touch /.autorelabel.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rd-break-boot-interrupt.json"},{"id":"rear-backup-disaster-recovery","text":"ReaR (Relax-and-Recover) is the Red Hat-supported tool for full system backup and bare-metal disaster recovery on RHEL 9.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rear-backup-disaster-recovery.json"},{"id":"redhat-bugzilla-to-jira-migration","text":"Red Hat migrated issue tracking from Bugzilla (BZ#) to Jira (RHEL-, RHELDOCS-, RHELPLAN- prefixes) for RHEL tracking.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/redhat-bugzilla-to-jira-migration.json"},{"id":"registration-issues-certificate","text":"RHEL registration issues a certificate that identifies and authenticates the system to Red Hat.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/registration-issues-certificate.json"},{"id":"registration-required-for-repo-access","text":"RHEL system registration is required before the system can access Red Hat repositories for updates via yum/dnf.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/registration-required-for-repo-access.json"},{"id":"registration-requires-root","text":"RHEL system registration with subscription-manager requires root 
privileges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/registration-requires-root.json"},{"id":"restorecon-f-forces-full-relabel-including-user","text":"The `-F` flag on `restorecon` forces a full relabel including the SELinux user field, not just the type.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/restorecon-f-forces-full-relabel-including-user.json"},{"id":"rhcsa-cli-proficiency-toolkit","text":"RHCSA candidates must master a core CLI toolkit: Bash scripting fundamentals (positional parameters $1-$9, $#, \"$@\"), I/O redirection (>, >>, 2>, &>, pipes), pattern matching (grep with -i/-v/-r and regex), and the documentation system (man pages with section conventions and apropos search) — these form the essential tools foundation of the RHCSA exam.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhcsa-cli-proficiency-toolkit.json"},{"id":"rhel-doc-change-categories","text":"RHEL release note changes are categorized as Known Issues, Deprecated Functionality, Technology Previews, Bug Fixes, and Enhancements/New Features.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel-doc-change-categories.json"},{"id":"rhel-driver-management-commands","text":"Kernel module management commands: `lsmod` lists loaded modules, `modprobe` loads modules, `modprobe -r` unloads modules, `modinfo` shows driver 
details/version/parameters.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel-driver-management-commands.json"},{"id":"rhel-edge-post-deployment-fips-enablement","text":"RHEL for Edge images support enabling FIPS mode after initial deployment using standard `fips-mode-setup --enable` tooling, allowing deferred compliance configuration.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel-edge-post-deployment-fips-enablement.json"},{"id":"rhel-edge-uses-rpm-ostree","text":"RHEL for Edge images use rpm-ostree for image-based atomic updates and rollbacks, not traditional RPM/DNF package management.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel-edge-uses-rpm-ostree.json"},{"id":"rhel-image-mode-bootc-oci-containers","text":"RHEL image mode (bootc) manages the OS as a standard OCI container image, built with Podman/Buildah and stored in container registries.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel-image-mode-bootc-oci-containers.json"},{"id":"rhel-kernel-module-management-commands","text":"Kernel module management commands: `lsmod` lists loaded modules, `modprobe` loads modules, `modprobe -r` unloads modules, `modinfo` shows module details including version and parameters.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel-kernel-module-management-commands.json"},{"id":"rhel-kernel-modules-path","text":"Kernel modules are stored in `/lib/modules/$(uname 
-r)/`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel-kernel-modules-path.json"},{"id":"rhel-minor-release-cadence","text":"RHEL 9 follows a minor release cadence (9.0, 9.1, 9.2, 9.3, 9.4, ...) delivering updates on a roughly 6-month cycle while maintaining ABI compatibility.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel-minor-release-cadence.json"},{"id":"rhel-no-skip-major-version-upgrade","text":"RHEL does not support skipping major versions during in-place upgrades (e.g., RHEL 7 → 9 directly is not supported).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel-no-skip-major-version-upgrade.json"},{"id":"rhel-release-notes-living-documents","text":"RHEL release notes are living documents that receive ongoing updates well after the initial release; RHEL 9.3 (released November 2023) had release notes updated through November 2025.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel-release-notes-living-documents.json"},{"id":"rhel-system-roles-ansible","text":"RHEL System Roles are Ansible-based roles for consistent configuration management across multiple RHEL hosts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel-system-roles-ansible.json"},{"id":"rhel-system-roles-install-path","text":"RHEL system roles are installed to `/usr/share/ansible/roles/` and collections to 
`/usr/share/ansible/collections/`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel-system-roles-install-path.json"},{"id":"rhel-system-roles-key-roles","text":"Key RHEL system roles include `timesync`, `network`, `selinux`, `storage`, `firewall`, `logging`, and `kdump`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel-system-roles-key-roles.json"},{"id":"rhel-system-roles-naming-convention","text":"RHEL system roles can be referenced as legacy names (e.g., `rhel-system-roles.timesync`) or collection names (e.g., `redhat.rhel_system_roles.timesync`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel-system-roles-naming-convention.json"},{"id":"rhel-system-roles-package","text":"RHEL system roles are installed via the `rhel-system-roles` package and placed in `/usr/share/ansible/roles/` and `/usr/share/ansible/collections/`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel-system-roles-package.json"},{"id":"rhel-system-roles-package-name","text":"RHEL system roles are installed via the `rhel-system-roles` package.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel-system-roles-package-name.json"},{"id":"rhel8-to-rhel9-inplace-upgrade-leapp","text":"In-place upgrade from RHEL 8 to RHEL 9 is supported using the Leapp tool; Convert2RHEL handles conversions from CentOS/Alma/Rocky/Oracle 
Linux.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel8-to-rhel9-inplace-upgrade-leapp.json"},{"id":"rhel9-ad-integration-stack","text":"RHEL 9 provides a complete AD integration stack: realmd orchestrates domain join, SSSD serves as default authentication backend, with a defined set of required packages.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-ad-integration-stack.json"},{"id":"rhel9-ad-integration-two-methods","text":"RHEL 9 supports two methods for direct Active Directory integration: SSSD and Samba Winbind.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-ad-integration-two-methods.json"},{"id":"rhel9-ad-join-packages-sssd","text":"Required packages for SSSD-based AD join: sssd, realmd, oddjob, oddjob-mkhomedir, adcli, samba-common-tools.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-ad-join-packages-sssd.json"},{"id":"rhel9-ad-msa-no-domain-join","text":"Managed Service Accounts (MSA) allow access to AD resources without full domain membership on RHEL 9.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-ad-msa-no-domain-join.json"},{"id":"rhel9-aide-config-and-db-paths","text":"AIDE configuration is at `/etc/aide.conf` and the default database location is 
`/var/lib/aide/aide.db.gz`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-aide-config-and-db-paths.json"},{"id":"rhel9-aide-config-file-path","text":"AIDE configuration is controlled by `/etc/aide.conf`, which defines monitored paths and tracked attributes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-aide-config-file-path.json"},{"id":"rhel9-aide-database-rename-required","text":"After `aide --init` or `aide --update`, the output file `/var/lib/aide/aide.db.new.gz` must be renamed to `/var/lib/aide/aide.db.gz` before it becomes active.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-aide-database-rename-required.json"},{"id":"rhel9-aide-detection-only","text":"AIDE is a detection-only tool that identifies filesystem changes after they occur but does not prevent them; IMA provides both detection and prevention.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-aide-detection-only.json"},{"id":"rhel9-aide-detection-only-not-prevention","text":"AIDE is a detection-only tool that identifies filesystem changes but does not prevent them; IMA provides both detection and prevention.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-aide-detection-only-not-prevention.json"},{"id":"rhel9-aide-file-integrity-commands","text":"AIDE file integrity checking uses `aide --init` to initialize the database, `aide --check` to detect changes, and `aide --update` to update the database after 
review.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-aide-file-integrity-commands.json"},{"id":"rhel9-aide-integrity-workflow","text":"AIDE provides a complete file integrity monitoring workflow: three operations (init/check/update), mandatory database rename after generation, AppStream package source, with the critical caveat that it is detection-only.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-aide-integrity-workflow.json"},{"id":"rhel9-aide-requires-appstream","text":"The `aide` package requires the AppStream repository for installation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-aide-requires-appstream.json"},{"id":"rhel9-aide-three-operations","text":"AIDE has three key operations: `--init` (create baseline database), `--check` (verify integrity), `--update` (refresh database after legitimate changes).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-aide-three-operations.json"},{"id":"rhel9-all-crypto-policies-disable-weak","text":"All four predefined crypto policies disable IKEv1, 3DES, RC4, DSA, and TLS v1.1 and older.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-all-crypto-policies-disable-weak.json"},{"id":"rhel9-anaconda-graphical-installer","text":"RHEL 9 uses the Anaconda graphical installer for interactive GUI-based 
installation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-anaconda-graphical-installer.json"},{"id":"rhel9-application-runtime-platform","text":"RHEL 9 provides a managed application runtime platform with relational databases (MariaDB/MySQL/PostgreSQL via AppStream module streams), a controlled Python ecosystem (venv isolation, AppStream version selection, platform-python reserved), and RPM packaging tools for custom software distribution.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-application-runtime-platform.json"},{"id":"rhel9-application-streams-independent-lifecycle","text":"Application Streams allow multiple versions of user-space components to be updated independently of the core OS, each with its own lifecycle.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-application-streams-independent-lifecycle.json"},{"id":"rhel9-application-streams-plain-rpm-install","text":"In RHEL 9, initial Application Stream versions install as plain RPMs via `dnf install` without needing to enable modules first (simplified from RHEL 8).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-application-streams-plain-rpm-install.json"},{"id":"rhel9-appstream-initial-versions-plain-rpm","text":"In RHEL 9, initial Application Stream versions install as plain RPMs via `dnf install` without needing `dnf module enable` 
first.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-appstream-initial-versions-plain-rpm.json"},{"id":"rhel9-appstream-modules-multiple-versions","text":"AppStream uses modules to deliver multiple versions of the same software (e.g., different Python or Node.js streams); modularity is not present in BaseOS.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-appstream-modules-multiple-versions.json"},{"id":"rhel9-appstream-rpm-and-modules","text":"The AppStream repository delivers additional applications, runtime languages, databases, and tools as both traditional RPMs and modules.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-appstream-rpm-and-modules.json"},{"id":"rhel9-appstream-shorter-lifecycles","text":"Some Application Streams have shorter support lifecycles than the base RHEL 9 OS.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-appstream-shorter-lifecycles.json"},{"id":"rhel9-arch-minimum-versions","text":"RHEL 9 minimum hardware versions by architecture: x86_64 requires x86-64-v2, aarch64 requires ARMv8.0-A, ppc64le requires POWER9, s390x requires z14.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-arch-minimum-versions.json"},{"id":"rhel9-architecture-specific-subscriptions","text":"Each RHEL 9 architecture requires its own separate Red Hat 
subscription.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-architecture-specific-subscriptions.json"},{"id":"rhel9-arm-default-4k-page-kernel","text":"RHEL 9 ships with a 4k page size kernel by default on ARM (AArch64) systems.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-arm-default-4k-page-kernel.json"},{"id":"rhel9-audisp-integrated-into-auditd","text":"In RHEL 9, the audit dispatcher (audisp) functionality is integrated into `auditd`; plugin configs live in `/etc/audit/plugins.d/`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-audisp-integrated-into-auditd.json"},{"id":"rhel9-audit-file-watch-command","text":"File audit watches are added with `auditctl -w <path> -p <permissions> -k <key>` and searched with `ausearch -k <key>`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-audit-file-watch-command.json"},{"id":"rhel9-audit-log-default-location","text":"The default audit log location is `/var/log/audit/audit.log`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-audit-log-default-location.json"},{"id":"rhel9-audit-log-location","text":"The default audit log location is `/var/log/audit/audit.log`, configured via 
`/etc/audit/auditd.conf`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-audit-log-location.json"},{"id":"rhel9-audit-persistent-rules-directory","text":"Persistent audit rules are placed in `/etc/audit/rules.d/`; `/etc/audit/audit.rules` is auto-generated by `augenrules` on service start.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-audit-persistent-rules-directory.json"},{"id":"rhel9-audit-sample-compliance-rules","text":"Pre-configured audit rules for compliance standards (OSPP, PCI-DSS, STIG) are available in `/usr/share/audit/sample-rules/`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-audit-sample-compliance-rules.json"},{"id":"rhel9-audit-subsystem-integrated","text":"RHEL 9 provides a unified audit subsystem with integrated dispatcher, file watch rules, original login identity tracking via auid, dedicated service management (the `service` command rather than `systemctl` for start/stop/restart), and configurable log location.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-audit-subsystem-integrated.json"},{"id":"rhel9-auditctl-enable-disable","text":"`auditctl -e 0` temporarily disables auditing and `auditctl -e 1` re-enables it at runtime.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-auditctl-enable-disable.json"},{"id":"rhel9-auditctl-file-watch-syntax","text":"`auditctl -w <path> -p <perms> -k <key>` creates file watch rules; permission flags are `w` (write), `a` (attribute), `r` (read), `x` 
(execute).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-auditctl-file-watch-syntax.json"},{"id":"rhel9-auditd-use-service-not-systemctl","text":"`auditd` must be managed with `service auditd start/stop/restart` — `systemctl` is only valid for `enable` and `status`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-auditd-use-service-not-systemctl.json"},{"id":"rhel9-auid-tracks-original-login-identity","text":"The `auid` (Audit UID / loginuid) is assigned at login and inherited across `su`/`sudo`, tracking the original login identity for accountability.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-auid-tracks-original-login-identity.json"},{"id":"rhel9-auid-tracks-original-login-user","text":"The `auid` (audit UID / loginuid) is assigned at login and inherited across `su`/`sudo`, tracking the original login identity for accountability.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-auid-tracks-original-login-user.json"},{"id":"rhel9-authenticated-observable-security-operations","text":"RHEL 9 security operations are both identity-governed (enterprise identity ecosystem controlling access, Kerberos-gated administration, IdM vault secrets management) and continuously observable (audit subsystem with auid tracking, sos diagnostic reporting), creating an accountability chain from identity authentication through security action to audit 
trail.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-authenticated-observable-security-operations.json"},{"id":"rhel9-authenticated-security-monitoring","text":"RHEL 9 connects identity management to security monitoring: IdM provides verified user identities via Kerberos authentication, the audit subsystem tracks all privileged actions via loginuid (auid) which survives su/sudo, and system roles enable consistent security configuration across all managed hosts — creating an end-to-end chain from identity verification through action tracking to configuration enforcement.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-authenticated-security-monitoring.json"},{"id":"rhel9-authentication-hardening-controls","text":"RHEL 9 provides layered authentication hardening across three defense dimensions: account lockout policy via pam_faillock with configurable thresholds and admin unlock, password lifecycle management via chage with aging/expiry/force-change controls, and SSH key-based authentication with Ed25519 as the recommended algorithm.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-authentication-hardening-controls.json"},{"id":"rhel9-automatable-defense-in-depth","text":"RHEL 9 defense-in-depth security (SELinux enforcing, firewalld, crypto policies, granular audit) is fully automatable at fleet scale through Ansible system roles and SELinux deployment automation (semanage export/import, fixfiles autorelabel, Ansible roles), enabling consistent security posture across hundreds of 
hosts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-automatable-defense-in-depth.json"},{"id":"rhel9-bare-metal-separate-partitions","text":"For bare-metal RHEL 9 installations, `/boot`, `/`, `/home`, `/tmp`, and `/var/tmp` should be on separate partitions for security isolation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-bare-metal-separate-partitions.json"},{"id":"rhel9-baseos-appstream-both-required","text":"Both BaseOS and AppStream repositories are required for a complete RHEL 9 installation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-baseos-appstream-both-required.json"},{"id":"rhel9-baseos-appstream-required-repos","text":"RHEL 9 content is split into two required repositories: BaseOS (core OS foundation) and AppStream (additional user-space applications, runtimes, databases).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-baseos-appstream-required-repos.json"},{"id":"rhel9-baseos-core-os-rpm-only","text":"The BaseOS repository contains core OS foundation packages delivered exclusively as traditional RPMs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-baseos-core-os-rpm-only.json"},{"id":"rhel9-baseos-vs-appstream-purpose","text":"BaseOS provides core OS functionality (full RHEL support lifecycle); AppStream provides additional user-space applications, runtime languages, and 
databases.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-baseos-vs-appstream-purpose.json"},{"id":"rhel9-boot-iso-requires-network","text":"The Boot ISO requires network access to BaseOS/AppStream repositories to install packages; the Installation ISO (Binary DVD) contains both repos.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-boot-iso-requires-network.json"},{"id":"rhel9-boot-iso-requires-network-source","text":"The RHEL 9 boot ISO (~700 MB) contains only the installer and kernel; it requires a network installation source and cannot install standalone.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-boot-iso-requires-network-source.json"},{"id":"rhel9-boot-kernel-parameter-management","text":"RHEL 9 manages kernel boot parameters through `grubby` as the central tool: changing the default boot kernel (`--set-default`), persistently adding kernel arguments (`--update-kernel --args`), controlling CPU vulnerability mitigations (`mitigations=`), tuning crashkernel memory reservation (`crashkernel=size,high/low`), and emergency access via `rd.break` boot interrupt.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-boot-kernel-parameter-management.json"},{"id":"rhel9-boot-partition-cannot-be-encrypted","text":"The `/boot` partition cannot be encrypted with LUKS; if `/boot` is part of an encrypted `/` partition, the system cannot 
boot.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-boot-partition-cannot-be-encrypted.json"},{"id":"rhel9-bpf-jit-always-on","text":"RHEL 9 has `CONFIG_BPF_JIT_ALWAYS_ON=y`, meaning the BPF JIT compiler is mandatory and the BPF interpreter is not available (security hardening).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-bpf-jit-always-on.json"},{"id":"rhel9-cdn-install-inst-rhsm","text":"CDN-based RHEL 9 installations use the `inst.rhsm` boot parameter and require registering with Red Hat during installation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-cdn-install-inst-rhsm.json"},{"id":"rhel9-centralized-logging-and-audit-observability","text":"RHEL 9 provides centralized observability through two complementary subsystems: the audit framework (file watches, auid login tracking, compliance rules, dedicated service management) and the logging system role (rsyslog configuration via Ansible with structured input/output/flow variable groups and SELinux-aware port management).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-centralized-logging-and-audit-observability.json"},{"id":"rhel9-cgroups-v2-default","text":"RHEL 9 uses cgroups v2 (unified hierarchy) by default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-cgroups-v2-default.json"},{"id":"rhel9-cgroupsv1-deprecated","text":"cgroupsv1 is deprecated in RHEL 9 (which defaults to cgroupsv2); RHEL 10 will only 
support cgroupsv2.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-cgroupsv1-deprecated.json"},{"id":"rhel9-chrony-default-ntp","text":"chrony is the default NTP implementation in RHEL 9, replacing ntpd.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-chrony-default-ntp.json"},{"id":"rhel9-clevis-client-tang-server","text":"Clevis is the client-side framework for automated decryption; Tang is the stateless server that never stores or learns client keys.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-clevis-client-tang-server.json"},{"id":"rhel9-clevis-luks-bind-command","text":"Binding a LUKS volume to a Tang server: `clevis luks bind -d /dev/<device> tang '{\"url\":\"http://tang.srv\"}'`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-clevis-luks-bind-command.json"},{"id":"rhel9-clevis-pins-available","text":"Clevis pins available in RHEL 9 are: `tang` (network server), `tpm2` (TPM 2.0 chip), `pkcs11` (smart cards), and `sss` (Shamir's Secret Sharing for threshold-based high availability).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-clevis-pins-available.json"},{"id":"rhel9-closed-loop-fleet-security-operations","text":"RHEL 9 enables closed-loop fleet security operations where defense-in-depth configuration (SELinux, firewalld, crypto, audit) is automatable via Ansible system roles while continuously verifiable through audit logging, AIDE integrity monitoring, and 
OpenSCAP compliance scanning.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-closed-loop-fleet-security-operations.json"},{"id":"rhel9-cluster-services-not-systemctl","text":"Cluster-managed services must not be started or enabled via `systemctl`; Pacemaker controls their lifecycle.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-cluster-services-not-systemctl.json"},{"id":"rhel9-codeready-builder-unsupported","text":"The CodeReady Linux Builder repository is available with all RHEL subscriptions but its packages are unsupported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-codeready-builder-unsupported.json"},{"id":"rhel9-compatibility-levels-1-through-4","text":"RHEL 9 packages are assigned Application Compatibility Levels 1–4, where Level 1 provides the highest ABI stability guarantee across the major release.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-compatibility-levels-1-through-4.json"},{"id":"rhel9-complete-ad-interoperability","text":"RHEL 9 provides complete AD interoperability: the SSSD/realmd-based integration stack for client-side domain joins operates within a cross-forest trust architecture requiring common Kerberos encryption types, specific firewall ports, and bidirectional DNS resolution.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-complete-ad-interoperability.json"},{"id":"rhel9-complete-disk-encryption-coverage","text":"RHEL 9 NBDE with 
LUKS2 provides complete disk encryption coverage for all system partitions including boot volumes, enabling fully encrypted-at-rest deployments with automated network-bound decryption.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-complete-disk-encryption-coverage.json"},{"id":"rhel9-complete-installer-control-framework","text":"RHEL 9 installation is controlled through a comprehensive boot parameter framework combining installer directives (inst.ks, inst.repo, inst.stage2, inst.graphical/text/cmdline, inst.sshd, inst.vnc) with network configuration parameters (DHCP default, seven-field ip= static override, bootdev= for multi-NIC, ifname= for custom interface naming).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-complete-installer-control-framework.json"},{"id":"rhel9-complete-provisioning-control-framework","text":"RHEL 9 provides complete provisioning control from boot parameter specification through deployment execution: the installer control framework (inst.ks, inst.repo, inst.stage2, network configuration via ip=/bootdev=) feeds directly into the end-to-end provisioning pipeline (Image Builder blueprints, Kickstart automation, multiple installation methods), giving administrators deterministic control over every provisioning decision.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-complete-provisioning-control-framework.json"},{"id":"rhel9-complete-system-lifecycle-management","text":"RHEL 9 manages the complete temporal system lifecycle: automated provisioning (Image Builder blueprints, Kickstart, Anaconda) for initial deployment, structured patch management (BaseOS/AppStream content split, DNF 
security update filtering, advisory-driven remediation) for day-2 operations, and dual upgrade paradigms (Leapp sequential in-place upgrades, bootc image-based atomic updates) for major version transitions.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-complete-system-lifecycle-management.json"},{"id":"rhel9-comprehensive-deprecation-trajectory","text":"RHEL 9 is undergoing systematic modernization through coordinated deprecation across networking (ifcfg to keyfile, iptables to nftables, teaming to bonding) and infrastructure (cgroups v1 to v2, monolithic libvirtd to modular daemons, virt-manager to Cockpit).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-comprehensive-deprecation-trajectory.json"},{"id":"rhel9-comprehensive-security-posture","text":"RHEL 9 provides a comprehensive security posture integrating defense-in-depth hardened defaults (SELinux, firewalld, crypto policies, audit), continuous compliance monitoring (audit logging, AIDE integrity, OpenSCAP scanning), and layered authentication hardening (pam_faillock, password aging, SSH key-based auth) into a unified security architecture.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-comprehensive-security-posture.json"},{"id":"rhel9-container-mcs-isolation","text":"RHEL 9 container isolation leverages the full MCS restrictive access control model: container-selinux assigns unique MCS categories per container, enforced only after DAC and Type Enforcement pass, requiring conjunction of all assigned categories for inter-container 
access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-container-mcs-isolation.json"},{"id":"rhel9-container-runtime-podman","text":"Podman (not Docker) is the standard container runtime in RHEL 9, along with Buildah and Skopeo.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-container-runtime-podman.json"},{"id":"rhel9-content-delivery-architecture","text":"RHEL 9 content is architecturally split into two mandatory repositories: BaseOS (core OS foundation, RPMs only) and AppStream (user-space applications delivered as both RPMs and modules), with modules enabling multiple concurrent software versions and some Application Streams having shorter support lifecycles than the base OS.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-content-delivery-architecture.json"},{"id":"rhel9-content-gated-provisioning-pipeline","text":"RHEL 9 provisioning depends on a subscription-gated content chain: systems must first register (GUI/TUI, subscription-manager, or activation key) and establish repository access (CDN or Satellite) before the provisioning pipeline (Image Builder blueprints, Kickstart automation, Anaconda installation) can source packages from BaseOS and AppStream.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-content-gated-provisioning-pipeline.json"},{"id":"rhel9-continuous-os-evolution-strategy","text":"RHEL 9 supports continuous OS evolution from routine security patches (DNF advisory-filtered updates across BaseOS/AppStream with severity filtering) through major version transitions 
(Leapp sequential in-place upgrades with mandatory preupgrade assessment) to image-based atomic updates (rpm-ostree/bootc with health-check rollback for Edge deployments).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-continuous-os-evolution-strategy.json"},{"id":"rhel9-continuously-observable-compliance","text":"RHEL 9 compliance is observable through complementary mechanisms: continuous audit logging (file watches, auid tracking, pre-configured compliance rule sets for OSPP/PCI-DSS/STIG) provides ongoing evidence collection, while periodic AIDE integrity checks and OpenSCAP scanning provide point-in-time compliance verification.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-continuously-observable-compliance.json"},{"id":"rhel9-coordinated-platform-evolution","text":"RHEL 9 evolves the OS foundation (security patches, minor releases, Leapp major upgrades, rpm-ostree atomic updates) and application layer (deprecation-driven networking/virtualization/container modernization with AppStream versioning) as a coordinated platform evolution strategy.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-coordinated-platform-evolution.json"},{"id":"rhel9-cpu-security-mitigation-framework","text":"RHEL 9 addresses CPU-level security vulnerabilities through multiple coordinated mechanisms: SMT disabling for L1TF/MDS mitigation, shared buffer clearing for MMIO/MDS/TAA with interdependent mitigation toggles, restricted unprivileged BPF access by default, and mandatory BPF JIT compilation that eliminates the interpreter as an attack 
surface.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-cpu-security-mitigation-framework.json"},{"id":"rhel9-crashkernel-high-low-parameters","text":"`crashkernel=size,high` and `crashkernel=size,low` control kdump memory reservation above/below 4 GB; `crashkernel=X` without high/low takes precedence.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-crashkernel-high-low-parameters.json"},{"id":"rhel9-crypto-default-min-key-2048","text":"The DEFAULT and LEGACY crypto policies require minimum 2048-bit RSA/DH keys; FUTURE requires minimum 3072-bit.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-crypto-default-min-key-2048.json"},{"id":"rhel9-crypto-policy-command-set","text":"The command `update-crypto-policies --set POLICY` changes the system-wide cryptographic policy and requires root privileges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-crypto-policy-command-set.json"},{"id":"rhel9-crypto-policy-command-show","text":"The command `update-crypto-policies --show` displays the current system-wide cryptographic policy on RHEL 9.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-crypto-policy-command-show.json"},{"id":"rhel9-crypto-policy-lifecycle","text":"RHEL 9 provides complete crypto policy lifecycle management: four predefined policies, set/show CLI commands, persistent state file verification, and extensibility via custom .pmod 
subpolicies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-crypto-policy-lifecycle.json"},{"id":"rhel9-crypto-reboot-recommended","text":"A reboot is recommended after changing the system-wide cryptographic policy for full effect.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-crypto-reboot-recommended.json"},{"id":"rhel9-crypto-scoped-directives-at-syntax","text":"Scoped cryptographic policy directives use `@` syntax to restrict settings to specific protocols or libraries (e.g., `cipher@TLS`, `group@SSH`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-crypto-scoped-directives-at-syntax.json"},{"id":"rhel9-current-crypto-policy-state-file","text":"The current effective cryptographic policy can be verified at `/etc/crypto-policies/state/CURRENT.pol`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-current-crypto-policy-state-file.json"},{"id":"rhel9-custom-subpolicy-pmod-location","text":"Custom cryptographic subpolicy files use the `.pmod` extension with uppercase filenames and are stored in `/etc/crypto-policies/policies/modules/`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-custom-subpolicy-pmod-location.json"},{"id":"rhel9-dac-through-mac-access-control","text":"RHEL 9 implements layered access control from filesystem-level DAC (ugo/rwx permissions, setgid collaboration, hard/soft links) through SELinux MAC (Type Enforcement as primary policy, per-domain permissive 
mode, AVC denial logging), with DAC evaluated before MAC.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-dac-through-mac-access-control.json"},{"id":"rhel9-default-display-protocol-wayland","text":"RHEL 9 defaults to Wayland as the display protocol for GNOME, with X11/Xorg available as a fallback.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-default-display-protocol-wayland.json"},{"id":"rhel9-default-filesystem-xfs","text":"XFS is the default file system in RHEL 9.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-default-filesystem-xfs.json"},{"id":"rhel9-default-package-manager-dnf","text":"RHEL 9 uses DNF (not yum) as the primary package management tool.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-default-package-manager-dnf.json"},{"id":"rhel9-default-policy-tls12-minimum","text":"The DEFAULT crypto policy enforces TLS 1.2 as the minimum TLS version.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-default-policy-tls12-minimum.json"},{"id":"rhel9-defense-in-depth-container-isolation","text":"RHEL 9 containers operate within a defense-in-depth security stack where per-container MCS categories (assigned by container-selinux) provide inter-container isolation, layered on top of SELinux type enforcement, firewalld network controls, system-wide crypto policies, and continuous audit logging — meaning container breakout must defeat not just the container boundary but every 
surrounding security layer.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-defense-in-depth-container-isolation.json"},{"id":"rhel9-defense-in-depth-security-framework","text":"RHEL 9 enforces defense-in-depth through four integrated security layers: hardened defaults (SELinux enforcing, firewalld, crypto policies), granular cryptographic policy lifecycle management, layered SELinux MAC enforcement with type-based policy, and a unified audit subsystem with original-identity tracking across privilege escalation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-defense-in-depth-security-framework.json"},{"id":"rhel9-deprecated-functionality-removed","text":"RHEL 9 deprecated networking and infrastructure components (ifcfg, iptables, teaming, cgroups v1, monolithic libvirtd, virt-manager) have been removed and are no longer available for use.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-deprecated-functionality-removed.json"},{"id":"rhel9-diagnostic-reporting-workflow","text":"RHEL 9 provides a structured diagnostic reporting workflow: sos report (requiring root privileges) collects comprehensive system state into compressed tarballs in /var/tmp/, and sos clean obfuscates hostnames, IP addresses, and other sensitive data before the report is shared with Red Hat support.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-diagnostic-reporting-workflow.json"},{"id":"rhel9-direct-vs-indirect-ad-integration","text":"Direct AD integration means the RHEL host joins AD directly; indirect integration uses 
IdM/IPA as a broker with a cross-realm trust to AD.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-direct-vs-indirect-ad-integration.json"},{"id":"rhel9-dnf-check-update-security","text":"`dnf check-update --security` lists available security updates; `dnf update --security` installs all available security updates.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-dnf-check-update-security.json"},{"id":"rhel9-dnf-list-and-rpm-qa-query-packages","text":"Installed packages can be queried with `dnf list installed` or `rpm -qa`; available packages with `dnf list available` or `dnf repoquery`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-dnf-list-and-rpm-qa-query-packages.json"},{"id":"rhel9-dnf-replaces-yum","text":"The `dnf` package manager replaces `yum` in RHEL 9 for all package and update operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-dnf-replaces-yum.json"},{"id":"rhel9-dnf-updateinfo-advisory-query","text":"`dnf updateinfo info <advisory-id>` displays details about a specific advisory; `dnf updateinfo` is the subcommand for querying errata metadata.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-dnf-updateinfo-advisory-query.json"},{"id":"rhel9-drivers-loadable-kernel-modules","text":"RHEL ships device drivers as loadable kernel modules, not compiled monolithically into the 
kernel.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-drivers-loadable-kernel-modules.json"},{"id":"rhel9-dual-authenticated-identity-governed-workload-lifecycle","text":"RHEL 9 workloads are governed across their full lifecycle by dual authentication (subscription for content access, Kerberos for administration) with continuous observability, from identity-authenticated provisioning (IdM/AD-enrolled systems with DNS autodiscovery) through security-governed runtime isolation (SELinux MCS, firewalld, crypto policies) — creating a closed system where no workload phase is unauthenticated, ungoverned, or unobserved.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-dual-authenticated-identity-governed-workload-lifecycle.json"},{"id":"rhel9-dual-authenticated-observable-lifecycle","text":"RHEL 9 enforces dual authentication boundaries throughout the system lifecycle: subscription authentication gates all content and patch access while identity-governed security monitoring (Kerberos-bound audit with auid tracking) ensures every administrative action is attributable.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-dual-authenticated-observable-lifecycle.json"},{"id":"rhel9-dual-management-interface","text":"RHEL 9 system administration operates through complementary local and remote interfaces: the GNOME desktop on Wayland with systemd target switching for interactive console management, and the Cockpit web console with socket activation and firewall integration for browser-based remote 
management.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-dual-management-interface.json"},{"id":"rhel9-dual-upgrade-paradigm","text":"RHEL 9 supports two complementary OS upgrade paradigms: sequential in-place upgrades via Leapp (with mandatory preupgrade assessment and no major version skipping) for traditional RPM-based systems, and atomic image-based updates via rpm-ostree/bootc with automated health-check rollback (Greenboot) for Edge deployments.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-dual-upgrade-paradigm.json"},{"id":"rhel9-dual-workload-isolation-platform","text":"RHEL 9 provides dual workload isolation with distinct security models: virtual machines via the managed KVM/QEMU/libvirt stack with Cockpit web management and hardware-level isolation, and containers via Podman with MCS-enforced category-based separation where each container receives unique SELinux categories enforced after DAC and Type Enforcement.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-dual-workload-isolation-platform.json"},{"id":"rhel9-dump-utility-deprecated","text":"The `dump` backup utility is deprecated in RHEL 9; use `tar`, `dd`, or `bacula` instead (`restore` remains available).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-dump-utility-deprecated.json"},{"id":"rhel9-edge-image-based-os","text":"RHEL for Edge uses an image-based OS model with rpm-ostree for atomic updates/rollbacks, Greenboot for automated health-check rollback, and bootc for container-native image 
management.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-edge-image-based-os.json"},{"id":"rhel9-encrypted-storage-lifecycle","text":"RHEL 9 provides end-to-end encrypted storage lifecycle management: NBDE with Clevis/Tang for automated decryption across multiple pin types, volume-type-specific unlock requirements (dracut for root, systemd for non-root), and system-wide cryptographic policy governance ensuring encryption algorithms comply with organizational standards.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-encrypted-storage-lifecycle.json"},{"id":"rhel9-end-to-end-provisioning-pipeline","text":"RHEL 9 provides an end-to-end provisioning pipeline from image creation (Image Builder with TOML blueprints and multi-format output) through installation (interactive GUI to fully automated spectrum) to mass deployment (Kickstart with syntax validation, multiple source protocols, and CDN registration).","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-end-to-end-provisioning-pipeline.json"},{"id":"rhel9-enterprise-identity-ecosystem","text":"RHEL 9 provides a comprehensive enterprise identity ecosystem: IdM as a unified stack (LDAP/Kerberos/CA/SSSD), Kerberos-gated administration for all management interfaces, encrypted secret storage via vaults with client-side encryption and KRA backend, and direct Active Directory integration via SSSD/realmd for hybrid 
environments.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-enterprise-identity-ecosystem.json"},{"id":"rhel9-errata-three-types","text":"Red Hat advisories come in three types: RHSA (security), RHBA (bug fix), and RHEA (enhancement).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-errata-three-types.json"},{"id":"rhel9-filesystem-access-control-fundamentals","text":"RHEL 9 filesystem access control spans four complementary mechanisms: traditional DAC permissions (user/group/other with rwx via chmod), collaborative directory controls (set-GID for group inheritance, sticky bit for deletion protection), link semantics (hard links sharing inodes within a filesystem, symlinks crossing boundaries), and standard file operations (cp, mv, rm with recursive and archive modes).","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-filesystem-access-control-fundamentals.json"},{"id":"rhel9-filesystem-mounting-model","text":"RHEL 9 provides a layered filesystem mounting model: XFS as the default filesystem, persistent mounts via /etc/fstab with UUID/LABEL identification for reliability, and on-demand network mounting via autofs for filesystems accessed infrequently.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-filesystem-mounting-model.json"},{"id":"rhel9-fips-enable-at-install","text":"FIPS mode should be enabled at install time using the `fips=1` kernel parameter; the `fips-mode-setup` tool is 
deprecated.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-fips-enable-at-install.json"},{"id":"rhel9-fips-mode-kernel-parameter","text":"FIPS mode in RHEL 9 is enabled via the `fips=1` kernel parameter at install time (not `/etc/system-fips`); check status with `fips-mode-setup --check`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-fips-mode-kernel-parameter.json"},{"id":"rhel9-fips-mode-setup-enable","text":"FIPS mode is enabled on RHEL 9 using `fips-mode-setup --enable` and verified with `fips-mode-setup --check`; a reboot is required after enabling.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-fips-mode-setup-enable.json"},{"id":"rhel9-fips-policy-not-fips-compliant-alone","text":"Setting the FIPS crypto policy alone does not guarantee FIPS 140 compliance; existing cryptographic keys must also be regenerated.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-fips-policy-not-fips-compliant-alone.json"},{"id":"rhel9-firewalld-active-by-default","text":"RHEL 9 has `firewalld` active by default as part of its security baseline.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-firewalld-active-by-default.json"},{"id":"rhel9-firewalld-enabled-by-default","text":"`firewalld` is enabled by default on RHEL 9 but may be disabled by Kickstart 
configurations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-firewalld-enabled-by-default.json"},{"id":"rhel9-firewalld-nftables-backend","text":"RHEL 9 uses firewalld with an nftables backend as the firewall framework.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-firewalld-nftables-backend.json"},{"id":"rhel9-four-predefined-crypto-policies","text":"RHEL 9 provides four predefined system-wide cryptographic policies: DEFAULT, LEGACY, FUTURE, and FIPS.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-four-predefined-crypto-policies.json"},{"id":"rhel9-four-supported-architectures","text":"RHEL 9 supports four architectures: x86-64 (minimum v2), ARM aarch64 (minimum ARMv8.0-A), IBM Power ppc64le (minimum POWER9), and IBM Z s390x (minimum z14).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-four-supported-architectures.json"},{"id":"rhel9-full-life-app-streams-level-3","text":"Key application stream packages (httpd, mariadb, postgresql, python, ruby, php, perl) are designated as Full Life Application Streams at Compatibility Level 3.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-full-life-app-streams-level-3.json"},{"id":"rhel9-full-lifecycle-infrastructure","text":"RHEL 9 supports full infrastructure lifecycle from image creation and automated deployment (Image Builder, Kickstart, Anaconda) through content delivery (BaseOS + AppStream repositories) to ongoing 
configuration management (Ansible system roles with dual naming, covering timesync, network, SELinux, storage, firewall, logging, and kdump).","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-full-lifecycle-infrastructure.json"},{"id":"rhel9-full-stack-hardware-to-data-defense","text":"RHEL 9 defense-in-depth extends from hardware-level CPU mitigations (SMT disable for L1TF/MDS, BPF JIT hardening, unprivileged BPF restrictions) through cryptographic policy enforcement to data-at-rest protection (LUKS2/NBDE encryption and SELinux/MCS mandatory access control), ensuring no single layer's compromise alone exposes stored data.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-full-stack-hardware-to-data-defense.json"},{"id":"rhel9-fully-automated-fleet-security-convergence","text":"RHEL 9 fleet security configuration can converge to desired state through automation alone — Ansible system roles deploy SELinux, firewalld, crypto, and audit policy, while the audit/compliance pipeline verifies convergence — without requiring coordinated maintenance windows for any security subsystem.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-fully-automated-fleet-security-convergence.json"},{"id":"rhel9-fully-encrypted-partitioned-bare-metal","text":"RHEL 9 bare-metal deployments with recommended separate partitions (/boot, /, /home, /tmp, /var/tmp) achieve full disk-at-rest encryption through LVM-managed LUKS2 volumes with NBDE automated decryption, providing comprehensive data protection across all storage 
boundaries.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-fully-encrypted-partitioned-bare-metal.json"},{"id":"rhel9-gnome-default-wayland","text":"RHEL 9 GNOME defaults to Wayland as the display server, with X11 available as a fallback.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-gnome-default-wayland.json"},{"id":"rhel9-gnome-defaults-wayland","text":"RHEL 9 GNOME defaults to Wayland as the display server, with X11 as a fallback.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-gnome-defaults-wayland.json"},{"id":"rhel9-graphical-target-commands","text":"Switching between GUI and text mode at boot uses `systemctl set-default graphical.target` or `systemctl set-default multi-user.target`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-graphical-target-commands.json"},{"id":"rhel9-graphical-target-controls-gui-boot","text":"`systemctl set-default graphical.target` enables the GUI at boot; `systemctl set-default multi-user.target` disables it.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-graphical-target-controls-gui-boot.json"},{"id":"rhel9-graphical-vs-multiuser-target","text":"`systemctl isolate graphical.target` starts the GNOME/display manager; `systemctl isolate multi-user.target` switches to text-only 
mode.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-graphical-vs-multiuser-target.json"},{"id":"rhel9-guaranteed-uniform-crypto-enforcement","text":"Administrators can guarantee that all RHEL 9 system services follow the system-wide cryptographic policy without exception, ensuring that setting a crypto policy (DEFAULT, FUTURE, FIPS, LEGACY) produces uniform cryptographic behavior across every service on the system.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-guaranteed-uniform-crypto-enforcement.json"},{"id":"rhel9-gui-desktop-management","text":"RHEL 9 provides a single managed desktop environment (GNOME on Wayland by default) with systemd target control for boot mode selection and virtual console switching for multi-session access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-gui-desktop-management.json"},{"id":"rhel9-ha-cluster-requirements","text":"Production HA clusters on RHEL 9 require mandatory STONITH fencing, pcs as the primary management CLI, dedicated firewall ports (TCP 2224/3121, UDP 5405), and Pacemaker-controlled service lifecycle (no systemctl).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-ha-cluster-requirements.json"},{"id":"rhel9-ha-corosync-membership-layer","text":"Corosync provides the cluster communication and membership layer underneath Pacemaker in RHEL 9 HA 
clusters.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-ha-corosync-membership-layer.json"},{"id":"rhel9-ha-firewall-ports","text":"RHEL 9 HA clusters require firewall ports TCP 2224 (pcsd), UDP 5405 (corosync), and TCP 3121 (pacemaker-remoted).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-ha-firewall-ports.json"},{"id":"rhel9-ha-uses-pacemaker-crm","text":"RHEL 9 High Availability Add-On uses Pacemaker as its cluster resource manager.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-ha-uses-pacemaker-crm.json"},{"id":"rhel9-hardened-kernel-runtime","text":"RHEL 9 manages a hardened kernel runtime through coordinated boot parameter management (grubby for default kernel and persistent args, mitigations= for CPU vulnerability controls, crashkernel= for dump reservation) and explicit security-vs-performance equilibrium controls (TuneD profiles, BPF restrictions with JIT-only enforcement, io_uring default-disabled).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-hardened-kernel-runtime.json"},{"id":"rhel9-hardware-security-performance-equilibrium","text":"RHEL 9 explicitly manages the hardware security-vs-performance equilibrium: CPU vulnerability mitigations (SMT disable for L1TF/MDS, BPF restrictions, io_uring disabled by default) reduce attack surface at performance cost, while TuneD profiles provide compensating performance 
optimization.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-hardware-security-performance-equilibrium.json"},{"id":"rhel9-health-monitored-enterprise-identity","text":"RHEL 9 enterprise identity services are health-monitored end-to-end: the full identity ecosystem (IdM with AD cross-forest trust, Kerberos-gated administration, vault client-side encryption) is continuously verified by automated ipa-healthcheck with systemd timer scheduling, JSON output with severity grading, and failure-only filtering for operational alerting.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-health-monitored-enterprise-identity.json"},{"id":"rhel9-identity-authenticated-infrastructure-provisioning","text":"RHEL 9 infrastructure provisioning is identity-authenticated end-to-end: the health-monitored enterprise identity ecosystem (IdM/AD with automated health checks) provides the authentication infrastructure that gates content access via subscription registration, which feeds the provisioning pipeline from Image Builder blueprints through Kickstart automation to deployed systems — with identity service health continuously verified.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-identity-authenticated-infrastructure-provisioning.json"},{"id":"rhel9-identity-bound-hardware-to-data-defense","text":"RHEL 9 defense-in-depth from hardware CPU mitigations through SELinux, firewalld, and crypto policies to LUKS2/NBDE data-at-rest protection is governed by the enterprise identity ecosystem (IdM with LDAP/Kerberos/CA, AD integration, vault secrets), ensuring that access to every security layer is identity-authenticated and that data 
protection decisions are centrally managed through the identity infrastructure.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-identity-bound-hardware-to-data-defense.json"},{"id":"rhel9-identity-controlled-data-protection","text":"RHEL 9 provides identity-controlled data protection where the enterprise identity ecosystem (IdM with LDAP/Kerberos/CA, AD integration, vault secrets) governs access authorization while layered encryption (LUKS2/NBDE) and mandatory access controls (SELinux Type Enforcement + MCS categories) protect data at rest, achieving defense-in-depth from authentication through storage.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-identity-controlled-data-protection.json"},{"id":"rhel9-identity-enabled-service-discovery","text":"RHEL 9 enterprise identity provides automated service discovery: IdM's integrated DNS subsystem (BIND with LDAP backend, configurable forward policies, auto-created SRV records) enables clients to locate and enroll into the identity ecosystem via ipa-client-install without explicit server specification.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-identity-enabled-service-discovery.json"},{"id":"rhel9-identity-governed-defense-across-lifecycle-and-stack","text":"RHEL 9 is a unified security platform where identity governance spans both the temporal dimension (provisioning, day-2 operations, compliance monitoring) and the spatial dimension (hardware CPU mitigations through mandatory access controls to cryptographic data protection), making every security layer at every lifecycle phase identity-authenticated and 
auditable.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-identity-governed-defense-across-lifecycle-and-stack.json"},{"id":"rhel9-identity-governed-secure-lifecycle","text":"RHEL 9 is an identity-governed secure lifecycle platform where every phase — provisioning, day-2 operations, compliance monitoring — is both security-hardened by default and controlled by a unified identity ecosystem (IdM/AD with Kerberos authentication), ensuring authenticated attribution from image creation through audit trail.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-identity-governed-secure-lifecycle.json"},{"id":"rhel9-identity-governed-security-operations","text":"RHEL 9 enables identity-governed security operations where the enterprise identity ecosystem (IdM with LDAP/Kerberos/CA, AD integration, vault secrets) provides the authentication foundation that the security monitoring layer (audit subsystem with auid tracking, system roles configuration) relies on to attribute all administrative actions to verified identities.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-identity-governed-security-operations.json"},{"id":"rhel9-identity-integrated-observability","text":"RHEL 9 observability is identity-integrated at both collection and verification layers: the centralized logging and audit subsystem (rsyslog framework, file watches, auid login identity tracking) feeds into identity-verified security monitoring where IdM-provided Kerberos identities ensure audit trails are tied to verified principals, not just 
UIDs.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-identity-integrated-observability.json"},{"id":"rhel9-identity-provisioned-security-governed-workloads","text":"RHEL 9 workloads are identity-controlled from cradle to runtime: the identity-authenticated provisioning pipeline (IdM/AD health-monitored identity feeding subscription-gated content delivery) produces systems whose workloads (VMs and containers) then operate within the comprehensive security posture with MCS-enforced inter-workload isolation.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-identity-provisioned-security-governed-workloads.json"},{"id":"rhel9-idm-ad-cross-forest-trust","text":"IdM-AD trust is a cross-forest trust (not a simple domain trust) that integrates Kerberos, LDAP, DNS, and certificate services between the two environments.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-idm-ad-cross-forest-trust.json"},{"id":"rhel9-idm-ad-trust-one-way","text":"IdM typically establishes a one-way trust where AD users can authenticate to IdM-managed services, not the reverse.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-idm-ad-trust-one-way.json"},{"id":"rhel9-idm-ad-trust-prerequisites","text":"Establishing an IdM-AD trust requires common Kerberos encryption types, firewall ports (389/636, 88/464, 53, 135, 138, 139, 445, 3268), proper DNS resolution between domains, and Kerberos realm 
configuration.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-idm-ad-trust-prerequisites.json"},{"id":"rhel9-idm-bundled-components","text":"Red Hat Identity Management (IdM) bundles 389 Directory Server, MIT Kerberos KDC, SSSD, and Certmonger into one integrated identity solution.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-idm-bundled-components.json"},{"id":"rhel9-idm-is-freeipa","text":"Red Hat IdM is the upstream FreeIPA project packaged by Red Hat.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-idm-is-freeipa.json"},{"id":"rhel9-idm-optional-dns-ca","text":"IdM can optionally provide its own integrated DNS and Certificate Authority (Dogtag CA), or integrate with existing external DNS and CA infrastructure; this choice is made at install time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-idm-optional-dns-ca.json"},{"id":"rhel9-idm-pretuned-for-typical-deployments","text":"IdM is pre-tuned for typical deployments by default; manual performance tuning is only needed for large-scale, high-load, or latency-sensitive environments.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-idm-pretuned-for-typical-deployments.json"},{"id":"rhel9-idm-three-roles","text":"IdM (Identity Management) has three installable roles: server, replica, and client, installed via `ipa-server-install`, `ipa-replica-install`, and `ipa-client-install` 
respectively.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-idm-three-roles.json"},{"id":"rhel9-ifcfg-deprecated-keyfile","text":"The ifcfg format for NetworkManager profiles is deprecated in RHEL 9; use `nmcli connection migrate` to convert to keyfile format.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-ifcfg-deprecated-keyfile.json"},{"id":"rhel9-ifcfg-deprecated-keyfile-default","text":"The `ifcfg` format for NetworkManager profiles is deprecated in RHEL 9; keyfile format in `/etc/NetworkManager/system-connections/` is the default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-ifcfg-deprecated-keyfile-default.json"},{"id":"rhel9-infrastructure-deprecation-landscape","text":"RHEL 9 has deprecated core infrastructure components beyond networking: cgroups v1 (replaced by v2), the dump backup utility (replaced by tar/dd/bacula), ISC DHCP (replaced by Kea/dhcpcd), monolithic libvirtd (replaced by modular daemons), and virt-manager (replaced by Cockpit) — representing a systematic modernization of virtualization, storage, and service management subsystems.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-infrastructure-deprecation-landscape.json"},{"id":"rhel9-inst-repo-protocols","text":"Valid protocols for the `inst.repo=` kernel boot parameter: http, https, ftp, nfs, hmc (and cdrom for local 
media).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-inst-repo-protocols.json"},{"id":"rhel9-install-gnome-group","text":"Installing GNOME on a minimal RHEL 9 system uses `dnf groupinstall \"Server with GUI\"`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-install-gnome-group.json"},{"id":"rhel9-install-gnome-groupinstall","text":"Installing GNOME on a minimal RHEL 9 system is done with `dnf groupinstall \"Server with GUI\"`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-install-gnome-groupinstall.json"},{"id":"rhel9-installation-method-spectrum","text":"RHEL 9 offers a spectrum of installation methods from interactive (Anaconda GUI) through semi-automated (Boot ISO + network) to fully automated (Kickstart), with CDN registration support.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-installation-method-spectrum.json"},{"id":"rhel9-installer-network-configuration","text":"RHEL 9 installer supports layered network configuration via boot parameters: DHCP by default, static IP override via the seven-field ip= syntax (IP::GATEWAY:NETMASK:HOSTNAME:INTERFACE:none), custom interface naming via ifname=interface:MAC, and bootdev= required for designating the primary boot interface in multi-NIC environments.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-installer-network-configuration.json"},{"id":"rhel9-iptables-deprecated-nftables-replacement","text":"The `iptables` backend 
in `firewalld` is deprecated in RHEL 9; `nftables` is the replacement.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-iptables-deprecated-nftables-replacement.json"},{"id":"rhel9-iptables-viable-firewall-backend","text":"The iptables backend remains a viable production firewall option for firewalld on RHEL 9, controlling incoming, outgoing, and forwarded traffic.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-iptables-viable-firewall-backend.json"},{"id":"rhel9-isc-dhcp-deprecated","text":"ISC DHCP (client and server) is deprecated in RHEL 9; replacements are ISC Kea (server) and `dhcpcd` (client).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-isc-dhcp-deprecated.json"},{"id":"rhel9-kernel-configuration-management","text":"RHEL 9 manages kernel configuration across two complementary dimensions: runtime module lifecycle (loadable drivers with lsmod/modprobe, persistent blacklisting) and boot parameter management (grubby for persistent kernel args, CPU vulnerability mitigations, crashkernel memory reservation).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-kernel-configuration-management.json"},{"id":"rhel9-kernel-hz-1000","text":"RHEL 9 kernel is configured with `CONFIG_HZ = 1000` (timer interrupt frequency).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-kernel-hz-1000.json"},{"id":"rhel9-kernel-module-lifecycle","text":"RHEL 9 manages kernel drivers as loadable 
modules with a complete lifecycle: modules stored in `/lib/modules/$(uname -r)/`, managed via lsmod/modprobe/modprobe -r/modinfo commands, with persistent blacklisting via `modprobe.blacklist=` that survives installation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-kernel-module-lifecycle.json"},{"id":"rhel9-kernel-module-management-commands","text":"Kernel modules are managed with `lsmod` (list loaded), `modprobe` (load), `modprobe -r` (unload), and `modinfo` (query info); persistent config goes in `/etc/modprobe.d/*.conf`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-kernel-module-management-commands.json"},{"id":"rhel9-kernel-to-session-enforcement-chain","text":"RHEL 9 enforces security continuously from kernel boot (managed boot parameters, CPU mitigations, module blacklisting) through userspace access control (pam_faillock, password aging, SSH key auth, DAC permissions, SELinux MAC), creating an unbroken chain from hardware initialization to authenticated sessions.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-kernel-to-session-enforcement-chain.json"},{"id":"rhel9-kickstart-automated-install","text":"RHEL 9 supports automatic installation via Kickstart, which provides predefined configuration for Anaconda.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-kickstart-automated-install.json"},{"id":"rhel9-kickstart-for-many-systems","text":"Kickstart is the preferred automated installation method for deploying many RHEL systems; the graphical installer is for one or a few 
systems.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-kickstart-for-many-systems.json"},{"id":"rhel9-layered-data-protection","text":"RHEL 9 protects data at rest through two independent and complementary layers: cryptographic protection (LUKS2 encryption with NBDE automated decryption governed by system-wide crypto policies) and mandatory access control (SELinux DAC → Type Enforcement → MCS enforcement chain) — ensuring that even if one layer is bypassed, the other independently restricts unauthorized access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-layered-data-protection.json"},{"id":"rhel9-legacy-allows-sha1-signatures","text":"LEGACY is the only predefined crypto policy that allows SHA-1 in digital signatures; the `DEFAULT:SHA1` subpolicy is the targeted alternative.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-legacy-allows-sha1-signatures.json"},{"id":"rhel9-libvirtd-deprecated-modular-daemons","text":"The monolithic `libvirtd` daemon is deprecated in RHEL 9; modular libvirt daemons are the replacement.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-libvirtd-deprecated-modular-daemons.json"},{"id":"rhel9-lightspeed-ai-cli-assistant","text":"RHEL Lightspeed is an AI-powered command-line assistant for RHEL 9 that uses natural language input, grounded in RHEL documentation and the Red Hat 
Knowledgebase.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-lightspeed-ai-cli-assistant.json"},{"id":"rhel9-logging-input-types","text":"Logging system role input types are: `basics` (local journal/socket), `remote` (network receiver), and `files` (specific file paths).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-logging-input-types.json"},{"id":"rhel9-logging-output-types","text":"Logging system role output types are: `files` (local), `remote_files` (per-host remote storage organized by `%FROMHOST%`), and `forwards` (send to remote server).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-logging-output-types.json"},{"id":"rhel9-logging-role-name","text":"The RHEL logging system role is `redhat.rhel_system_roles.logging` and configures rsyslog on managed nodes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-logging-role-name.json"},{"id":"rhel9-logging-role-three-variable-groups","text":"The logging system role uses three variable groups: `logging_inputs` (log sources), `logging_outputs` (log destinations), and `logging_flows` (connecting inputs to outputs).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-logging-role-three-variable-groups.json"},{"id":"rhel9-logging-selinux-syslog-ports","text":"Default SELinux-allowed syslog ports are 601, 514, 6514, 10514, and 
20514.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-logging-selinux-syslog-ports.json"},{"id":"rhel9-logging-system-role-framework","text":"The RHEL 9 logging system role (redhat.rhel_system_roles.logging) provides a structured rsyslog configuration framework organized around three variable groups: inputs (basics/remote/files as log sources), outputs (files/remote_files/forwards as destinations), and flows connecting them, with SELinux constraining allowed syslog ports to 601, 514, 6514, 10514, and 20514.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-logging-system-role-framework.json"},{"id":"rhel9-logging-tls-requires-idm","text":"TLS for the logging system role requires managed nodes to be enrolled in an IdM domain for CA-signed certificates.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-logging-tls-requires-idm.json"},{"id":"rhel9-logging-tls-requires-idm-enrollment","text":"TLS for the logging system role requires managed nodes to be enrolled in an IdM domain for CA-signed certificates.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-logging-tls-requires-idm-enrollment.json"},{"id":"rhel9-logging-udp-overrides-tcp","text":"In the logging system role, if both `udp_ports` and `tcp_ports` are set on a remote input, `udp_ports` is used and `tcp_ports` is 
dropped.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-logging-udp-overrides-tcp.json"},{"id":"rhel9-logging-udp-tcp-conflict","text":"When both `udp_ports` and `tcp_ports` are set on a logging system role remote input, `udp_ports` is used and `tcp_ports` is dropped.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-logging-udp-tcp-conflict.json"},{"id":"rhel9-lspci-k-shows-device-drivers","text":"The command `lspci -k` lists PCI devices and their associated kernel driver modules.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-lspci-k-shows-device-drivers.json"},{"id":"rhel9-luks2-default-disk-encryption","text":"LUKS2 is the default disk-encryption format in RHEL 9; LUKS1 volumes use the `luksmeta` package for NBDE state storage.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-luks2-default-disk-encryption.json"},{"id":"rhel9-luks2-default-format","text":"LUKS2 is the default disk-encryption format in RHEL 9; LUKS1 volumes use the `luksmeta` package for NBDE state storage.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-luks2-default-format.json"},{"id":"rhel9-managed-application-workload-infrastructure","text":"RHEL 9 provides fully managed application workload infrastructure combining compute (KVM/QEMU/libvirt with Cockpit management), encrypted storage (LVM three-layer abstraction with LUKS2/NBDE automated decryption), and application runtimes (relational databases via 
AppStream, managed Python ecosystem, RPM packaging lifecycle) into a single integrated platform.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-managed-application-workload-infrastructure.json"},{"id":"rhel9-managed-compute-storage-infrastructure","text":"RHEL 9 provides managed compute-and-storage infrastructure: the KVM/QEMU/libvirt virtualization stack with Cockpit web management runs workloads on LVM-managed storage volumes protected by LUKS2/NBDE automated disk encryption, giving administrators a unified infrastructure layer where compute placement and encrypted storage are both centrally manageable.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-managed-compute-storage-infrastructure.json"},{"id":"rhel9-managed-database-platform","text":"RHEL 9 provides a managed relational database platform: three supported RDBMS (MariaDB, MySQL, PostgreSQL) delivered via AppStream repository module streams for version selection, with standardized default ports (3306 for MariaDB/MySQL, 5432 for PostgreSQL).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-managed-database-platform.json"},{"id":"rhel9-managed-encrypted-storage","text":"RHEL 9 combines flexible volume management with automated disk encryption: LVM provides the three-layer abstraction (PV → VG → LV) with online extension capability, while NBDE with Clevis/Tang automates the decryption of those volumes at boot — enabling encrypted, dynamically resizable storage that requires no manual passphrase 
entry.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-managed-encrypted-storage.json"},{"id":"rhel9-managed-virtualization-stack","text":"RHEL 9 provides a fully managed virtualization stack: KVM/QEMU/libvirt for VM execution with virsh/virt-install for CLI management, and the Cockpit web console (socket-activated on port 9090, firewall-integrated) as the modern browser-based management interface replacing the deprecated virt-manager.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-managed-virtualization-stack.json"},{"id":"rhel9-minor-release-cadence-6-months","text":"RHEL 9 follows a minor release cadence of approximately every 6 months (9.0 May 2022 through 9.7 Nov 2025).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-minor-release-cadence-6-months.json"},{"id":"rhel9-minor-releases-9-0-through-9-7","text":"RHEL 9 has minor releases from 9.0 through 9.7.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-minor-releases-9-0-through-9-7.json"},{"id":"rhel9-mitigations-boot-parameter","text":"The `mitigations=` kernel boot parameter controls all CPU vulnerability mitigations: `off` disables all of them, `auto` (default) enables them and leaves SMT on, and `auto,nosmt` enables them and also disables SMT if a mitigation needs it.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-mitigations-boot-parameter.json"},{"id":"rhel9-mmio-mds-taa-shared-mitigation","text":"MMIO stale data, MDS, and TAA mitigations share the same CPU buffer clearing 
mechanism; disabling one may require disabling the others.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-mmio-mds-taa-shared-mitigation.json"},{"id":"rhel9-modernizing-application-platform","text":"RHEL 9 application platform is actively modernizing: runtime infrastructure (databases via AppStream streams, managed Python ecosystem, RPM packaging lifecycle) evolves in parallel with systematic deprecation of legacy components (ifcfg, iptables, teaming, cgroups v1, monolithic libvirtd) driving migration to modern replacements.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-modernizing-application-platform.json"},{"id":"rhel9-monolithic-libvirtd-management","text":"RHEL 9 virtualization can be managed through the monolithic libvirtd daemon alongside virsh, virt-install, and the Cockpit web console.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-monolithic-libvirtd-management.json"},{"id":"rhel9-mptcp-support","text":"RHEL 9 supports Multipath TCP (MPTCP), enabling a single TCP connection to use multiple network paths simultaneously.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-mptcp-support.json"},{"id":"rhel9-multi-architecture-hardened-platform","text":"RHEL 9 delivers a security-hardened platform across four supported architectures (x86-64, ARM, POWER, Z) with per-architecture CPU minimums and separate subscription requirements, sharing common defense-in-depth defaults (SELinux enforcing, firewalld active, SHA-1 disabled, system-wide crypto policies) though per-architecture differences 
exist in kernel configuration.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-multi-architecture-hardened-platform.json"},{"id":"rhel9-multi-architecture-platform-requirements","text":"RHEL 9 supports four architectures with per-architecture minimum CPU microarchitecture versions, separate subscription requirements, and architecture-specific kernel configurations (e.g., 4k page size default on ARM).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-multi-architecture-platform-requirements.json"},{"id":"rhel9-nbde-decryption-stack","text":"RHEL 9 provides a complete Network-Bound Disk Encryption stack: Clevis client-side framework, Tang stateless server on port 80, multiple pin types (tang/tpm2/pkcs11/sss), and JWK-based key management.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-nbde-decryption-stack.json"},{"id":"rhel9-nbde-nonroot-unlock-requires-clevis-systemd","text":"Non-root volume auto-unlock requires `clevis-systemd` package, `systemctl enable clevis-luks-askpass.path`, and `_netdev` in fstab/crypttab.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-nbde-nonroot-unlock-requires-clevis-systemd.json"},{"id":"rhel9-nbde-nonroot-volume-unlock-requirements","text":"Automated non-root volume unlock with NBDE requires the `clevis-systemd` package, enabling `clevis-luks-askpass.path`, and adding `_netdev` to 
fstab/crypttab.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-nbde-nonroot-volume-unlock-requirements.json"},{"id":"rhel9-nbde-root-unlock-requires-clevis-dracut","text":"Root volume auto-unlock with NBDE requires the `clevis-dracut` package and running `dracut -fv --regenerate-all`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-nbde-root-unlock-requires-clevis-dracut.json"},{"id":"rhel9-nbde-root-volume-unlock-requirements","text":"Automated root volume unlock with NBDE requires the `clevis-dracut` package and running `dracut -fv --regenerate-all`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-nbde-root-volume-unlock-requirements.json"},{"id":"rhel9-nbde-volume-unlock-requirements","text":"NBDE auto-unlock diverges by volume type: root volumes require clevis-dracut and initramfs regeneration, while non-root volumes require clevis-systemd and _netdev mount option.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-nbde-volume-unlock-requirements.json"},{"id":"rhel9-network-teaming-deprecated","text":"Network teaming (`teamd`/`libteam`) is deprecated in RHEL 9; bonding is the recommended replacement.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-network-teaming-deprecated.json"},{"id":"rhel9-network-teaming-deprecated-use-bonding","text":"Network teaming (`teamd`/`libteam`) is deprecated in RHEL 9; bonding is the 
replacement.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-network-teaming-deprecated-use-bonding.json"},{"id":"rhel9-networking-deprecation-shift","text":"RHEL 9 networking has undergone a systematic deprecation of legacy technologies: ifcfg replaced by keyfile, iptables by nftables, network teaming by bonding, and SCP by SFTP.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-networking-deprecation-shift.json"},{"id":"rhel9-networking-stack-networkmanager","text":"NetworkManager (nmcli, nmtui) is the networking stack in RHEL 9.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-networking-stack-networkmanager.json"},{"id":"rhel9-networkmanager-default","text":"NetworkManager is the default networking service in RHEL 9, replacing legacy network-scripts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-networkmanager-default.json"},{"id":"rhel9-nondisruptive-selinux-fleet-automation","text":"SELinux mode and policy changes can be deployed fleet-wide via Ansible automation and semanage export/import without requiring coordinated maintenance windows for reboots.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-nondisruptive-selinux-fleet-automation.json"},{"id":"rhel9-ntp-time-synchronization-stack","text":"RHEL 9 provides a secure NTP time synchronization stack with chrony as the default implementation and a restricted-privilege service mode for minimal client 
configurations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-ntp-time-synchronization-stack.json"},{"id":"rhel9-observable-enforcement-from-kernel-to-session","text":"RHEL 9 enforcement is both deeply layered and continuously observable: the kernel-to-session enforcement chain (hardened kernel runtime through pre-auth/post-auth access control) operates under authenticated observable security operations (identity-governed access with operational visibility), meaning every enforcement layer from boot parameters through SELinux to user sessions is simultaneously enforced, identity-attributed, and audit-logged.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-observable-enforcement-from-kernel-to-session.json"},{"id":"rhel9-observable-security-compliance-posture","text":"RHEL 9 enables continuously observable and verifiable security by combining operational visibility (audit subsystem with login tracking and diagnostic reporting via sos) with compliance verification (AIDE file integrity monitoring, OpenSCAP policy scanning, pre-configured compliance rules for OSPP/PCI-DSS/STIG) into a single observable security posture.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-observable-security-compliance-posture.json"},{"id":"rhel9-only-desktop-gnome","text":"GNOME is the only desktop environment available in RHEL 9; no KDE or other alternative DE is shipped.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-only-desktop-gnome.json"},{"id":"rhel9-openldap-downgraded-level-4","text":"openldap was 
downgraded to Compatibility Level 4 in RHEL 9 due to upstream instability.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-openldap-downgraded-level-4.json"},{"id":"rhel9-operational-visibility-framework","text":"RHEL 9 provides operational visibility through an integrated audit subsystem (file watches, login identity tracking via auid, pre-configured compliance rules) combined with structured diagnostic reporting (sos report with root-privilege collection and sos clean data obfuscation).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-operational-visibility-framework.json"},{"id":"rhel9-oscap-scanning-with-ssg","text":"OpenSCAP compliance scanning on RHEL 9 uses the `oscap` command with profiles from the `scap-security-guide` package, whose data stream is located at `/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-oscap-scanning-with-ssg.json"},{"id":"rhel9-pam-faillock-conf-path","text":"Account lockout policy on RHEL 9 is configured via `pam_faillock` in `/etc/security/faillock.conf`; locked accounts can be reset with `faillock --user username --reset`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-pam-faillock-conf-path.json"},{"id":"rhel9-pam-pwquality-conf-path","text":"Password quality requirements on RHEL 9 are configured via `pam_pwquality` in 
`/etc/security/pwquality.conf`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-pam-pwquality-conf-path.json"},{"id":"rhel9-patch-management-lifecycle","text":"RHEL 9 provides a structured patch management lifecycle: the content delivery architecture splits packages across BaseOS and AppStream repositories, DNF serves as the unified package manager, and security-specific tooling (`dnf check-update --security`, `dnf updateinfo info`) enables targeted security patching with advisory-level granularity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-patch-management-lifecycle.json"},{"id":"rhel9-pcs-primary-cluster-cli","text":"The `pcs` command is the primary CLI tool for configuring and managing Pacemaker/Corosync clusters on RHEL 9.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-pcs-primary-cluster-cli.json"},{"id":"rhel9-pcsd-must-be-enabled","text":"The `pcsd` service must be running and enabled on all nodes before Pacemaker cluster setup.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-pcsd-must-be-enabled.json"},{"id":"rhel9-per-architecture-subscription","text":"Each RHEL 9 architecture requires its own separate subscription.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-per-architecture-subscription.json"},{"id":"rhel9-per-architecture-subscriptions","text":"RHEL subscriptions are per-architecture — each architecture requires its own subscription 
type.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-per-architecture-subscriptions.json"},{"id":"rhel9-performance-security-tradeoff-controls","text":"RHEL 9 exposes explicit performance-vs-security tradeoff controls: TuneD (enabled by default) provides profile-based system performance tuning, while security restrictions constrain high-performance subsystems — io_uring disabled by default (`kernel.io_uring_disabled=2`) and BPF restricted to privileged users (`kernel.unprivileged_bpf_disabled=2`) — requiring administrators to consciously relax security for performance gains.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-performance-security-tradeoff-controls.json"},{"id":"rhel9-platform-python-internal","text":"`/usr/libexec/platform-python` is a minimal internal Python for system tools and is not intended for user use.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-platform-python-internal.json"},{"id":"rhel9-point-releases-backward-compatible","text":"RHEL 9 point releases (9.0, 9.1, 9.2, …) maintain backward ABI/API compatibility within the major version.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-point-releases-backward-compatible.json"},{"id":"rhel9-post-install-fips-enablement","text":"FIPS 140 mode can be enabled after initial RHEL 9 installation using fips-mode-setup --enable as a day-2 operation, allowing deferred compliance without 
reimaging.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-post-install-fips-enablement.json"},{"id":"rhel9-post-install-hardening-sequence","text":"The post-installation hardening sequence is: update system (`dnf update`) → verify/enable firewall → disable unneeded services.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-post-install-hardening-sequence.json"},{"id":"rhel9-pre-auth-to-post-auth-access-control","text":"RHEL 9 enforces access control across the full authentication boundary: pre-authentication defenses (pam_faillock account lockout, chage password aging, SSH key-based authentication) gate entry, while post-authentication layered authorization (DAC ugo/rwx permissions → SELinux Type Enforcement → MCS category conjunction) restricts what authenticated subjects can access.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-pre-auth-to-post-auth-access-control.json"},{"id":"rhel9-process-to-data-isolation-framework","text":"RHEL 9 isolates both processes and persistent data: SELinux Type Enforcement with MCS categories and polyinstantiation isolates running processes and their filesystem views, while LUKS2/NBDE encryption and AIDE integrity monitoring protect data at rest independently of process-level controls.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-process-to-data-isolation-framework.json"},{"id":"rhel9-python-appstream-versions","text":"Additional Python versions (e.g., 3.11, 3.12) are available as separate packages from AppStream (e.g., `python3.11`, 
`python3.12`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-python-appstream-versions.json"},{"id":"rhel9-python-managed-ecosystem","text":"RHEL 9 provides a managed Python ecosystem: Python 3 only (no Python 2), internal platform-python reserved for system tools, /usr/bin/python symlink via dedicated package, and additional versions available from AppStream.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-python-managed-ecosystem.json"},{"id":"rhel9-python-unversioned-command","text":"RHEL 9 provides `/usr/bin/python` as a symlink to `python3` via the `python-unversioned-command` package.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-python-unversioned-command.json"},{"id":"rhel9-python-venv-recommended","text":"`python3 -m venv` is the recommended way to create isolated Python environments on RHEL 9; pip should be used inside virtual environments rather than system-wide.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-python-venv-recommended.json"},{"id":"rhel9-python3-default-no-python2","text":"RHEL 9 ships Python 3 only; Python 2 is not included in the base repositories.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-python3-default-no-python2.json"},{"id":"rhel9-rcu-nocbs-offload-callbacks","text":"The `rcu_nocbs=<cpu-list>` boot parameter offloads RCU callbacks from specified CPUs to dedicated kthreads, reducing OS jitter for real-time 
workloads.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-rcu-nocbs-offload-callbacks.json"},{"id":"rhel9-realmd-orchestrates-domain-join","text":"The `realmd` tool orchestrates AD domain join operations for both SSSD and Winbind backends using commands `realm join`, `realm discover`, and `realm list`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-realmd-orchestrates-domain-join.json"},{"id":"rhel9-requires-x86-64-v2","text":"RHEL 9 requires x86-64-v2 as the minimum CPU microarchitecture level for x86_64, meaning older CPUs lacking SSE4.2, POPCNT, etc. are unsupported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-requires-x86-64-v2.json"},{"id":"rhel9-resilient-compute-platform","text":"RHEL 9 provides resilient compute infrastructure by combining the managed KVM/QEMU/libvirt virtualization stack (with Cockpit web management and virsh CLI) and Pacemaker/Corosync HA clustering with mandatory STONITH fencing and pcs-managed service lifecycle.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-resilient-compute-platform.json"},{"id":"rhel9-resilient-containerized-compute","text":"RHEL 9 containers with defense-in-depth isolation (per-container MCS categories within SELinux Type Enforcement, layered with firewalld and crypto policies) run on resilient compute infrastructure (KVM/QEMU/libvirt with Pacemaker HA clustering, mandatory STONITH fencing, and Corosync membership), providing both workload isolation and infrastructure fault 
tolerance.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-resilient-containerized-compute.json"},{"id":"rhel9-rpm-packaging-lifecycle","text":"RHEL 9 provides a complete RPM packaging lifecycle: the rpmbuild directory tree (~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}) hosts spec files following the NVR naming convention with automatic distribution tagging via %{?dist}, build dependencies resolved through `dnf builddep`, and flexible output options (binary-only, source-only, or both RPMs).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-rpm-packaging-lifecycle.json"},{"id":"rhel9-rsyslogd-validate-config","text":"The command `rsyslogd -N 1` validates rsyslog configuration syntax on a managed node.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-rsyslogd-validate-config.json"},{"id":"rhel9-scp-deprecated-sftp-default","text":"The SCP protocol is deprecated in RHEL 9; SFTP is the default replacement in OpenSSH.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-scp-deprecated-sftp-default.json"},{"id":"rhel9-seamless-crypto-policy-transition","text":"Transitions between RHEL 9 system-wide cryptographic policies are seamless operations that take full immediate effect across all system services without disruption.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-seamless-crypto-policy-transition.json"},{"id":"rhel9-security-automatable-at-scale","text":"RHEL 9 security configuration 
is automatable at fleet scale through SELinux deployment automation (Ansible roles, semanage export/import, fixfiles autorelabel) integrated with RHEL System Roles for consistent cross-host configuration management.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-security-automatable-at-scale.json"},{"id":"rhel9-security-compliance-triad","text":"RHEL 9 provides three complementary security compliance mechanisms: continuous audit logging with original-identity tracking and pre-configured compliance rule sets (OSPP, PCI-DSS, STIG), file integrity monitoring via AIDE with init/check/update workflow, and automated SCAP scanning against predefined security profiles from scap-security-guide.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-security-compliance-triad.json"},{"id":"rhel9-security-from-hardware-to-policy","text":"RHEL 9 defense-in-depth extends from hardware-level security mitigations (SMT disable for L1TF/MDS, BPF JIT hardening, unprivileged BPF restrictions, MMIO buffer clearing) through software security controls (SELinux enforcing, firewalld active, system-wide crypto policies, granular audit logging), providing security assurance at every layer of the stack.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-security-from-hardware-to-policy.json"},{"id":"rhel9-security-governed-workload-isolation","text":"RHEL 9 workload isolation operates within the comprehensive security posture: virtual machines (KVM/QEMU/libvirt with Cockpit management) and containers (Podman with per-container MCS categories) both run under SELinux enforcing mode, behind firewalld network controls, within system-wide crypto 
policies, and under continuous audit surveillance, ensuring that workload boundaries are reinforced by defense-in-depth rather than standing alone.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-security-governed-workload-isolation.json"},{"id":"rhel9-security-hardened-defaults","text":"RHEL 9 ships with multiple security controls active by default: SELinux enforcing, firewalld active, SHA-1 disabled, and four predefined system-wide cryptographic policies (DEFAULT, LEGACY, FUTURE, FIPS).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-security-hardened-defaults.json"},{"id":"rhel9-security-integrated-lifecycle-platform","text":"RHEL 9 integrates security into every lifecycle phase: provisioning (Image Builder/Kickstart produce systems with hardened defaults), day-2 operations (DNF security updates, advisory-driven patching, audit/AIDE/OpenSCAP compliance verification), and upgrade paths (Leapp/bootc preserve security posture) — all governed by defense-in-depth controls, identity-based access, and system-wide crypto policies.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-security-integrated-lifecycle-platform.json"},{"id":"rhel9-security-preserving-platform-evolution","text":"RHEL 9 evolves its platform (deprecation modernization, minor release cadence, Leapp major upgrades, rpm-ostree atomic updates) while maintaining security integration at every lifecycle phase (provisioning through compliance monitoring), ensuring that modernization never creates security gaps — deprecated components are replaced by more secure alternatives, and new versions inherit the defense-in-depth 
posture.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-security-preserving-platform-evolution.json"},{"id":"rhel9-security-update-severity-filter","text":"Security updates can be filtered by severity using `dnf update --security --sec-severity=Critical` (levels: Critical, Important, Moderate, Low).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-security-update-severity-filter.json"},{"id":"rhel9-self-discovering-identity-provisioned-infrastructure","text":"RHEL 9 infrastructure self-configures through identity: new systems discover IdM services via DNS SRV autodiscovery and enroll into the identity-authenticated provisioning pipeline, receiving security configuration without manual endpoint specification.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-self-discovering-identity-provisioned-infrastructure.json"},{"id":"rhel9-selinux-enforcing-by-default","text":"RHEL 9 runs SELinux in enforcing mode by default as part of its security baseline.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-selinux-enforcing-by-default.json"},{"id":"rhel9-sendmail-deprecated-postfix-default","text":"Sendmail is deprecated in RHEL 9; Postfix is the default MTA.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-sendmail-deprecated-postfix-default.json"},{"id":"rhel9-service-firewall-port-matrix","text":"RHEL 9 infrastructure services require a coordinated set of firewall port openings: Cockpit 
web console (TCP 9090), HA cluster (TCP 2224/3121, UDP 5405), Tang NBDE server (TCP 80), databases (TCP 3306/5432), and IdM DNS (TCP/UDP 53).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-service-firewall-port-matrix.json"},{"id":"rhel9-sha1-deprecated-hmac-exception","text":"SHA-1 is deprecated for cryptographic purposes across RHEL 9, but HMAC-SHA1 and UUID generation remain allowed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-sha1-deprecated-hmac-exception.json"},{"id":"rhel9-sha1-disabled-by-default","text":"SHA-1 is not allowed by default for cryptographic signatures in RHEL 9; SHA-1 signatures can be enabled with `update-crypto-policies --set DEFAULT:SHA1` if needed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-sha1-disabled-by-default.json"},{"id":"rhel9-smt-disable-mitigates-l1tf-mds","text":"Disabling SMT (Simultaneous Multithreading) mitigates CPU side-channel attacks (L1TF, MDS) but reduces performance; SMT can be configured via the Cockpit web console.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-smt-disable-mitigates-l1tf-mds.json"},{"id":"rhel9-sos-clean-obfuscate","text":"`sos clean <report-path>` obfuscates sensitive data from a sos report before sharing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-sos-clean-obfuscate.json"},{"id":"rhel9-sos-report-command","text":"`sos report` is the command to generate a diagnostic data bundle for Red Hat Technical Support; the `sos` package 
is installed via `dnf install sos`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-sos-report-command.json"},{"id":"rhel9-sos-report-output-path","text":"sos reports are saved to `/var/tmp/` as compressed tarballs named `sosreport-<hostname>-<date>-<hash>.tar.xz`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-sos-report-output-path.json"},{"id":"rhel9-sos-report-requires-root","text":"Running `sos report` requires root privileges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-sos-report-requires-root.json"},{"id":"rhel9-ssh-crypto-override-prefix-below-50","text":"To override SSH crypto policy on RHEL 9, use a drop-in config file with a numeric prefix less than 50 in `/etc/ssh/sshd_config.d/`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-ssh-crypto-override-prefix-below-50.json"},{"id":"rhel9-sssd-caching-reduces-idm-load","text":"SSSD caching on clients is the primary mechanism for reducing IdM server load by caching identity and authentication data locally.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-sssd-caching-reduces-idm-load.json"},{"id":"rhel9-sssd-default-realmd-backend","text":"SSSD is the default/recommended backend when using `realmd` for AD integration on RHEL 
9.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-sssd-default-realmd-backend.json"},{"id":"rhel9-stable-kernel-branch-across-releases","text":"RHEL 9 maintains the 5.14.0 kernel branch across minor releases (9.3 through 9.5) on a six-month cadence, delivering security and feature updates through patch-level increments rather than kernel version bumps.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-stable-kernel-branch-across-releases.json"},{"id":"rhel9-stable-openldap-enterprise-directory","text":"OpenLDAP provides a stable enterprise directory service on RHEL 9 with guaranteed ABI backward compatibility across point releases.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-stable-openldap-enterprise-directory.json"},{"id":"rhel9-stonith-fencing-mandatory","text":"STONITH/fencing is mandatory in production Pacemaker clusters; disabling it is unsupported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-stonith-fencing-mandatory.json"},{"id":"rhel9-subscription-authenticated-lifecycle-management","text":"RHEL 9 manages the entire system lifecycle under subscription authentication: provisioning (Image Builder, Kickstart, Anaconda), day-2 patch management (DNF advisory-filtered updates across BaseOS/AppStream), and major version upgrades (Leapp sequential progression, bootc image-based updates) all require valid subscription registration before content 
flows.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-subscription-authenticated-lifecycle-management.json"},{"id":"rhel9-subscription-authenticated-patch-pipeline","text":"RHEL 9 patch management requires subscription authentication before any updates flow: systems must register and receive entitlements to access BaseOS and AppStream repositories, which then enables the full advisory-filtered patch lifecycle (security severity filtering, updateinfo queries, dnf update operations), creating a trust chain from Red Hat subscription through content delivery to system-level package updates.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-subscription-authenticated-patch-pipeline.json"},{"id":"rhel9-subscription-content-pipeline","text":"RHEL 9 requires a registration-to-content pipeline before systems can receive updates: registration via one of three methods (GUI/TUI, subscription-manager CLI, or activation key), per-architecture subscription assignment, and content delivery from either Red Hat CDN or Satellite Server.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-subscription-content-pipeline.json"},{"id":"rhel9-subscription-gated-content-lifecycle","text":"RHEL 9 content access follows a subscription-gated lifecycle: systems must first register via one of three methods (GUI/TUI, subscription-manager CLI, or activation key) to access the architecturally split BaseOS/AppStream repository system, which then provides the foundation for package installation, module stream selection, and security update 
management.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-subscription-gated-content-lifecycle.json"},{"id":"rhel9-subscription-managed-workload-infrastructure","text":"RHEL 9 application workload infrastructure (KVM/QEMU/libvirt compute, LVM/LUKS2/NBDE storage, Podman containers, managed databases) operates within subscription-authenticated lifecycle management (provisioning, patching, upgrade all gated by registration and entitlement), meaning workloads can only run on infrastructure whose every component is subscription-verified and patch-current.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-subscription-managed-workload-infrastructure.json"},{"id":"rhel9-supported-architectures","text":"RHEL 9 supports four architectures: x86_64, aarch64, ppc64le, and s390x.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-supported-architectures.json"},{"id":"rhel9-supported-databases","text":"RHEL 9 supports three relational database servers: MariaDB, MySQL, and PostgreSQL.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-supported-databases.json"},{"id":"rhel9-sysctl-page-lock-unfairness-default-5","text":"The sysctl `vm.page_lock_unfairness` defaults to 5; after 5 lock steals, fair lock handoff applies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-sysctl-page-lock-unfairness-default-5.json"},{"id":"rhel9-system-roles-configuration-management","text":"RHEL System Roles provide 
Ansible-based consistent configuration across hosts, with dual naming conventions (legacy and collection), covering key subsystems (timesync, network, selinux, storage, firewall, logging, kdump).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-system-roles-configuration-management.json"},{"id":"rhel9-systemctl-enable-vs-start","text":"`systemctl enable` makes a service persistent across reboots while `systemctl start` starts it immediately; both are needed to activate and persist a service.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-systemctl-enable-vs-start.json"},{"id":"rhel9-systemctl-universal-service-management","text":"All RHEL 9 services can be managed exclusively through systemctl for start, stop, restart, enable, and status operations.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-systemctl-universal-service-management.json"},{"id":"rhel9-systemd-native-isolated-container-platform","text":"RHEL 9 provides a systemd-native container platform where Podman containers are managed declaratively via Quadlet unit files with modernized infrastructure (SQLite backend, Netavark networking) and per-container MCS security isolation enforced by SELinux, enabling containers to be first-class systemd citizens with mandatory access control.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-systemd-native-isolated-container-platform.json"},{"id":"rhel9-tang-default-port-80","text":"Tang's default port is 80; custom ports require `semanage port -a -t tangd_port_t -p tcp 
<port>`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-tang-default-port-80.json"},{"id":"rhel9-tang-keys-location","text":"Tang server keys are stored in `/var/db/tang/` as `.jwk` files; key rotation hides old keys by prefixing with `.` (dot).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-tang-keys-location.json"},{"id":"rhel9-tang-keys-stored-var-db-tang","text":"Tang keys are stored in `/var/db/tang/` as `.jwk` files; key rotation hides old keys by prefixing with `.` (dot).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-tang-keys-stored-var-db-tang.json"},{"id":"rhel9-three-installation-sources","text":"RHEL 9 interactive installation supports three sources: physical installation media (USB/DVD), ISO file, or Red Hat CDN.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-three-installation-sources.json"},{"id":"rhel9-two-default-repos-baseos-appstream","text":"RHEL 9 distributes content across two default repositories: BaseOS and AppStream.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-two-default-repos-baseos-appstream.json"},{"id":"rhel9-two-iso-types","text":"RHEL 9 provides two ISO types: Installation ISO (full, contains BaseOS + AppStream) and Boot ISO (minimal, requires network repository 
access).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-two-iso-types.json"},{"id":"rhel9-unified-authentication-service-stack","text":"RHEL 9 provides a unified authentication service stack where SSSD serves as the central identity daemon for external identity providers, authselect configures the PAM/NSS authentication profile, and SSSD client-side caching reduces IdM server load by locally caching identity and authentication data.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-unified-authentication-service-stack.json"},{"id":"rhel9-uniform-content-lifecycle-coverage","text":"All packages from RHEL 9 official repositories receive uniform support lifecycle coverage matching the base OS ten-year lifecycle.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-uniform-content-lifecycle-coverage.json"},{"id":"rhel9-universal-mcs-workload-isolation","text":"All RHEL 9 workloads — both containers and interactive user sessions — benefit from MCS category-based inter-workload isolation without additional configuration.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-universal-mcs-workload-isolation.json"},{"id":"rhel9-unprivileged-bpf-disabled-default","text":"In RHEL 9, unprivileged BPF access is restricted by default (`unprivileged_bpf_disabled = 2`), meaning the `bpf()` syscall is limited to privileged users but an admin can change 
this.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-unprivileged-bpf-disabled-default.json"},{"id":"rhel9-virt-manager-deprecated-cockpit-replacement","text":"`virt-manager` is deprecated in RHEL 9; Cockpit (RHEL web console) is the replacement GUI for VM management.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-virt-manager-deprecated-cockpit-replacement.json"},{"id":"rhel9-virt-stack-components","text":"The RHEL 9 virtualization stack consists of KVM (kernel module), QEMU (device emulation), and libvirt (management API/daemon).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-virt-stack-components.json"},{"id":"rhel9-virt-supported-architectures","text":"RHEL 9 virtualization is supported on Intel 64 (x86_64), AMD64, and IBM Z, with varying feature availability per architecture.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-virt-supported-architectures.json"},{"id":"rhel9-virtual-console-switch","text":"Virtual consoles are accessed via Ctrl+Alt+F2 through F6; the graphical session typically runs on F1.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-virtual-console-switch.json"},{"id":"rhel9-virtualization-platform","text":"RHEL 9 provides a complete virtualization platform: KVM as the kernel-level hypervisor, QEMU for device emulation, libvirt as the management API/daemon, with multiple management interfaces (virsh CLI, virt-install for VM creation, Cockpit web 
console on port 9090).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-virtualization-platform.json"},{"id":"rhel9-virtualization-uses-kvm","text":"RHEL 9 uses KVM (Kernel-based Virtual Machine) as its virtualization technology, not Xen or VMware.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-virtualization-uses-kvm.json"},{"id":"rhel9-vm-management-virsh-cockpit","text":"RHEL 9 VMs can be managed via `virsh` (CLI), `virt-install` (VM creation), or the Cockpit web console at port 9090.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-vm-management-virsh-cockpit.json"},{"id":"rhel9-vnc-headless-install","text":"The `inst.vnc` boot parameter enables graphical installation on headless systems, supporting both Direct and Connect modes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-vnc-headless-install.json"},{"id":"rhel9-vpn-ipsec-wireguard","text":"RHEL 9 supports both IPsec and WireGuard as VPN technologies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-vpn-ipsec-wireguard.json"},{"id":"rhel9-web-console-based-on-cockpit","text":"The RHEL 9 web console is based on the upstream Cockpit project.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-web-console-based-on-cockpit.json"},{"id":"rhel9-web-console-management-stack","text":"The RHEL 9 web console 
(Cockpit) provides browser-based system management through a defined deployment pattern: socket-activated service (not a persistent daemon), default listener on port 9090, and firewalld service integration for access control.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-web-console-management-stack.json"},{"id":"rhel9-x86-64-v2-minimum","text":"RHEL 9 requires x86-64-v2 as the minimum x86_64 microarchitecture level, meaning CPUs without SSE4.2 and POPCNT (roughly pre-2009 AMD, pre-2008 Intel) are not supported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-x86-64-v2-minimum.json"},{"id":"rhel9-yum-dnf-aliases","text":"`yum` and `dnf` are interchangeable aliases in RHEL 9.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-yum-dnf-aliases.json"},{"id":"rhel9-zero-downtime-crypto-modernization","text":"RHEL 9 cryptographic posture can be modernized fleet-wide without service disruption by combining automated crypto policy deployment (Ansible system roles, semanage export/import) with the four-tier policy lifecycle (DEFAULT/LEGACY/FUTURE/FIPS with custom subpolicies).","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel9-zero-downtime-crypto-modernization.json"},{"id":"rhel91-fagenrules-load-no-restart","text":"In RHEL 9.1+, `fagenrules --load` reloads fapolicy rules without requiring a manual `fapolicyd` 
restart.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel91-fagenrules-load-no-restart.json"},{"id":"rhel91-free-command-used-memory-calculation","text":"In RHEL 9.1+, the `free` command calculates used memory as total minus available, accounting for unreclaimable cache and tmpfs objects.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel91-free-command-used-memory-calculation.json"},{"id":"rhel91-grubby-persists-kernel-args","text":"In RHEL 9.1+, `grubby --update-kernel=ALL --args=\"<argument>\"` correctly persists kernel command-line arguments across kernel upgrades.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel91-grubby-persists-kernel-args.json"},{"id":"rhel91-ipv6-address-priority-order","text":"NetworkManager in RHEL 9.1 orders IPv6 source addresses by priority: manual > dhcpv6 > autoconf6.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel91-ipv6-address-priority-order.json"},{"id":"rhel91-kdumpctl-estimate-crashkernel","text":"The command `kdumpctl estimate` checks estimated crashkernel memory reservation requirements.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel91-kdumpctl-estimate-crashkernel.json"},{"id":"rhel91-openssl-fips-restrictions","text":"In RHEL 9.1 FIPS mode, OpenSSL disallows 3DES, RSA keys smaller than 2048 bits, and RSA key exchange; the `req` tool uses AES-256-CBC for key 
encryption.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel91-openssl-fips-restrictions.json"},{"id":"rhel91-selinux-staff-u-secure-mode","text":"When the SELinux `secure_mode` boolean is enabled, `staff_u` users cannot switch to the `unconfined_r` role.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel91-selinux-staff-u-secure-mode.json"},{"id":"rhel91-sssd-ldap-ignore-unreadable-references","text":"SSSD option `ldap_ignore_unreadable_references` (default: false) controls whether unreadable LDAP group members cause errors.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel91-sssd-ldap-ignore-unreadable-references.json"},{"id":"rhel92-beta-march-2023-ga-may-2023","text":"RHEL 9.2 was released as Beta on March 29, 2023, with GA release notes published May 10, 2023.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel92-beta-march-2023-ga-may-2023.json"},{"id":"rhel93-kernel-version","text":"RHEL 9.3 ships with kernel version 5.14.0-362.8.1.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel93-kernel-version.json"},{"id":"rhel93-supported-architectures","text":"RHEL 9.3 supports four architectures: x86_64 (min x86-64-v2), aarch64 (min ARMv8.0-A), ppc64le (min POWER9), and s390x (min 
z14).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel93-supported-architectures.json"},{"id":"rhel94-appstream-versions","text":"RHEL 9.4 Application Streams include Python 3.12, Ruby 3.3, PHP 8.2, nginx 1.24, MariaDB 10.11, and PostgreSQL 16.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-appstream-versions.json"},{"id":"rhel94-chronyd-restricted-service","text":"The `chronyd-restricted` service runs chrony without root privileges for minimal client-only NTP configurations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-chronyd-restricted-service.json"},{"id":"rhel94-cni-deprecated-netavark-default","text":"The CNI network stack for Podman containers is deprecated in RHEL 9.4 in favor of Netavark; CNI will be removed in a future release.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-cni-deprecated-netavark-default.json"},{"id":"rhel94-fips-edge-provisioning-only","text":"FIPS mode for RHEL for Edge images must be enabled during image provisioning and cannot be changed after the build starts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-fips-edge-provisioning-only.json"},{"id":"rhel94-image-builder-partitioning-modes","text":"RHEL Image Builder supports custom mount points and partitioning modes: `auto-lvm`, `lvm`, and 
`raw`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-image-builder-partitioning-modes.json"},{"id":"rhel94-kernel-version","text":"RHEL 9.4 ships with kernel version 5.14.0-427.13.1.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-kernel-version.json"},{"id":"rhel94-kvm-64bit-arm-fully-supported","text":"KVM virtualization on 64-bit ARM (aarch64) is fully supported in RHEL 9.4 (promoted from tech preview).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-kvm-64bit-arm-fully-supported.json"},{"id":"rhel94-modernized-podman-ecosystem","text":"RHEL 9.4 modernizes the Podman container ecosystem across three infrastructure layers: SQLite replaces BoltDB as the default database backend, Netavark replaces CNI for container networking, and Quadlet gains .build, .pod, and .image unit types for declarative systemd-native container management.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-modernized-podman-ecosystem.json"},{"id":"rhel94-nft-reset-command","text":"The `nft reset` command can reset stateful objects (counters, quotas) in nftables rules.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-nft-reset-command.json"},{"id":"rhel94-nmstatectl-gr-revert","text":"`nmstatectl gr new.yml > revert.yml` generates a revert configuration file before applying network 
changes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-nmstatectl-gr-revert.json"},{"id":"rhel94-openssh-sysusers-d","text":"OpenSSH in RHEL 9.4 uses `sysusers.d` format for system user/group creation, replacing static `useradd` scripts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-openssh-sysusers-d.json"},{"id":"rhel94-openssl-dropin-directory","text":"OpenSSL provider configurations can be placed in `/etc/pki/tls/openssl.d/*.conf` as a drop-in directory without modifying the main config file.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-openssl-dropin-directory.json"},{"id":"rhel94-podman-farm-build-multiarch","text":"Podman 4.9 in RHEL 9.4 supports `podman farm build` for building multi-architecture container images (Tech Preview).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-podman-farm-build-multiarch.json"},{"id":"rhel94-podman-quadlet-new-units","text":"Podman Quadlet in RHEL 9.4 supports `.build`, `.pod`, and `.image` unit types in addition to existing container units.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-podman-quadlet-new-units.json"},{"id":"rhel94-podman-sqlite-default-boltdb-deprecated","text":"In RHEL 9.4, SQLite is the fully supported default database backend for Podman; BoltDB is 
deprecated.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-podman-sqlite-default-boltdb-deprecated.json"},{"id":"rhel94-selinux-userspace-36-deny-rules","text":"SELinux userspace 3.6 in RHEL 9.4 introduces deny rules, allowing policies to explicitly deny access (not just allow/don't-allow).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-selinux-userspace-36-deny-rules.json"},{"id":"rhel94-semanage-fcontext-lc-order","text":"`semanage fcontext -l -C` now lists local file context modifications in correct order (oldest to newest), matching `restorecon` processing order.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-semanage-fcontext-lc-order.json"},{"id":"rhel94-sssd-fido2-passwordless","text":"SSSD in RHEL 9.4 supports passwordless authentication via FIDO2-compatible devices (e.g., YubiKey).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-sssd-fido2-passwordless.json"},{"id":"rhel94-upgrade-path-810-to-94","text":"RHEL supports in-place upgrade from RHEL 8.10 to RHEL 9.4; direct upgrade from RHEL 7 to RHEL 9 is not supported (requires two-stage upgrade via RHEL 8).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-upgrade-path-810-to-94.json"},{"id":"rhel94-vm-external-snapshots-default","text":"VM external snapshots are fully supported in RHEL 9.4 and are the default snapshot 
mechanism.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel94-vm-external-snapshots-default.json"},{"id":"rhel95-arch-minimum-versions","text":"RHEL 9.5 minimum hardware versions: x86_64 requires x86-64-v2, aarch64 requires ARMv8.0-A, ppc64le requires POWER9, s390x requires z14.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel95-arch-minimum-versions.json"},{"id":"rhel95-kernel-version","text":"RHEL 9.5 ships with kernel version 5.14.0-503.11.1.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rhel95-kernel-version.json"},{"id":"rpm-nvr-naming-convention","text":"RPM packages follow the Name-Version-Release (NVR) naming convention: `name-version-release.arch.rpm`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rpm-nvr-naming-convention.json"},{"id":"rpm-ostree-status-upgrade-rollback","text":"Key rpm-ostree commands: `rpm-ostree status` (check deployment), `rpm-ostree upgrade` (pull/stage update), `rpm-ostree rollback` (revert to previous).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rpm-ostree-status-upgrade-rollback.json"},{"id":"rpmbuild-bb-bs-ba-flags","text":"`rpmbuild -bb` builds binary RPMs only, `rpmbuild -bs` builds source RPMs only, and `rpmbuild -ba` builds 
both.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rpmbuild-bb-bs-ba-flags.json"},{"id":"rpmbuild-directory-structure","text":"The `rpmdev-setuptree` command creates the rpmbuild directory tree at `~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rpmbuild-directory-structure.json"},{"id":"rsyslogd-validate-config-syntax","text":"`rsyslogd -N 1` validates rsyslog configuration syntax on a managed node.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/rsyslogd-validate-config-syntax.json"},{"id":"selinux-ansible-role-name","text":"The Ansible system role for SELinux is `redhat.rhel_system_roles.selinux`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-ansible-role-name.json"},{"id":"selinux-avc-denials-logged-audit-log","text":"SELinux AVC denials are logged to `/var/log/audit/audit.log` with entries prefixed `type=AVC`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-avc-denials-logged-audit-log.json"},{"id":"selinux-complete-isolation-framework","text":"SELinux provides process and data isolation through the MAC framework (Type Enforcement + MCS category-based conjunction access control) complemented by polyinstantiation for per-user or per-security-level directory separation of shared paths like /tmp and 
/var/tmp.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-complete-isolation-framework.json"},{"id":"selinux-complete-mac-framework","text":"SELinux on RHEL 9 provides a mandatory access control framework: layered enforcement (DAC → Type Enforcement → MCS), full mode lifecycle management (install-default enforcing → runtime toggle → persistent config → safe re-enable procedure), and fine-grained category-based isolation (1024 categories, conjunction access rule, post-DAC/TE evaluation).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-complete-mac-framework.json"},{"id":"selinux-config-file-location","text":"The persistent SELinux configuration file is `/etc/selinux/config`, containing `SELINUX=` and `SELINUXTYPE=` directives.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-config-file-location.json"},{"id":"selinux-context-four-fields","text":"Every SELinux context (label) has four fields: user, role, type, and security level.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-context-four-fields.json"},{"id":"selinux-dac-checked-before-mac","text":"DAC (traditional Unix permissions) rules are checked before SELinux (MAC) rules; if DAC denies access, SELinux is never consulted and no AVC denial is logged.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-dac-checked-before-mac.json"},{"id":"selinux-default-action-deny","text":"SELinux default action is deny; access 
requires an explicit allow rule in the policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-default-action-deny.json"},{"id":"selinux-default-policy-targeted","text":"The default SELinux policy on RHEL is `targeted`; the alternative is `mls` (Multi Level Security).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-default-policy-targeted.json"},{"id":"selinux-deploy-three-methods","text":"Three methods for deploying SELinux configuration across systems: Ansible system roles, web console (Cockpit), and `semanage export/import`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-deploy-three-methods.json"},{"id":"selinux-deployment-automation-toolkit","text":"SELinux configuration can be deployed and maintained at scale through an integrated automation toolkit: three deployment methods (Ansible system roles, Cockpit web console, semanage), the dedicated Ansible role (redhat.rhel_system_roles.selinux), portable settings transfer via semanage export/import, and filesystem relabeling orchestration via fixfiles — enabling consistent SELinux policy across fleet-wide deployments.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-deployment-automation-toolkit.json"},{"id":"selinux-enforcing-default-on-rhel-install","text":"SELinux enforcing mode is the default when RHEL is initially 
installed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-enforcing-default-on-rhel-install.json"},{"id":"selinux-fixfiles-f-onboot-creates-autorelabel","text":"The command `fixfiles -F onboot` creates the `/.autorelabel` file, triggering a full filesystem relabel on next boot.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-fixfiles-f-onboot-creates-autorelabel.json"},{"id":"selinux-getenforce-returns-current-mode","text":"The `getenforce` command returns the current SELinux mode: Enforcing, Permissive, or Disabled.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-getenforce-returns-current-mode.json"},{"id":"selinux-kernel-param-enforcing0-temporary-permissive","text":"The kernel parameter `enforcing=0` boots SELinux in permissive mode temporarily (boot-time only, not persistent).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-kernel-param-enforcing0-temporary-permissive.json"},{"id":"selinux-kernel-param-selinux0-disables","text":"The kernel parameter `selinux=0` completely disables SELinux at the kernel level; set via `grubby --update-kernel ALL --args selinux=0`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-kernel-param-selinux0-disables.json"},{"id":"selinux-layered-enforcement-model","text":"SELinux operates through a layered enforcement model: DAC is evaluated first, type is the primary policy mechanism, per-domain permissive mode enables targeted 
debugging, and AVC denials are logged for forensic analysis.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-layered-enforcement-model.json"},{"id":"selinux-mode-management-lifecycle","text":"SELinux mode management spans four persistence levels with a defined safe transition procedure: enforcing-by-default on fresh install, non-persistent runtime toggling via setenforce, boot-time kernel parameter overrides, persistent configuration in /etc/selinux/config, and a safe re-enablement sequence (disabled → permissive → audit denials → fixfiles relabel → enforcing).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-mode-management-lifecycle.json"},{"id":"selinux-module-priority-default-400","text":"SELinux module priority defaults to `400` when deployed via the Ansible system role.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-module-priority-default-400.json"},{"id":"selinux-npm-label-bin-t","text":"In RHEL 9.5, SELinux labels `npm` as `bin_t` (previously `lib_t`) to allow proper execution.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-npm-label-bin-t.json"},{"id":"selinux-per-domain-permissive-mode","text":"A single SELinux domain can be set to permissive mode with `semanage permissive -a <domain_t>` while the rest of the system remains 
enforcing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-per-domain-permissive-mode.json"},{"id":"selinux-polyinstantiation-boolean","text":"The SELinux boolean `allow_polyinstantiation` must be enabled (`setsebool -P allow_polyinstantiation 1`) to use polyinstantiated directories.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-polyinstantiation-boolean.json"},{"id":"selinux-polyinstantiation-isolation-mechanism","text":"SELinux polyinstantiation provides per-user or per-security-level directory isolation: configured in `/etc/security/namespace.conf` (not `namespace.d`), enforced via the `pam_namespace.so` PAM module, gated by the `allow_polyinstantiation` boolean, using the `user` method on non-MLS systems and the `level` method on MLS systems, verifiable with `findmnt`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-polyinstantiation-isolation-mechanism.json"},{"id":"selinux-reboot-required-for-config-changes","text":"A reboot is required for persistent SELinux mode changes made in `/etc/selinux/config` to take effect.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-reboot-required-for-config-changes.json"},{"id":"selinux-safe-reenable-procedure","text":"The safe procedure to re-enable SELinux is: disabled → permissive (reboot) → check denials → `fixfiles -F onboot` → enforcing 
(reboot).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-safe-reenable-procedure.json"},{"id":"selinux-three-states-enforcing-permissive-disabled","text":"SELinux has three configuration values for the SELINUX= directive: `enforcing`, `permissive`, and `disabled`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-three-states-enforcing-permissive-disabled.json"},{"id":"selinux-type-most-important-context-field","text":"The type field (ending in `_t`) is the most important SELinux context field; most policy rules operate on types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/selinux-type-most-important-context-field.json"},{"id":"semanage-export-import-transfers-settings","text":"`semanage export -f <file>` and `semanage import -f <file>` transfer all custom SELinux settings (ports, fcontexts, booleans) between systems.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/semanage-export-import-transfers-settings.json"},{"id":"semanage-export-requires-policycoreutils-python-utils","text":"The `policycoreutils-python-utils` package is required for `semanage export/import` functionality.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/semanage-export-requires-policycoreutils-python-utils.json"},{"id":"setenforce-non-persistent","text":"`setenforce 0` sets permissive mode and `setenforce 1` sets enforcing mode, both non-persistently (does not survive 
reboot).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/setenforce-non-persistent.json"},{"id":"setgid-directory-collaboration","text":"Set-GID bit (chmod g+s or octal 2775) on a directory causes new files to inherit the directory's group ownership. Sticky bit (chmod +t) on a directory prevents users from deleting other users' files.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/setgid-directory-collaboration.json"},{"id":"simple-content-access-default","text":"Simple Content Access (SCA) is the current default subscription model in RHEL; the legacy entitlement-based model is deprecated.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/simple-content-access-default.json"},{"id":"spec-file-sections-purpose","text":"An RPM spec file contains sections `%prep` (source preparation), `%build` (compilation), `%install` (file installation to buildroot), `%files` (packaged file list), and `%changelog` (change history).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/spec-file-sections-purpose.json"},{"id":"ssh-key-based-authentication","text":"SSH key-based auth uses public/private key pairs. ssh-keygen generates keys (Ed25519 recommended). ssh-copy-id deploys public key. Permissions: ~/.ssh (700), authorized_keys (600). 
Private key never leaves client.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/ssh-key-based-authentication.json"},{"id":"sssctl-sssd-troubleshooting","text":"`sssctl` is the utility for managing and troubleshooting SSSD on RHEL 9.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/sssctl-sssd-troubleshooting.json"},{"id":"sssd-central-identity-daemon","text":"SSSD (System Security Services Daemon) is the central service RHEL 9 uses to authenticate and authorize users against external identity backends (IdM, Active Directory, LDAP).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/sssd-central-identity-daemon.json"},{"id":"stratis-production-storage","text":"Stratis is production-ready for local storage management with thin provisioning and snapshots on RHEL 9.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/stratis-production-storage.json"},{"id":"stratis-tech-preview-rhel92","text":"Stratis local storage management (thin provisioning, snapshots, auto-grow) is a Technology Preview in RHEL 9.2, managed via the `stratis` CLI and `stratisd` daemon.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/stratis-tech-preview-rhel92.json"},{"id":"subscription-manager-progress-messages","text":"Subscription-manager progress messages can be re-enabled with `subscription-manager config 
--rhsm.progress_messages=1`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/subscription-manager-progress-messages.json"},{"id":"subscription-manager-register-activationkey-org","text":"Systems are registered with `subscription-manager register --activationkey=<key> --org=<org_id>` and successful registration returns a system UUID.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/subscription-manager-register-activationkey-org.json"},{"id":"sysstat-package-provides-sar-iostat-mpstat","text":"The `sysstat` package provides `sar`, `iostat`, and `mpstat` and must be installed separately on RHEL 9.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/sysstat-package-provides-sar-iostat-mpstat.json"},{"id":"systemctl-required-for-correct-selinux-labels","text":"Services must be started via `systemctl` to receive correct SELinux domain labels.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/systemctl-required-for-correct-selinux-labels.json"},{"id":"systemd-init-system-rhel9","text":"systemd is the init system and service manager for RHEL 9, managed via `systemctl` (enable, start, stop, status, mask).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/systemd-init-system-rhel9.json"},{"id":"systemd-resolved-production-dns","text":"systemd-resolved is production-ready as the DNS resolution mechanism on RHEL 
9.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/systemd-resolved-production-dns.json"},{"id":"systemd-resolved-tech-preview-rhel9","text":"systemd-resolved is available as a Technology Preview in RHEL 9 but is not the default DNS resolution mechanism.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/systemd-resolved-tech-preview-rhel9.json"},{"id":"tar-archive-compress-extract","text":"tar creates and extracts archives. Flags: c (create), x (extract), t (list), f (file), z (gzip), j (bzip2), J (xz). Use -C for target directory. tar xf auto-detects compression format.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/tar-archive-compress-extract.json"},{"id":"tech-preview-not-fully-supported","text":"Technology Preview features in RHEL are not fully supported by Red Hat, are provided for testing and feedback, and may change or be removed without the standard deprecation process.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/tech-preview-not-fully-supported.json"},{"id":"tech-preview-unsupported-production","text":"Technology Preview features in RHEL are functional but unsupported for production use; Red Hat's support scope is limited and features may change or be removed in future releases.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/tech-preview-unsupported-production.json"},{"id":"three-registration-methods","text":"RHEL systems can be registered three ways: GUI/TUI during installation, CLI 
post-install with subscription-manager, or automated via Kickstart/activation keys.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/three-registration-methods.json"},{"id":"tuned-adm-manage-profiles","text":"TuneD profiles are managed with `tuned-adm`: `list` (available profiles), `active` (current), `profile <name>` (apply), `recommend` (suggested profile).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/tuned-adm-manage-profiles.json"},{"id":"tuned-enabled-by-default-rhel9","text":"TuneD is enabled by default on RHEL 9.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/tuned-enabled-by-default-rhel9.json"},{"id":"ugo-rwx-permissions-chmod","text":"File permissions use user/group/other (ugo) with read/write/execute (rwx). chmod sets permissions in symbolic (u+x) or octal (755) mode. chown changes ownership. umask sets default permissions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/ugo-rwx-permissions-chmod.json"},{"id":"uki-kernel-package-rhel9","text":"Unified Kernel Image (UKI) via `kernel-uki-virt` package combines kernel, initramfs, and cmdline into one signed binary requiring UEFI; it is a Technology Preview in RHEL 9.2.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/uki-kernel-package-rhel9.json"},{"id":"vim-default-text-editor","text":"vim is the default text editor on RHEL 9 with Normal, Insert, and Command-line modes. 
Key commands: i (insert), Esc (normal), :wq (save and quit), dd (delete line), /pattern (search).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/vim-default-text-editor.json"},{"id":"wireguard-tech-preview-rhel9","text":"WireGuard VPN is a Technology Preview (not fully supported) in RHEL 9.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/wireguard-tech-preview-rhel9.json"},{"id":"wireguard-vpn-production-ready","text":"WireGuard VPN is production-ready for deployment on RHEL 9.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/wireguard-vpn-production-ready.json"},{"id":"xdp-highest-performance-packet-path","text":"XDP (eXpress Data Path) is the highest-performance packet processing path in the Linux kernel, operating at the NIC driver level before the normal network stack.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/bare-metal-expert/belief/xdp-highest-performance-packet-path.json"}],"count":613}