{
  "results": [
    {
      "id": "amd-sev-requires-epyc-rome",
      "text": "AMD SEV/SEV-ES requires 2nd-generation AMD EPYC (Rome) or later; RHEL 9 provides memory encryption but not security attestation.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "ktls-tech-preview-rhel92",
      "text": "Kernel TLS (KTLS) is a Technology Preview in RHEL 9.2, appearing in both security (gnutls acceleration) and networking (kernel-level TLS offload) contexts.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "mcs-categories-c0-to-c1023",
      "text": "SELinux Multi-Category Security (MCS) categories range from c0 to c1023 (1024 possible categories).",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "polyinstantiation-config-namespace-conf",
      "text": "Polyinstantiation is configured in `/etc/security/namespace.conf`; the `pam_namespace_helper` does NOT read files from `/etc/security/namespace.d/`.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "rhel9-authenticated-observable-security-operations",
      "text": "RHEL 9 security operations are both identity-governed (enterprise identity ecosystem controlling access, Kerberos-gated administration, IdM vault secrets management) and continuously observable (audit subsystem with auid tracking, sos diagnostic reporting), creating an accountability chain from identity authentication through security action to audit trail.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "rhel9-authenticated-security-monitoring",
      "text": "RHEL 9 connects identity management to security monitoring: IdM provides verified user identities via Kerberos authentication, the audit subsystem tracks all privileged actions via loginuid (auid) which survives su/sudo, and system roles enable consistent security configuration across all managed hosts — creating an end-to-end chain from identity verification through action tracking to configuration enforcement.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "rhel9-automatable-defense-in-depth",
      "text": "RHEL 9 defense-in-depth security (SELinux enforcing, firewalld, crypto policies, granular audit) is fully automatable at fleet scale through Ansible system roles and SELinux deployment automation (semanage export/import, fixfiles autorelabel, Ansible roles), enabling consistent security posture across hundreds of hosts.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "rhel9-bare-metal-separate-partitions",
      "text": "For bare-metal RHEL 9 installations, `/boot`, `/`, `/home`, `/tmp`, and `/var/tmp` should be on separate partitions for security isolation.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "rhel9-bpf-jit-always-on",
      "text": "RHEL 9 has `CONFIG_BPF_JIT_ALWAYS_ON=y`, meaning the BPF JIT compiler is mandatory and the BPF interpreter is not available (security hardening).",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "rhel9-closed-loop-fleet-security-operations",
      "text": "RHEL 9 enables closed-loop fleet security operations where defense-in-depth configuration (SELinux, firewalld, crypto, audit) is automatable via Ansible system roles while continuously verifiable through audit logging, AIDE integrity monitoring, and OpenSCAP compliance scanning.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "rhel9-complete-system-lifecycle-management",
      "text": "RHEL 9 manages the complete temporal system lifecycle: automated provisioning (Image Builder blueprints, Kickstart, Anaconda) for initial deployment, structured patch management (BaseOS/AppStream content split, DNF security update filtering, advisory-driven remediation) for day-2 operations, and dual upgrade paradigms (Leapp sequential in-place upgrades, bootc image-based atomic updates) for major version transitions.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "rhel9-comprehensive-security-posture",
      "text": "RHEL 9 provides a comprehensive security posture integrating defense-in-depth hardened defaults (SELinux, firewalld, crypto policies, audit), continuous compliance monitoring (audit logging, AIDE integrity, OpenSCAP scanning), and layered authentication hardening (pam_faillock, password aging, SSH key-based auth) into a unified security architecture.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "rhel9-continuous-os-evolution-strategy",
      "text": "RHEL 9 supports continuous OS evolution from routine security patches (DNF advisory-filtered updates across BaseOS/AppStream with severity filtering) through major version transitions (Leapp sequential in-place upgrades with mandatory preupgrade assessment) to image-based atomic updates (rpm-ostree/bootc with health-check rollback for Edge deployments).",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "rhel9-coordinated-platform-evolution",
      "text": "RHEL 9 evolves the OS foundation (security patches, minor releases, Leapp major upgrades, rpm-ostree atomic updates) and application layer (deprecation-driven networking/virtualization/container modernization with AppStream versioning) as a coordinated platform evolution strategy.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "rhel9-cpu-security-mitigation-framework",
      "text": "RHEL 9 addresses CPU-level security vulnerabilities through multiple coordinated mechanisms: SMT disabling for L1TF/MDS mitigation, shared buffer clearing for MMIO/MDS/TAA with interdependent mitigation toggles, restricted unprivileged BPF access by default, and mandatory BPF JIT compilation that eliminates the interpreter as an attack surface.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "rhel9-defense-in-depth-container-isolation",
      "text": "RHEL 9 containers operate within a defense-in-depth security stack where per-container MCS categories (assigned by container-selinux) provide inter-container isolation, layered on top of SELinux type enforcement, firewalld network controls, system-wide crypto policies, and continuous audit logging — meaning container breakout must defeat not just the container boundary but every surrounding security layer.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "rhel9-defense-in-depth-security-framework",
      "text": "RHEL 9 enforces defense-in-depth through four integrated security layers: hardened defaults (SELinux enforcing, firewalld, crypto policies), granular cryptographic policy lifecycle management, layered SELinux MAC enforcement with type-based policy, and a unified audit subsystem with original-identity tracking across privilege escalation.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "rhel9-dnf-check-update-security",
      "text": "`dnf check-update --security` lists available security updates; `dnf update --security` installs all available security updates.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "rhel9-dual-authenticated-identity-governed-workload-lifecycle",
      "text": "RHEL 9 workloads are governed across their full lifecycle by dual authentication (subscription for content access, Kerberos for administration) with continuous observability, from identity-authenticated provisioning (IdM/AD-enrolled systems with DNS autodiscovery) through security-governed runtime isolation (SELinux MCS, firewalld, crypto policies) — creating a closed system where no workload phase is unauthenticated, ungoverned, or unobserved.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "rhel9-dual-authenticated-observable-lifecycle",
      "text": "RHEL 9 enforces dual authentication boundaries throughout the system lifecycle: subscription authentication gates all content and patch access while identity-governed security monitoring (Kerberos-bound audit with auid tracking) ensures every administrative action is attributable.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    }
  ],
  "count": 60,
  "limit": 20,
  "offset": 0
}
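The two MCS claims in this result set (categories run from c0 to c1023, and each container gets its own category pair under container-selinux so that containers cannot touch each other's files) in runnable form. This is an added example, not part of the claim database and not code from the container-selinux, libselinux or podman projects: a small Python model of MCS labels. The function names (parse_mcs, mcs_dominates, containers_isolated, allocate_container_categories) are this example's own. The access rule it encodes, that a subject's categories must be a superset of the object's and its sensitivity at least as high, is the MCS rule the targeted policy applies; the random-pair allocation only approximates what the container runtime does when it labels a new container, it is not the real library call.

```python
"""Model of SELinux MCS labels as used for RHEL 9 container isolation.

Illustrative example only (not project code): it models MCS semantics in
plain Python so the isolation check runs offline, and never talks to the
kernel. Category bounds follow the RHEL 9 policy: c0..c1023.
"""
import random
import re

MCS_MIN_CATEGORY = 0
MCS_MAX_CATEGORY = 1023          # c0..c1023 -> 1024 categories
CATEGORIES_PER_CONTAINER = 2     # one random pair per container

_CAT_RE = re.compile(r"^c(\d+)$")
_SENS_RE = re.compile(r"^s\d+(?:-s\d+)?$")   # "s0" or a range "s0-s0"


def _cat_number(token):
    """'c345' -> 345, rejecting anything outside c0..c1023."""
    m = _CAT_RE.match(token)
    if not m:
        raise ValueError("bad category %r" % token)
    n = int(m.group(1))
    if not MCS_MIN_CATEGORY <= n <= MCS_MAX_CATEGORY:
        raise ValueError("category %s outside c%d..c%d"
                         % (token, MCS_MIN_CATEGORY, MCS_MAX_CATEGORY))
    return n


def _parse_categories(cat_field):
    """'c12,c345' or 'c0.c1023' (a range) -> frozenset of ints."""
    cats = set()
    if not cat_field:
        return frozenset()
    for part in cat_field.split(","):
        lo, _, hi = part.partition(".")
        lo_n = _cat_number(lo)
        hi_n = _cat_number(hi) if hi else lo_n
        if hi_n < lo_n:
            raise ValueError("descending range %r" % part)
        cats.update(range(lo_n, hi_n + 1))
    return frozenset(cats)


def parse_mcs(label):
    """Return (sensitivity, categories) for a full context or a bare level.

    Accepts 'system_u:system_r:container_t:s0:c12,c345' as well as
    's0:c12,c345'. For a level range such as 's0-s0:c0.c1023' the high
    (clearance) level is used, which is what the MCS constraint checks
    for a subject. Raises ValueError on malformed or out-of-range input.
    """
    fields = label.split(":")
    for i, field in enumerate(fields):
        if _SENS_RE.match(field):
            sensitivity = field.split("-")[-1]
            cat_field = fields[i + 1] if i + 1 < len(fields) else ""
            return sensitivity, _parse_categories(cat_field)
    raise ValueError("no sensitivity level in %r" % label)


def mcs_dominates(subject, obj):
    """MCS access rule: subject sensitivity >= object's and the subject's
    categories are a superset of the object's. A host context carrying
    s0:c0.c1023 therefore dominates every container label."""
    s_sens, s_cats = parse_mcs(subject)
    o_sens, o_cats = parse_mcs(obj)
    return int(s_sens[1:]) >= int(o_sens[1:]) and s_cats >= o_cats


def containers_isolated(label_a, label_b):
    """Two containers are isolated when neither label dominates the other,
    so neither process can open the other's files or /proc entries."""
    return not mcs_dominates(label_a, label_b) and not mcs_dominates(label_b, label_a)


def allocate_container_categories(in_use, seed=None):
    """Pick a fresh category pair for a new container (hypothetical helper
    approximating the runtime's behaviour): two distinct random categories
    not already held by a running container. `in_use` is a set of
    frozensets of allocated pairs. Returns the level string, e.g. 's0:c12,c345'.
    """
    rng = random.Random(seed)
    universe = range(MCS_MIN_CATEGORY, MCS_MAX_CATEGORY + 1)
    for _ in range(10000):
        pair = frozenset(rng.sample(universe, CATEGORIES_PER_CONTAINER))
        if pair not in in_use:
            return "s0:" + ",".join("c%d" % c for c in sorted(pair))
    raise RuntimeError("category space exhausted")


if __name__ == "__main__":
    a = allocate_container_categories(set(), seed=1)
    b = allocate_container_categories({parse_mcs(a)[1]}, seed=2)
    print(a, b, "isolated:", containers_isolated(a, b))
    print("host s0:c0.c1023 dominates", a, ":", mcs_dominates("s0:c0.c1023", a))
```

Run it and the two freshly allocated containers come out isolated, while the full-category host level dominates both, which is the practical reading of the container-isolation claim: the MCS pair stops one container_t process from reaching another container's files, but it does nothing against a process that already holds all 1024 categories, so the surrounding layers (type enforcement, firewalld, audit) still matter.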