| Check | Status | Sev | Observed | What it means & how to fix |
|---|---|---|---|---|
| Operating system + version | PASS | low | Rocky Linux 9.8 (Blue Onyx) (EOL 2032-05-31) | The release is in vendor maintenance until 2032-05-31. Fix: n/a |
| Running vs installed kernel | PASS | low | 5.14.0-687.15.1.el9_8.x86_64 (newest installed) | The running kernel is the newest one installed — no pending reboot-to-new-kernel. Fix: n/a |
| Check | Status | Sev | Observed | What it means & how to fix |
|---|---|---|---|---|
| Pending security updates | FAIL | high | 20 outstanding | Many security errata are unapplied (20) — this is what an auditor flags first and where active-exploit CVEs hide. Fix: patch promptly, then hold a monthly cadence. |
| Total pending updates | PASS | low | 29 packages | Overall update backlog is modest. Fix: n/a |
| Reboot required | PASS | low | no | Running kernel and core libraries are the installed versions — no reboot pending. Fix: n/a |
| Services needing restart | PASS | low | 0 services | No running service is still mapped to a replaced library — memory matches disk. Fix: n/a |
| Last package update | PASS | low | 2026-07-05 (-1d ago) | The last dnf transaction was recent — patch cadence looks active. Fix: n/a |
| Check | Status | Sev | Observed | What it means & how to fix |
|---|---|---|---|---|
| Filesystem usage | PASS | low | / 11%; /boot 34%; /boot/efi 8% | All filesystems have healthy free space. Fix: n/a |
| Inode usage | PASS | low | all <85% | Inode headroom is healthy on every filesystem. Fix: n/a |
| LVM volume groups | PASS | low | no LVM (whole-disk filesystems) | No LVM in use — filesystems sit on plain partitions; growth needs a partition/disk change, not lvextend. Fix: n/a |
| /tmp filesystem | WARN | low | not a separate mount | /tmp shares the root filesystem — a runaway /tmp fills / and can take the whole host down, and it misses nosuid/nodev hardening. Fix: mount /tmp separately (or enable tmp.mount) with nodev,nosuid,noexec. |
| Check | Status | Sev | Observed | What it means & how to fix |
|---|---|---|---|---|
| Load average vs CPUs | PASS | low | 15-min load 0.10 on 1 CPU(s) | Sustained load is comfortably under the core count. Fix: n/a |
| Available memory | PASS | low | 42% available (MemAvailable) | Real allocatable memory headroom is healthy (page cache aside). Fix: n/a |
| Swap configuration | WARN | low | no swap configured (swappiness 60) | No swap is configured — under memory pressure the kernel OOM-kills a process instead of degrading gracefully. Deliberate on some workloads, a surprise on others. Fix: confirm this is intentional; if not, add a swap file/partition sized to policy. |
| Pressure stall info (PSI) | PASS | low | not enabled (RHEL 9 default) | PSI is compiled in but off by default on RHEL 9 (no psi=1 on the kernel cmdline), so the finest-grained contention signal is unavailable. Fix: for deep performance work, add 'psi=1' to the kernel cmdline to expose /proc/pressure. |
| Top resource consumers | PASS | low | cpu: systemd(1.6%), grafana(0.7%), loki(0.5%) | mem: loki(16.9%), grafana(12.4%), teleport(4.8%) | The current heaviest CPU and memory processes — context for the pressure signals above. Fix: n/a |
| Check | Status | Sev | Observed | What it means & how to fix |
|---|---|---|---|---|
| Failed systemd units | FAIL | high | 2 failed: example-agent-update.service,kd-nightly.service | 2 systemd unit(s) are in the failed state — each is a service that could not start or crashed; this is the first thing to fix. Fix: inspect each with 'systemctl status <unit>' and 'journalctl -u <unit>', then fix or mask it. |
| Journal error messages | WARN | med | 603 this boot | A high volume of error-priority messages this boot (603; latest: SELinux is preventing /usr/lib/systemd/systemd from append access on the file ex) — usually a single misbehaving unit spamming the log. Fix: find the noisy source ('journalctl -p 3 -b | sort | uniq -c') and fix the root cause. |
| OOM killer activity | PASS | med | none this boot | The kernel out-of-memory killer has not fired this boot. Fix: n/a |
| Hardware / I/O errors (kernel) | PASS | high | none this boot | No MCE, disk I/O, or filesystem-corruption errors in the kernel log this boot — no pre-failure signature showing. Fix: n/a |
| Journal persistence | WARN | med | volatile (/run only) | The journal is volatile — a reboot erases it, including whatever caused the reboot. Post-incident forensics are impossible. Fix: make it persistent: 'mkdir -p /var/log/journal; systemd-tmpfiles --create; systemctl restart systemd-journald' (or set Storage=persistent). |
| Check | Status | Sev | Observed | What it means & how to fix |
|---|---|---|---|---|
| Default boot kernel | PASS | high | vmlinuz-5.14.0-687.15.1.el9_8.x86_64 | The GRUB default points at an installed kernel image — the box will boot unattended. Fix: n/a |
| /boot free space | PASS | low | 34% used | /boot has room for kernel updates. Fix: n/a |
| Disk redundancy | WARN | low | no md RAID (single-disk or hypervisor-backed) | No host-visible disk redundancy — on a VM this is normally handled by the hypervisor/SAN, but on bare metal a single disk failure is an outage. Fix: confirm redundancy exists at the storage layer (hypervisor, SAN, or add md/LVM mirroring). |
| Backup evidence | WARN | med | no backup timer found | No restic/borg/bacula/backup timer was found on this host — either backups run elsewhere (agentless/snapshot) or there are none. The tool cannot see an offsite job. Fix: confirm where this host's backups run; if nowhere, this is a recovery gap to close. |
| Check | Status | Sev | Observed | What it means & how to fix |
|---|---|---|---|---|
| SELinux mode | PASS | high | Enforcing | SELinux is enforcing — the platform's mandatory-access-control containment is active. Fix: n/a |
| Host firewall | WARN | high | inactive | No host firewall (firewalld/nftables) is active — the host relies entirely on upstream network controls; every listening port is directly reachable if the network path allows. Fix: enable firewalld ('systemctl enable --now firewalld') or document the compensating network control. |
| SSH root login | PASS | med | without-password | Direct root SSH is restricted (key-only or off). Fix: n/a |
| SSH ciphers | FAIL | high | weak enabled: aes256-cbc,aes128-cbc | Weak/legacy SSH ciphers (CBC, arcfour, 3DES) are offered — a routine audit and cyber-insurance finding, and CBC has known padding-oracle issues. Fix: restrict 'Ciphers' to AEAD only (chacha20-poly1305, aes-gcm) via a drop-in in /etc/ssh/sshd_config.d/, then reload sshd. |
| Passwordless sudo (NOPASSWD) | WARN | high | 3 grant(s): admin1,clouduser,operator1 | 3 sudoers rule(s) grant passwordless root — a stolen key or hijacked session for those principals becomes root with no second check. Fix: scope NOPASSWD to specific commands, or require a password; reserve blanket NOPASSWD for automation accounts only. |
| Listening services (attack surface) | WARN | med | 12 external, 2 loopback | 12 services are bound to external interfaces (ports: 22,111,3000,3100,9080,9090,9093,9094,9095,40083) — each is directly reachable and is attack surface; with no host firewall active this is the exposed edge. Fix: close or bind-to-loopback anything that need not be network-facing; put the rest behind firewalld. |
| Failed login attempts | WARN | low | 2000 in btmp | 2000 failed login attempts recorded — sustained SSH brute-force pressure (normal for an internet-facing box, but confirms the exposure). Fix: ensure PermitRootLogin/PasswordAuthentication are off (key-only); add fail2ban or move SSH behind a bastion/allowlist. |
| OpenSCAP compliance scan | WARN | high | oscap not installed | The OpenSCAP scanner is not installed, so an automated stig evaluation could not run. Fix: install it: 'dnf install openscap-scanner scap-security-guide', then re-run --compliance stig. |
| Check | Status | Sev | Observed | What it means & how to fix |
|---|---|---|---|---|
| Time synchronization | PASS | low | synchronized (stratum 2, offset 0.000070544s) | The clock is disciplined by chrony (stratum 2) — log correlation, TLS validity, and Kerberos all depend on this. Fix: n/a |
| System timezone | PASS | low | UTC | System timezone is UTC. Fix: keep a consistent timezone across the fleet (UTC is common) for log correlation. |
| DNS resolvers | PASS | low | 1 nameserver(s) configured | Name resolution has configured resolvers. Fix: confirm they are reachable and redundant (>=2). |
| Kernel/network tunables | WARN | med | rp_filter=0 (reverse-path filtering off); accept_redirects=1 (ICMP redirects accepted) | One or more security-relevant sysctls are at a non-hardened value — small individually, but they are exactly what a CIS/STIG network-hardening pass sets. Fix: set the hardened values via /etc/sysctl.d/ (rp_filter=1, accept_redirects=0, tcp_syncookies=1, randomize_va_space=2) and 'sysctl --system'. |
| Check | Status | Sev | Observed | What it means & how to fix |
|---|---|---|---|---|
| Monitoring / metrics agent | PASS | med | running: grafana,node_exporter,prometheus,promtail,teleport | A monitoring/metrics agent is running (grafana,node_exporter,prometheus,promtail,teleport) — this host is being watched, so the next threshold breach can page someone. Fix: confirm it is actually reporting into a live dashboard/alerting backend, not just running locally. |
| Log forwarding | PASS | low | shipping via grafana,node_exporter,prometheus,promtail,teleport | Logs are being shipped off-box by a log agent — they survive a host loss and land in central search. Fix: n/a |
| Log rotation | PASS | low | logrotate active (7 configs, timer enabled) | logrotate is installed with 7 config(s) — logs are pruned so they do not fill the disk. Fix: n/a |