EXAMPLE REPORT — real, unedited output (hostname sanitized) · RHEL 9 / Rocky← all reports
AIXray
by PowerTrue Systems · AIX · IBM Power · VIOS · Linux
System Health Check

Posture snapshot — rhel9lab

Host: rhel9lab  ·  Generated: 2026-07-04  ·  Reference data: 2026-07-01  ·  READ-ONLY — nothing was changed
64%
Pass rate
25
Pass
11
Warn
3
Fail
A. Lifecycle & supportGREEN 2 pass · 0 warn · 0 fail
CheckStatusSevObservedWhat it means & how to fix
Operating system + versionPASSlowRocky Linux 9.8 (Blue Onyx) (EOL 2032-05-31)The release is in vendor maintenance until 2032-05-31.
Fix: n/a
Running vs installed kernelPASSlow5.14.0-687.15.1.el9_8.x86_64 (newest installed)The running kernel is the newest one installed — no pending reboot-to-new-kernel.
Fix: n/a
B. Patch & vulnerability currencyRED 4 pass · 0 warn · 1 fail
CheckStatusSevObservedWhat it means & how to fix
Pending security updatesFAILhigh20 outstandingMany security errata are unapplied (20) — this is what an auditor flags first and where active-exploit CVEs hide.
Fix: patch promptly, then hold a monthly cadence.
Total pending updatesPASSlow29 packagesOverall update backlog is modest.
Fix: n/a
Reboot requiredPASSlownoRunning kernel and core libraries are the installed versions — no reboot pending.
Fix: n/a
Services needing restartPASSlow0 servicesNo running service is still mapped to a replaced library — memory matches disk.
Fix: n/a
Last package updatePASSlow2026-07-05 (-1d ago)The last dnf transaction was recent — patch cadence looks active.
Fix: n/a
C. Storage & capacityAMBER 3 pass · 1 warn · 0 fail
CheckStatusSevObservedWhat it means & how to fix
Filesystem usagePASSlow/ 11%; /boot 34%; /boot/efi 8%All filesystems have healthy free space.
Fix: n/a
Inode usagePASSlowall <85%Inode headroom is healthy on every filesystem.
Fix: n/a
LVM volume groupsPASSlowno LVM (whole-disk filesystems)No LVM in use — filesystems sit on plain partitions; growth needs a partition/disk change, not lvextend.
Fix: n/a
/tmp filesystemWARNlownot a separate mount/tmp shares the root filesystem — a runaway /tmp fills / and can take the whole host down, and it misses nosuid/nodev hardening.
Fix: mount /tmp separately (or enable tmp.mount) with nodev,nosuid,noexec.
D. Performance & sizingAMBER 4 pass · 1 warn · 0 fail
CheckStatusSevObservedWhat it means & how to fix
Load average vs CPUsPASSlow15-min load 0.10 on 1 CPU(s)Sustained load is comfortably under the core count.
Fix: n/a
Available memoryPASSlow42% available (MemAvailable)Real allocatable memory headroom is healthy (page cache aside).
Fix: n/a
Swap configurationWARNlowno swap configured (swappiness 60)No swap is configured — under memory pressure the kernel OOM-kills a process instead of degrading gracefully. Deliberate on some workloads, a surprise on others.
Fix: confirm this is intentional; if not, add a swap file/partition sized to policy.
Pressure stall info (PSI)PASSlownot enabled (RHEL 9 default)PSI is compiled in but off by default on RHEL 9 (no psi=1 on the kernel cmdline), so the finest-grained contention signal is unavailable.
Fix: for deep performance work, add 'psi=1' to the kernel cmdline to expose /proc/pressure.
Top resource consumersPASSlowcpu: systemd(1.6%), grafana(0.7%), loki(0.5%) | mem: loki(16.9%), grafana(12.4%), teleport(4.8%)The current heaviest CPU and memory processes — context for the pressure signals above.
Fix: n/a
E. Errors & eventsRED 2 pass · 2 warn · 1 fail
CheckStatusSevObservedWhat it means & how to fix
Failed systemd unitsFAILhigh2 failed: example-agent-update.service,kd-nightly.service2 systemd unit(s) are in the failed state — each is a service that could not start or crashed; this is the first thing to fix.
Fix: inspect each with 'systemctl status <unit>' and 'journalctl -u <unit>', then fix or mask it.
Journal error messagesWARNmed603 this bootA high volume of error-priority messages this boot (603; latest: SELinux is preventing /usr/lib/systemd/systemd from append access on the file ex) — usually a single misbehaving unit spamming the log.
Fix: find the noisy source ('journalctl -p 3 -b | sort | uniq -c') and fix the root cause.
OOM killer activityPASSmednone this bootThe kernel out-of-memory killer has not fired this boot.
Fix: n/a
Hardware / I/O errors (kernel)PASShighnone this bootNo MCE, disk I/O, or filesystem-corruption errors in the kernel log this boot — no pre-failure signature showing.
Fix: n/a
Journal persistenceWARNmedvolatile (/run only)The journal is volatile — a reboot erases it, including whatever caused the reboot. Post-incident forensics are impossible.
Fix: make it persistent: 'mkdir -p /var/log/journal; systemd-tmpfiles --create; systemctl restart systemd-journald' (or set Storage=persistent).
F. Availability & resilienceAMBER 2 pass · 2 warn · 0 fail
CheckStatusSevObservedWhat it means & how to fix
Default boot kernelPASShighvmlinuz-5.14.0-687.15.1.el9_8.x86_64The GRUB default points at an installed kernel image — the box will boot unattended.
Fix: n/a
/boot free spacePASSlow34% used/boot has room for kernel updates.
Fix: n/a
Disk redundancyWARNlowno md RAID (single-disk or hypervisor-backed)No host-visible disk redundancy — on a VM this is normally handled by the hypervisor/SAN, but on bare metal a single disk failure is an outage.
Fix: confirm redundancy exists at the storage layer (hypervisor, SAN, or add md/LVM mirroring).
Backup evidenceWARNmedno backup timer foundNo restic/borg/bacula/backup timer was found on this host — either backups run elsewhere (agentless/snapshot) or there are none. The tool cannot see an offsite job.
Fix: confirm where this host's backups run; if nowhere, this is a recovery gap to close.
G. Security & hardeningRED 2 pass · 4 warn · 1 fail
CheckStatusSevObservedWhat it means & how to fix
SELinux modePASShighEnforcingSELinux is enforcing — the platform's mandatory-access-control containment is active.
Fix: n/a
Host firewallWARNhighinactiveNo host firewall (firewalld/nftables) is active — the host relies entirely on upstream network controls; every listening port is directly reachable if the network path allows.
Fix: enable firewalld ('systemctl enable --now firewalld') or document the compensating network control.
SSH root loginPASSmedwithout-passwordDirect root SSH is restricted (key-only or off).
Fix: n/a
SSH ciphersFAILhighweak enabled: aes256-cbc,aes128-cbcWeak/legacy SSH ciphers (CBC, arcfour, 3DES) are offered — a routine audit and cyber-insurance finding, and CBC has known padding-oracle issues.
Fix: restrict 'Ciphers' to AEAD only (chacha20-poly1305, aes-gcm) via a drop-in in /etc/ssh/sshd_config.d/, then reload sshd.
Passwordless sudo (NOPASSWD)WARNhigh3 grant(s): admin1,clouduser,operator13 sudoers rule(s) grant passwordless root — a stolen key or hijacked session for those principals becomes root with no second check.
Fix: scope NOPASSWD to specific commands, or require a password; reserve blanket NOPASSWD for automation accounts only.
Listening services (attack surface)WARNmed12 external, 2 loopback12 services are bound to external interfaces (ports: 22,111,3000,3100,9080,9090,9093,9094,9095,40083) — each is directly reachable and is attack surface; with no host firewall active this is the exposed edge.
Fix: close or bind-to-loopback anything that need not be network-facing; put the rest behind firewalld.
Failed login attemptsWARNlow2000 in btmp2000 failed login attempts recorded — sustained SSH brute-force pressure (normal for an internet-facing box, but confirms the exposure).
Fix: ensure PermitRootLogin/PasswordAuthentication are off (key-only); add fail2ban or move SSH behind a bastion/allowlist.
H. Config hygieneAMBER 3 pass · 1 warn · 0 fail
CheckStatusSevObservedWhat it means & how to fix
Time synchronizationPASSlowsynchronized (stratum 2, offset 0.000070544s)The clock is disciplined by chrony (stratum 2) — log correlation, TLS validity, and Kerberos all depend on this.
Fix: n/a
System timezonePASSlowUTCSystem timezone is UTC.
Fix: keep a consistent timezone across the fleet (UTC is common) for log correlation.
DNS resolversPASSlow1 nameserver(s) configuredName resolution has configured resolvers.
Fix: confirm they are reachable and redundant (>=2).
Kernel/network tunablesWARNmedrp_filter=0 (reverse-path filtering off); accept_redirects=1 (ICMP redirects accepted)One or more security-relevant sysctls are at a non-hardened value — small individually, but they are exactly what a CIS/STIG network-hardening pass sets.
Fix: set the hardened values via /etc/sysctl.d/ (rp_filter=1, accept_redirects=0, tcp_syncookies=1, randomize_va_space=2) and 'sysctl --system'.
I. Monitoring & operational readinessGREEN 3 pass · 0 warn · 0 fail
CheckStatusSevObservedWhat it means & how to fix
Monitoring / metrics agentPASSmedrunning: grafana,node_exporter,prometheus,promtail,teleportA monitoring/metrics agent is running (grafana,node_exporter,prometheus,promtail,teleport) — this host is being watched, so the next threshold breach can page someone.
Fix: confirm it is actually reporting into a live dashboard/alerting backend, not just running locally.
Log forwardingPASSlowshipping via grafana,node_exporter,prometheus,promtail,teleportLogs are being shipped off-box by a log agent — they survive a host loss and land in central search.
Fix: n/a
Log rotationPASSlowlogrotate active (7 configs, timer enabled)logrotate is installed with 7 config(s) — logs are pruned so they do not fill the disk.
Fix: n/a
You don't have to run this yourself. This is what we do, on systems like yours, every day — and we watch them so the next finding never becomes an outage. Walk these results with an engineer (free, no obligation): powertruesystems.com.   New CVE checks ship regularly — get notified: powertruesystems.com/updates.