System Configuration

Basic System Information

Linux Version information

  cat /proc/version

[tlasso@rhel-richmondfc proc]$ cat /proc/version
Linux version 5.14.0-284.18.1.el9_2.x86_64 (mockbuild@x86-64-02.build.eng.rdu2.redhat.com) (gcc (GCC) 11.3.1 20221121 (Red Hat 11.3.1-4), GNU ld version 2.35.2-37.el9) #1 SMP PREEMPT_DYNAMIC Wed May 31 10:39:18 EDT 2023

Os Release information from `/etc/os-release` file

 cat /etc/os-release

tlasso@rhel-richmondfc Documents]$ cat /etc/os-release 
NAME="Red Hat Enterprise Linux"
VERSION="9.2 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.2 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.2
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"

Installation date

$ rpm -qi basesystem

[tlasso@rhel-richmondfc Documents]$ rpm -qi basesystem 
Name        : basesystem
Version     : 11
Release     : 13.el9
Architecture: noarch
Install Date: Wed 14 Jun 2023 02:26:33 AM EDT
Group       : Unspecified
Size        : 0
License     : Public Domain
Signature   : RSA/SHA256, Sat 20 Nov 2021 05:50:43 AM EST, Key ID 199e2f91fd431d51
Source RPM  : basesystem-11-13.el9.src.rpm
Build Date  : Mon 09 Aug 2021 03:47:02 PM EDT
Build Host  : x86-vm-55.build.eng.bos.redhat.com
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
Summary     : The skeleton package which defines a simple Red Hat Enterprise Linux system

File System

Using lsblk

[tlasso@rhel-richmondfc scripts]$ lsblk -f
NAME          FSTYPE      FSVER    LABEL UUID                                   FSAVAIL FSUSE% MOUNTPOINTS
sda                                                                                            
├─sda1        vfat        FAT32          D7C9-A9C8                               591.8M     1% /boot/efi
├─sda2        xfs                        f96af77c-de86-4f65-b914-33373c4313cf    730.5M    28% /boot
└─sda3        LVM2_member LVM2 001       wZx9a7-JGa6-Za1A-3xtF-UXNZ-kPYx-w2gGVZ                
  ├─rhel-root xfs                        51074d0b-8172-4bd0-aca8-1558aa348c34     29.3G    15% /
  └─rhel-swap swap        1              7f8666f3-f284-4ee6-9bb2-91b3d8686a02                  [SWAP]
sr0

We can determine the file system in use as xfs for rhel-root (/) mount.

From fstab

fstab file contains the file system information.

cat /etc/fstab

[tlasso@rhel-richmondfc scripts]$ cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Wed Jun 14 06:26:07 2023
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
/dev/mapper/rhel-root   /                       xfs     defaults        0 0
UUID=f96af77c-de86-4f65-b914-33373c4313cf /boot                   xfs     defaults        0 0
UUID=D7C9-A9C8          /boot/efi               vfat    umask=0077,shortname=winnt 0 2
/dev/mapper/rhel-swap   none                    swap    defaults        0 0

Mounts

cat /proc/mounts

[tlasso@rhel-richmondfc proc]$ cat /proc/mounts
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,seclabel,nosuid,size=4096k,nr_inodes=1958404,mode=755,inode64 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev,size=7864436k,nr_inodes=1966109,inode64 0 0
devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,seclabel,nosuid,nodev,size=3145776k,nr_inodes=819200,mode=755,inode64 0 0
cgroup2 /sys/fs/cgroup cgroup2 rw,seclabel,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot 0 0
pstore /sys/fs/pstore pstore rw,seclabel,nosuid,nodev,noexec,relatime 0 0
efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0
bpf /sys/fs/bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700 0 0
/dev/mapper/rhel-root / xfs rw,seclabel,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,nosuid,noexec,relatime 0 0

System Audit configuration and Audit rules 1

The /etc/audit/auditd.conf file is the main configuration file for the Linux Audit daemon (auditd). It is responsible for controlling the behavior of the audit system, allowing administrators to specify various parameters, such as how to log events, where to store log files, how much disk space to use, and when to take certain actions in response to specific system events.

audit.rules

The default audit configuration file is located at /etc/audit/auditd.conf.

https://www.redhat.com/sysadmin/configure-linux-auditing-auditd

Digital forensics & Intrusion Response Playbook - *nix OS