Hello and welcome to LQ. Hope you like it here.
I have just been hired as tech manager
With all due respect, if you don't grok GNU/Linux from a security point of view then please consider (temporarily) bringing somebody in who does. Not only will it save time but it'll also mean "better" quality wrt auditing and reporting (short- and long-term recommendations).
RHL-6 (as opposed to RHEL) is severely deprecated. On top of that, the 6 releases were the ones with the largest number of 'sploits ITW. I really hope the thing is hardened properly, behind two or three firewalls and overloaded with access restrictions, but that probably won't be the case...
Anyway. RHL isn't different from any other GNU/Linux distro (well, OK, some commands may not take the args 'n switches we expect in this millennium). Before I'd go in I'd look at company policies, be especially careful to understand the compliance and regulation games, look for any maintenance docs left (dream on), find out the box's location inside their network (restrictions) and its relation to other servers and services, which processes/users are allowed access to it, where (if) it logs to (no kidding) and whether there are backups (as if).

If there's nothing to learn from that (like there was anything documented) and I have no suspicions (if I do, then alerting, blocking access and making a full backup is the first priority), I'd log in as an unprivileged user and look at the open files, process and network listings, go find a downtime slot and prepare for a full audit of the box with the focus on system integrity, keeping a swift migration to something maintainable and stable in the back of my mind. If I'm going to run tools on it I'll compile them statically on a dev box and bring them along on removable media or grab them from a share.

The first things I'd check are the login records and the system and daemon logs (backups could help extend the logrotate retention settings). Meanwhile I'll run something like Tiger to get an overview of the box, md5deep the whole FS and correlate the output with 'rpm -Va'.
From there it depends on what I find.
So. I'd say draw up a plan (targets), work outside in (scope) before you recon the box (risk), and be wary of executing commands without a clear goal. If you feel you've totally lost your bearings you might find the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html a good starting point, even though it kinda sounds like it's made for worst-case scenarios (which RHL-6 kinda is
If there's anything here I should clear up, please ask.
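The md5deep / 'rpm -Va' correlation step in the post above, as an added example that is not part of the original post. It is a small POSIX sh script that parses a constructed 'rpm -Va' listing and two constructed 'md5deep -r' listings (one baseline from a trusted install, one from the box under audit) and triages each changed file by whether both sources, only the RPM database, or only md5deep flag it. The sample data, digests and paths are all made up for the demonstration; the function names (rpm_md5_changed, rpm_config_changed, md5deep_diff, triage) are this example's own, not tools that exist on the box.

```shell
#!/bin/sh
# Added example (not from the original post): correlate `rpm -Va` with a pair of
# md5deep listings. Every input below is constructed sample data, not real output.

# Constructed `rpm -Va` output. Flag columns are S M 5 D L U G T (size, mode,
# MD5, device, symlink, user, group, mtime); a 'c' before the path marks a
# config file, and "missing" means the packaged file is gone.
RPM_VA_SAMPLE='S.5....T  /bin/login
S.5....T  c /etc/issue
.M......  /usr/bin/passwd
S.5....T  /sbin/ifconfig
missing   /usr/sbin/sshd'

# Constructed `md5deep -r` listings ("<md5>  <path>"): a baseline taken from a
# trusted install of the same release, and the box under audit. Digests are made up.
BASELINE_MD5='0f1e2d3c4b5a69788796a5b4c3d2e1f0  /bin/login
11111111111111111111111111111111  /bin/ps
22222222222222222222222222222222  /sbin/ifconfig
33333333333333333333333333333333  /usr/bin/passwd
44444444444444444444444444444444  /etc/issue'
CURRENT_MD5='ffffffffffffffffffffffffffffffff  /bin/login
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  /bin/ps
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb  /sbin/ifconfig
33333333333333333333333333333333  /usr/bin/passwd
55555555555555555555555555555555  /etc/issue
66666666666666666666666666666666  /usr/lib/libproc.so.2'

# Packaged non-config files whose MD5 no longer matches the RPM database.
rpm_md5_changed() {
    printf '%s\n' "$1" | awk '$1 != "missing" && substr($1, 3, 1) == "5" && $2 != "c" { print $NF }'
}

# Packaged config files with any discrepancy; these drift legitimately but
# still deserve a read.
rpm_config_changed() {
    printf '%s\n' "$1" | awk '$2 == "c" { print $NF }'
}

# Diff two md5deep listings (baseline, current): prints "changed|new|gone <path>".
md5deep_diff() {
    base=$(mktemp); cur=$(mktemp)
    printf '%s\n' "$1" > "$base"
    printf '%s\n' "$2" > "$cur"
    awk 'NR == FNR { b[$2] = $1; next }
         { c[$2] = $1 }
         END {
             for (p in c) if (!(p in b)) print "new " p
                          else if (b[p] != c[p]) print "changed " p
             for (p in b) if (!(p in c)) print "gone " p
         }' "$base" "$cur" | LC_ALL=C sort
    rm -f "$base" "$cur"
}

# Correlate the two independent sources. A file both tools flag is a solid hit.
# A file md5deep flags that rpm -Va is silent about is either a legitimately
# updated package or a tampered RPM database; the second, independent source
# is the whole reason for running md5deep, so go and find out which.
triage() {
    rpm_hits=$(rpm_md5_changed "$1")
    rpm_cfg=$(rpm_config_changed "$1")
    md5deep_diff "$2" "$3" | while read -r status path; do
        case "$status" in
            changed)
                if   printf '%s\n' "$rpm_hits" | grep -qxF -- "$path"; then echo "BOTH         $path"
                elif printf '%s\n' "$rpm_cfg"  | grep -qxF -- "$path"; then echo "CONFIG       $path"
                else echo "MD5DEEP-ONLY $path"; fi ;;
            new)  echo "NEW          $path" ;;
            gone) echo "GONE         $path" ;;
        esac
    done
}

triage "$RPM_VA_SAMPLE" "$BASELINE_MD5" "$CURRENT_MD5"
```

On a real box the three variables would be replaced by the output of 'rpm -Va' and two 'md5deep -r /' runs (baseline taken from a known-good install of the same release, current taken with statically built binaries from your own media, as the post suggests). Note that rpm -Va only lists files the package database knows about, so anything it is silent on is exactly where the md5deep side earns its keep.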