RHCSA (038): Season 2 - Scenario 13: Auditing Log Streams
Podcast: The RHCSA Series Podcast
Season: 2 (Episodes 26A - 50)
Episode: 38
Title: RHCSA (038): Season 2 - Scenario 13: Auditing Log Streams
Release date: July 28, 2026
Produced by: Djere Services Group
Associated article: https://djere.com/rhcsa-038-season-2-scenario-13-auditing-log-streams.html
Episode 038 Executive Summary
In this Auditing Log Streams RHCSA lab scenario, I start performing the lab after a 6 minute introduction by the podcast hosts. You will get the most out of this lab if you listen to the entire show and then try to practice the lab several times, either along with me or by yourself. We will be setting up a secure log processing environment that filters and redirects system events into designated auditing text files.
This scenario trips up many candidates because it combines standard stream redirection with strict file access policies. It is not enough to simply extract text from logs using standard utilities. You must ensure the target files have the correct ownership and security context, or the automated grading scripts will fail to read your output.
The core challenge requires creating a dedicated auditing user, parsing specific security events from the system journal, redirecting them into text files, and ensuring SELinux permits the intended operations. We will use systemd journal tools alongside basic shell redirection and SELinux management commands to accomplish this task, verifying our work with context and permission checks.
Keywords: IO Redirection, Text Files, User Management, SELinux Contexts
EPISODE 038: Auditing Log Streams
- Season: 2 | Difficulty: High
- Objectives: Primary 1.2, 1.7; Secondary 9.1, 10.5
- Lab Focus: IO Redirection, Text Files, User Management, SELinux Contexts
- URL: https://djere.com/rhcsa-038-season-2-scenario-13-auditing-log-streams.html
1. SCENARIO BRIEF (THE PROBLEM)
The security team needs a daily dump of all authentication failures parsed from the system journal. This data must be stored in a specific web-accessible directory owned by a new user named log-auditor. Furthermore, the output text files must possess the correct SELinux context so that the web server can read them without throwing access denials.
2. TASK ANALYSIS (THE "WHY")
- 1.2: Standard output redirection is required to save volatile command line streams into persistent files.
- 1.7: Text filtering tools are necessary to extract only the relevant failure messages from the broader log stream.
- 9.1: Creating a specific user to own the output ensures correct permissions and auditability.
- 10.5: Setting SELinux contexts guarantees the files meet the security compliance requirements of the web server daemon.
3. SOLUTION STEPS
Step 1: Environment Setup (Root Only)
# Verify if httpd is installed, and quietly install it if it is missing
if ! rpm -q httpd; then dnf install -y httpd; fi
# Create the directory structure to hold the audit reports
mkdir -p /var/www/audit-reports
# Create the log-auditor user with no login shell for security purposes
useradd -s /sbin/nologin log-auditor
Step 2: Core Implementation (Execute as Root)
# Query the system journal for sshd logs, filter for failures using grep, and redirect standard output to a text file
journalctl -u sshd | grep -i "failed" > /var/www/audit-reports/ssh-failures.txt
# Recursively change the ownership of the audit directory and its contents to the log-auditor user
chown -R log-auditor:log-auditor /var/www/audit-reports
# Define the SELinux fcontext rule to apply the httpd_sys_content_t type to the audit directory
semanage fcontext -a -t httpd_sys_content_t "/var/www/audit-reports(/.*)?"
# Apply the newly defined SELinux context rule to the directory and its contents recursively
restorecon -Rv /var/www/audit-reports
Technical Breakdown: We used the pipe operator to pass journal output into grep, filtering the text stream. We then used the greater-than symbol to redirect that filtered stream into a persistent text file. Following file creation, user ownership and SELinux contexts were permanently configured.
Pro-Tip: A common exam mistake is forgetting to run restorecon after using semanage fcontext. The semanage command only updates the policy database, while restorecon actually applies the labels to the filesystem.
Step 3: Verification (The "Proof of Work")
# List the directory contents with SELinux contexts and long format to verify ownership and labels
ls -lZ /var/www/audit-reports
EXPECTED:-rw-r--r--. 1 log-auditor log-auditor unconfined_u:object_r:httpd_sys_content_t:s0 [size] [date] ssh-failures.txt
4. COMPREHENSIVE CLEANUP (ZERO-TRACE)
# Remove the SELinux fcontext rule for the audit directory to revert policy changes
semanage fcontext -d -t httpd_sys_content_t "/var/www/audit-reports(/.*)?"
# Forcefully remove the audit directory and all of its generated text files
rm -rf /var/www/audit-reports
# Delete the log-auditor user and their associated mail spool
userdel log-auditor
