RHCSA (039): Season 2 - Scenario 14: Regex File Sorter

Podcast: The RHCSA Series Podcast

  • Season: 2 (Episodes 26A - 50)
  • Episode: 39
  • Title: RHCSA (039): Season 2 - Scenario 14: Regex File Sorter
  • Release date: August 11, 2026
  • Produced by: Djere Services Group
  • Associated article: https://djere.com/rhcsa-039-season-2-scenario-14-regex-file-sorter.html

Episode 039 Executive Summary

In this Regex File Sorter RHCSA lab scenario, I start performing the lab after a 6 minute introduction by the podcast hosts. You will get the most out of this lab if you listen to the entire show and then try to practice the lab several times, either along with me or by yourself. We focus on automating data categorization and isolating system anomalies.

This scenario frequently trips candidates up because it requires chaining regular expressions with standard file management commands across isolated user directories. The operational goal is to extract specific system records, isolate them, and ensure the right user has access while dealing with mandatory access controls.

The core challenge lies in parsing an unformatted data dump to find specific patterns, moving those matched files into a newly provisioned user account, and confirming the system remains in enforcing mode. We will use standard stream editors, file creation utilities, and security tools to resolve the task.

Keywords: rhcsa, linux administration, regex parsing, file management, user provisioning, selinux enforcing

EPISODE 039: Regex File Sorter
* Season: 2 | Difficulty: High
* Objectives: Primary 1.3, 1.8; Secondary 9.1, 10.4
* Lab Focus: rhcsa, linux administration, regex parsing, file management, user provisioning, selinux enforcing
* URL: https://djere.com/rhcsa-039-season-2-scenario-14-regex-file-sorter.html


1. SCENARIO BRIEF (THE PROBLEM)

You have been tasked with parsing a massive raw text dump of system access logs. You must extract all lines containing specific client and server error codes, save these lines to a dedicated file, and organize this file into a newly created auditor account directory. You must perform all of these actions while ensuring the system's mandatory access controls remain strictly enforcing.


2. TASK ANALYSIS (THE "WHY")

  • 1.3 (Grep/Regex): Required to isolate the specific error patterns from the raw data dump using regular expressions.
  • 1.8 (File Management): Necessary to create directories, move files, and organize the parsed data into the correct destination.
  • 9.1 (Create/Delete/Modify): Crucial for establishing the dedicated auditor user account to hold the restricted data.
  • 10.4 (SELinux Modes): Ensures that system security policies are actively enforced during all file operations.

3. SOLUTION STEPS

Step 1: Environment Setup (Root Only)

# Verify if the coreutils package is present, which contains standard tools, and install it quietly if missing
if ! rpm -q coreutils; then dnf install -y coreutils; fi

# Create a simulated raw access log file containing various HTTP status codes to serve as our data source
echo -e "200 OK\n404 Not Found\n500 Internal Error\n403 Forbidden\n200 OK" > /tmp/raw_access_log.txt

Step 2: Core Implementation (Execute as root)

# Create the dedicated auditor user account with a standard home directory using the useradd command
useradd auditor

# Ensure that the system is currently running in enforcing mode for SELinux to replicate strict operational conditions
setenforce 1

# Search for any line containing a 4xx or 5xx error code using extended regular expressions and save the output to a new file
grep -E '40[0-9]|50[0-9]' /tmp/raw_access_log.txt > /tmp/error_logs.txt

# Create a specific directory inside the auditor home folder to store the extracted files using the make directory command with the parent flag
mkdir -p /home/auditor/investigations

# Move the extracted error logs from the temporary location to the persistent auditor directory using the move command
mv /tmp/error_logs.txt /home/auditor/investigations/

# Change the ownership of the newly created directory and its contents recursively to the auditor user and group
chown -R auditor:auditor /home/auditor/investigations

# Technical Breakdown: We utilized extended grep to pattern match specific error ranges, isolating the required data before securely transferring it to a provisioned user space under mandatory access controls.
# Pro-Tip: Always verify your regex patterns on a subset of data before writing to a permanent file, as an incorrect pattern might silently omit critical data or capture too much.

Step 3: Verification (The "Proof of Work")

# List the contents of the investigations directory with detailed attributes to verify ownership and file presence
ls -lZ /home/auditor/investigations/
* EXPECTED: -rw-r--r--. 1 auditor auditor unconfined_u:object_r:user_home_t:s0 ... error_logs.txt

# Check the contents of the extracted log file to ensure the regex successfully captured only the error codes
cat /home/auditor/investigations/error_logs.txt
* EXPECTED: 404 Not Found, 500 Internal Error, 403 Forbidden lines.

# Output the current SELinux status to confirm it remains in enforcing mode
getenforce
* EXPECTED: Enforcing

4. COMPREHENSIVE CLEANUP (ZERO-TRACE)

# Remove the simulated raw access log file from the temporary directory
rm -f /tmp/raw_access_log.txt

# Delete the auditor user account and forcefully remove its home directory and contents
userdel -r auditor
You should also read: