I. Understand and Use Essential Tools
- Access a shell prompt and issue commands with correct syntax
Applications --> System Tools ---> Terminal
or
press function keys to access pseudo consoles to type commands
shell prompt (command line) refers to the Linux command prompt where we enter commands for execution.
$ cal 2011
- Use input-output redirection (>, >>, |, 2>, etc.)
The bash shell lets you redirect input, output and error messages so that a program reads its input from something other than the keyboard and sends its output and errors somewhere other than the terminal window. Each stream has a file descriptor number; a redirection operator written without a number acts on stdout (or on stdin for <).
Descriptor | Digit | Symbol | Meaning
stdin      | 0     | <      | Standard input
stdout     | 1     | > (1>) | Standard output
stderr     | 2     | 2>     | Standard error
Table: I/O/E Redirection Symbols
Redirecting Standard Input
$ mailx user2 < file1    (mailx reads its input from file1 instead of the keyboard)
Redirecting Standard Output
$ sort file1 > sort.out     (write the output to sort.out, truncating it if it already exists)
$ sort file1 >> sort.out    (append the output to sort.out)
Redirecting Standard Error
Error redirection sends any error messages generated to an alternate destination such as a file, instead of sending them to the terminal window.
$ find / -name core -print 2> /dev/null
Redirecting both Standard Output and Error
$ ls /etc/ /cdr 1> testfile1 2>&1
$ ls /etc/ /cdr &> testfile1
Redirections are applied left to right: 1> testfile1 first points stdout at the file, and 2>&1 then points stderr at whatever stdout currently is, so both land in the file. Written the other way round (2>&1 1> testfile1) stderr is copied to the terminal before stdout is moved, and the error messages never reach the file. &> is a bash shorthand for the first form.
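A runnable illustration of the ordering rule, added here and not part of the original notes. noisy is a constructed stand-in for any command that writes to both streams (ls on a missing directory, find over unreadable paths); everything else is standard sh.

```shell
#!/bin/sh
# Added example, not part of the original notes: redirections are applied
# left to right, so ">file 2>&1" and "2>&1 >file" do different things.

# Constructed stand-in for any command that writes to both streams.
noisy() {
    echo "out: listing"
    echo "err: no such directory" >&2
}

# Run noisy with one of the two orderings and print how many lines reached
# the capture file.  "correct" = >file 2>&1 (what &> does in bash);
# "wrong" = 2>&1 >file, which points stderr at the OLD stdout first.
lines_captured() {
    tmp=$(mktemp) || return 1
    case "$1" in
        correct) noisy >"$tmp" 2>&1 ;;
        # The subshell's stdout is /dev/null only so the stray stderr line
        # does not clutter the terminal; it still never reaches the file.
        wrong)   ( noisy 2>&1 >"$tmp" ) >/dev/null ;;
    esac
    wc -l <"$tmp" | tr -d ' '
    rm -f "$tmp"
}

# Append both streams to a log across two runs (the form to use in cron jobs,
# where anything not redirected is mailed or lost).  Prints the line count.
append_log() {
    noisy >>"$1" 2>&1
    noisy >>"$1" 2>&1
    wc -l <"$1" | tr -d ' '
}

# Keep only stderr: 2>&1 sends stderr into the pipe, then >/dev/null moves
# stdout away.  The same left-to-right rule, put to work.
only_errors() {
    noisy 2>&1 >/dev/null | grep -c '^err:'
}

echo "lines captured, correct order: $(lines_captured correct)"
echo "lines captured, wrong order:   $(lines_captured wrong)"
echo "error lines only:              $(only_errors)"
```

The only_errors form is the one to remember for long-running jobs such as the find above: it lets the errors be reviewed on their own instead of being thrown away with 2> /dev/null.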
- Use grep and regular expressions to analyze text
grep (global regular expression print) searches contents of one or more specified files for a regular expression. If found, it prints every line containing the expression on the screen without changing the original file contents.
for example, to search for the pattern "user1" in the /etc/passwd file:
$ grep user1 /etc/passwd
user1:x:501:501::/home/user1:/bin/bash
to search for lines containing "user*" (in a regular expression * means "zero or more of the preceding character", so "user*" matches "use", "user", "userr" and so on; that is why usbmuxd and saslauth turn up: their GECOS field contains "user"):
$ grep "user*" /etc/passwd
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
saslauth:x:497:495:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
user1:x:501:501::/home/user1:/bin/bash
user2:x:502:502::/home/user2:/bin/bash
to list only the accounts whose name begins with user, anchor the pattern to the start of the line:
$ grep "^user" /etc/passwd
user1:x:501:501::/home/user1:/bin/bash
user2:x:502:502::/home/user2:/bin/bash
To search for all occurrences of the pattern "user1" in both the /etc/passwd and /etc/group files:
$ grep user1 /etc/passwd /etc/group
/etc/passwd:user1:x:501:501::/home/user1:/bin/bash
/etc/group:user1:x:501:
To display only the names of those files that contain the pattern "user1" from the specified file list, use -l:
$ grep -l user1 /etc/passwd /etc/group
Other options worth knowing: -i (ignore case), -v (invert: print lines that do not match), -c (count matching lines), -n (show line numbers), -r (recurse into directories) and -E (extended regular expressions, so +, ?, | and {n,m} work without backslashes).
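The anchoring difference and a few account checks built on it, as an added example that is not part of the original notes. The /etc/passwd content is a constructed sample (not a real system's file) with a deliberate second UID-0 account, toor, to show what the last check is for; the two files used for grep -l are created in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original notes: grep anchoring and account
# checks on a constructed /etc/passwd sample.  "toor" is planted on purpose:
# a second UID-0 account is a classic backdoor.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
saslauth:x:497:495:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
user1:x:501:501::/home/user1:/bin/bash
user2:x:502:502::/home/user2:/bin/bash
toor:x:0:0::/root:/bin/bash
operator:x:11:0:operator:/root:/sbin/nologin'

# Number of sample lines matching PATTERN ($2); $1 = extra grep flags, may be empty.
count_matches() {
    printf '%s\n' "$PASSWD_SAMPLE" | grep -c $1 -- "$2" || :
}

# Account names with UID 0 other than root; should print nothing on a clean box.
extra_uid0() {
    printf '%s\n' "$PASSWD_SAMPLE" | grep -E '^[^:]+:[^:]*:0:' | grep -v '^root:' | cut -d: -f1
}

# grep -l: names of the files that contain a pattern, shown on two constructed
# files standing in for /etc/passwd and /etc/group.
files_with() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$PASSWD_SAMPLE" >"$dir/passwd"
    printf 'user1:x:501:\nwheel:x:10:user2\n' >"$dir/group"
    (cd "$dir" && grep -l -- "$1" passwd group) | tr '\n' ' ' | sed 's/ $//'
    rm -rf "$dir"
}

# "user*" means "use" followed by zero or more "r", so the GECOS field of
# usbmuxd and saslauth matches too; ^user means "begins with user".
echo "user*        : $(count_matches '' 'user*') lines"
echo "^user        : $(count_matches '' '^user') lines"
echo "^user[0-9]+: : $(count_matches -E '^user[0-9]+:') lines"
echo "login shells : $(count_matches -v '/sbin/nologin$') accounts"
echo "extra UID 0  : $(extra_uid0)"
echo "files with user1: $(files_with user1)"
```

The UID-0 check is worth running on any box handed to you: the regular expression anchors on the third colon-separated field, so it cannot be fooled by "0" appearing somewhere else in the line.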
- Access remote systems using ssh and VNC
check that the client packages are installed (openssh-clients for ssh, tigervnc for vncviewer), then:
$ ssh user@remotesystem
$ vncviewer remotesystem:1
vncviewer is run from the command line of an X session and connects to the VNC server on the remote system; display :1 listens on TCP port 5901 (5900 plus the display number), so that port must be open in the remote firewall. VNC itself is not encrypted, so tunnel it through ssh (ssh -L) when it crosses an untrusted network.
- Log in and switch users in multi-user runlevels
log in with a username and password at the text console in runlevel 3 (text mode) or at the graphical login in runlevel 5; once logged in, switch to another account with su - username (root may switch to any user without a password), or run single commands as root with sudo if /etc/sudoers allows it
- Archive, compress, unpack and uncompress files using tar, star, gzip, and bzip2
star -xattr -H=exustar -c -f all_web.star public_html/ web_files/    (star with -xattr and the exustar format keeps SELinux contexts and other extended attributes, which tar only does when given its --selinux and --xattrs options)
tar xvzf file.tar.gz    (extract; z selects gzip, use j for a bzip2 archive such as file.tar.bz2)
tar cvzf file.tar.gz files    (create)
gunzip patch-2.5.28.gz    (gzip/gunzip and bzip2/bunzip2 compress and uncompress single files in place)
- Create and edit text files
Use vi, nano, emacs, gedit etc text editors
- Create, delete, copy and move files and directories
touch, cp, mv and rm for files; mkdir and rmdir for directories
cp -r copies a directory tree and rm -r removes one (rm -rf does so without asking, so check the path before pressing Enter)
- Create hard and soft links
ln file1 hardlink1    (existing file first, then the name of the new link)
ln -s file1 softlink1
A hard link is another name for the same inode, so it cannot cross file systems or point to a directory; a symbolic link is a separate file holding a path, can point anywhere, and is left dangling if file1 is removed. ls -li shows inode numbers and link counts.
- List, set and change standard ugo/rwx permissions
ls -l or ll (an alias for ls -l)
chmod
numeric -- permission -- symbolic
4 -- read -- r
2 -- write -- w
1 -- execute -- x
Add the numbers per class, in the order user, group, other: 750 means rwx for the owner, r-x for the group and nothing for others. The symbolic form (u+x, g-w, o=r, a+r) changes only the bits named, so it is the safer choice in scripts than a full numeric mode.
- Locate, read and use system documentation including man, info, and files in /usr/share/doc .
[Note: Red Hat may use applications during the exam that are not included in Red Hat Enterprise Linux for the purpose of evaluating candidate's abilities to meet this objective.]
read the documentation accordingly using:
man command    (man -k keyword, or apropos, searches the page descriptions; run makewhatis if that finds nothing)
info command
and the files in /usr/share/doc/<package>-<version>/
II. Operate Running Systems
- Boot, reboot, and shut down a system normally
power on the machine to boot it
the reboot command reboots the machine
shutdown -h halts and shutdown -r reboots; it takes a time argument, usually now, or e.g. +5 for five minutes from now (logged-in users are warned), and an optional message
- Boot systems into different runlevels manually
init <runlevel> (or telinit <runlevel>); the runlevel command shows the previous and current runlevel
- Use single-user mode to gain access to a system
init 1 or telinit 1 from a running system
at boot time, in the GRUB menu, select the entry, press e to edit the kernel line, append 1 or S (or single) at the end and press b to boot into single-user mode; since this gives a root shell without a password, protect GRUB with a password and restrict physical access to the console
- Identify CPU/memory intensive processes, adjust process priority with renice, and kill processes
ps aux or ps -ef lists every process with its CPU and memory use (ps can sort the list, e.g. with --sort=-%cpu)
top shows them interactively: P sorts by CPU, M by memory, r renices and k kills from inside top
nice starts a command at a given niceness (higher niceness means lower priority; the range is -20 to 19)
renice changes the niceness of a running process; an unprivileged user may only raise it, only root can lower it
kill sends a signal to a process, SIGTERM (15) by default; kill -9 (SIGKILL) cannot be caught and is the last resort; killall and pkill address processes by name
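An added example, not part of the original notes, that does the same job straight from /proc (Linux-specific), so it also works on a box where ps is missing or not trusted; the background sleep and the niceness values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original notes: scheduling data straight
# from /proc (Linux only), plus nice/renice on a throwaway background job.

# Everything after the ")" that closes the comm field, so a command name
# containing spaces cannot shift the field numbers.
proc_fields() { sed 's/^[^)]*) //' "/proc/$1/stat" 2>/dev/null; }

# Niceness: field 19 of /proc/PID/stat, which is field 17 after the cut above.
proc_nice() { proc_fields "$1" | awk '{ print $17 }'; }

# CPU ticks used so far: utime + stime (fields 14 and 15, i.e. 12 and 13 here).
proc_cpu() { proc_fields "$1" | awk '{ print $12 + $13 }'; }

# The N busiest processes by accumulated CPU: "ticks nice pid comm".
top_cpu() {
    n=${1:-5}
    for s in /proc/[0-9]*/stat; do
        pid=${s#/proc/}; pid=${pid%/stat}
        comm=$(sed 's/^[0-9]* (\(.*\)) .*/\1/' "$s" 2>/dev/null) || continue
        ticks=$(proc_cpu "$pid"); nice=$(proc_nice "$pid")
        if [ -n "$ticks" ]; then
            printf '%s %s %s %s\n' "$ticks" "$nice" "$pid" "$comm"
        fi
    done | sort -rn | head -n "$n"
}

# Start a job at niceness 10, raise it to 15 with renice, and print both
# values.  An unprivileged user may only raise niceness; lowering it
# (renice -n -5) needs root.  The sleep is constructed for the demo.
renice_demo() {
    nice -n 10 sleep 60 &
    bg=$!
    before=$(proc_nice "$bg")
    if command -v renice >/dev/null 2>&1; then
        renice -n 15 -p "$bg" >/dev/null 2>&1 || :
    fi
    after=$(proc_nice "$bg")
    kill -TERM "$bg" 2>/dev/null || :    # SIGTERM first; kill -KILL is the last resort
    wait "$bg" 2>/dev/null || :
    echo "$before $after"
}

echo "top CPU consumers (ticks nice pid comm):"
top_cpu 5
echo "niceness before/after renice: $(renice_demo)"
```

The ticks column is cumulative since the process started, so a long-lived daemon can outrank a process that is busy right now; top's %CPU is a rate, which is why the two views do not always agree.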
- Locate and interpret system log files
/var/log/messages (general system log), /var/log/secure (logins, su, sudo and sshd), /var/log/audit/audit.log (audit and SELinux AVC records while auditd runs)
/var/log/* for the rest; logrotate keeps older copies as messages.1, messages-<date> and so on
- Access a virtual machine's console
xm console <vm>    (Xen, RHEL 5)
virsh console <vm>    (libvirt/KVM; the guest needs a getty on its serial console for this to be usable)
virt-viewer <vm>    (graphical console)
- Start and stop virtual machines
Xen (RHEL 5): xm create <vm>, xm shutdown <vm>, xm reboot <vm>, xm destroy <vm> (the equivalent of pulling the plug)
libvirt/KVM (RHEL 6): virsh list --all, virsh start <vm>, virsh shutdown <vm>, virsh reboot <vm>, virsh destroy <vm>; virsh autostart <vm> marks a guest to be started at boot
- Start, stop and check the status of network services
/sbin/service <name> status|start|stop|restart
/etc/init.d/<name> status|start|stop|restart
III. Configure Local Storage
- List, create, delete and set partition type for primary, extended, and logical partitions
Use fdisk <disk> (for example fdisk /dev/sda) and type m for help on the commands, then use the necessary command:
for listing the partitions in fdisk: type p
for creating a new partition: type n, select whether it should be primary/extended (a disk holds at most four primary partitions; make one of them extended to hold logical partitions) and specify the required amount of space
for setting the system id of a partition in fdisk: type t, and for help type L, then select the required id such as 83 for Linux, 82 for Linux swap and 8e for Linux LVM. Then type w to save the changes to the partition table; if the disk has mounted partitions the kernel keeps using the old table until partprobe is run or the system is rebooted.
Further we can create the required filesystem using 'mkfs.ext(x) partition', or use the LVM tools to create logical volumes and then format them with the necessary filesystem.
- Create and remove physical volumes, assign physical volumes to volume groups, create and delete logical volumes
to create a physical volume, create a partition on the disk using fdisk as described above and set its system id to 8e (Linux LVM)
then use the following commands to create the physical volumes, the volume group and the logical volumes:
# pvcreate -v /dev/sda1 /dev/sda2
# vgcreate -v -s 32 vg-testvm /dev/sda1 /dev/sda2
# lvcreate -v -L 4g -n lv-home vg-testvm
# lvcreate -v -L 2g -n lv-var vg-testvm
to remove them, work in the reverse order (a logical volume must be unmounted first, and vgremove needs an empty volume group):
# lvremove /dev/vg-testvm/lv-home
# vgremove /dev/vg-testvm
# pvremove /dev/sda1
Use vgdisplay -v and lvdisplay -v to see your new creations and complete details (pvs, vgs and lvs give one-line summaries). My own naming convention is to use "vg" to indicate a volume group, and "lv" for a logical volume. So you see the structure here: the volume group is your total LVM storage space, which is made up of several physical volumes, and then you divide your volume group into logical volumes, or even just one logical volume.
The -v switch turns on verbosity so you know what it's doing, and -s 32 creates physical extents that are 32 megabytes in size. Extents are often shrouded in mystery because no one bothers to explain them, but actually they're not mysterious at all. Physical extents are LVM's individual storage blocks, so the smallest possible size for a logical volume is a single extent. The old LVM1 metadata format allowed at most 65,536 extents per volume, which with the default 4 MB extent limited a volume group to about 256 GB; that is where the advice to divide the desired size by 65K and round up to the next power of 2 comes from. LVM2, which RHEL 5 and 6 use, has no such limit, so the extent size only sets the allocation granularity. Extent sizes must be a power of 2. Extent size doesn't affect performance, just your storage allocations. The extent size is fixed when you create the volume group; vgchange -s can change it later only if every existing volume is a multiple of the new size, so choose it up front.
You have to increase or decrease the size of your volumes in multiples of the extent size, so here we're limited to 32 MB increments (lvcreate and lvextend round a requested size up to the next extent). The maximum possible size of a logical volume for 2.6 kernels is 16 terabytes on 32-bit systems, and 8 exabytes on 64-bit systems.
Now it's time to put filesystems and mountpoints on your logical volumes. Logical volumes are akin to physical disk partitions, so "lv-home" is going to be /home, and "lv-var" is /var:
# mkfs.xfs /dev/vg-testvm/lv-home
# mkfs.ext3 /dev/vg-testvm/lv-var
You may use any filesystem you want. Now create your mountpoints, adjust permissions and ownership, and then create your /etc/fstab entries. You can use either the /dev names or the filesystem UUIDs; the UUID replaces the device column, and it is the UUID that blkid reports for the filesystem, not the LV UUID that vgdisplay -v shows:
/dev/vg-testvm/lv-home /home xfs defaults 0 2
/dev/vg-testvm/lv-var /var ext3 defaults 0 2
UUID=8d566d0e /home xfs defaults 0 2
UUID=681919d5 /var ext3 defaults 0 2
The UUIDs are truncated to save space. Now you can reboot or mount the new logical volumes by hand, and you're ready to use them just like physical disk partitions.
Increasing the Size of a Logical Volume
Follow these steps to add a physical disk partition to an existing volume group and then grow one of its logical volumes (lvextend takes an absolute or relative size such as -L+10G, or -l +100%FREE for all remaining extents):
# pvcreate -v /dev/sdb1
# vgextend vg-testvm /dev/sdb1
# lvextend -L+10G /dev/vg-testvm/lv-var
Then you must grow the filesystem with the resizing command specific to it, otherwise the extra space stays invisible. ReiserFS can be resized while mounted, and XFS can only be grown while mounted. Ext2 must be unmounted first; on RHEL 5 and 6 kernels ext3 and ext4 can also be grown online by running resize2fs on the mounted device, which is what you want for /var, but the offline procedure is:
# umount /var
# e2fsck -f /dev/vg-testvm/lv-var
# resize2fs -p /dev/vg-testvm/lv-var
# mount /var
(resize2fs refuses to resize an unmounted filesystem that has not just been checked with e2fsck -f; with no size given it grows the filesystem to fill the volume.) The others look like this:
# resize_reiserfs /dev/volumegroup/logical-volume
# xfs_growfs /home
ReiserFS uses the /dev name, and XFS uses the name of the mountpoint. JFS is rather complicated
- Create and configure LUKS-encrypted partitions and logical volumes to prompt for password and mount a decrypted file system at boot
The following procedure will reconfigure and format your /home. It is meant for single-user computers or computers shared between trusted users. It wipes all your existing data, so be sure to have a tested backup before you start. It also requires /home to be on its own partition or logical volume (in my case that is /dev/VG00/LV_home). All of the following must be done as root. If any step fails you must not continue until that step has succeeded.
Step-by-Step Instructions
- enter runlevel 1:
telinit 1
- unmount your existing /home:
umount /home
- if it fails use fuser to find and kill processes hogging /home:
fuser -mvk /home
- verify /home is not mounted any longer:
grep home /proc/mounts
- fill your partition with random data, so that the encrypted volume does not reveal how much of it holds real data (slow on a large volume; GNU dd's bs=1M option makes it much faster):
dd if=/dev/urandom of=/dev/VG00/LV_home
- initialize your partition:
cryptsetup --verbose --verify-passphrase luksFormat /dev/VG00/LV_home
- open the newly encrypted device:
cryptsetup luksOpen /dev/VG00/LV_home home
- check it's there:
ls -l /dev/mapper | grep home
- create a filesystem:
mkfs.ext3 /dev/mapper/home
- mount it:
mount /dev/mapper/home /home
- check it's visible:
df -h | grep home
- add the following to /etc/crypttab:
home /dev/VG00/LV_home none
- edit your /etc/fstab, removing the old entry for /home and adding
/dev/mapper/home /home ext3 defaults 1 2
- verify your fstab entry:
mount /home
- restore default SELinux security contexts:
/sbin/restorecon -v -R /home
- reboot:
shutdown -r now
- The entry into /etc/crypttab makes your computer ask your luks passphrase on boot.
- Log in as root and restore your backup.
Encrypted partitions can also be created at installation time by ticking the Encrypt option for the partition and supplying a passphrase. Afterwards cryptsetup luksAddKey adds a further passphrase (LUKS has eight key slots), cryptsetup luksDump shows which slots are in use, and cryptsetup luksHeaderBackup (cryptsetup 1.1 and later) saves the header: if the header is damaged the data is unrecoverable no matter how many passphrases you remember.
- Configure systems to mount file systems at boot by Universally Unique ID (UUID) or label
to find a filesystem's UUID, run blkid on the device or partition (blkid with no arguments lists every device); a label is set with e2label or tune2fs -L on ext filesystems and used as LABEL=name in place of UUID=
then edit the /etc/fstab file accordingly, as follows (fields: device, mount point, type, options, dump, fsck pass; pass 1 is for / only, 2 for the other filesystems, 0 to skip):
UUID=d39b074c-9d46-4eab-a116-38d1a751c6fb / ext4 defaults 1 1
UUID=ded0bcce-2769-411d-8eaa-453233a5b9e4 /boot ext4 defaults 1 2
UUID=31379ba4-dce7-43f2-8679-5488aff9e82b /home ext4 defaults 1 2
UUID=1e4a6b5d-5d10-44d6-a5ff-334cdc63e4a4 /putty ext4 defaults 1 2
UUID=951da975-f039-42d4-86d5-42875a3d8b70 swap swap defaults 0 0
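An added example, not from the original notes: a checker for fstab, and for the crypttab entries that /dev/mapper devices in it depend on, to run before rebooting, since a bad line lands the boot in the root-password maintenance shell. The fstab and crypttab contents are constructed samples; the third fstab line reproduces a hand-editing mistake seen in the LVM section above (UUID= added as an extra column next to the /dev path instead of replacing it), and /dev/mapper/secret is an invented device with no crypttab entry.

```shell
#!/bin/sh
# Added example, not part of the original notes: check /etc/fstab and the
# /etc/crypttab entries it relies on before rebooting.  Both tables are
# constructed samples.
FSTAB_SAMPLE='UUID=d39b074c-9d46-4eab-a116-38d1a751c6fb / ext4 defaults 1 1
UUID=ded0bcce-2769-411d-8eaa-453233a5b9e4 /boot ext4 defaults 1 2
UUID=8d566d0e /dev/vg-testvm/lv-home /home xfs defaults 0 2
/dev/mapper/home /home ext3 defaults 1 2
/dev/mapper/secret /srv/secret ext4 defaults 1 1
UUID=951da975-f039-42d4-86d5-42875a3d8b70 swap swap defaults 0 0'

CRYPTTAB_SAMPLE='home /dev/VG00/LV_home none'

# One "line N: problem" per defect; prints nothing for a clean table.
fstab_problems() {
    printf '%s\n' "$FSTAB_SAMPLE" | awk '
    function err(msg) { print "line " NR ": " msg }
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    NF != 6 { err("expected 6 fields, found " NF) }
    $1 ~ /^UUID=/ {                               # 8-4-4-4-12 hex, 36 chars
        u = substr($1, 6); t = u
        if (length(u) != 36 || gsub(/-/, "-", t) != 4 || u !~ /^[0-9a-fA-F-]+$/)
            err("malformed UUID " u " (compare with blkid output)")
    }
    $2 !~ /^\// && $2 != "swap" && $2 != "none" { err("mount point must be absolute: " $2) }
    NF == 6 && $6 == 1 && $2 != "/" { err("fs_passno 1 is reserved for /, use 2 for " $2) }
    $2 != "swap" && seen[$2]++ { err("duplicate mount point " $2) }
    '
}

# /dev/mapper names used in fstab that have no crypttab entry.  Unless such a
# name is an LVM volume (vg-lv), the device will not exist at boot.
mappers_without_crypttab() {
    printf '%s\n' "$FSTAB_SAMPLE" |
    awk '$1 ~ /^\/dev\/mapper\// { sub("/dev/mapper/", "", $1); print $1 }' |
    while read -r name; do
        printf '%s\n' "$CRYPTTAB_SAMPLE" |
            awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' || echo "$name"
    done
}

echo "fstab problems:"; fstab_problems
echo "mapper devices without a crypttab entry:"; mappers_without_crypttab
```

On a real system point the two variables at the contents of /etc/fstab and /etc/crypttab, and after editing run mount -a while still logged in: a typo then shows up as an error message instead of a failed boot.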
- Add new partitions, logical volumes and swap to a system non-destructively
create new partitions with fdisk on free space only (never delete or re-create an existing partition), run partprobe so the kernel reads the new table without a reboot, then mkfs or pvcreate/lvcreate the new space; for swap, run mkswap on the partition or logical volume, swapon to enable it, and add a swap line to /etc/fstab; mount new filesystems on empty mount points so that nothing already in use is affected
IV. Create and Configure File Systems
- Create, mount, unmount and use ext2, ext3 and ext4 file systems
- Mount, unmount and use LUKS-encrypted file systems
- Mount and unmount CIFS and NFS network file systems
- Configure systems to mount ext4, LUKS-encrypted and network file systems automatically
add entries in /etc/fstab (by UUID) and /etc/crypttab (mapper name, underlying device, key file or none) respectively; a LUKS volume listed in crypttab is unlocked at boot, and its /dev/mapper/<name> is then mounted from fstab; network filesystems take the _netdev option so they are only mounted once the network is up
- Extend existing unencrypted ext4-formatted logical volumes
lvextend -L+<size> /dev/<vg>/<lv>, followed by resize2fs /dev/<vg>/<lv>, which for ext4 works while the filesystem is mounted; lvextend -r does both steps in one
- Create and configure set-GID directories for collaboration
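An added example, not from the original notes, covering both the ugo/rwx permission table above and this set-GID objective: it converts an ls -l mode string (setuid, setgid and sticky bits included) to the octal form chmod takes, then builds a group-collaboration directory with mode 2770 and verifies it. It relies on GNU stat; the directory name is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original notes: ls-style mode strings to
# octal (special bits included) and a verified set-GID collaboration directory.

# mode_to_octal "rwxr-s---" -> 2750.  s/S in the user triplet is setuid (4),
# s/S in the group triplet is setgid (2), t/T in the others triplet is sticky (1).
# A capital S or T means the special bit is set but the execute bit is not.
mode_to_octal() {
    mode=$1 special=0 digits='' i=0
    while [ "$i" -lt 3 ]; do
        trip=$(printf '%s' "$mode" | cut -c"$((i*3+1))-$((i*3+3))")
        v=0
        case "$trip" in r??) v=$((v+4)) ;; esac
        case "$trip" in ?w?) v=$((v+2)) ;; esac
        case "$trip" in ??[xst]) v=$((v+1)) ;; esac
        case "$i:$trip" in
            0:??[sS]) special=$((special+4)) ;;
            1:??[sS]) special=$((special+2)) ;;
            2:??[tT]) special=$((special+1)) ;;
        esac
        digits="$digits$v"
        i=$((i+1))
    done
    printf '%s%s\n' "$special" "$digits"
}

# Shared project directory: owner and group get rwx, others nothing, and the
# setgid bit makes files created inside inherit the directory's group instead
# of the creator's primary group.  Prints the resulting mode (2770).
make_shared_dir() {
    mkdir -p "$1" && chmod 2770 "$1"      # same as: chmod u=rwx,g=rwxs,o= "$1"
    stat -c '%a' "$1"
}

# Read the directory back through ls -ld and report its octal mode, so the
# 's' in the group execute position is checked rather than assumed.
verify_shared_dir() {
    mode_to_octal "$(ls -ld "$1" | cut -c2-10)"
}

# Does a file created inside get the directory's group?  Prints yes or no.
inherits_group() {
    probe="$1/.probe.$$"
    : >"$probe"
    if [ "$(stat -c '%g' "$probe")" = "$(stat -c '%g' "$1")" ]; then echo yes; else echo no; fi
    rm -f "$probe"
}

work=$(mktemp -d)
echo "mode: $(make_shared_dir "$work/project"), via ls: $(verify_shared_dir "$work/project"), group inherited: $(inherits_group "$work/project")"
rm -rf "$work"
```

On a real system chgrp the directory to the project group before chmod, so that the group being inherited is the one the collaborators share; their umask (002, or a default ACL) then decides whether each other's files are writable.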
- Create and manage Access Control Lists (ACLs)
ACLs need the acl mount option; check the output of mount before adding it (tune2fs -l shows whether it is already among the filesystem's default mount options):
mount -t ext3 -o acl /dev/VolGroup00/LogVol02 /work
Alternatively, if the partition is listed in the /etc/fstab file, the entry for the partition can include the acl option:
LABEL=/work /work ext3 acl 1 2
If an ext3 file system is accessed via Samba and ACLs have
To give a user (or, with g:, a group) permissions on a file, use setfacl -m:
setfacl -m u:andrius:rw /project/somefile
To remove all the permissions for a user, group, or others, use the -x option and do not specify any permissions. For example, to remove all permissions from the user with UID 500:
setfacl -x u:500 /project/somefile
To set a default ACL, add d: before the rule and specify a directory instead of a file name. For example, to set the default ACL for the /share/ directory to read and execute for users not in the user group (an access ACL for an individual file can override it):
setfacl -m d:o:rx /share
To determine the existing ACLs for a file or directory, use the getfacl command. In the example below, getfacl is used to determine the existing ACLs for a file:
getfacl home/john/picture.png
The above command returns the following output:
# file: home/john/picture.png
# owner: john
# group: john
user::rw-
group::r--
other::r--
If a directory with a default ACL is specified, the default ACL is also displayed, as illustrated below:
[john@main /]$ getfacl home/sales/
# file: home/sales/
# owner: john
# group: john
user::rw-
user:barryg:r--
ls -l marks a file that carries an ACL with a + after the mode. Note that chmod on the group bits of such a file changes the ACL mask, which caps what the named users and groups are allowed, so run getfacl again after a chmod. cp -p and mv keep ACLs; plain cp does not.
- Diagnose and correct file permission problems
V. Deploy, Configure and Maintain Systems
- Configure networking and hostname resolution statically or dynamically
edit the interface files in /etc/sysconfig/network-scripts/ifcfg-eth* with the necessary options such as DEVICE, HWADDR, ONBOOT, BOOTPROTO (dhcp, or none/static), IPADDR, NETMASK, NETWORK, BROADCAST, GATEWAY etc., then restart networking with service network restart (or ifdown/ifup for the one interface); system-config-network does the same through a menu
Edit the /etc/sysconfig/network file to set HOSTNAME= (and a system-wide GATEWAY=)
the hostname command changes the name only until the next reboot
Edit /etc/resolv.conf and specify the search domain(s) and up to three nameserver entries; with BOOTPROTO=dhcp the DHCP client rewrites this file unless PEERDNS=no is set in the ifcfg file. /etc/hosts is consulted before DNS, in the order given by the hosts line of /etc/nsswitch.conf.
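An added example that is not part of the original notes: because ifcfg-* files are shell variable assignments that the network scripts source, the same shell can generate one and sanity-check it before the network service is restarted on a host that is only reachable through that interface. The device names, MAC addresses and IP addresses are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes.  ifcfg-* files are shell
# variable assignments sourced by the network scripts, so the same shell can
# generate and check one before "service network restart" is risked on a
# host reached only through that interface.  All addresses are assumed.

# Static address; $1=device $2=MAC $3=ip $4=netmask $5=gateway.
gen_ifcfg_static() {
    printf 'DEVICE=%s\nHWADDR=%s\nONBOOT=yes\nBOOTPROTO=none\nIPADDR=%s\nNETMASK=%s\nGATEWAY=%s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# DHCP; $1=device $2=MAC.  PEERDNS=no keeps the DHCP client from overwriting
# a hand-maintained /etc/resolv.conf.
gen_ifcfg_dhcp() {
    printf 'DEVICE=%s\nHWADDR=%s\nONBOOT=yes\nBOOTPROTO=dhcp\nPEERDNS=no\n' "$1" "$2"
}

# True when $1 is a dotted quad with every octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Source the file in a subshell, as ifup does, and complain about anything
# that would leave the interface down or unreachable.  Prints "ok" if clean.
check_ifcfg() {
    (
        DEVICE='' BOOTPROTO='' IPADDR='' NETMASK='' GATEWAY='' ONBOOT=''
        . "$1"
        err=0
        [ -n "$DEVICE" ] || { echo "DEVICE missing"; err=1; }
        case "$BOOTPROTO" in
            dhcp) ;;
            none|static)
                is_ipv4 "$IPADDR"  || { echo "IPADDR invalid: '$IPADDR'"; err=1; }
                is_ipv4 "$NETMASK" || { echo "NETMASK invalid: '$NETMASK'"; err=1; }
                if [ -n "$GATEWAY" ] && ! is_ipv4 "$GATEWAY"; then
                    echo "GATEWAY invalid: '$GATEWAY'"; err=1
                fi ;;
            *) echo "BOOTPROTO must be dhcp, none or static (got '$BOOTPROTO')"; err=1 ;;
        esac
        [ "$ONBOOT" = yes ] || { echo "ONBOOT is '$ONBOOT': interface will not come up at boot"; err=1; }
        if [ "$err" -eq 0 ]; then echo ok; fi
    )
}

work=$(mktemp -d)
gen_ifcfg_static eth0 00:11:22:33:44:55 192.168.1.10 255.255.255.0 192.168.1.1 >"$work/ifcfg-eth0"
echo "ifcfg-eth0: $(check_ifcfg "$work/ifcfg-eth0")"
rm -rf "$work"
```

Sourcing untrusted ifcfg files is exactly what the network scripts do as root, which is why these files must stay writable by root only; the check here runs in a subshell so a stray command in the file cannot change the caller's environment.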
- Schedule tasks using cron
crontab -e edits the calling user's crontab (crontab -l lists it, crontab -r removes it; root uses -u user to edit someone else's). System-wide jobs go in /etc/crontab or a file in /etc/cron.d/, which have an extra user field before the command. /etc/cron.allow and /etc/cron.deny control who may use crontab.
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every Monday with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
# minute hour dayofmonth month dayofweek command
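An added example, not part of the original notes: a validator for the five time fields of a crontab line, to run before installing it, since crontab -e accepts a minute of 60 or a day-of-week of 8 and the job then silently never runs. Month and weekday names (jan, mon) are not handled; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: validate the five time
# fields of a crontab line before installing it.

is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Check one field ($2) named $1 against the range $3-$4.  Accepts *, N, a-b,
# */n, a-b/n and comma lists; names such as jan or mon are not handled.
# Prints one message per bad item; no output means the field is fine.
check_field() {
    printf '%s\n' "$2" | tr ',' '\n' | while read -r item; do
        range=${item%%/*}; step=${item#*/}
        [ "$step" = "$item" ] && step=1           # no /n given
        if ! is_num "$step" || [ "$step" -eq 0 ]; then
            echo "$1: bad step in '$item'"; continue
        fi
        case "$range" in
            '*') ;;
            *-*) lo=${range%%-*}; hi=${range#*-}
                 if ! is_num "$lo" || ! is_num "$hi"; then
                     echo "$1: bad range '$item'"; continue
                 fi
                 [ "$lo" -le "$hi" ] && [ "$lo" -ge "$3" ] && [ "$hi" -le "$4" ] ||
                     echo "$1: '$item' outside $3-$4" ;;
            *)   if ! is_num "$range"; then
                     echo "$1: not a number '$item'"; continue
                 fi
                 [ "$range" -ge "$3" ] && [ "$range" -le "$4" ] ||
                     echo "$1: '$item' outside $3-$4" ;;
        esac
    done
}

# Validate a whole crontab line; prints the problems, nothing when it is OK.
check_cron_line() {
    set -f                    # the line is full of *, do not let them glob
    set -- $1
    set +f
    if [ $# -lt 6 ]; then
        echo "need 5 time fields followed by a command"; return
    fi
    check_field minute "$1" 0 59
    check_field hour   "$2" 0 23
    check_field dom    "$3" 1 31
    check_field month  "$4" 1 12
    check_field dow    "$5" 0 7          # 0 and 7 are both Sunday
}

for line in '0 5 * * 1 tar -zcf /var/backups/home.tgz /home/' '60 5 * * 8 /usr/local/bin/backup'; do
    printf '%s\n' "$line"
    problems=$(check_cron_line "$line")
    if [ -n "$problems" ]; then printf '%s\n' "$problems" | sed 's/^/  /'; fi
done
```

Run it over `crontab -l` output (skipping comment lines) after editing; a job that never fires is easy to miss precisely because cron reports nothing.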
- Configure systems to boot into a specific runlevel automatically
edit /etc/inittab file and specify the runlevel at the bottom entry which looks like:
id:3:initdefault:
- Install Red Hat Enterprise Linux automatically using Kickstart
PXE boot: install tftp-server (an xinetd-managed service, enabled with chkconfig tftp on), copy pxelinux.0 and the installer's vmlinuz and initrd.img into /var/lib/tftpboot, and write the boot menu in /var/lib/tftpboot/pxelinux.cfg/default; the DHCP server hands out next-server and the filename "pxelinux.0"
share the kickstart file over nfs, http or ftp
the kickstart file is passed to the installer with the ks= boot parameter (for example ks=http://server/ks.cfg or ks=nfs:server:/path/ks.cfg); /root/anaconda-ks.cfg from an existing installation, or system-config-kickstart, gives a starting point, and the file holds the installation source, partitioning, the %packages list and any %pre/%post scripts
- Configure a physical machine to host virtual guests
- Install Red Hat Enterprise Linux systems as virtual guests
- Configure systems to launch virtual machines at boot
- Configure network services to start automatically at boot
chkconfig service on
- Configure a system to run a default configuration HTTP server
- Configure a system to run a default configuration FTP server
- Install and update software packages from Red Hat Network, a remote repository, or from the local filesystem
rpm -ivh package.rpm    (install from a local file; -U upgrades, -q queries: rpm -qa, rpm -qf /path, rpm -ql package)
rpm -e package    (erase)
yum install package    (resolves dependencies from the configured repositories)
yum groupinstall "Group Name"
yum remove package
Repositories are configured in /etc/yum.repos.d/*.repo (baseurl= or mirrorlist=, enabled=, gpgcheck=); access to Red Hat Network is set up with rhn_register. Leave gpgcheck=1 and import the vendor key with rpm --import so that packages from a tampered mirror or of unknown origin are refused.
- Update the kernel package appropriately to ensure a bootable system
# yum -y update kernel    (the kernel is an install-only package: yum installs the new kernel alongside the current one and adds a grub.conf entry while keeping the old one)
# rpm -ivh /var/yum/repos.d/kernel/kernel-2xxxx
Use rpm -i, never rpm -U, for kernel packages: -U would replace the running kernel, leaving nothing to boot from if the new one fails. After the update check /boot/grub/grub.conf: the new kernel becomes the default entry, and the previous entry must still be present to fall back to.
- Modify the system bootloader
Edit /boot/grub/grub.conf (also reachable as /etc/grub.conf) to change the default entry (default=, counted from 0), the timeout, and the kernel command line of each entry. A password line (password --md5 <hash>, generated with grub-md5-crypt) stops console users from editing entries at boot, which matters because appending 1 to the kernel line otherwise gives anyone at the console a root shell.
VI. Manage Users and Groups
- Create, delete, and modify local user accounts
useradd
userdel
usermod
id
- Change passwords and adjust password aging for local user accounts
passwd [user]    (a user changes their own password; root can set anyone's)
chage -l user shows the aging settings; chage user sets them interactively, or use options such as -M (maximum days before a change is required), -m (minimum days), -W (warning days) and -E (account expiry date); the defaults for new accounts live in /etc/login.defs
- Create, delete and modify local groups and group memberships
usermod -a -G unixadm balaji    (-a appends; without it, -G replaces the user's supplementary groups with the list given)
groupadd
groupmod
gpasswd    (gpasswd -a user group and gpasswd -d user group add and remove members; groups and id show memberships, which take effect at the next login)
- Configure a system to use an existing LDAP directory service for user and group information
Install the necessary LDAP packages.
First, make sure that the appropriate packages are installed on both the LDAP server and the LDAP client machines. The LDAP server needs the openldap-servers package.
The openldap, openldap-clients and nss_ldap packages need to be installed on all LDAP client machines (on RHEL 6, nss-pam-ldapd or sssd takes the place of nss_ldap; the RHCSA objective only covers the client side).
Edit the configuration files.
- On the server, edit /etc/openldap/slapd.conf to match the specifics of the organization.
- On the client machines, both /etc/ldap.conf and /etc/openldap/ldap.conf need to contain the proper server and search base information for the organization. To do this, run the graphical Authentication Configuration Tool (system-config-authentication) and select Enable LDAP Support under the User Information tab; the same can be done from the command line with authconfig --enableldap --ldapserver=<server> --ldapbasedn=<base dn> --update. Use TLS (an ldaps:// server URI, or --enableldaptls with the server's CA certificate) so that directory lookups, and passwords if LDAP authentication is enabled as well, do not cross the network in clear.
It is also possible to edit these files by hand.
- On the client machines, /etc/nsswitch.conf must be edited to use LDAP. The Authentication Configuration Tool does this when LDAP support is enabled.
If editing /etc/nsswitch.conf by hand, add ldap to the appropriate lines. For example:
passwd: files ldap
shadow: files ldap
group: files ldap
VII. Manage Security
- Configure firewall settings using system-config-firewall or iptables
run system-config-firewall as root if X is installed (system-config-firewall-tui does the same in text mode); it writes /etc/sysconfig/iptables
/etc/sysconfig/iptables is the rule set that service iptables start loads. It can be edited directly (then service iptables restart), or changed with iptables commands and written back with service iptables save. Either way, keep the final REJECT rule (or a DROP policy) on the INPUT chain and open only the ports the services need, e.g. 22 for sshd and 80 for httpd; chkconfig iptables on makes the rules come back after a reboot.
- Set enforcing and permissive modes for SELinux
we can either edit /etc/selinux/config (to which /etc/sysconfig/selinux is a symbolic link) and set SELINUX=enforcing, permissive or disabled, which takes effect at the next boot, or run system-config-selinux, or
use
/usr/sbin/setenforce, which changes the mode SELinux runs in immediately, until the next boot; getenforce prints the current mode and sestatus the full status.
For example:
setenforce 1: SELinux runs in enforcing mode.
setenforce 0: SELinux runs in permissive mode (denials are logged but not blocked; useful while troubleshooting, not as a permanent setting).
setenforce cannot disable SELinux. To actually disable it, set SELINUX=disabled in /etc/selinux/config or pass selinux=0 to the kernel, either in /etc/grub.conf or at boot time. Going from disabled back to enforcing requires a full relabel (touch /.autorelabel and reboot), so prefer permissive over disabled.
- List and identify SELinux file and process context
ls -Z or ll -Z    (file contexts: user:role:type, plus the level on RHEL 6)
ps -eZ or ps -efZ    (process contexts; the type is the domain, e.g. httpd_t)
id -Z    (the current user's context)
cp -Z <context> and cp --preserve=context    (by default cp gives the copy the context of the destination directory, whereas mv keeps the source file's context; a file moved into /var/www/html therefore keeps user_home_t and httpd is denied until restorecon is run on it)
This section covers the specific roles enabled for the targeted policy. The unconfined_t type exists in every role, which significantly reduces the usefulness of roles in the targeted policy. More extensive use of roles requires a change to the strict policy paradigm, where every process runs in an individually considered domain.
Effectively, there are only two roles in the targeted policy: system_r and object_r. The initial role is system_r, and everything else inherits that role. The remaining roles are defined for compatibility purposes between the targeted policy and the strict policy.
Three of the four roles are defined by the policy. The fourth role, object_r, is an implied role and is not found in policy source. Because roles are created and populated by types using one or more declarations in the policy, there is no single file that declares all roles. (Remember that the policy itself is generated from a number of separate files.)
- system_r
- This role is for all system processes except user processes:
system_r (28 types) dhcpd_t httpd_helper_t httpd_php_t httpd_suexec_t httpd_sys_script_t httpd_t httpd_unconfined_script_t initrc_t ldconfig_t mailman_cgi_t mailman_mail_t mailman_queue_t mysqld_t named_t ndc_t nscd_t ntpd_t pegasus_t portmap_t postgresql_t snmpd_t squid_t syslogd_t system_mail_t unconfined_t winbind_helper_t winbind_t ypbind_t
- user_r
- This is the default user role for regular Linux users. In a strict policy, individual users might be used, allowing for the users to have special roles to perform privileged operations. In the targeted policy, all users run in the unconfined_t domain.
- object_r
- In SELinux, roles are not utilized for objects when RBAC is being used. Roles are strictly for subjects. This is because roles are task-oriented and they group together entities which perform actions (for example, processes). All such entities are collectively referred to as subjects. For this reason, all objects have the role object_r, and the role is only used as a placeholder in the label.
- sysadm_r
- This is the system administrator role in a strict policy. If you log in directly as the root user, the default role may actually be staff_r. If this is true, use the newrole -r sysadm_r command to change to the SELinux system administrator role to perform system administration tasks. In the targeted policy, the following retain sysadm_r for compatibility:
sysadm_r (6 types) httpd_helper_t httpd_sys_script_t initrc_t ldconfig_t ndc_t unconfined_t
There is effectively only one user identity in the targeted policy. The user_u identity was chosen because libselinux falls back to user_u as the default SELinux user identity. This occurs when there is no matching SELinux user for the Linux user who is logging in. Using user_u as the single user in the targeted policy makes it easier to change to the strict policy. The remaining users exist for compatibility with the strict policy.
The one exception is the SELinux user root. You may notice root as the user identity in a process's context. This occurs when the SELinux user root starts daemons from the command line, or restarts a daemon originally started by init.
- Restore default file contexts
chcon changes the context of a file by hand; the change is stored on disk but undone by the next relabel (restorecon, fixfiles, /.autorelabel), so for a permanent rule record it first with semanage fcontext -a -t <type> '<path>(/.*)?' and then run restorecon:
ex: # chcon -R -t httpd_user_content_t public_html/
# ls -Z
restorecon
Use the restorecon command to restore files to the default values according to the policy's file_contexts database (restorecon -Rv shows each change it makes). There are two other methods for performing this operation that work on the entire file system: fixfiles relabel, or a full policy relabel at the next boot, triggered by creating /.autorelabel.
ex: # /sbin/restorecon -R archives
Remember that mv keeps a file's existing context while cp gives the copy the context of the destination directory, so a file moved into /var/www/html keeps user_home_t and needs restorecon before httpd may read it.
- Use boolean settings to modify system SELinux settings
sestatus    (mode and policy; sestatus -b also lists every boolean)
getsebool -a    (lists every boolean with its current value)
Use the getsebool command to get the current status of a boolean:
[root@host2a ~]# getsebool named_disable_trans
named_disable_trans --> off
Use the following command to stop named from transitioning into its confined domain, i.e. to leave it unconfined. The *_disable_trans booleans belong to the RHEL 4/5 targeted policy; RHEL 6 drops them in favour of semanage permissive -a <domain>_t, and its per-service booleans are named after what they allow (httpd_enable_homedirs, ftp_home_dir and so on):
[root@host2a ~]# setsebool named_disable_trans 1
[root@host2a ~]# getsebool named_disable_trans
named_disable_trans --> on
Use the following command to find which of these booleans are set:
getsebool -a | grep disable.*on
httpd_disable_trans=1
mysqld_disable_trans=1
ntpd_disable_trans=1
You can set any number of boolean values in one setsebool command. The -P option writes them into the policy so they survive a reboot; without it the change is lost at the next boot:
setsebool -P httpd_disable_trans=1 mysqld_disable_trans=1 ntpd_disable_trans=1
You can also use togglesebool:
[root@host2a ~]# getsebool httpd_disable_trans
httpd_disable_trans --> off
[root@host2a ~]# togglesebool httpd_disable_trans
httpd_disable_trans: active
You can configure all of these settings using system-config-selinux. The same configuration files are used, so changes appear bidirectionally. On RHEL 6, semanage boolean -l lists each boolean with a one-line description of what it allows.
- Diagnose and address routine SELinux policy violations
This section describes some common tasks that a security analyst might need to perform on an SELinux system.
As part of an SELinux analysis or troubleshooting exercise, you might choose to enable complete kernel-level auditing. This can be quite verbose, because it generates one or more additional audit messages for each AVC audit message. To enable this level of auditing, append the audit=1 parameter to your kernel boot line, either in the /etc/grub.conf file or on the GRUB menu at boot time.
This is an example of a full audit log entry when httpd is denied access to ~/public_html because the directory is not labeled as Web content. Notice that the time and serial number stamps in the audit(...) field are identical in each case. This makes it easier to track a specific event in the audit logs:
Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \
avc: denied { getattr } for pid=2239 exe=/usr/sbin/httpd \
path=/home/auser/public_html dev=hdb2 ino=921135 \
scontext=user_u:system_r:httpd_t \
tcontext=system_u:object_r:user_home_t tclass=dir
Read it as: the source process (scontext, running in the httpd_t domain) was denied the getattr permission on the target (tcontext, of type user_home_t), an object of class dir. The target type is the clue: user_home_t is not a type httpd_t may read, so the fix is to relabel public_html (chcon -t httpd_user_content_t, or semanage fcontext followed by restorecon) or to turn on the httpd_enable_homedirs boolean, not to write an allow rule.
The following audit message tells more about the source, including the kind of system call involved, showing that httpd tried to stat the directory:
Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \
syscall=195 exit=4294967283 a0=9ef88e0 a1=bfecc0d4 a2=a97ff4 \
a3=bfecc0d4 items=1 pid=2239 loginuid=-1 uid=48 gid=48 euid=48 \
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
The following message provides more information about the target:
Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \
item=0 name=/home/auser/public_html inode=921135 dev=00:00
The serial number stamp is always identical for a particular audited event. The time stamp may or may not be identical.
Note
The messages above are in the RHEL 4 syslog format. RHEL 5 and 6 ship and enable the audit daemon, which writes AVC records to /var/log/audit/audit.log rather than /var/log/messages (in the form type=AVC msg=audit(...): avc: denied { ... }); ausearch -m avc -ts recent finds them, and sealert -a /var/log/audit/audit.log (from setroubleshoot-server) explains each denial and proposes a fix. audit2allow -a turns denials into a policy module; read what it proposes before installing it, since it will just as happily allow the very access the policy was meant to block.
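An added example, not from the original notes, that pulls the parts that matter (source domain, permission, target type, object class, path) out of AVC denial lines and summarises them the way audit2allow -a does, so the decision between relabelling, a boolean and a policy module can be made from the evidence. The first sample line is the page's own syslog-format entry; the other two are constructed RHEL 6 style audit.log records, including the :s0 level.

```shell
#!/bin/sh
# Added example, not part of the original notes: extract the useful parts of
# AVC denials and summarise them the way audit2allow -a does.  Line 1 is the
# page's own syslog-format entry; lines 2 and 3 are constructed RHEL 6 style
# /var/log/audit/audit.log records (with :s0 levels).
AVC_SAMPLE='Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): avc: denied { getattr } for pid=2239 exe=/usr/sbin/httpd path=/home/auser/public_html dev=hdb2 ino=921135 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir
type=AVC msg=audit(1300000000.123:45): avc:  denied  { read } for  pid=3001 comm="httpd" name="index.html" dev=dm-2 ino=1234 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1300000000.124:46): avc:  denied  { read } for  pid=3001 comm="httpd" name="style.css" dev=dm-2 ino=1235 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# "source_type permission target_type class", one line per denial.  Reads the
# sample unless log text is passed as $1, e.g. "$(grep avc: /var/log/audit/audit.log)".
avc_fields() {
    printf '%s\n' "${1:-$AVC_SAMPLE}" |
    sed -n 's/.*avc: *denied *{ *\([^}]*\)} .*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([a-z_]*\).*/\2 \1 \3 \4/p' |
    sed 's/  */ /g'
}

# Identical denials collapsed with a count, like the summary audit2allow prints.
avc_summary() { avc_fields | sort | uniq -c | sed 's/^ *//'; }

# Paths or names the denials were about: candidates for restorecon -Rv / chcon.
avc_paths() {
    printf '%s\n' "$AVC_SAMPLE" |
    sed -n -e 's/.*path=\([^ ]*\).*/\1/p' -e 's/.*name="\([^"]*\)".*/\1/p' | sort -u
}

# The allow rules audit2allow would write.  Read them, do not install them
# blindly: here the target type user_home_t says the files are mislabelled
# home-directory content, so relabelling (or httpd_enable_homedirs) is the fix.
avc_allow_rules() {
    avc_summary | awk '{ printf "allow %s %s:%s { %s };\n", $2, $4, $5, $3 }' | sort -u
}

echo "denials:"; avc_summary
echo "objects:"; avc_paths
echo "what audit2allow would propose:"; avc_allow_rules
```

The summary is the same shape whatever the log format, because the scontext=, tcontext= and tclass= keys are present in both the syslog and the auditd records; only the prefix and the optional level differ.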