Thursday 13 January 2011

Red Hat EX200 Objectives and solutions

I. Understand and Use Essential Tools

  • Access a shell prompt and issue commands with correct syntax
         Applications --> System Tools ---> Terminal
         or
         press function keys to access pseudo consoles to type commands
             shell prompt (command line) refers to the Linux command prompt whre we enter commands for execution.
              $ cal 2011


    • Use input-output redirection (>, >>, |, 2>, etc.)
           The BASH shell allows you to redirect input, output and error messages to allow programs and commands to read input from something other than the keyboard and send output and errors to something other than the terminal window.

    File Descriptor   
    Symbol
    Associated Digit   
    Descriptor     
     stdin
     <
     0
     Standard input   
     stdout
     >
     1
     Standard output   
     stderr
     >
     2
     Standard error
             Table: I/O/E Redirection Symbols
       
          Redirecting Standard Input
        
          $ mailx user2 < file1    ( Get input to mailx command from file1 file)

          Redirecting Standard Output

          $ sort file1 > sort.out   ( Redirect the output to sort.out file)     
          $ sort file1 >> sort.out  ( appent to output to sort.out file) 

         Redirecting Standard Error

         Error redirection sends any error messages generated to an alternate destination such as a file, instead of sending them to the terminal window. 

         $ find / -name core -print 2> /dev/null 

         Redirecting both Standard Output and Error

          $ ls /etc/ /cdr 1> testfile1 2>&1
          $ ls /etc/ /cdr &> testfile1
    • Use grep and regular expressions to analyze text
         grep (global regular expression print) searches contents of one or more specified files for a regular expression. If found, it prints every line containing the expression on the screen without changing the original file contents.


       
          for example, to search for the pattern "user1" in the /etc/passwd file:

           $ grep user1 /etc/passwd
            user1:x:501:501::/home/user1:/bin/bash
        
         to search for all the users beginning with user:


           $ grep "user*" /etc/passwd
           usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
           saslauth:x:497:495:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
           user1:x:501:501::/home/user1:/bin/bash
           user2:x:502:502::/home/user2:/bin/bash
         To search for all occurrences of the pattern "user1" in both the /etc/passwd and /etc/group files:

         $ grep user1 /etc/passwd /etc/group
        /etc/passwd:user1:x:501:501::/home/user1:/bin/bash
        /etc/group:user1:x:501:
        To display only the names of those files that contain the pattern "user1" from the specified file list use :

        $ grep -l  
       

    • Access remote systems using ssh and VNC
     check whether the required packages are installed. then we can use ssh and vnc as follows:

    $ ssh user@remotesystem

    we can either use vncviewer  in commandline and X windows session to connect to the vnc server running on remote systems.
    • Log in and switch users in multi-user runlevels
    log in using the username and passwords in runlevel 3 (in text mode) and graphically in run level 5
    • Archive, compress, unpack and uncompress files using tar, star, gzip, and bzip2

    star -xattr -H=exustar -c -f all_web.star public_html/ web_files/
    tar xvzf file.tar.gz
    tar cvzf file.tar.gz files
    
    
    gunzip patch-2.5.28.gz
    • Create and edit text files
    Use vi, nano, emacs, gedit etc  text editors
    • Create, delete, copy and move files and directories
    touch, mv, rm , mv , cp

    for directories use -r for recursive option
    • Create hard and soft links
    ln hardlink1 file1

    ln -s softlink1 file1
    • List, set and change standard ugo/rwx permissions
    ls -l or ll

    chmod

    numerics -- symbolic

    1 -- execute-- x

    2 -- write-- w

    4 -- read-- r
    • Locate, read and use system documentation including man, info, and files in /usr/share/doc .
      [Note: Red Hat may use applications during the exam that are not included in Red Hat Enterprise Linux for the purpose of evaluating candidate's abilities to meet this objective.]
    read the documentation accordingly using:

    man command
    info commnad
    and files in /usr/share/doc

    II. Operate Running Systems

    • Boot, reboot, and shut down a system normally
    power on the machine to boot it

    reboot command can be used to reboot the machine

    shutdown command with -h option to halt or -r option to reboot with time mostly 'now'

    • Boot systems into different runlevels manually
    init runlevel
    • Use single-user mode to gain access to a system
    init 1 or telinit 1

    at the boot time edit the grub menu and at the end of the kernel entry append 1 or S to boot into single user mode
    • Identify CPU/memory intensive processes, adjust process priority with renice, and kill processes
    ps aux

    ps -ef

    top

    kill 

    nice

    renice 
    • Locate and interpret system log files
    /var/log/messages

    /var/log/*


    • Access a virtual machine's console
    xm console

    virsh console

    virt-viewer
    • Start and stop virtual machines
    xm create < vm >

    xm destroy

    xm shutdown

    xm restart

    virsh option
    • Start, stop and check the status of network services
    /sbin/service status/start/stop/restart

    /etc/init.d/service status/start/stop/restart

    III. Configure Local Storage

    • List, create, delete and set partition type for primary, extended, and logical partitions 
    Use fdisk diskname and type m for help on the commands and use the neccesssary command

    for listing the partitions in fdisk: type p

    for creating a new partition: type n , select whether it should be primary/extended and  specify the required amount of space

    for creating the system id of a partition  in fdisk:  type t, and for help type L then select the required id such as 83 for linux  and 8e for Linux LVM etc. Then type w to save the changes to the partition table.

    Further we can create the required filesystem using 'mkfs.ext(x) partition' or use LVM tools for creating logical volumes accordingly then format with neccessary filesystem.

    • Create and remove physical volumes, assign physical volumes to volume groups, create and delete logical volumes
    to create a physical volume create a partition on the disk using fdisk utility as mentioned above and select the system id for the partition as 8e which is Linux LVM

    then use the following commands to create the logical volume groups:

    pvcreate -v /dev/sda1 /dev/sda2
    vgcreate -v -s 32 vg-testvm /dev/sda1 /dev/sda2
    lvcreate -v -L 4g -n lv-home vg-testvm
    lvcreate -v -L 2g -n lv-var vg-testvm
    to remove 
    # lvremove /dev/vg-testvm/lv-home
    # vgremove /dev/vg-testvm
    # pvremove /dev/sda1
    Use vgdisplay -v and lvdisplay -v to see your new creations and complete details. My own naming convention is to use "vg" to indicate a volume group, and "lv" for a logical volume. So you see the structure here: the volume group is your total LVM storage space, which is comprised of several physical disk partitions, and then you have to divide your volume group into logical groups, or even just one logical group.
    The -v switch turns on verbosity so you know what it's doing, and -s 32 creates physical extents that are 32 megabytes in size. Extents are often shrouded in mystery because no one bothers to explain them, but actually they're not mysterious at all. Physical extents are LVM's individual storage blocks, so the smallest possible size for a logical volume is a single extent. There is a maximum of 65,536 extents available per Linux kernel. The default size is 4 MB, which limits the maximum size of your volume group to about 256 GB. You can calculate a reasonable extent size by dividing the desired size of your volume by 65K. Extent sizes must be a power of 2, so round up to the next one and leave room for growth. Extent size doesn't affect performance, just your storage allocations. Extents are fixed when you create your volume group, so you can't change them later.
    You have to increase or decrease the size of your volumes according to your extents, so here we're limited to 32 MB increments. The maximum possible size of a logical volume for 2.6 kernels is 16 terabytes on 32-bit systems, and 8 exabytes on 64-bit systems.
    Now it's time to put filesystems and mountpoints on your logical volumes. Logical volumes are akin to physical disk partitions, so "lv-home" is going to be /home, and "lv-var" is /var:
    # mkfs.xfs /dev/vg-testvm/lv-home
    # mkfs.ext3 /dev/vg-testvm/lv-var
    You may use any filesystem you want. Now create your mountpoints, adjust permissions and ownership, and then create your /etc/fstab entries. You can use either the /dev names or UUIDs:
    /dev/vg-testvm/lv-home /home xfs defaults 0 2
    /dev/vg-testvm/lv-var /var ext3 defaults 0 2

    UUID=8d566d0e /dev/vg-testvm/lv-home /home xfs defaults 0 2
    UUID=681919d5 /dev/vg-testvm/lv-var /var ext3 defaults 0 2
    The UUIDs are truncated to conserve pixels. vgdisplay -v shows your UUIDs. Now you can reboot or manually mount your new logical volumes, and you're ready to start using them just like physical disk partitions.

    Increasing the Size of a Logical Volume

    Follow these steps to add a physical disk partition to an existing logical volume:
    pvcreate -v /dev/sdb1
    vgextend vg-testvm /dev/sdb1
    lvextend -L+10G
    Then you must resize your filesystem using the resizing command specific to your filesystem. ReiserFS can be safely resized while mounted, and XFS must be mounted. Ext2/3 should be unmounted first:
    umount /var
    resize2fs -p /dev/vg-testvm/lv-var
    mount /var
    The others look like this:
    resize_reiserfs /dev/volumegroup/logical-volume
    xfs_growfs /home
    ReiserFS uses the /dev name, and XFS uses the name of the mountpoint. JFS is rather complicated
    • Create and configure LUKS-encrypted partitions and logical volumes to prompt for password and mount a decrypted file system at boot
    The following procedure will reconfigure and format your /home. The procedure is for single-user computers or computers that are shared between trusted users.
    The following procedure will wipe all your existing data, so be sure to have a tested backup before you start. This also requires you to have a separate partition for /home (in my case that is /dev/VG00/LV_home). All the following must be done as root. Any of these steps failing means you must not continue until the step succeeded.

    Step-by-Step Instructions

    1. enter runlevel 1: telinit 1
    2. unmount your existing /homeumount /home
    3. if it fails use fuser to find and kill processes hogging /homefuser -mvk /home
    4. verify /home is not mounted any longer: cat /proc/mounts | grep home
    5. fill your partition with random data: dd if=/dev/urandom of=/dev/VG00/LV_home
    You're looking at a process that takes many hours, but it is imperative to do this in order to have good protection against break-in attempts. Just let it run overnight.
    1. initialize your partition: cryptsetup --verbose --verify-passphrase luksFormat /dev/VG00/LV_home
    2. open the newly encrypted device: cryptsetup luksOpen /dev/VG00/LV_home home
    3. check it's there: ls -l /dev/mapper | grep home
    4. create a filesystem: mkfs.ext3 /dev/mapper/home
    5. mount it: mount /dev/mapper/home /home
    6. check it's visible: df -h | grep home
    7. add the following to /etc/crypttabhome /dev/VG00/LV_home none
    8. edit your /etc/fstab, removing the old entry for /home and adding /dev/mapper/home /home ext3 defaults 1 2
    9. verify your fstab entry: mount /home
    10. restore default SELinux security contexts: /sbin/restorecon -v -R /home
    11. reboot: shutdown -r now
    12. The entry into /etc/crypttab makes your computer ask your luks passphrase on boot.
    13. Log in as root and restore your backup.

    we can create encrypted partitions at the time of installation by selecting the option available and providing the passphrase
    • Configure systems to mount file systems at boot by Universally Unique ID (UUID) or label
    to check UUID use blkid command on the device or partition

    then edit the /etc/fstab file accordingly as follows:

    UUID=d39b074c-9d46-4eab-a116-38d1a751c6fb /                       ext4    defaults        1 1
    UUID=ded0bcce-2769-411d-8eaa-453233a5b9e4 /boot                   ext4    defaults        1 2
    UUID=31379ba4-dce7-43f2-8679-5488aff9e82b /home                   ext4    defaults        1 2
    UUID=1e4a6b5d-5d10-44d6-a5ff-334cdc63e4a4 /putty                  ext4    defaults        1 2
    UUID=951da975-f039-42d4-86d5-42875a3d8b70 swap                    swap    defaults        0 0

    • Add new partitions, logical volumes and swap to a system non-destructively
    create the partiontions, logical volumes and swap using the fdisk utitiliy and add them while unmounted  

    IV. Create and Configure File Systems

    • Create, mount, unmount and use ext2, ext3 and ext4 file systems
    • Mount, unmount and use LUKS-encrypted file systems
    • Mount and unmount CIFS and NFS network file systems

    • Configure systems to mount ext4, LUKS-encrypted and network file systems automatically
    add entries in /etc/fstab and /etc/crypttab files using the UUID's and dev mapper paths respectively
    • Extend existing unencrypted ext4-formatted logical volumes
    lvextend
    • Create and configure set-GID directories for collaboration

    • Create and manage Access Control Lists (ACLs)

    mount -t ext3 -o acl  
    
    For example:
    mount -t ext3 -o acl /dev/VolGroup00/LogVol02 /work
    
    Alternatively, if the partition is listed in the /etc/fstab file, the entry for the partition can include the acloption:
    LABEL=/work      /work       ext3    acl        1 2
    
    If an ext3 file system is accessed via Samba and ACLs have

    setfacl -m u:andrius:rw /project/somefile
    
    To remove all the permissions for a user, group, or others, use the -x option and do not specify any permissions:
    setfacl -x  
    
    For example, to remove all permissions from the user with UID 500:
    setfacl -x u:500 /project/somefile


    To set a default ACL, add d: before the rule and specify a directory instead of a file name.
    For example, to set the default ACL for the /share/ directory to read and execute for users not in the user group (an access ACL for an individual file can override it):

    To determine the existing ACLs for a file or directory, use the getfacl command. In the example below, thegetfacl is used to determine the existing ACLs for a file.
    getfacl home/john/picture.png
    
    The above command returns the following output:
    # file: home/john/picture.png 
    # owner: john 
    # group: john 
    user::rw- 
    group::r-- 
    other::r--
    

    If a directory with a default ACL is specified, the default ACL is also displayed as illustrated below.
    [john@main /]$ getfacl home/sales/
    # file: home/sales/ 
    # owner: john 
    # group: john 
    user::rw- 
    user:barryg:r-- 

    setfacl -m d:o:rx /share
    • Diagnose and correct file permission problems

    V. Deploy, Configure and Maintain Systems

    • Configure networking and hostname resolution statically or dynamically
    edit the files in 

    /etc/sysconfig/network-scripts/ifcfg-eth* 

    with neccessary options such as

    IPADDR, BOOTPROTO, NETMASK, NETWORK, BROADCAST, GATEWAY, ONBOOT, HWADDR etc

    Edit /etc/sysconfig/network  file for specifying the hostname

    hostname can be assigned using the hostname command temporarily

    Edit /etc/resolv.conf file and specify 

    search parameters and nameserver parameters accordingly

    • Schedule tasks using cron
    crontab -e for editing specific user crontab

    # Each task to run has to be defined through a single line
    # indicating with different fields when the task will be run
    # and what command to run for the task
    #
    # To define the time you can provide concrete values for
    # minute (m), hour (h), day of month (dom), month (mon),
    # and day of week (dow) or use '*' in these fields (for 'any').#
    # Notice that tasks will be started based on the cron's system
    # daemon's notion of time and timezones.
    #
    # Output of the crontab jobs (including errors) is sent through
    # email to the user the crontab file belongs to (unless redirected).
    #
    # For example, you can run a backup of all your user accounts
    # at 5 a.m every week with:
    # 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
    #
    # For more information see the manual pages of crontab(5) and cron(8)


    # minutes  hour  dayofmonthy month dayofweek   command

    • Configure systems to boot into a specific runlevel automatically
    edit /etc/inittab file and specify the runlevel at the bottom entry which looks like:

    id:3:initdefault:

    • Install Red Hat Enterprise Linux automatically using Kickstart
    PXE boot  (Install tftp which is a xinetd managed service  then configure tftpboot with pxelinux configuration and pxelinux images)

    share the kickstart file using either nfs/http 

    provide the following information in kickstart file

    • Configure a physical machine to host virtual guests
    • Install Red Hat Enterprise Linux systems as virtual guests
    • Configure systems to launch virtual machines at boot

    • Configure network services to start automatically at boot
    chkconfig service on
    • Configure a system to run a default configuration HTTP server
    • Configure a system to run a default configuration FTP server

    • Install and update software packages from Red Hat Network, a remote repository, or from the local filesystem
    rpm -ivh 

    rpm -e

    yum install 

    yum groupinstall

    yum remove

    /etc/yum/repos.d for configuring repositories

    • Update the kernel package appropriately to ensure a bootable system
    #yum -y update kernel

    # rpm -Uvh /var/yum/repos.d/kernel/kernel-2xxxx
    • Modify the system bootloader
    Edit  /bootgrub/grub.conf file to change the bootloader and its options

    VI. Manage Users and Groups

    • Create, delete, and modify local user accounts
    useradd
    userdel
    usermod
    id
    • Change passwords and adjust password aging for local user accounts
    passwd
    chage 'user'

    • Create, delete and modify local groups and group memberships
    usermod -a -G unixadm balaji

    groupadd

    groupmod

    gpasswd


    • Configure a system to use an existing LDAP directory service for user and group information
    Install the Necessary LDAP Packages.
    First, make sure that the appropriate packages are installed on both the LDAP server and the LDAP client machines. The LDAP server needs the openldap-servers package.
    The openldapopenldap-clients, and nss_ldap packages need to be installed on all LDAP client machines.
    Edit the Configuration Files.
    • On the server, edit the /etc/openldap/slapd.conf file on the LDAP server to make sure it matches the specifics of the organization. 
    • On the client machines, both /etc/ldap.conf and /etc/openldap/ldap.conf need to contain the proper server and search base information for the organization.
      To do this, run the graphical Authentication Configuration Tool (system-config-authentication) and select Enable LDAP Support under the User Information tab.
      It is also possible to edit these files by hand.
    • On the client machines, the /etc/nsswitch.conf must be edited to use LDAP.
      To do this, run the Authentication Configuration Tool (system-config-authentication) and selectEnable LDAP Support under the User Information tab.
      If editing /etc/nsswitch.conf by hand, add ldap to the appropriate lines.
      For example:
      
      passwd: files ldap 
      shadow: files ldap 
      group: files ldap

    VII. Manage Security

    • Configure firewall settings using system-config-firewall or iptables
    run system-config-firewall as root and select the required configuration if X windows is installed

    /etc/sysconfig/iptables file can be edited according to the rules. 
    • Set enforcing and permissive modes for SELinux
     we can either edit /etc/sysconfig/selinux or run system-config-selinux or
    use
    /usr/sbin/setenforce — Modifies in real-time the mode in which SELinux runs.
    For example:
    setenforce 1 — SELinux runs in enforcing mode.
    setenforce 0 — SELinux runs in permissive mode.
    To actually disable SELinux, you need to either specify the appropriate setenforce parameter in/etc/sysconfig/selinux or pass the parameter selinux=0 to the kernel, either in /etc/grub.conf or at boot time.
    • List and identify SELinux file and process context
    ll -Z 

    ps -ef -Z

    cp /mv -Z

    id -Z

    This section covers the specific roles enabled for the targeted policy. The unconfined_t type exists in every role, which significantly reduces the usefulness of roles in the targeted policy. More extensive use of roles requires a change to the strict policy paradigm, where every process runs in an individually considered domain.
    Effectively, there are only two roles in the targeted policy: system_r and object_r. The initial role is system_r, and everything else inherits that role. The remaining roles are defined for compatibility purposes between the targeted policy and the strict policy.[21]
    Three of the four roles are defined by the policy. The fourth role, object_r, is an implied role and is not found in policy source. Because roles are created and populated by types using one or more declarations in the policy, there is no single file that declares all roles. (Remember that the policy itself is generated from a number of separate files.)


    system_r
    This role is for all system processes except user processes:
    system_r (28 types)
        dhcpd_t
        httpd_helper_t
        httpd_php_t
        httpd_suexec_t
        httpd_sys_script_t
        httpd_t
        httpd_unconfined_script_t
        initrc_t
        ldconfig_t
        mailman_cgi_t
        mailman_mail_t
        mailman_queue_t
        mysqld_t
        named_t
        ndc_t
        nscd_t
        ntpd_t
        pegasus_t
        portmap_t
        postgresql_t
        snmpd_t
        squid_t
        syslogd_t
        system_mail_t
        unconfined_t
        winbind_helper_t
        winbind_t
        ypbind_t
    
    user_r
    This is the default user role for regular Linux users. In a strict policy, individual users might be used, allowing for the users to have special roles to perform privileged operations. In the targeted policy, all users run in the unconfined_t domain.
    object_r
    In SELinux, roles are not utilized for objects when RBAC is being used. Roles are strictly for subjects. This is because roles are task-oriented and they group together entities which perform actions (for example, processes). All such entities are collectively referred to as subjects. For this reason, all objects have the roleobject_r, and the role is only used as a placeholder in the label.
    sysadm_r
    This is the system administrator role in a strict policy. If you log in directly as the root user, the default role may actually be staff_r. If this is true, use the newrole -r sysadm_r command to change to the SELinux system administrator role to perform system administration tasks. In the targeted policy, the following retain sysadm_r for compatibility:
    sysadm_r (6 types)
        httpd_helper_t
        httpd_sys_script_t
        initrc_t
        ldconfig_t
        ndc_t
        unconfined_t
    
    There is effectively only one user identity in the targeted policy. The user_u identity was chosen becauselibselinux falls back to user_u as the default SELinux user identity. This occurs when there is no matching SELinux user for the Linux user who is logging in. Using user_u as the single user in the targeted policy makes it easier to change to the strict policy. The remaining users exist for compatibility with the strict policy.[22]
    The one exception is the SELinux user root. You may notice root as the user identity in a process's context. This occurs when the SELinux user root starts daemons from the command line, or restarts a daemon originally started by init.


    • Restore default file contexts
    chcon

    ex:  #chcon -R -t httpd_user_content_t public_html/
    # ls -Z


    restorecon

    Use the restorecon command to restore files to the default values according to the policy. There are two other methods for performing this operation that work on the entire file system: fixfiles or a policy relabeling operation
    ex: #/sbin/restorecon -R archives
    • Use boolean settings to modify system SELinux settings
    sestatus

    getsebool -a

    Use the getsebool command to get the current status of the boolean:

    [root@host2a ~]# getsebool named_disable_trans
    named_disable_trans --> off
    
    Use the following command to disable enforcing mode for this daemon:

    [root@host2a ~]# setsebool named_disable_trans 1
    
    [root@host2a ~]# getsebool named_disable_trans
    named_disable_trans --> on

    Use the following command to find which of these booleans are set:

    getsebool -a | grep disable.*on
    
    httpd_disable_trans=1
    mysqld_disable_trans=1
    ntpd_disable_trans=1
    
    You can set any number of boolean values using the setsebool command:

    setsebool -P httpd_disable_trans=1 mysqld_disable_trans=1 ntpd_disable_trans=1
    
    You can also use togglesebool  to change the value of a specific boolean:

    [root@host2a ~]# getsebool httpd_disable_trans
    httpd_disable_trans --> off
    
    [root@host2a ~]# togglesebool httpd_disable_trans
    httpd_disable_trans: active
    
    You can configure all of these settings using system-config-selinux. The same configuration files are used, so changes appear bidirectionally.
    • Diagnose and address routine SELinux policy violations
    his section describes some common tasks that a security analyst might need to perform on an SELinux system.

    44.3.1. Enabling Kernel Auditing

    As part of an SELinux analysis or troubleshooting exercise, you might choose to enable complete kernel-level auditing. This can be quite verbose, because it generates one or more additional audit messages for each AVC audit message. To enable this level of auditing, append the audit=1 parameter to your kernel boot line, either in the /etc/grub.conf file or on the GRUB menu at boot time.
    This is an example of a full audit log entry when httpd is denied access to ~/public_html because the directory is not labeled as Web content. Notice that the time and serial number stamps in the audit(...) field are identical in each case. This makes it easier to track a specific event in the audit logs:
    Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \
     avc:  denied  { getattr } for  pid=2239 exe=/usr/sbin/httpd \
     path=/home/auser/public_html dev=hdb2 ino=921135 \
     scontext=user_u:system_r:httpd_t \
     tcontext=system_u:object_r:user_home_t tclass=dir
    
    The following audit message tells more about the source, including the kind of system call involved, showing that httpd tried to stat the directory:
    Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \
     syscall=195 exit=4294967283 a0=9ef88e0 a1=bfecc0d4 a2=a97ff4 \
     a3=bfecc0d4 items=1 pid=2239 loginuid=-1 uid=48 gid=48 euid=48 \
     suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
    
    The following message provides more information about the target:
    Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \
     item=0 name=/home/auser/public_html inode=921135 dev=00:00
    
    The serial number stamp is always identical for a particular audited event. The time stamp may or may not be identical.

    Note

    If you are using an audit daemon for troubleshooting, the daemon may capture audit messages into a location other than /var/log/messages, such as /var/log/audit/audit.log. Red Hat Enterprise Linux 5 does not currently ship with an audit daemon.

    44.3.2. Dumping and Viewing Logs

    The Red Hat Enterprise Linux 5 implementation of SELinux routes AVC audit messages to /var/log/messages. You can use any of the standard search utilities (for example, grep), to search for lines containing avc or audit