CO-M9 Defensive Cyber Operations

Defensive cyber operations protect friendly cyberspace through monitoring, detection, and response.

Learning outcomes

What a student must demonstrate to claim coverage of this unit. Each outcome links to the skill drills that assess it.

1. CO-M9-O1 Analyze system and network log files to identify indicators of compromise.
2. CO-M9-O2 Harden operating system configurations against common attack vectors.

Exam questions that cite this unit

• CSCD240-E1-A-Q11 permissions-chmod Change permissions of notes.sh: owner rwx, group rx, other none. Use octal.
• CSCD240-E1-A-Q12 permissions-chmod Using only letters, remove write permission from the owner on notes.sh.
• CSCD240-E1-A-Q13 search-find Somewhere in the filesystem there is a file config.ini. Locate it.
• CSCD240-E1-A-Q14 grep-recursive Show the filenames containing "printf" in all .c files in home directory and subdirs.
• CSCD240-E1-A-Q26 rm-recursive Using absolute path, remove subdirectory scratch under /home/ssteiner. Not in home dir.
• CSCD240-E1-A-Q29 regex contacts.txt has Name<tab>number lines. Print only those whose number ends with 6.
• CSCD240-E1-A-Q34 grep Print lines of access.log containing 403 with their line numbers.
• CSCD240-E1-A-Q38 pipeline-distinct Count distinct lines in visitors.txt (unsorted input).
• CSCD240-E1-A-Q42 chmod-recursive Recursively change permissions in current dir so group and other have no write permission.
• CSCD240-E1-A-Q50 log-pipeline auth.log line format "2026-04-14 08:31 FAIL user=alex src=10.x". Print top-3 FAIL source IPs, count first, most-frequent first.
• CSCD240-E1-B-Q11 harden Remove setuid bit from /opt/app/runner without changing other permissions.
• CSCD240-E1-B-Q12 ownership Change owner AND group of /opt/app/runner to svc_app:svc_app in ONE command.
• CSCD240-E1-B-Q13 harden Recursively set permissions on ~/secrets/ so only owner has any access.
• CSCD240-E1-B-Q14 enum-misconfig Find every world-writable regular file under /var (common misconfig indicator).
• CSCD240-E1-B-Q18 log-search Print every line of auth.log containing "Failed password" (case-insensitive), with line numbers.
• CSCD240-E1-B-Q19 log-pipeline Top 5 source IPs in FAIL lines of auth.log, where IP is field 5.
• CSCD240-E1-B-Q20 log-pipeline Count distinct usernames on FAIL lines of auth.log where username is "user=<name>".
• CSCD240-E1-B-Q22 regex-alt Print lines of fw.log matching DENY OR DROP (extended regex).
• CSCD240-E1-B-Q23 grep-recursive Recursively search /etc for any file containing "password=" and print only filenames.
• CSCD240-E1-B-Q28 proc-forensics Suspect PID 31337 is a reverse shell. Print its full command line and working directory.
• CSCD240-E1-B-Q32 signals Send SIGHUP to PID 4112 to reload daemon config.
• CSCD240-E1-C-Q11 log-follow A log file is continuously updated. Which command shows new lines as written?
• CSCD240-E1-C-Q15 pipeline-distinct Which pipeline counts distinct values in column 1 of a CSV?
• CSCD240-E1-C-Q17 find Which command searches the filesystem for a file by name, suppressing permission-denied errors?
• CSCD240-E1-C-Q23 harden Remove the setuid bit from /opt/svc/agent using symbolic form, leaving other perms.
• CSCD240-E1-C-Q25 grep Print every line of auth.log containing "Failed password" (case-insensitive) with line numbers.
• CSCD240-E1-C-Q26 log-pipeline Top 5 source IPs appearing on FAIL lines of auth.log (IP = field 5).
• CSCD240-E1-C-Q27 log-pipeline List unique usernames appearing on FAIL lines of auth.log (user=<name>).
• CSCD240-E1-C-Q29 signals Send SIGHUP (signal 1) to PID 7120 so the daemon reloads config.
• CSCD240-E1-C-Q42 chmod-recursive-trap chmod -R 644 /etc/ssh — what broke and why?