CSCD240-S26-L08

Lecture 8. Pipes, filters, grep, sort, uniq, wc, tar

Delivered 2026-04-09

Key topics: ["pipe","grep","sort","uniq","wc","tar","find"]

Authority mappings

DCWF roles: CE-463 Host Analyst CS-511 Cyber Defense Analyst IT-451 System Administrator

Knowledge Units: CD-BSP Basic Scripting and Programming CD-OSC Operating Systems Concepts

Exam questions that cite this lecture

CSCD240-E1-A-Q14 grep-recursive Show the filenames containing "printf" in all .c files in home directory and subdirs.
CSCD240-E1-A-Q17 process-listing Display PID and full process info for all processes containing "python".
CSCD240-E1-A-Q18 process-definition Define what a process is.
CSCD240-E1-A-Q19 job-vs-process Define what a job is and explain how jobs differ from processes.
CSCD240-E1-A-Q20 background Execute firefox and allow the shell to be used for other activities.
CSCD240-E1-A-Q21 jobs-output Firefox running in background; nothing else. What does typing jobs print?
CSCD240-E1-A-Q22 reading-comprehension 3 jobs: 1) firefox 2) gedit 3) code. Bring kate to foreground — give the command.
CSCD240-E1-A-Q23 signal ./daemon &. Terminate the JOB daemon (no other jobs active).
CSCD240-E1-A-Q24 process-termination ./daemon &. Terminate the PROCESS via PID (PID=7291). Show PID discovery AND kill.
CSCD240-E1-A-Q29 regex contacts.txt has Name<tab>number lines. Print only those whose number ends with 6.
CSCD240-E1-A-Q30 archive Create gzip-compressed tarball backup.tar.gz of all .txt files in pwd.
CSCD240-E1-A-Q34 grep Print lines of access.log containing 403 with their line numbers.
CSCD240-E1-A-Q37 field-extract data.csv has comma-separated records. Print just the second column.
CSCD240-E1-A-Q38 pipeline-distinct Count distinct lines in visitors.txt (unsorted input).
CSCD240-E1-A-Q47 priority PID 9142 — reduce priority (increase nice value to +10) without stopping it.
CSCD240-E1-A-Q50 log-pipeline auth.log line format "2026-04-14 08:31 FAIL user=alex src=10.x". Print top-3 FAIL source IPs, count first, most-frequent first.
CSCD240-E1-B-Q10 enum-setuid Locate every setuid-root file on the filesystem; suppress permission-denied noise.
CSCD240-E1-B-Q18 log-search Print every line of auth.log containing "Failed password" (case-insensitive), with line numbers.
CSCD240-E1-B-Q19 log-pipeline Top 5 source IPs in FAIL lines of auth.log, where IP is field 5.
CSCD240-E1-B-Q20 log-pipeline Count distinct usernames on FAIL lines of auth.log where username is "user=<name>".
CSCD240-E1-B-Q21 field-extract Print the second column of data.csv (comma-separated).
CSCD240-E1-B-Q22 regex-alt Print lines of fw.log matching DENY OR DROP (extended regex).
CSCD240-E1-B-Q23 grep-recursive Recursively search /etc for any file containing "password=" and print only filenames.
CSCD240-E1-B-Q24 process-def Define process including PID and memory.
CSCD240-E1-B-Q25 job-vs-process Define job and distinguish from process.
CSCD240-E1-B-Q26 ps List every process system-wide with PID, PPID, user, and command line.
CSCD240-E1-B-Q27 process-filter Show every process whose command line contains "cron".
CSCD240-E1-B-Q29 jobs-output ./beacon &. What exact line does jobs print?
CSCD240-E1-B-Q30 trick Jobs: 1) beacon 2) tunnel 3) listener. Bring exfil to foreground.
CSCD240-E1-B-Q31 signals Process 31337 refuses SIGTERM. Terminate unconditionally.
CSCD240-E1-B-Q32 signals Send SIGHUP to PID 4112 to reload daemon config.
CSCD240-E1-B-Q50 archive-evidence Create gzip-compressed tarball evidence.tar.gz of every .log in /var/log/.
CSCD240-E1-C-Q03 ps Which command lists every process system-wide in BSD-style output with full command line?
CSCD240-E1-C-Q08 signals Which signal cannot be caught, blocked, or ignored?
CSCD240-E1-C-Q13 enum-misconfig Find every regular file under /var that is world-writable?
CSCD240-E1-C-Q15 pipeline-distinct Which pipeline counts distinct values in column 1 of a CSV?
CSCD240-E1-C-Q25 grep Print every line of auth.log containing "Failed password" (case-insensitive) with line numbers.
CSCD240-E1-C-Q26 log-pipeline Top 5 source IPs appearing on FAIL lines of auth.log (IP = field 5).
CSCD240-E1-C-Q29 signals Send SIGHUP (signal 1) to PID 7120 so the daemon reloads config.
CSCD240-E1-C-Q31 archive Create gzipped tarball ir-evidence.tar.gz of every .log in /var/log/.
CSCD240-E1-C-Q35 archive-extract Extract the archive case-123.tar.gz into the current directory.
CSCD240-E1-C-Q37 ps Show all processes owned by user apache, system-wide.
CSCD240-E1-C-Q44 debug-pipeline cat access.log | grep admin | wc -l returns 0 when log has admin hits. Two reasons?