30 min. 60 XP.
Backups + Cron = Self-Healing Configs
Even a basic cron job that runs every 60 seconds and restores critical configs from a known-good tarball will undo most red-team tampering automatically. This lesson covers the three parts: capturing the golden snapshot, writing the restore script, and wiring it up in cron.
Prerequisites
DCWF roles:
IT-411 Technical Support Specialist
IT-451 System Administrator
CS-521 Cyber Defense Infrastructure Support Specialist
SE-627 DevSecOps Specialist
Services:
SSH Login
SMB Login
DNS INT FWD
WWW Port 80
Postgres Access
Objectives
- Create a golden-config tarball at competition start
- Write a restore script that's idempotent and fast (<2s)
- Schedule the script via cron every 60 seconds
- Verify the cron is actually running
- Decide which services to auto-restart as a secondary defense
Quick reference
| Command | Purpose |
|---|---|
| `tar -czf /root/golden.tar.gz /etc/ssh /etc/samba /etc/bind /etc/apache2 /etc/postgresql` | Create golden tarball |
| `tar -xzf /root/golden.tar.gz -C /` | Restore into place |
| `crontab -e` | Edit current user's crontab |
| `crontab -l` | List current user's crontab |
| `systemctl list-timers` | See active systemd timers (cron alternative) |
| `journalctl -u cron --since '10 minutes ago'` | Verify cron fired |
Common pitfalls
- The paths inside the tarball are absolute, so restoring overwrites the host's paths (good here, dangerous elsewhere)
- Using `cp` instead of `tar` leaves old files in place that shouldn't be there
- Cron runs the script with a minimal environment: always use full paths in cron scripts
- Forgetting to `systemctl reload <service>` after restoring the config
- Running the restore while you're editing a config: it clobbers your edits
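As an added example (not the lesson's own code), here is one restore script that puts the quick-reference commands and the pitfalls above together: PATH pinned for cron's minimal environment, only directories that were actually captured are touched, stray files the golden tree does not contain are removed, and a unit is reloaded only when its directory really changed. The directory-to-unit mapping (Debian/Ubuntu unit names), the `RELOAD_CMD` override and the `ROOT` variable (so the same script can be exercised against a scratch directory instead of `/`) are assumptions of this example.

```sh
#!/bin/sh
# Added example of the restore script this lesson calls for; not the lesson's own code.
# Assumptions (hypothetical): GOLDEN is the tarball from the quick reference, ROOT the restore
# root (/ in competition, a scratch dir when testing), SERVICES maps each captured directory to
# the Debian/Ubuntu unit to reload, RELOAD_CMD can be overridden. Crontab line (as root):
#   * * * * * /usr/bin/flock -n /run/golden.lock /root/restore.sh restore >>/var/log/golden-restore.log 2>&1
PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH   # cron's environment is minimal: pin PATH
GOLDEN="${GOLDEN:-/root/golden.tar.gz}"
ROOT="${ROOT:-/}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload-or-restart}"
SERVICES="etc/ssh=ssh etc/samba=smbd etc/bind=named etc/apache2=apache2 etc/postgresql=postgresql"

snapshot_golden() {  # competition start: snapshot_golden etc/ssh etc/samba ... (paths relative to
  tar -czf "$GOLDEN" -C "$ROOT" "$@"   # ROOT; tar stores the quick-reference absolute paths the same way)
}

tree_sum() {  # one checksum over file names + contents under $ROOT/$1: cheap "did anything change?"
  d="$ROOT/$1"
  [ -d "$d" ] || { echo missing; return 0; }
  (cd "$d" && find . -type f | LC_ALL=C sort | while read -r f; do cksum "$f"; done) | cksum
}

prune_strays() {  # $1 = dir, $2 = tarball member list: delete live files the golden tree lacks
  (cd "$ROOT" && find "$1" -type f) | while read -r f; do
    printf '%s\n' "$2" | grep -qxF "$f" && continue
    rm -f "$ROOT/$f" && echo "removed stray $f"
  done
}

restore_golden() {  # idempotent: an untouched tree is left alone and nothing gets reloaded
  members=$(tar -tzf "$GOLDEN")
  for pair in $SERVICES; do
    dir=${pair%%=*}; unit=${pair#*=}
    # a directory that was never captured is skipped, never "healed" into an empty one
    printf '%s\n' "$members" | grep -q "^$dir/" || continue
    before=$(tree_sum "$dir")
    [ -d "$ROOT/$dir" ] && prune_strays "$dir" "$members"
    tar -xzpf "$GOLDEN" -C "$ROOT" "$dir"    # overwrite whatever was left behind
    after=$(tree_sum "$dir")
    [ "$before" = "$after" ] && continue
    echo "restored $dir"
    $RELOAD_CMD "$unit"   # the reload the pitfalls warn about forgetting
  done
  return 0
}

case "${1:-}" in
  snapshot) shift; snapshot_golden "$@" ;;
  restore)  restore_golden ;;
esac
```

Run `restore.sh snapshot etc/ssh etc/samba etc/bind etc/apache2 etc/postgresql` once at competition start; the cron line then calls `restore.sh restore` every minute and only ever prints (and reloads) when something was actually put back.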
Skill drills
1. Cron line for 'every minute'? `* * * * *`
2. Command to list your crontab? `crontab -l`
3. Tar flag for gzip compression? `-z` (as in `-czf`)
4. Where cron stores per-user crontabs on most Linux? `/var/spool/cron/crontabs/`
NCAE scoreboard patterns this lesson prevents
- 2,502.8 SSH Login. Failed to connect to host: IP
- 44.4 SSH Login. The following users failed to authenticate with their public key: nills, vetomo
- 44.4 SSH Login. The following users failed to authenticate with their public key: vetomo, nills
- 36.1 SSH Login. The following users failed to authenticate with their public key: simone_weil, todd_k
- 36.1 SSH Login. The following users failed to authenticate with their public key: vetomo, todd_k
- 30.6 SSH Login. The following users failed to authenticate with their public key: claude_chevalley
- 27.8 SSH Login. The following users failed to authenticate with their public key: claude_chevalley, simone_weil
- 27.8 SSH Login. The following users failed to authenticate with their public key: nills, simone_weil
- 27.8 SSH Login. The following users failed to authenticate with their public key: nills, todd_k
- 25 SSH Login. The following users failed to authenticate with their public key: simone_weil, vetomo, claude_chevalley
- 25 SSH Login. The following users failed to authenticate with their public key: nills
- 25 SSH Login. The following users failed to authenticate with their public key: simone_weil, nills
- 22.2 SSH Login. The following users failed to authenticate with their public key: vetomo, claude_chevalley
- 22.2 SSH Login. The following users failed to authenticate with their public key: vetomo
- 19.4 SSH Login. The following users failed to authenticate with their public key: simone_weil, vetomo, nills