Linux File System Deep Dive: The Hidden Directories Every Cybersecurity Analyst Must Master + Video

Introduction:

The Linux file system is not just a hierarchy of folders—it is the backbone of system security, incident response, and forensic analysis. For cybersecurity professionals, understanding the purpose of directories like /proc, /var, and /etc transforms routine log checks into proactive threat hunting and system hardening.

Learning Objectives:

– Navigate and audit critical Linux directories using command-line tools for security assessments
– Perform real-time incident response by analyzing logs, processes, and configuration files
– Automate privilege escalation detection and system hardening checks across Linux environments

You Should Know:

1. System Hardening Through /etc – Auditing Configuration Vulnerabilities

The /etc directory stores system-wide configuration files. Misconfigurations here are a leading cause of breaches. Below is a step‑by‑step guide to auditing key files.

Step‑by‑step guide:

1. Check password and shadow file permissions

`sudo ls -l /etc/passwd /etc/shadow`

Expected: `-rw-r--r--` for passwd and `-r--------` for shadow (on Debian/Ubuntu shadow ships as `-rw-r-----` owned by `root:shadow`). Anything looser on shadow exposes password hashes to offline cracking.

2. Find world‑writable config files

`sudo find /etc -type f -perm -o+w -ls`

World‑writable files can be modified by any user—a privilege escalation vector.

3. Verify sudoers syntax

`sudo visudo -c`

A corrupted sudoers file can lock out administrative access.

4. List all users with UID 0 (root equivalents)

`sudo awk -F: '($3 == 0) {print}' /etc/passwd`

Only root should have UID 0. Additional entries indicate backdoors.

5. Audit SSH daemon security

`sudo grep -E "PermitRootLogin|PasswordAuthentication|Protocol" /etc/ssh/sshd_config`

Ensure `PermitRootLogin no` and `PasswordAuthentication no` for production.
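The five checks above are quick to run by hand but easy to skip, so they are worth scripting. The following is an added example, not code from the original post: POSIX shell functions that implement the permission check from step 1, the world-writable test from step 2 and the UID 0 scan from step 4. The passwd/shadow pair, the temporary directory and the `svc` backdoor account are constructed sample data for the demo; pointing `audit_etc` at `/etc/passwd` and `/etc/shadow` audits a live host.

```shell
#!/bin/sh
# Added example (not from the original post): audit a passwd/shadow pair for
# the conditions described in steps 1, 2 and 4 of the /etc section.
# Usage on a live host: audit_etc /etc/passwd /etc/shadow

# Print every account other than "root" whose UID is 0 (step 4).
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Return 0 when the file is NOT world-writable (step 2).
not_world_writable() {
    [ -z "$(find "$1" -maxdepth 0 -perm /o+w)" ]
}

# Return 0 when no group or other permission bit is set at all (step 1, shadow).
owner_only() {
    [ -z "$(find "$1" -maxdepth 0 -perm /g+rwx,o+rwx)" ]
}

# Run all checks, print one FAIL line per finding, return the finding count.
audit_etc() {
    passwd=$1; shadow=$2; fails=0
    not_world_writable "$passwd" || { echo "FAIL: $passwd is world-writable"; fails=$((fails + 1)); }
    owner_only "$shadow" || { echo "FAIL: $shadow is readable beyond its owner"; fails=$((fails + 1)); }
    for u in $(extra_uid0 "$passwd"); do
        echo "FAIL: account '$u' has UID 0"; fails=$((fails + 1))
    done
    return $fails
}

# Constructed sample: a planted "svc" account with UID 0 and a shadow file
# left group-readable (mode 640). Both should be reported as findings.
make_sample() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/bash\n' > "$d/passwd"
    printf 'root:*:19000:0:99999:7:::\n' > "$d/shadow"
    chmod 644 "$d/passwd"
    chmod 640 "$d/shadow"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample)
    audit_etc "$d/passwd" "$d/shadow"
    echo "findings: $?"
fi
```

`find -perm /mode` (any of the listed bits set) is used instead of parsing `ls -l` output so the checks do not depend on column layout; the function return value doubles as an exit code a cron job or CI step can act on.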

2. Real‑Time Log Analysis in /var – Detecting Intrusions with journalctl and grep

/var contains variable data, most critically logs under /var/log. During incident response, these files reveal attacker behavior.

Step‑by‑step guide:

1. View authentication failures

`sudo grep "Failed password" /var/log/auth.log` (Debian/Ubuntu) or `/var/log/secure` (RHEL/CentOS)

2. Monitor live SSH connection attempts

`sudo tail -f /var/log/auth.log | grep "Accepted"`

3. Extract IPs with most brute‑force attempts

`sudo grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr`

4. Use journalctl for systemd systems

`sudo journalctl -u sshd --since "1 hour ago" -p err` (the unit is named `ssh` on Debian/Ubuntu)

Shows SSH errors from the last hour.

5. Check for log deletion

`sudo find /var/log -name "*.log" -exec stat --format '%n %y' {} \; | grep -v "2026"`

Unusually old or missing timestamps may indicate tampering.
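Steps 1 to 3 amount to one triage pipeline, and it is worth having it as a script that does not depend on the exact field position of the address. The following is an added example, not code from the original post: POSIX shell functions that pull the source address of every `Failed password` line by anchoring on the word `from` (which works for both `for root from X` and `for invalid user admin from X`), rank addresses by attempt count, flag those over a threshold, and list successful logins for correlation. The sshd log lines are constructed sample data using documentation addresses (203.0.113.5, 198.51.100.7) so the script runs without `/var/log/auth.log`; pass the real log as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): SSH brute-force triage over an
# auth.log-style file. Usage: top_failed_ips /var/log/auth.log

# One source address per "Failed password" line. Anchoring on "from" copes
# with the extra "invalid user" words that shift fixed field positions.
failed_ips() {
    awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' "$1"
}

# "count address" pairs, busiest address first.
top_failed_ips() {
    failed_ips "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Addresses with at least $2 failures (the brute-force threshold).
brute_force_ips() {
    top_failed_ips "$1" | awk -v t="$2" '$1 + 0 >= t + 0 { print $2 }'
}

# Successful logins as "user address method": a burst of failures followed
# by an Accepted line from the same address is the pattern to look for.
accepted_logins() {
    awk '/Accepted/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "Accepted") m = $(i + 1)
            if ($i == "for")      u = $(i + 1)
            if ($i == "from")     a = $(i + 1)
        }
        print u, a, m
    }' "$1"
}

# Constructed sample log: three failures from 203.0.113.5, one failure and
# then a key-based success for alice from 198.51.100.7.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  3 10:01:12 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 host sshd[1234]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:19 host sshd[1235]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  3 10:02:01 host sshd[1240]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:02:30 host sshd[1241]: Accepted publickey for alice from 198.51.100.7 port 40010 ssh2
EOF
    echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
    log=$(make_sample_log)
    echo "== failures per address =="; top_failed_ips "$log"
    echo "== brute-force candidates (>= 3) =="; brute_force_ips "$log" 3
    echo "== accepted logins =="; accepted_logins "$log"
fi
```

On a live host, run the same functions over `/var/log/auth.log` (or `/var/log/secure`) and feed `brute_force_ips` into your blocklist or ticketing step; the threshold is a tuning knob, not a fixed rule.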

3. Process Forensics in /proc – Uncovering Hidden Malware

The /proc virtual file system exposes kernel and process information. Attackers often hide processes—/proc does not lie.

Step‑by‑step guide:

1. List all running processes with their binary paths

`sudo ls -l /proc/[0-9]*/exe 2>/dev/null | grep "(deleted)"`

Processes marked `(deleted)` may indicate a running binary removed from disk (a common malware evasion). Drop the `grep` to see every process's binary path.

2. Check process environment variables for secrets

`sudo strings /proc/<PID>/environ | grep -E "KEY|SECRET|PASS"`

Replace `<PID>` with the process ID.

3. Identify processes with open network sockets

`sudo netstat -tulpn` or `sudo ss -tulpn`

Correlate with `/proc/<PID>/net/tcp` for detailed views.

4. Find processes running from unusual mount points

`sudo ls -l /proc/[0-9]*/cwd 2>/dev/null | grep -E "/tmp|/dev/shm|/var/tmp"`

Malware often executes from temporary directories.

5. Detect rootkits hiding from ps

`sudo cat /proc/<PID>/cmdline | tr '\0' ' '` (arguments are NUL-separated) – if a process appears in /proc but not in `ps`, a kernel‑level rootkit may be active.
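Step 3 points at `/proc/<PID>/net/tcp`, and step 5 makes the case for not trusting `ps`, `ss` or `netstat` on a host where a rootkit is suspected. That file stores addresses as little-endian hex, so a small decoder is useful. The following is an added example, not code from the original post: POSIX shell functions that decode the hex address:port pairs and the state column, plus a lookup from socket inode to owning PID through `/proc/<PID>/fd` (the same link `ss -p` uses). The two table rows are constructed sample data; on a live host run `decode_proc_tcp /proc/net/tcp`.

```shell
#!/bin/sh
# Added example (not from the original post): decode /proc/net/tcp without
# relying on ss or netstat. Usage: decode_proc_tcp /proc/net/tcp

# "0100007F:0016" -> "127.0.0.1:22". The IPv4 address is a little-endian
# 32-bit value, so octets come out of the hex string in reverse order; the
# port is big-endian and converts directly.
hex_to_addr() {
    ip=${1%%:*}
    port=${1##*:}
    o4=$(printf '%d' "0x$(printf '%s' "$ip" | cut -c1-2)")
    o3=$(printf '%d' "0x$(printf '%s' "$ip" | cut -c3-4)")
    o2=$(printf '%d' "0x$(printf '%s' "$ip" | cut -c5-6)")
    o1=$(printf '%d' "0x$(printf '%s' "$ip" | cut -c7-8)")
    printf '%s.%s.%s.%s:%d\n' "$o1" "$o2" "$o3" "$o4" "0x$port"
}

# Kernel TCP state codes (include/net/tcp_states.h).
tcp_state() {
    case $1 in
        01) echo ESTABLISHED ;; 02) echo SYN_SENT ;;   03) echo SYN_RECV ;;
        04) echo FIN_WAIT1 ;;   05) echo FIN_WAIT2 ;;  06) echo TIME_WAIT ;;
        07) echo CLOSE ;;       08) echo CLOSE_WAIT ;; 09) echo LAST_ACK ;;
        0A) echo LISTEN ;;      0B) echo CLOSING ;;    *) echo "UNKNOWN($1)" ;;
    esac
}

# One line per socket: local remote state uid inode.
decode_proc_tcp() {
    tail -n +2 "$1" | while read -r sl laddr raddr st queues timer retr uid timeout inode rest; do
        printf '%s %s %s uid=%s inode=%s\n' \
            "$(hex_to_addr "$laddr")" "$(hex_to_addr "$raddr")" "$(tcp_state "$st")" "$uid" "$inode"
    done
}

# Map a socket inode back to the PID holding it (needs root to see other
# users' descriptors). This is the bridge from the socket table to /proc/<PID>.
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
        return 0
    done
    return 1
}

# Constructed sample in the kernel's table format: a listener on :22 and an
# established loopback session to it owned by uid 1000.
make_sample_tcp() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:8AE2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
EOF
    echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
    decode_proc_tcp "$(make_sample_tcp)"
fi
```

A socket whose inode resolves to a PID that `ps` does not show is exactly the discrepancy step 5 describes; `/proc/net/tcp6` uses the same layout with 128-bit addresses and is decoded the same way, four 32-bit words at a time.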

4. Privilege Escalation Checks in /home, /tmp, and /root

These directories are prime targets for attackers seeking to elevate privileges.

Step‑by‑step guide:

1. Search for SUID/SGID binaries

`sudo find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null`

The parentheses matter: without them `-type f` applies only to the `-perm -2000` branch. Overly permissive SUID binaries (e.g., `find`, `vim`, `nmap`) can be exploited.

2. Identify writable files in /root

`sudo ls -la /root/` – only root should have write access.

3. Check /tmp for shared object hijacking

`find /tmp -type f -name "*.so" 2>/dev/null`

Attackers drop malicious libraries in world‑writable locations.

4. Examine user history files

`sudo cat /home/*/.bash_history | grep -E "sudo|passwd|chmod|ssh"`

Historical commands often reveal credentials or misconfigurations.

5. Automated privilege escalation scan using LinPEAS

`curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh`

(Review the script before piping to sh in production.)
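Step 1 returns a long list on any real host, so the useful form of the check is a diff against a known-good baseline taken from a freshly built system. The following is an added example, not code from the original post: a POSIX shell function that lists SUID/SGID files below a root (with the `find` expression parenthesised so `-type f` applies to both branches) and a second one that reports anything not in a baseline file. The sample tree, the baseline and the planted `tmp/.x` binary are constructed in a temporary directory; the baseline path `/var/lib/suid-baseline.txt` in the usage comment is a hypothetical location, not a standard file.

```shell
#!/bin/sh
# Added example (not from the original post): SUID/SGID drift detection.
# Usage: list_suid / > /var/lib/suid-baseline.txt      (on a trusted, fresh host)
#        unexpected_suid / /var/lib/suid-baseline.txt  (later, on the same host)
# The baseline path is a hypothetical choice for this example.

# All regular files with the setuid or setgid bit below $1, sorted.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# SUID/SGID files present now but absent from the baseline. comm exits 0
# even when nothing is reported, unlike a grep -v -f filter.
unexpected_suid() {
    root=$1
    baseline=$2
    current=$(mktemp)
    list_suid "$root" > "$current"
    sort "$baseline" | comm -13 - "$current"
    rm -f "$current"
}

# Constructed sample tree: a legitimate SUID passwd, an SGID helper, a plain
# binary, and a SUID file planted under tmp/ that the baseline does not list.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/usr/lib" "$d/tmp"
    : > "$d/usr/bin/passwd"; chmod 4755 "$d/usr/bin/passwd"
    : > "$d/usr/lib/helper"; chmod 2755 "$d/usr/lib/helper"
    : > "$d/usr/bin/ls";     chmod 0755 "$d/usr/bin/ls"
    : > "$d/tmp/.x";         chmod 4755 "$d/tmp/.x"
    printf '%s\n' "$d/usr/bin/passwd" "$d/usr/lib/helper" > "$d/baseline.txt"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_tree)
    echo "== all SUID/SGID files =="; list_suid "$d"
    echo "== not in baseline =="; unexpected_suid "$d" "$d/baseline.txt"
fi
```

Regenerate the baseline after package upgrades, otherwise every legitimately updated SUID binary path change shows up as drift; a non-empty result from `unexpected_suid` on a production host is the condition to alert on.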

5. Cloud & Container Hardening – Applying Linux File System Principles to Kubernetes

The same directory logic applies to containers and cloud VMs. Misconfigured volume mounts are a common cloud security gap.

Step‑by‑step guide:

1. Inspect container file system from the host

`docker run -it --rm -v /:/host alpine ls /host`

Shows that containers can see the host's root if not properly isolated.

2. Check for exposed Kubernetes secrets

`find /var/lib/kubelet/pods/ -name "secrets" -type d 2>/dev/null`

Secrets mounted as volumes may be readable by unauthorized pods.

3. Audit read‑only root file systems

In Docker: `docker inspect --format='{{.HostConfig.ReadonlyRootfs}}' <container>`

Read‑only root prevents many binary replacement attacks.

4. Detect privilege escalation in cloud init scripts

`grep -r "chmod 777" /var/lib/cloud/instances/`

Cloud‑init scripts that set world‑writable permissions are a common oversight.

5. Use Linux capabilities to restrict containers

`capsh --print` – then drop dangerous capabilities like `CAP_SYS_ADMIN` in your Kubernetes security context.

6. Cross‑Platform Commands: Windows Equivalents for Linux File System Analysis

For SOC analysts working hybrid environments, knowing Windows analogs speeds up incident response.

| Linux Command / Path | Windows Equivalent | Purpose |
|---|---|---|
| `/var/log/auth.log` | `Event Viewer → Security Log` (Event ID 4625) | Failed logins |
| `ls -la /etc/passwd` | `icacls C:\Windows\System32\config\SAM` | File permissions |
| `ps aux` | `Get-Process` (PowerShell) | Process listing |
| `lsof -i :22` | `netstat -ano \| findstr :22` | Listening ports |
| `find / -perm -4000` | `wmic process get name,executablepath` (limited) | SUID equivalent (Setuid on Windows is rare) |
| `cat /proc/cpuinfo` | `Get-WmiObject -Class Win32_Processor` | Hardware info |

Step‑by‑step for Windows file system security:

1. List world‑writable directories (analogous to `/tmp` abuse)

`icacls C:\Users\Public\ /T | findstr "(F)"`

2. Check for scheduled tasks (like cron in Linux)

`schtasks /query /fo LIST /v | findstr "Task To Run"`

3. Audit PowerShell history

`Get-Content (Get-PSReadlineOption).HistorySavePath`

What Undercode Say:

– Key Takeaway 1: The Linux file system is a map of attack surfaces. Every directory—/tmp, /var, /proc—offers a unique telemetry source. Mastering `find`, `grep`, and `/proc` inspection alone can catch 80% of low‑sophistication compromises.
– Key Takeaway 2: Hardening is not about tools but about understanding data flows. For example, world‑writable files in /etc or SUID binaries in /home are configuration failures, not exploit complexity. Proactive audits using the commands above reduce mean time to detection (MTTD) from weeks to minutes.
– Analysis: The post’s emphasis on directory purposes is foundational, yet most junior analysts stop at `ls -l`. Real security value comes from combining directories (e.g., correlating `/var/log` with `/proc` PIDs). Training courses should move from memorizing paths to scripting automated health checks. Additionally, cloud environments inherit these same Linux structures—container escapes often leverage /proc or /sys misconfigurations. The future of blue team operations will embed these checks into CI/CD pipelines, treating file system hygiene as code.

Prediction:

– +1 Increased adoption of eBPF-based monitoring tools that visualize /proc and /sys activity in real time, making hidden process detection instantaneous.
– -1 Misconfigured /tmp and /dev/shm permissions will remain among the top five initial access vectors for container breakouts, driving a surge in runtime security products.
– +1 Linux file system mastery will become a mandatory certification domain for SOC Tier 2 and above, similar to network packet analysis today.
– -1 Attackers will increasingly target /var/log/journal to erase systemd logs, forcing defenders to implement remote log shipping as a baseline control.
– +1 Automated hardening scripts (e.g., Lynis, OpenSCAP) that baseline /etc permissions will integrate natively with cloud workload security platforms, reducing manual audit overhead.


IT/Security Reporter URL:

Reported By: [Linux Cybersecurity](https://www.linkedin.com/posts/linux-cybersecurity-sysadmin-share-7465105999318786048-YXP1/) – Hackers Feeds