
Introduction:
In the world of IT infrastructure, the filesystem is not merely a storage structure; it is the very skeleton of the operating system. For a Windows user, everything lives under C:\, but for a Linux professional, the hierarchy begins at the root (/), a unified tree that dictates how devices, processes, and configurations interact. For cybersecurity analysts, understanding this hierarchy is akin to a detective knowing the layout of a crime scene—it is essential for identifying anomalies, hardening systems, and conducting forensic investigations.
Learning Objectives:
- Understand the functional purpose of the root directory and its subdirectories.
- Identify key log, configuration, and binary locations for system administration and security monitoring.
- Apply command-line tools to navigate, manage, and secure the Linux filesystem.
- Recognize common attack vectors and persistence mechanisms hidden within standard directories.
You Should Know:
- The Pillars of the System: `/bin`, `/sbin`, `/etc`, and `/lib`
The operating system cannot function without its core binaries and configuration files. The `/bin` directory houses essential user commands like `ls`, `cp`, and `mv`, which are available even in single-user mode. Similarly, `/sbin` contains system binaries, the critical tools for system administration such as `fdisk`, `iptables`, and `reboot`. Both directories are required for the system to boot; the initial RAM disk (initramfs) carries its own minimal copies of such tools so that the real root filesystem can be located and mounted.
The real control center, however, is `/etc`. This is where the global configuration files live. Whether you are managing network interfaces (`/etc/network/interfaces` or `/etc/sysconfig/network-scripts/`), defining system services (`/etc/systemd/system/`), or securing SSH access (`/etc/ssh/sshd_config`), everything passes through this directory. Alongside these binaries, the `/lib` and `/lib64` directories store the shared libraries (similar to `.dll` files in Windows) necessary to execute those commands.
Step‑by‑step guide:
To see how these interact, we can trace a system call. Open a terminal and run the following to check binary locations and their dependencies:
1. Locate a binary: `which ls` – This reveals `/bin/ls`, or `/usr/bin/ls` on merged-/usr distributions where `/bin` is itself a symlink to `/usr/bin`. `readlink -f "$(which ls)"` prints the real path either way.
2. Check dependencies: `ldd /bin/ls` – This lists the shared libraries required, pointing to paths like `/lib/x86_64-linux-gnu/libc.so.6`. Never run `ldd` on an untrusted binary (its man page warns that it may execute the program); for a suspicious file use `objdump -p <file> | grep NEEDED` instead.
3. Verify configuration: `grep -i '^PermitRootLogin' /etc/ssh/sshd_config` shows the explicitly set value. A line beginning with `#` is a comment documenting the default, not an active setting, and sshd honours only the first occurrence of a directive. `sshd -T | grep -i permitrootlogin` prints the effective value (including defaults and any files pulled in via `Include`), which is what an audit for `PermitRootLogin no` should rely on.
4. Syntax check: After editing a config, validate it with `sshd -t` or `nginx -t` to avoid service crashes.
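The SSH check in steps 3 and 4 hides two traps: sshd honours only the first occurrence of a directive, and a commented `#PermitRootLogin` line is not a setting at all. The following script is an added example, not code from the original post: it audits an `sshd_config`-style file with those rules. The sample config it ships with is constructed, and `sshd -T` remains the authoritative source for what the live daemon actually enforces.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file for
# the directives the steps above grep for. sshd honours only the FIRST
# occurrence of a directive and ignores commented lines, so a grep that
# matches "#PermitRootLogin yes" says nothing about the live setting.

# Usage: sshd_directive <config-file> <Directive>
# Prints the value sshd would use from the global section (first uncommented,
# case-insensitive match, stopping at the first Match block) or "unset".
sshd_directive() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                       # drop comments
        /^[[:space:]]*$/ { next }                # skip blank lines
        tolower($1) == "match" { exit }          # Match blocks are conditional
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Usage: audit_sshd_config <config-file>
# Prints one finding per line; silent and exit 0 when nothing is wrong.
audit_sshd_config() {
    cfg="$1"; findings=0
    v=$(sshd_directive "$cfg" PermitRootLogin)
    case "$v" in
        no)    ;;
        unset) echo "PermitRootLogin unset (default prohibit-password; set 'no' explicitly)"; findings=1 ;;
        *)     echo "PermitRootLogin $v (should be no)"; findings=1 ;;
    esac
    v=$(sshd_directive "$cfg" PasswordAuthentication)
    case "$v" in
        no) ;;
        *)  echo "PasswordAuthentication $v (should be no; use keys)"; findings=1 ;;
    esac
    v=$(sshd_directive "$cfg" X11Forwarding)
    case "$v" in
        yes) echo "X11Forwarding yes (disable unless required)"; findings=1 ;;
    esac
    return "$findings"
}

# Constructed sample config (hypothetical host) showing both traps: a
# commented directive and a duplicated one where the first occurrence wins.
demo_sshd_audit() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
#PermitRootLogin yes
Port 22
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PermitRootLogin no
EOF
    audit_sshd_config "$tmp"
    rm -f "$tmp"
}

# Run with "--demo" for the constructed sample; on a real host call
#   audit_sshd_config /etc/ssh/sshd_config
if [ "${1:-}" = "--demo" ]; then demo_sshd_audit; fi
```

On the sample the audit reports `PermitRootLogin unset` (the only setting is commented out) and `PasswordAuthentication yes` (the first of the two lines wins). Files pulled in through `Include` are not followed here, which is one more reason to confirm with `sshd -T` before closing a finding.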
- User Data and Application Storage: `/home`, `/root`, and `/usr`
User data segregation is critical for both security and administration. The `/home` directory contains personal files and user-specific configurations (dotfiles) for standard users. In contrast, `/root` is the home directory of the superuser, kept outside `/home` so that it remains available even when `/home` is a separate, network-mounted or unmounted filesystem. This segregation, enforced through ownership and permissions, ensures that standard users cannot modify the operating system's core files.
The `/usr` directory is one of the largest and most important secondary hierarchies. It is commonly expanded as "Unix System Resources" (a backronym; historically it held user home directories) and contains most user utilities and applications. It mimics the root structure (`/usr/bin`, `/usr/lib`, `/usr/local`) and holds the shareable, normally read-only bulk of installed software. If `/bin` is for survival, `/usr/bin` is for daily living. Security teams often monitor `/usr/local` for unauthorized installations: it is reserved for locally installed software, so the package manager does not track files there and integrity checks such as `rpm -Va` or `debsums` will never flag a tool an attacker drops into it.
Step‑by‑step guide:
- Explore disk usage: To find large home directories that might indicate data staging or rogue applications, run `du -sh /home/* | sort -h` (the trailing `*` is needed; `du -sh /home/` prints a single total).
- Check user home permissions: Run `ls -la /home/` to ensure home directories are not world-readable (`drwx------`, mode 700, is preferred for security).
- Analyze package integrity: Use `rpm -Va` (Red Hat) or `debsums -c` (Debian) to verify installed binaries against the package database, a crucial step in detecting trojanised binaries and user-space rootkits. Changed configuration files are expected; a changed binary is not. A kernel-level rootkit can lie to these tools, so for a compromised host verify from trusted media.
- Check for SUID binaries in `/usr/bin`: `find /usr/bin -perm -4000 -type f 2>/dev/null`. SUID binaries can be exploited for privilege escalation if misconfigured, and a SUID file that no package owns is a classic backdoor.
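The SUID check above is most useful as a diff against a known-good state. The script below is an added example, not code from the original post: it snapshots setuid/setgid files, diffs two snapshots, and looks up the owning package so that an unowned binary in `/usr/local/bin` stands out. The baseline and current lists it demonstrates with are constructed, hypothetical paths.

```shell
#!/bin/sh
# Added example (not from the original post): keep a baseline of setuid/setgid
# files and diff it against the live system, so a freshly dropped SUID binary
# (typically in /usr/local/bin, where the package manager will not flag it)
# stands out. Paths in the demo are hypothetical.

# Usage: suid_snapshot <dir>...  -> sorted list of setuid/setgid regular files
suid_snapshot() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | LC_ALL=C sort
}

# Usage: suid_diff <baseline> <current>   (both sorted, as suid_snapshot emits)
# "+ path": gained SUID/SGID since the baseline; "- path": lost it.
suid_diff() {
    LC_ALL=C comm -13 "$1" "$2" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$1" "$2" | sed 's/^/- /'
}

# Usage: suid_new_count <baseline> <current> -> number of additions
suid_new_count() {
    LC_ALL=C comm -13 "$1" "$2" | wc -l | tr -d ' '
}

# Usage: owner_package <path> -> owning package name, or NONE
# An unowned SUID binary is the classic sign of a hand-installed backdoor.
owner_package() {
    pkg=""
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$1" 2>/dev/null | head -n1 | cut -d: -f1)
    elif command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$1" 2>/dev/null) || pkg=""
    fi
    echo "${pkg:-NONE}"
}

# Usage: suid_report <baseline> <current>
# One line per new SUID/SGID file, with the package that owns it (or NONE).
suid_report() {
    LC_ALL=C comm -13 "$1" "$2" | while read -r path; do
        echo "NEW SUID/SGID: $path (package: $(owner_package "$path"))"
    done
}

# Constructed baseline and current snapshots (hypothetical paths) for a demo.
demo_suid_diff() {
    base=$(mktemp); cur=$(mktemp)
    printf '%s\n' /usr/bin/passwd /usr/bin/su /usr/bin/sudo | LC_ALL=C sort > "$base"
    printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/local/bin/helper | LC_ALL=C sort > "$cur"
    suid_diff "$base" "$cur"       # + /usr/local/bin/helper, then - /usr/bin/su
    rm -f "$base" "$cur"
}
```

In practice: run `suid_snapshot / > /var/lib/suid.baseline` right after a clean install, keep a copy off-host, and schedule `suid_snapshot / > /tmp/suid.now && suid_report /var/lib/suid.baseline /tmp/suid.now`. `-xdev` keeps `find` on one filesystem, so list each mounted filesystem you care about explicitly.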
- The Dynamic System State: `/var`, `/tmp`, and `/run`
These directories are the "living" parts of the Linux system, where data changes constantly. `/var` (variable data) is the repository for logs (`/var/log`), spool files (print and mail queues, `/var/spool`), caches (`/var/cache`), and temporary files that must persist across reboots (`/var/tmp`). For a SOC analyst, `/var/log` is the first stop during an investigation, containing `auth.log`, `syslog`, and application-specific logs (on Red Hat systems `secure` and `messages`; on journal-only systems the equivalent is `journalctl`).
On the other hand, `/tmp` is a temporary space writable by all users. This is a classic vector for privilege escalation attacks (e.g., symlink attacks or race conditions against a privileged process that creates predictable file names there). The mitigations are the sticky bit on the directory, the kernel's `fs.protected_symlinks` and `fs.protected_hardlinks` sysctls, a private `/tmp` per service (`PrivateTmp=yes` in systemd units), and mounting `/tmp` as `tmpfs` (RAM-backed) with `noexec,nosuid,nodev`, so nothing planted there can be executed or survives a reboot. Similarly, `/run` stores volatile runtime data since the last boot, such as process IDs (PIDs) and socket files for system services.
Step‑by‑step guide:
- Forensic log review: To detect brute-force attacks, analyze `/var/log/auth.log` (Debian/Ubuntu; `/var/log/secure` on Red Hat, or `journalctl -u sshd` on journal-only systems): `grep "Failed password" /var/log/auth.log | awk '{for (i=1;i<NF;i++) if ($i=="from") print $(i+1)}' | sort | uniq -c | sort -nr`. The last field of these lines is `ssh2`, not the source address, so `awk '{print $NF}'` would count the wrong thing.
- Hardening `/tmp`: Ensure `/tmp` is mounted with `noexec` and `nosuid` in `/etc/fstab` to prevent execution of malicious binaries, and apply it to the running system with `mount -o remount,noexec,nosuid /tmp`.
- Clearing logs safely: Use `journalctl --vacuum-size=100M` to delete archived journal files down to that size (active journals are left alone). Never truncate logs by hand on a host under investigation; ship them off-host first.
- Monitor `/run`: `ls -la /run/user/` shows the per-user runtime directories of logged-in sessions; `ls /run/*.pid /run/*/` lists the PID and socket files of running services, which is where an unexpected daemon betrays itself.
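The brute-force one-liner above is easy to get wrong: on `Failed password` lines the last field is `ssh2`, and the source address sits at a different position for valid and invalid usernames. Here is an added example (not code from the original post) that anchors on the token `from` instead and reports sources above a threshold; the log lines it runs over are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): count failed SSH logins per
# source address from auth.log-style lines. awk '{print $NF}' is the wrong
# field: the last token on these lines is "ssh2", and the address moves
# depending on whether the user existed ("for root from X") or not
# ("for invalid user admin from X"). Anchoring on the token "from" is stable.

# Usage: failed_logins_by_ip < auth.log -> "count ip" lines, busiest first
failed_logins_by_ip() {
    awk '
        /Failed password for/ {
            for (i = 1; i < NF; i++)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Usage: brute_force_sources <threshold> < auth.log -> addresses at/above threshold
brute_force_sources() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed auth.log excerpt (hypothetical host, documentation addresses).
SAMPLE_AUTH_LOG='Mar  3 10:01:12 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:01:18 web1 sshd[2103]: Failed password for invalid user test from 198.51.100.23 port 40011 ssh2
Mar  3 10:01:20 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51044 ssh2
Mar  3 10:02:01 web1 sshd[2110]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2'

# Demo on the constructed sample. On a live host use one of:
#   failed_logins_by_ip < /var/log/auth.log                 (Debian/Ubuntu)
#   failed_logins_by_ip < /var/log/secure                   (Red Hat family)
#   journalctl -u sshd --since today | failed_logins_by_ip  (journal-only)
demo_brute_force() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3   # -> 203.0.113.7
}
```

The two `root` lines and the `invalid user admin` line all resolve to `203.0.113.7`, which is exactly what the `$NF` version would have missed. Feed the output to your blocklist or SIEM rather than acting on a single day's count.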
- Hardware Abstraction and Kernel Interface: `/dev`, `/sys`, and `/proc`
The most powerful aspect of Linux is treating hardware as files. `/dev` contains device files that interface with hardware (e.g., `/dev/sda` for the first SCSI/SATA disk). `/sys` exposes kernel subsystems, hardware drivers, and device attributes. It is a virtual filesystem populated by the kernel, allowing real-time interaction with hardware parameters.
However, the crown jewel for cybersecurity is `/proc`, the process information pseudo-filesystem. It provides a window into the kernel's view of the system. For instance, `/proc/cpuinfo` shows processor details, but more importantly, `/proc/<PID>/` exposes each running process's environment variables (`environ`), open files (`fd/`), memory maps (`maps`), command line (`cmdline`) and executable (`exe`). Incident responders use this to dump memory or check for hidden processes.
Step‑by‑step guide:
- Discover attached drives: `lsblk` or `fdisk -l` (requires root) lists the disks and partitions exposed under `/dev`.
- Mount a device: If you plug in a USB drive, it might appear as `/dev/sdb1`. Mount it manually with `mkdir -p /mnt/usb && mount /dev/sdb1 /mnt/usb`; for evidence media add `-o ro,noexec` so nothing on it is modified or run.
- Check for hidden processes: An attacker may try to hide processes from `ps`. Compare what `ps auxf` reports with the PID directories in `/proc`: `ls -d /proc/[0-9]* | wc -l` (the pattern needs the trailing `*`; without it only single-digit PIDs match). A PID present in `/proc` but missing from `ps` points at a user-space rootkit.
- View file descriptors of a suspicious process: If you find a process PID (e.g., 1234), run `ls -la /proc/1234/fd` to see which files it has open, revealing deleted-but-still-open files (marked `(deleted)`), network sockets, or malware payloads. `/proc/1234/exe` points at the running binary even if it has been removed from disk, and `cp /proc/1234/exe /evidence/` recovers it.
- Dump a process's memory: A plain `cat /proc/1234/mem > memory_dump.bin` fails with an I/O error at the first unmapped address. Read only the ranges listed in `/proc/1234/maps` (with `dd` and `skip=`), or use a tool such as `gcore` from gdb. Either way you need ptrace rights over the target (root, or the same user where `kernel.yama.ptrace_scope` permits).
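The two `/proc` steps above, comparing `ps` with `/proc` and dumping process memory, are worth seeing in working form. The script below is an added example, not code from the original post: `hidden_pids` does the comparison with a re-check that filters out the pipeline's own short-lived helper processes, and `dump_process_memory` reads only the readable ranges from `/proc/PID/maps`, because a plain `cat` of `/proc/PID/mem` fails at the first unmapped address. The `maps` excerpt it demonstrates with is constructed, and the `dd` flags are GNU coreutils specific.

```shell
#!/bin/sh
# Added example (not from the original post): two /proc techniques from the
# steps above, done in a way that actually works.
#  1. hidden_pids: PIDs that exist in /proc but that ps does not report, the
#     footprint of a user-space rootkit filtering readdir()/ps output.
#  2. dump_process_memory: /proc/PID/mem cannot simply be cat'ed (EIO at the
#     first unmapped address); read only the readable ranges from /proc/PID/maps.
# Linux only; the dd options used are GNU coreutils (iflag=*_bytes, status=none).

# Usage: hidden_pids -> one PID per line (run as root for a complete view)
hidden_pids() {
    a=$(mktemp); b=$(mktemp)
    ps -eo pid= | tr -d ' ' | LC_ALL=C sort > "$a"
    ls -d /proc/[0-9]* 2>/dev/null | sed 's#^/proc/##' | LC_ALL=C sort > "$b"
    # comm -13: only in the /proc list. Re-check that the directory still exists
    # so this pipeline's own transient helpers (ls, sed, sort) are not reported.
    LC_ALL=C comm -13 "$a" "$b" | while read -r pid; do
        [ -d "/proc/$pid" ] && echo "$pid"
    done
    rm -f "$a" "$b"
}

# Usage: readable_regions < /proc/PID/maps -> "start end" (hex) per readable
# mapping, skipping [vvar] and [vsyscall], which the kernel refuses to serve.
readable_regions() {
    awk '$2 ~ /^r/ && $6 != "[vvar]" && $6 != "[vsyscall]" {
             split($1, a, "-"); print a[1], a[2] }'
}

# Usage: readable_regions < maps | readable_bytes -> total bytes those regions cover
readable_bytes() {
    total=0
    while read -r start end; do
        total=$(( total + 0x$end - 0x$start ))
    done
    echo "$total"
}

# Usage: dump_process_memory <pid> <outfile>
# Appends every readable region to <outfile> and records "start end offset" in
# <outfile>.idx so an address in the dump can be mapped back to the process.
# Needs ptrace rights on the target (root, or same uid with
# kernel.yama.ptrace_scope=0); regions that cannot be read are skipped.
dump_process_memory() {
    pid="$1"; out="$2"
    : > "$out"; : > "$out.idx"
    readable_regions < "/proc/$pid/maps" | while read -r start end; do
        len=$(( 0x$end - 0x$start ))
        offset=$(wc -c < "$out" | tr -d ' ')
        if dd if="/proc/$pid/mem" iflag=skip_bytes,count_bytes bs=65536 \
              skip=$(( 0x$start )) count="$len" status=none >> "$out" 2>/dev/null; then
            printf '%s %s %s\n' "$start" "$end" "$offset" >> "$out.idx"
        fi
    done
}

# Constructed /proc/PID/maps excerpt (hypothetical process) for demonstration.
SAMPLE_MAPS='5600a3c00000-5600a3c04000 r--p 00000000 fd:01 1312 /usr/bin/sleep
5600a3c04000-5600a3c0b000 r-xp 00004000 fd:01 1312 /usr/bin/sleep
7ffd2a1e0000-7ffd2a201000 rw-p 00000000 00:00 0 [stack]
7ffd2a3b7000-7ffd2a3bb000 r--p 00000000 00:00 0 [vvar]
7ffd2a3bb000-7ffd2a3bd000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]'

# Demo: four readable regions totalling 188416 bytes in the constructed maps.
demo_regions() {
    printf '%s\n' "$SAMPLE_MAPS" | readable_regions | readable_bytes
}
```

Run `hidden_pids` twice before trusting a hit: a legitimate process that exits between `ps` and the `/proc` listing can still slip through once. For the dump, `dump_process_memory 1234 /evidence/1234.mem` produces a raw concatenation plus an index; the index is what lets `strings -t x` offsets be translated back to virtual addresses, which a plain `cat` could never have given you.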
5. Boot and Recovery: `/boot` and `/mnt`
The `/boot` directory contains the kernel (vmlinuz) and bootloader (GRUB) files. Misconfigurations here can prevent the system from starting. During a ransomware or rootkit infection, attackers often modify the boot process to load malware early or to hide from the operating system.
`/mnt` and `/media` are used for mounting filesystems temporarily. `/mnt` is often used for manual system recovery. For example, if the system is unbootable, a live CD is used to mount the root file system onto `/mnt/sysimage` to repair or chroot into the environment.
Step‑by‑step guide:
- Protect the bootloader: Set a GRUB password to prevent single-user mode bypasses. Generate a hash with `grub2-mkpasswd-pbkdf2` (`grub-mkpasswd-pbkdf2` on Debian), add `set superusers="root"` and the `password_pbkdf2 root <hash>` line to `/etc/grub.d/40_custom`, then regenerate the configuration with `grub2-mkconfig -o /boot/grub2/grub.cfg` (or `update-grub`). Red Hat systems also ship `grub2-setpassword`, which does these steps for you.
- Backup the kernel: `cp /boot/vmlinuz-$(uname -r) /backup/`.
- Recover a broken system: Boot into a rescue mode, mount your root drive to `/mnt`, then `chroot /mnt /bin/bash` to fix passwords or configurations. If `/boot` or `/usr` live on separate partitions, mount them under `/mnt` first or the chroot will be missing tools and kernels.
- Check for modified kernel modules: `lsmod` lists loaded modules; cross-check anything unexpected with `modinfo <name>` (no signature, or no owning package, deserves scrutiny) and read `/proc/sys/kernel/tainted`: a non-zero value means the kernel has been tainted, for instance by an unsigned, out-of-tree or proprietary module or a forced load, and `cat /sys/module/<name>/taint` shows which module contributed.
6. Understanding the Link Between Directories
In modern Linux, the structure is highly symbolic. For instance, `/bin` is often a symbolic link to /usr/bin. This consolidation means that understanding the actual file location versus the symlink is crucial for forensics, as attackers may manipulate these links to redirect execution to malicious scripts.
Windows Comparison:
- Linux `/bin` → Windows `C:\Windows\System32` (Core executables)
- Linux `/etc` → Windows Registry (SYSTEM hive) (Configuration)
- Linux `/var/log` → Windows Event Logs (`C:\Windows\System32\winevt\Logs`)
- Linux `/tmp` → Windows `C:\Users\<username>\AppData\Local\Temp`
Command for Windows Admin:
If managing a hybrid environment, WSL gives you a real Linux tree to explore from Windows (`wsl ls -l /`), and the table above maps each Linux location to its Windows counterpart. On Linux itself, use `ls -l /bin` to see which entries are symlinks.
Step‑by‑step guide:
- Trace a symlink: `ls -l /bin/sh` usually points to `dash` (Debian/Ubuntu) or `bash` (Red Hat); `readlink -f /bin/sh` resolves the whole chain to the final binary.
- Check for mount points: `findmnt` (or `mount | column -t`) shows how the disk layout is structured and which options each filesystem is mounted with.
- Use `find` for forensics: To find all `.sh` files on the root filesystem, run `find / -xdev -name "*.sh" -exec ls -la {} \;` and inspect them manually; add `-mtime -7` to restrict the search to files changed in the last seven days.
7. Security Hardening Checklist across these Directories
To secure the environment, administrators should focus on write permissions, mount options and sticky bits:
- `/tmp` should have the sticky bit set (mode 1777), meaning only a file's owner, the directory owner, or root can delete or rename it.
- `/home` should enforce strict permissions (each user's directory owned by that user, mode 700 or 750).
- `/var/tmp` (persistent temp) needs the same `noexec,nosuid,nodev` mount options as `/tmp`.
Step‑by‑step guide:
- Set sticky bit on world-writable directories: `chmod 1777 /tmp /var/tmp`.
- Partition hardening: Modify `/etc/fstab` to include `nodev,noexec,nosuid` for `/tmp`, `/var/tmp` and `/dev/shm`, and `nodev,nosuid` for `/home` and `/var`. Do not put `noexec` on `/var` itself: dpkg executes maintainer scripts from `/var/lib/dpkg/info` and package installs will break. Confirm the live options with `findmnt -no OPTIONS /tmp`.
- Automated scanning: Install `lynis` (`apt install lynis`) and run `lynis audit system` to test these settings.
- Monitor file integrity: Use `aide` (Advanced Intrusion Detection Environment) to check for modifications in `/etc`, `/bin`, and `/usr/bin`. Initialize it with `aideinit` (Debian) or `aide --init`, and keep the resulting database off-host or on read-only media; a database left on the host can simply be regenerated by an attacker with root.
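To make the checklist testable, here is an added example (not code from the original post) that audits `/etc/fstab`-style entries against per-mount-point requirements and lists world-writable directories missing the sticky bit. The fstab it demonstrates with is constructed; the required options are the ones this section recommends, with the caveat that `/var` itself must not get `noexec`.

```shell
#!/bin/sh
# Added example (not from the original post): check /etc/fstab-style entries
# against the mount options this checklist calls for, and list world-writable
# directories missing the sticky bit. Requirements are per mount point on
# purpose: noexec on /var itself breaks dpkg/rpm (maintainer scripts run from
# /var/lib/dpkg/info), so /var and /home only get nodev,nosuid.

# Usage: audit_fstab < /etc/fstab -> "mountpoint missing: opt [opt...]" per finding
audit_fstab() {
    awk '
        function required(mp) {
            if (mp == "/tmp" || mp == "/var/tmp" || mp == "/dev/shm") return "nodev,noexec,nosuid"
            if (mp == "/home" || mp == "/var" || mp == "/var/log")   return "nodev,nosuid"
            return ""
        }
        /^[[:space:]]*#/ || NF < 4 { next }          # comments, blanks, junk
        {
            req = required($2); if (req == "") next
            split("", have)                            # clear the per-line set
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) have[opts[i]] = 1
            m = split(req, want, ","); missing = ""
            for (i = 1; i <= m; i++) if (!(want[i] in have)) missing = missing " " want[i]
            if (missing != "") print $2 " missing:" missing
        }
    '
}

# Usage: audit_fstab_count < /etc/fstab -> number of mount points with findings
audit_fstab_count() {
    audit_fstab | wc -l | tr -d ' '
}

# Usage: unsticky_world_writable [root] -> world-writable dirs lacking the sticky bit
# Without the sticky bit any user can delete or rename another user's files there.
unsticky_world_writable() {
    find "${1:-/}" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Constructed fstab (hypothetical host) used by the demo.
SAMPLE_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
UUID=1111-2222 /        ext4  defaults                     0 1
UUID=3333-4444 /home    ext4  defaults,nodev               0 2
tmpfs          /tmp     tmpfs defaults,nodev,nosuid,noexec 0 0
UUID=5555-6666 /var     ext4  defaults                     0 2
tmpfs          /dev/shm tmpfs defaults                     0 0'

# Demo on the constructed sample; on a live host: audit_fstab < /etc/fstab
demo_fstab_audit() {
    printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab
    # /home missing: nosuid
    # /var missing: nodev nosuid
    # /dev/shm missing: nodev noexec nosuid
}
```

`audit_fstab` only reads the file; pair it with `findmnt -no OPTIONS <mountpoint>` to confirm the running kernel agrees, since a `mount -o remount` or a systemd mount unit can diverge from fstab. Run `unsticky_world_writable /` as root after any package rollout that creates shared directories.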
What Undercode Say:
- Key Takeaway 1: The Linux filesystem is a fundamental pillar of security. Every directory has a specific purpose, and mastering this map is essential for identifying anomalies, whether it is a rogue binary in `/tmp` or an unexpected key in `/root/.ssh/authorized_keys`.
- Key Takeaway 2: Security is not just about the perimeter but about internal configuration. Properly mounting directories with `noexec` and `nosuid`, and monitoring `/proc` and `/var/log`, often gives the first warning signs of a breach, long before a firewall alerts you.
Analysis:
Undercode emphasizes that the Linux filesystem is not a static entity but a dynamic ecosystem reflecting the state of the machine. For security professionals, knowing where to look—be it the `/var/log` for attack patterns, `/usr/local` for unauthorized tools, or `/proc` for memory analysis—reduces Mean Time to Detect (MTTD). The distinction between system-owned and user-owned spaces is a core defense mechanism. Attackers rely on blurring these lines (e.g., installing malware in /tmp). By internalizing the hierarchy, a defender moves from reactive patching to proactive threat hunting, ensuring the integrity of the entire OS from boot (/boot) to shutdown.
Prediction:
- +1 As containerization (Docker/Kubernetes) continues to dominate, understanding the Linux filesystem will become even more critical for securing container escapes and namespace isolation.
- +1 The rise of eBPF observability will allow security teams to monitor these directories with unprecedented granularity, making real-time detection of filesystem abuse standard.
- -1 However, as systems become more complex with merged `/usr` (UsrMerge), misconfigurations in symlinks could lead to widespread system failures if a package manager overwrites a critical binary.
- +1 Certification tracks (RHCSA, LFCS) will increasingly emphasize forensic analysis within these directories, pushing the industry toward a “zero-trust” filesystem approach.