Vulnarex | Elite Cybersecurity Learning Platform

#Linux Filesystem and Navigation#link

Before you can secure a Linux system, you need to understand how it is organized. The Linux filesystem has a specific structure that differs fundamentally from Windows. Every file, device, and process is represented in a single hierarchical tree starting at the root directory. Understanding this structure is essential for finding configuration files, investigating incidents, and navigating efficiently from the command line.

The Linux Directory Structure

Unlike Windows with its drive letters (C:, D:, etc.), Linux uses a single root directory (/) with everything branching from it. Here are the directories every security professional must know:

Directory	Purpose	Security Relevance
/	Root of the filesystem	Top of the hierarchy
/bin	Essential user binaries (ls, cp, cat)	Tampering = system compromise
/sbin	System binaries (fdisk, iptables)	Admin tools, often targeted
/etc	Configuration files	Critical — contains all system configs
/home	User home directories	User data, SSH keys, bash history
/root	Root user's home	Often overlooked in audits
/var	Variable data (logs, caches)	Log files, mail spools, web content
/var/log	System log files	Incident response goldmine
/tmp	Temporary files	Common malware staging area
/dev	Device files	Hardware access, potential attack vector
/proc	Process information (virtual)	Running process details, system info
/usr	User programs and libraries	Applications, shared libraries
/opt	Optional software	Third-party applications
/boot	Boot loader files	Tampering = bootkit potential

Essential Navigation Commands

Security professionals spend most of their time in the terminal. These commands are your bread and butter:

Basic Navigation Commands

root@vulnarex:~## Print working directory pwd # List directory contents (detailed) ls -la /etc # Change directory cd /var/log # Go to previous directory cd - # Go to home directory cd ~

File Operations for Security Work

Reading, searching, and analyzing files is a daily task for security professionals. These commands are indispensable:

File Reading and Searching

root@vulnarex:~## View file contents cat /etc/passwd # View with line numbers (useful for config files) cat -n /etc/ssh/sshd_config # Search for a pattern in a file grep "PermitRootLogin" /etc/ssh/sshd_config # Search recursively in a directory grep -r "password" /etc/ 2>/dev/null # Find files modified in the last 24 hours (incident response) find / -type f -mtime -1 2>/dev/null # Find SUID files (privilege escalation hunting) find / -perm -4000 -type f 2>/dev/null

info

💡 The find command is one of the most powerful tools in a security professional's toolkit. Use it to locate recently modified files, SUID binaries, world-writable files, and files owned by specific users during incident response.

Understanding /etc — The Configuration Heart

The /etc directory is the single most important directory for security professionals. It contains virtually every system configuration file. During audits and incident response, you will spend significant time here.

▪/etc/passwd — User account information (world-readable)
▪/etc/shadow — Encrypted password hashes (root-only)
▪/etc/group — Group definitions
▪/etc/ssh/sshd_config — SSH server configuration
▪/etc/hosts — Static hostname-to-IP mappings
▪/etc/resolv.conf — DNS resolver configuration
▪/etc/fstab — Filesystem mount table
▪/etc/crontab — System-wide scheduled tasks
▪/etc/sudoers — Sudo privilege definitions
▪/etc/pam.d/ — Pluggable Authentication Modules config

STRICT SECURE AUDIT RULE

⚠️ Never edit /etc/sudoers directly with a text editor. Always use 'visudo' which validates syntax before saving. A syntax error in sudoers can lock you out of all administrative access.

quiz BLOCK (★ 50 XP)

During an incident response investigation, you need to find all files modified in the last 24 hours across the entire filesystem. Which command should you use?

Select your proof vectors above