Skip to content
SecForge
Hero illustration for: Linux fundamentals for security, the working subset.
LEVEL 2 CYBERSECURITY

Linux fundamentals for security, the working subset.

The 25 commands you will type every day, the five you will type in a hurry, and the file permissions that decide who owns the box.

13 min read SecForge Research

Most "intro to Linux" material teaches you Linux as a Unix system. We are going to teach you Linux as a security workstation — what you actually do at the keyboard during recon, triage, and post-exploitation.

The shell, in one paragraph

The shell is a program that reads a line, runs it, and prints output. Three special characters do most of the work: | sends output to another program, > sends it to a file, and && chains two commands so the second only runs if the first succeeds. You can build anything from there.

The 25 commands

If you can use these without thinking, you can read 80% of real-world security workflows.

CommandWhat it doesUsed for
ls -laList files with detailsRecon, permission audit
cd / pwdMove / where am IAlways
cat / lessRead a fileConfigs, logs
grep -rSearch text recursivelyFinding secrets, errors
findSearch by name / size / timeLocating dropped files
chmod / chownChange permissions / ownerHardening, lateral movement
ps -efList processesWhat is running
top / htopLive process viewTriage
netstat -tulpnOpen ports + processWhat is listening
ss -tulpnModern replacementSame
curl -vHTTP from CLIAPI testing
wgetDownload filesPulling tools
ssh / scpRemote shell / copyLateral movement
tarPack / unpack archivesExfil, deploy
systemctlService controlPersistence, audit
journalctlRead systemd logsTriage
tail -fFollow a logLive monitoring
historyWhat was typedForensics
sudoRun as rootPrivilege use / audit
id / whoamiWho am I, what groupsRecon on yourself
uname -aKernel infoExploit selection
iptables -LFirewall rulesEgress mapping
dig / hostDNS lookupRecon
scp / rsyncMove files reliablyBackups, exfil
tmux / screenPersistent sessionsLong jobs

Permissions in five minutes

Every file has three triplets of permissions: owner, group, everyone. Each triplet has three bits: read, write, execute.

$ ls -l /etc/shadow
-rw-r----- 1 root shadow 1832 May  6 14:01 /etc/shadow
   ^ owner=root  group=shadow
   rw- = read+write for owner
   r-- = read for shadow group
   --- = no access for everyone else

Numeric form: each triplet is a 0–7 digit. chmod 750 file means owner=rwx, group=r-x, world=none. The numbers are read=4, write=2, execute=1.

SUID, the one footnote that matters

A file with the SUID bit set runs as its owner, not as you. find / -perm -4000 -type f 2>/dev/null lists all of them. On a compromised box, this is where you look first.

The five "in a hurry" commands

When the alert is fresh and the senior engineer is in a meeting, these are the ones you reach for.

  1. last -a | head -20 — who logged in recently, from where.
  2. w — who is on the box right now, what are they running.
  3. ss -tunap — active sockets and the process behind each one.
  4. ls -lat /tmp /var/tmp /dev/shm | head — fresh files in the obvious dumping grounds.
  5. journalctl --since "1 hour ago" -p warning — recent warnings in the system log.

Pipes — the move that doubles your effective vocabulary

Two commands you have can be combined into a third. A few examples worth memorising:

# Top 10 processes by RSS memory
ps -eo pid,rss,cmd --sort=-rss | head -11

# Find every world-writable file under /etc
find /etc -type f -perm -o=w 2>/dev/null

# Recent failed SSH logins, grouped by source IP
journalctl -u ssh | grep "Failed" | awk '{print $NF}' | sort | uniq -c | sort -rn

Memorising these is not the point. The point is internalising the shape: listfiltergroupcount. Once you see it, you will write your own.