Linux OS Internals
Cybersecurity Operations Faculty of Computer Systems and Technologies 1
Linux Architecture
Windows vs Linux (Analyst Consideration)
▪ Attack Surface Difference
Linux tends to be locked down and minimalist—making logs sparser but more deliberate.
Windows is feature-rich and complex—more noise, but also more telemetry hooks.
▪ Log Verbosity
Windows is verbose—great for catching TTPs with tools like Sysmon and Event IDs.
Linux needs tight tuning (e.g., [Link], [Link]) to extract useful signal.
▪ Detection Engineering
Linux: More reliant on behavioral analytics (e.g., execve() spikes, network anomalies).
Windows: Rule-based detections (MITRE ATT&CK mappings via Event IDs and Sysmon logs) work well.
Core Components of Linux
i. Hardware: Computer hardware refers to the physical parts of a computer, like the brain (CPU),
memory (RAM), and storage (hard drive). These components work together to make the operating
system and programs run.
ii. Kernel: The Linux kernel is like a manager for the computer. It takes care of important tasks like
managing the CPU, memory, and devices.
iii. Shell: The shell is like a translator between you and the computer. It’s the part of the operating
system that lets you give commands and interact with it.
iv. Application: Applications are programs that you use on your computer. They have a user-friendly
interface and rely on the kernel to work properly.
INIT Systems
In Linux, the "init system" is the first process that runs after the kernel loads and is responsible for
starting all other processes, including system services and daemons.
It acts as the parent of all other processes and ensures the system reaches a usable
state. Traditionally, the System V init (SysVinit) was the standard, but modern distributions
increasingly use systemd as the default init system.
File system Hierarchy
• / — the top-level directory
• /root — home directory of the root user
• /home — home directories of all other users
• /boot — bootable files for Linux
• /bin — commands used by all users
• /sbin — commands used only by the root user
• /usr — software is installed in this directory by default
• /var — variable data files
• /dev — device files
• /etc — all configuration files
• /opt — third-party applications
• /media — mount points for removable devices
Critical Files for SOC
1. Authentication & User Activity
/var/log/[Link] (Debian/Ubuntu)
➢ Purpose: Logs all authentication events: login attempts, sudo use, SSH access.
➢ Monitor for:
  ➢ Repeated failed login attempts → brute-force
  ➢ Unexpected root logins or sudo usage
  ➢ SSH logins from suspicious IPs
grep "Failed password" /var/log/[Link]
grep "Accepted password" /var/log/secure
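The grep commands above answer one question each; an analyst usually wants all three red flags correlated per source IP. The following is an added example (not part of the slides) that parses a few constructed Debian/Ubuntu auth.log lines and flags brute-force sources, a success that follows a burst of failures, and sudo use; the host name, addresses and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Debian/Ubuntu auth.log format (not from a real host).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:14 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar  3 10:01:15 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar  3 10:01:17 web1 sshd[2214]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar  3 10:01:19 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar  3 10:02:40 web1 sshd[2220]: Accepted password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:05:02 web1 sshd[2230]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar  3 10:05:09 web1 sshd[2231]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
Mar  3 10:06:00 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""

# sshd writes "Failed|Accepted <method> for [invalid user] <user> from <ip> port <n>"
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")

def analyse_auth_log(text, threshold=3):
    """Return (brute_force_ips, successes_after_failures, sudo_events).

    threshold: failures from one IP (assumed value) before it counts as brute force.
    """
    failures = defaultdict(int)
    success_after_fail = []   # (user, ip) logins that followed a failure burst
    sudo_events = []          # (invoking user, target user, command)
    for line in text.splitlines():
        m = SSH_RE.search(line)
        if m:
            ip = m.group("ip")
            if m.group("result") == "Failed":
                failures[ip] += 1
            elif failures[ip] >= threshold:
                success_after_fail.append((m.group("user"), ip))
            continue
        s = SUDO_RE.search(line)
        if s:
            sudo_events.append((s.group("user"), s.group("target"), s.group("cmd")))
    brute = {ip: n for ip, n in failures.items() if n >= threshold}
    return brute, success_after_fail, sudo_events
```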
Critical Files for SOC
2. /etc/passwd
➢ Purpose: Contains user account information (username, UID, shell).
➢ SOC Use:
  ➢ Detect unauthorized user creation.
  ➢ Monitor for users with UID 0 (root-level access).
➢ Red Flag: User added with UID 0 other than root.
3. /etc/shadow
➢ Purpose: Stores hashed passwords for local users (readable only by root).
➢ SOC Use:
➢ Look for changes → could indicate password cracking, backdoor setup.
➢ Red Flag: Modified without corresponding /etc/passwd change.
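The UID 0 red flag for /etc/passwd above is easy to check mechanically. This added example (not from the slides) parses a constructed passwd file and reports any UID 0 account other than root, and, going one step further than the slide, any system account (UID in the 1..999 range, an assumed convention) that still has an interactive shell; the account names are invented.

```python
# Constructed /etc/passwd content; "backdoor" is a planted UID 0 account for illustration.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:x:0:0::/tmp:/bin/bash
svc-web:x:999:999::/var/www:/bin/sh
"""

# Shells that deny interactive login (assumed list; extend for your distribution)
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def parse_passwd(text):
    """Split the seven colon-separated passwd fields; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries

def audit_passwd(text, sys_uid_max=999):
    """Return (finding, account) pairs: extra UID 0 accounts and
    system accounts (1..sys_uid_max) that still have a login shell."""
    findings = []
    for e in parse_passwd(text):
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(("uid0", e["name"]))
        if 0 < e["uid"] <= sys_uid_max and e["shell"] not in NOLOGIN_SHELLS:
            findings.append(("system_shell", e["name"]))
    return findings
```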
Critical Files for SOC
4. Network & Firewall Configs
/etc/hosts
•Purpose: Local DNS resolution.
•SOC Use: Attackers may use it to redirect or block domains.
•Red Flag: Redirection to malicious IPs or localhost for security tools.
/etc/ssh/sshd_config
•Purpose: SSH server configuration.
•SOC Use:
•Ensure secure settings: no root login, key-based auth only.
•Watch for weakened configs like PermitRootLogin yes
grep PermitRootLogin /etc/ssh/sshd_config
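A grep for PermitRootLogin shows every occurrence, but sshd uses only the first value it reads for a keyword, and lines after a Match block are conditional. This added example (not from the slides) resolves the effective global value the way sshd does and reports the weakened settings; the sample config is constructed, and the defaults assumed for absent keywords are OpenSSH's documented ones.

```python
# Constructed sshd_config for illustration (not from a real host)
SAMPLE_SSHD_CONFIG = """\
# hardening review sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# the next line is ignored by sshd: the first value seen wins
PermitRootLogin no
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""

# OpenSSH defaults used when a keyword is absent (assumed from the sshd_config manual)
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
# Values the slide calls weakened configs
WEAK = {"permitrootlogin": {"yes"}, "passwordauthentication": {"yes"}}

def effective_global_settings(text):
    """Return the value sshd would apply for each keyword in the global section.

    Mirrors two sshd rules: the first value for a keyword wins, and everything
    after the first Match line applies only to matching connections.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().lower()
    return settings

def weak_settings(text):
    """Keywords whose effective global value is in the weak set."""
    s = effective_global_settings(text)
    return sorted(k for k in WEAK if s.get(k, DEFAULTS[k]) in WEAK[k])
```

Note that an empty config is reported as weak on PasswordAuthentication because sshd defaults it to yes.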
/etc/[Link]
•Purpose: DNS resolver config.
•SOC Use: Rogue DNS servers used for data exfiltration (DNS tunneling).
Linux Permissions
I. File Types and Owners
Every file and directory in Linux is associated with a file type and an owner. The file type can be
regular, directory, or a special type such as a symbolic link, denoted by the initial letter in the permission
string (e.g., - for regular files and d for directories). Files are owned by a user and a group, which
determine the default access controls.
II. Permission Groups
There are three main permission groups in Linux: owner, group, and others. Each group has
specific permissions that can be set, including read (r), write (w), and execute (x). These
permissions determine the level of interaction users can have with a file or directory.
III. Symbolic and Numeric Representations
Permissions are represented symbolically as r, w, x for read, write, and execute respectively, and
numerically using octal values where read is 4, write is 2, and execute is 1. This numeric
representation helps in setting permissions using commands like chmod.
Linux Permissions
Special Permissions and Security
Beyond the basic permissions, Linux supports special permissions such as SUID, SGID, and sticky
bits. SUID allows a file to be executed with the permissions of the file's owner, SGID executes a file
with the permissions of the group owner, and sticky bits are used mainly in directories to restrict file
deletion to the file's owner or root. These special permissions are crucial for maintaining security
and functionality in multi-user environments.
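Converting between the symbolic string shown by ls -l and the octal mode, including where SUID, SGID and the sticky bit appear (the s and t letters replacing x), is worth doing by hand once. This added example (not from the slides) implements both directions and flags the special bits an analyst would triage; the permission strings are constructed.

```python
import stat

# Position within "rwxrwxrwx" of the execute slot that carries each special bit
SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def parse_mode_string(perm):
    """Turn a 10-character ls -l string such as '-rwsr-xr-x' into an octal mode (0o4755)."""
    if len(perm) != 10:
        raise ValueError("expected a 10-character string such as '-rwsr-xr-x'")
    mode = 0
    for i, ch in enumerate(perm[1:]):      # skip the file-type character
        basic = 1 << (8 - i)               # rwxrwxrwx maps to bits 8..0
        if ch == "-":
            continue
        if ch in "rwx":
            mode |= basic
        elif (ch in "sS" and i in (2, 5)) or (ch in "tT" and i == 8):
            mode |= SPECIAL[i]             # special bit set
            if ch.islower():               # lowercase also means execute is set
                mode |= basic
        else:
            raise ValueError(f"unexpected {ch!r} at position {i + 1}")
    return mode

def to_symbolic(mode, is_dir=False):
    """Inverse operation: octal mode back to the ls -l string."""
    return stat.filemode((stat.S_IFDIR if is_dir else stat.S_IFREG) | mode)

def special_bits(perm):
    """Triage flags for a permission string: which special bits are set, and the
    dangerous combination of a setuid/setgid file that others can also write to."""
    mode = parse_mode_string(perm)
    flags = []
    if mode & stat.S_ISUID:
        flags.append("suid")
    if mode & stat.S_ISGID:
        flags.append("sgid")
    if mode & stat.S_ISVTX:
        flags.append("sticky")
    if perm[0] != "d" and mode & stat.S_IWOTH and mode & (stat.S_ISUID | stat.S_ISGID):
        flags.append("world-writable-setuid")
    return flags
```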
Summary
▪ Linux has a modular architecture with user space, kernel space, and system calls—understanding this
helps SOCs track how attackers move and escalate privileges.
▪ Critical files like /etc/passwd, /etc/shadow, and /var/log/[Link] reveal user activity, authentication
attempts, and potential account compromise.
▪ Attackers often use cron jobs, systemd services, and shell profiles to establish persistence—watch for
suspicious entries in /etc/cron.*, /etc/systemd/system/, and ~/.bashrc.
▪ Temporary directories like /tmp/ and /dev/shm/ are frequently abused for storing payloads and launching
attacks undetected.
▪ Process and network monitoring via /proc/, netstat, lsof, and auditd is key for real-time threat detection
and forensic triage.
▪ SOC analysts must actively monitor Linux logs, permissions, and services to detect rootkits, privilege
abuse, lateral movement, and log tampering.
Linux Logs
• The initial point is to understand the two primary types of logging mechanisms: kernel and user.
• Kernel logs provide a backstage pass into your system's inner workings. They include messages
related to hardware events, driver operations, and system errors.
• User logs capture user interactions between users, applications, and the operating system. They
include login attempts, command executions, and app-specific activities.
Kernel Logs
Kernel logs are messages generated by the Linux kernel — the core part of the operating system
responsible for managing hardware, processes, memory, and system calls. These logs provide insight
into:
• System boot processes
• Hardware detection and failures
• Loaded/unloaded kernel modules
• Filesystem mounts
• Device plug-ins (USB, drives)
• Kernel panics, crashes
Why should you keep an eye on Kernel Logs
SOC Use Case | What to Look For
Rootkit detection | Hidden modules, unusual kernel behavior
Unauthorized USB activity | USB device insertions in dmesg
Filesystem abuse | Remounting / or /tmp as exec
Boot-time persistence | Suspicious modules loaded at startup
Privilege escalation | Kernel exploit indicators (BUG:, Null Pointer Dereference, Kernel Panic)
/var/log Directory
The /var/log directory in Linux systems is a critical repository of log files that provide
insights into system activities and events. These logs are indispensable in forensic
investigations, as they contain records of system processes, user activities, network
connections, and much more.
/var/log Directory
[Link]
▪ The /var/log/[Link] file is your go-to for all authentication-related events on your Linux system. It
records every login attempt, whether successful or failed, along with commands executed using
elevated privileges and SSH logins. This makes it an invaluable resource for tracking potential security
breaches.
▪ It is also important to monitor successful login attempts, especially those occurring outside normal
business hours or from unusual IP addresses, by running grep 'Accepted password'
/var/log/[Link] to filter these entries.
/var/log Directory
Syslog
• The /var/log/syslog file serves as a catch-all for various system messages, making it a central point for
understanding system-wide events. This log captures everything from cron job executions to kernel
activities, providing a comprehensive view of your system's health and activities.
• Kernel-related messages can also be viewed via syslog. These entries can indicate hardware issues or
potential attacks targeting the kernel. By running grep 'kernel' /var/log/syslog, you can sift through
these messages and pinpoint problems.
/var/log Directory
/var/log/wtmp records all login and logout events.
This file helps you answer:
✓ Who logged in?
✓ From where (IP or terminal)?
✓ When did they log in/out?
✓ Was the system rebooted?
Includes | Examples
User logins | Terminal, SSH, graphical sessions
Logouts | Logout, disconnect, shutdowns
Reboots/shutdown | System reboots and poweroffs
/var/log Directory
What is btmp?
/var/log/btmp records failed login attempts.
This file helps you detect:
▪ Brute-force SSH attempts
▪ Failed sudo attempts
▪ Attacks on login services
Includes | Examples
Incorrect passwords | Mistyped logins
Invalid usernames | Brute-force attempts, guessing
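wtmp and btmp are not text: both are arrays of fixed-size utmp records that last and lastb decode. This added example (not from the slides) packs constructed records, decodes them to answer the who/where/when questions above, and counts btmp failures per source host; the record layout assumed is glibc's struct utmp on x86_64 Linux, and the users, hosts and timestamps are invented.

```python
import struct
import time
from collections import Counter

# Layout of glibc's struct utmp on x86_64 Linux (384 bytes, little-endian): an assumption,
# since other libcs and architectures lay the struct out differently.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8   # ut_type values from <utmp.h>

def make_record(ut_type, pid, line, user, host, ts):
    """Pack one constructed utmp record (test data only)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

def parse_utmp(data):
    """Decode every complete fixed-size record in a wtmp/btmp byte string."""
    out = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        out.append({"type": f[0], "pid": f[1],
                    "line": f[2].rstrip(b"\0").decode(errors="replace"),
                    "user": f[4].rstrip(b"\0").decode(errors="replace"),
                    "host": f[5].rstrip(b"\0").decode(errors="replace"),
                    "time": f[9]})   # ut_tv.tv_sec
    return out

def describe(records):
    """Answer who / from where / when for each record, as `last` would."""
    names = {BOOT_TIME: "boot", USER_PROCESS: "login", DEAD_PROCESS: "logout"}
    return [(names.get(r["type"], "other"), r["user"], r["line"], r["host"],
             time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(r["time"]))) for r in records]

def failed_logins_by_host(btmp_data, threshold=3):
    """btmp holds only failures, so per-host counts above a threshold suggest brute force."""
    counts = Counter(r["host"] for r in parse_utmp(btmp_data) if r["host"])
    return {h: n for h, n in counts.items() if n >= threshold}

# Constructed sample files (not captured from a real host)
SAMPLE_WTMP = (make_record(BOOT_TIME, 0, "~", "reboot", "6.1.0", 1700000000)
               + make_record(USER_PROCESS, 2211, "pts/0", "alice", "198.51.100.4", 1700000100)
               + make_record(DEAD_PROCESS, 2211, "pts/0", "", "", 1700000400))
SAMPLE_BTMP = (b"".join(make_record(USER_PROCESS, 3000 + i, "ssh:notty", "root",
                                    "203.0.113.7", 1700001000 + i) for i in range(4))
               + make_record(USER_PROCESS, 3100, "ssh:notty", "bob", "198.51.100.4", 1700002000))
```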
Log Severity
Syslog Facilities
Syslog facilities are categories used to classify the source or type of a log message.
They help the system (or your SIEM/log server) decide where to log a message — or whether to log it at all.
Summary
▪ Authentication logs (/var/log/[Link] or /var/log/secure) reveal login attempts, sudo usage, and
SSH access — critical for spotting brute-force attacks or privilege misuse.
▪ System logs (/var/log/syslog, /var/log/messages) capture general daemon activity, errors, and
system-wide events like service restarts or crashes.
▪ Kernel logs (journalctl -k, /var/log/[Link]) and dmesg show low-level hardware and module
events, helping detect rootkits or unauthorized device access.
▪ Audit logs (/var/log/audit/[Link]) provide fine-grained tracking of file access, commands, and
user actions — essential for forensics and compliance.
▪ Login history logs (wtmp, btmp, lastlog) help trace successful and failed login attempts, reboot
history, and user session origins.
▪ SOC analysts use tools like journalctl, ausearch, lastb, and auditctl to detect anomalies, trace attacks,
and monitor system integrity in real time.