• Why cybersecurity professionals rely on Linux.
• Overview of security-focused distributions: Ubuntu, Kali, Parrot OS.
• Setting up your own lab using VMware or VirtualBox with ISOs.
• Demo: Installing Kali Linux safely and performing first boot configuration.

Security Angle: Recognize where attackers hide scripts or modify configs.

• Directory Hierarchy (FHS):
  '] space-y-2 pl-5">
  • /etc: System configuration files (passwords, service configs).
  • /var: Variable data, like logs (/var/log) and web content (/var/www).
  • /usr: User-installed software and binaries.
  • /home: User's personal directories.
  • /tmp: Temporary files (often world-writable, a common target for attackers).
• Navigation & Listing Commands:
  '] space-y-2 pl-5">
  • pwd: Print Working Directory (shows where you are).
  • cd: Change Directory (cd .. to go up, cd ~ for home).
  • ls: List directory contents.
  • ls -la: List all files (including hidden) in long format (shows permissions, owner, size).
  • ls -lR: Recursively list all files in subdirectories.
  • ls -lt: Sort by modification time (shows newest files first).
• tree: View directory structure as a tree (may need to be installed).

Security Angle: Recognize where attackers hide scripts (e.g., hidden files in /tmp) or modify configs in /etc.

• File Operations (View & Edit):
  '] space-y-2 pl-5">
  • cat: Concatenate and print files. Use cat -n to show line numbers.
  • less: View large files page by page (press 'q' to quit, '/' to search).
  • head / tail: Show the top or bottom 10 lines of a file.
  • tail -n 50: Show the last 50 lines.
  • tail -f /var/log/auth.log: "Follow" a log file in real-time. (Crucial for SOC analysis).
• grep: Search for patterns in text.
• grep "Failed password" /var/log/auth.log: Find all failed login attempts.
• grep -iR "password" /etc: Recursively search (-R) for "password", ignoring case (-i), in the /etc directory.

nano: A simple, beginner-friendly text editor.

vi / vim: A powerful, modal text editor. Essential for servers.

File Management (Move, Copy, Delete):

'] space-y-2 pl-5">
• mkdir: Make directories. Use mkdir -p "parent/child" to create nested directories.
• rmdir: Remove *empty* directories.
• cp: Copy files/directories. Use cp -r for recursive copy (directories).
• mv: Move or rename files/directories.
• rm: Remove files. Use rm -r to remove directories and rm -f to force removal. (Use with caution!)
• find: Search for files.
• find / -name "config.txt".
• find /tmp -user hacker: Find files in /tmp owned by user 'hacker'.
• find / -mmin -60: Find files modified in the last 60 minutes.

Command Chaining (Pipes & Redirects):

'] space-y-2 pl-5">
• Pipe |: Sends the output of one command as the input to another. Ex: cat /var/log/syslog | grep "error".
• Redirect >: Overwrites a file with command output.
• Append >>: Appends command output to the end of a file.

Security Angle: Learn how analysts use grep, tail, and find to hunt for indicators of compromise (IOCs), monitor live logs, and find attacker tools.

• User Management:
  '] space-y-2 pl-5">
  • useradd hacker: Creates a new user named 'hacker'.
  • passwd hacker: Set (or change) the password for 'hacker'.
  • usermod -aG sudo hacker: Add user 'hacker' to the 'sudo' group (grant admin rights).
  • userdel -r hacker: Remove user 'hacker' and their home directory.
• Group Management:
  '] space-y-2 pl-5">
  • groupadd analysts: Create a new group 'analysts'.
  • gpasswd -a user1 analysts: Add 'user1' to the 'analysts' group.
  • gpasswd -d user1 analysts: Remove 'user1' from the 'analysts' group.
• Privilege Management:
  '] space-y-2 pl-5">
  • sudo [command]: Run a command with root (admin) privileges.
  • visudo or nano /etc/sudoers: Edit the file that defines who can use sudo. (Very sensitive!)

Security Angle: Understand how attackers add rogue users or add themselves to the 'sudo' group to maintain persistent access and escalate privileges.

• Understanding Permissions (rwx):
  '] space-y-2 pl-5">
  • Permissions are set for User (owner), Group, and Other (everyone else).
  • r (read): View file contents / list directory contents.
  • w (write): Modify file / create or delete files in directory.
  • x (execute): Run a script / enter a directory (cd).
• Changing Permissions (chmod):
  '] space-y-2 pl-5">
  • Symbolic Mode: chmod u+x script.sh (adds execute for user). chmod o-w file.txt (removes write for other).
  • Octal (Numeric) Mode: r=4, w=2, x=1.
  • chmod 644 web.config (User=rw-, Group=r--, Other=r--). Common for web files.
  • chmod 600 key.pem (User=rw-, Group=---, Other=---). This is secure for private keys.

Changing Ownership (chown):

chown -R www-data:www-data /var/www: Recursively set web server user/group for a web directory.

umask: Sets the default permissions for newly created files (e.g., 022 is a common default).

Special Permissions (SUID/SGID):

'] space-y-2 pl-5">
• SUID (Set User ID): Allows a user to run an executable with the permissions of the *file owner* (often root). Shows as an 's' in the user execute bit (e.g., -rwsr-xr-x).
• Example: The passwd command uses SUID to let a normal user change their own password in the root-owned /etc/shadow file.
• Attacker Focus: Attackers search for misconfigured SUID binaries to get a root shell.
• Find SUID files: find / -perm -u=s -type f 2>/dev/null (find files with SUID bit set, ignore errors).

Real Case: How misconfigured file access led to the Polkit privilege escalation (CVE-2021-4034).

Security Angle: Attackers hunt for world-writable files (chmod 777) to inject malware. Misconfigured SUID bits are a classic and powerful privilege escalation vector.