87% of cybersecurity professionals use Linux daily for defense operations. This tutorial covers 35 essential commands, advanced security scripting, and forensic techniques used by SOC analysts and penetration testers.
Linux Command Line: Cybersecurity Operator's Guide
Command Usage in Security Operations
1. File System Forensics
Essential Commands:
stat file.txt- Show file metadata/timestampssha256sum suspect.exe- Generate file hashgrep -r "malicious" /var/log/- Recursive pattern searchfind / -mtime -1 -type f- Find files modified in last 24h
Security Use Case:
Identifying webshells with find /var/www/ -name "*.php" -exec grep -l "eval(" {} \;
Advanced Tip:
Combine find with clamscan for on-demand malware scanning:
find /uploads/ -type f -exec clamscan --no-summary {} \;
2. Network Investigation
Essential Commands:
ss -tulnp- Show listening ports (modern netstat)tcpdump -i eth0 'port 53'- Capture DNS trafficlsof -i :22- List processes using SSH portnetstat -anp | grep ESTABLISHED- Active connections
Security Use Case:
Detecting C2 traffic with tcpdump -nn -i any 'tcp[20:2]=0x0000'
Advanced Tip:
Continuous monitoring with watch -n 1 ss -s
3. Process & Memory Analysis
Essential Commands:
ps auxf- Detailed process treetop -H -p [PID]- Thread-level monitoringstrace -p 1234- Trace system callspmap -x [PID]- Process memory mapping
Security Use Case:
Identifying cryptominers with ps aux | grep -E '[x]mrig|[m]iner'
Advanced Tip:
Capture process memory with gcore [PID] for later analysis
4. User & Privilege Management
Essential Commands:
sudo -l- Check available sudo privilegeslast -a- Review authentication logsgetfacl /etc/shadow- Check sensitive file permissionsgrep '^sudo' /etc/group- List sudo users
Security Use Case:
Finding SUID binaries with find / -perm -4000 2>/dev/null
Advanced Tip:
Audit user activities with ausearch -k auth-check
Security Command Cheat Sheet
| Category | Command | Purpose | Example |
|---|---|---|---|
| File Analysis | strings | Extract readable content | strings malware.bin | grep http |
| Network | ngrep | Pattern matching | ngrep -q 'password' port 21 |
| Process | kill -9 | Force stop | kill -9 $(pgrep miner) |
5. Security Scripting Essentials
Bash One-Liners for Security:
# Find all world-writable files
find / -xdev -type f -perm -0002 -exec ls -l {} \;
# Monitor SSH auth attempts in real-time
tail -f /var/log/auth.log | grep sshd
# Check for suspicious cron jobs
crontab -l | grep -E '(wget|curl|bash|sh)'
Automated Log Analysis:
#!/bin/bash
# Analyze failed logins
grep "Failed password" /var/log/auth.log |
awk '{print $9}' |
sort | uniq -c |
sort -nr
Daily Security Checks
✓ Review active processes (ps auxf)
✓ Check listening ports (ss -tulnp)
✓ Audit sudo access (sudo -l)
✓ Scan for unauthorized SUID binaries
SOC Analyst Insight: The 2023 SANS survey found that 92% of incident responders rely on Linux command line tools during investigations. Mastering these commands reduces mean time to detect (MTTD) by an average of 47% compared to GUI-only approaches.
0 Interaction
0 Views
0 Likes
×
