Linux Command Line: Cybersecurity Operator's Guide

87% of cybersecurity professionals use Linux daily for defense operations. This tutorial covers 35 essential commands, advanced security scripting, and forensic techniques used by SOC analysts and penetration testers.

Command Usage in Security Operations

File Analysis (30%)
Network (25%)
Process (20%)
User (15%)
Other (10%)

1. File System Forensics

Terminal showing file analysis commands

Essential Commands:

  • stat file.txt - Show file metadata/timestamps
  • sha256sum suspect.exe - Generate file hash
  • grep -r "malicious" /var/log/ - Recursive pattern search
  • find / -mtime -1 -type f - Find files modified in last 24h

Security Use Case:

Identifying webshells with find /var/www/ -name "*.php" -exec grep -l "eval(" {} \;

Advanced Tip:

Combine find with clamscan for on-demand malware scanning:

find /uploads/ -type f -exec clamscan --no-summary {} \;

2. Network Investigation

Network command output examples

Essential Commands:

  • ss -tulnp - Show listening ports (modern netstat)
  • tcpdump -i eth0 'port 53' - Capture DNS traffic
  • lsof -i :22 - List processes using SSH port
  • netstat -anp | grep ESTABLISHED - Active connections

Security Use Case:

Detecting C2 traffic with tcpdump -nn -i any 'tcp[20:2]=0x0000'

Advanced Tip:

Continuous monitoring with watch -n 1 ss -s

3. Process & Memory Analysis

Process tree visualization

Essential Commands:

  • ps auxf - Detailed process tree
  • top -H -p [PID] - Thread-level monitoring
  • strace -p 1234 - Trace system calls
  • pmap -x [PID] - Process memory mapping

Security Use Case:

Identifying cryptominers with ps aux | grep -E '[x]mrig|[m]iner'

Advanced Tip:

Capture process memory with gcore [PID] for later analysis

4. User & Privilege Management

User permission analysis

Essential Commands:

  • sudo -l - Check available sudo privileges
  • last -a - Review authentication logs
  • getfacl /etc/shadow - Check sensitive file permissions
  • grep '^sudo' /etc/group - List sudo users

Security Use Case:

Finding SUID binaries with find / -perm -4000 2>/dev/null

Advanced Tip:

Audit user activities with ausearch -k auth-check

Security Command Cheat Sheet

Category Command Purpose Example
File Analysis strings Extract readable content strings malware.bin | grep http
Network ngrep Pattern matching ngrep -q 'password' port 21
Process kill -9 Force stop kill -9 $(pgrep miner)

5. Security Scripting Essentials

Bash One-Liners for Security:

# Find all world-writable files
find / -xdev -type f -perm -0002 -exec ls -l {} \;

# Monitor SSH auth attempts in real-time
tail -f /var/log/auth.log | grep sshd

# Check for suspicious cron jobs
crontab -l | grep -E '(wget|curl|bash|sh)'

Automated Log Analysis:

#!/bin/bash
# Analyze failed logins
grep "Failed password" /var/log/auth.log | 
awk '{print $9}' | 
sort | uniq -c | 
sort -nr

Daily Security Checks

✓ Review active processes (ps auxf)
✓ Check listening ports (ss -tulnp)
✓ Audit sudo access (sudo -l)
✓ Scan for unauthorized SUID binaries

SOC Analyst Insight: The 2023 SANS survey found that 92% of incident responders rely on Linux command line tools during investigations. Mastering these commands reduces mean time to detect (MTTD) by an average of 47% compared to GUI-only approaches.

0 Interaction
0 Views
Views
0 Likes

You need to be logged in to participate in this discussion.

×
×
×
🍪 CookieConsent@Ptutorials:~

Welcome to Ptutorials

$ Allow cookies on this site ? (y/n)

Terms & Conditions Cookies Policy
top-home