Essential Linux Commands

The document provides a comprehensive overview of essential Linux commands for cybersecurity professionals, emphasizing their roles in security analysis, incident response, and system hardening. It discusses various command-line tools for network analysis, process monitoring, file system investigation, log analysis, and user management, highlighting their advanced usage and security implications. Additionally, it outlines incident response workflows and automation techniques to enhance security monitoring and system hardening efforts.

Uploaded by

ives.toledo
Essential Linux Commands (June 2025)

Introduction

Linux has become the operating system of choice for cybersecurity professionals, serving as both a powerful platform for security operations and a critical component of modern infrastructure that requires protection. The command line interface provides unparalleled control and visibility into system operations, making it an indispensable tool for security analysis, incident response, penetration testing, and system hardening. This technical deep-dive explores the essential Linux commands that form the foundation of professional cybersecurity work, examining not just the basic syntax but the advanced usage patterns, security implications, and practical applications that distinguish expert practitioners from novices.

Understanding the Linux Security Command Ecosystem

The Security Professional's Command Line Architecture

The Linux command line ecosystem for security professionals can be conceptualized as a layered architecture (the original figure, rendered as text):

    Security Analysis Layer:  Network Analysis | Process Analysis | File System Analysis
    Core System Utilities:    System Information | User Management
    Kernel Interface:         /proc filesystem | /sys filesystem | System Calls

Understanding this architecture helps security professionals select the appropriate tools for specific tasks and understand how different commands interact with system components at various levels.

Network Analysis and Security Commands

Advanced Network Connection Analysis with ss and netstat

The ss (socket statistics) command, part of iproute2, has largely replaced netstat (from the deprecated net-tools package) in modern Linux distributions, offering faster performance and more detailed information about network connections.
Security professionals use these tools to identify suspicious connections, verify service configurations, and detect potential compromises. The starting point is ss -tnp, which lists TCP sockets with numeric addresses and the owning process; combining ss with sort, uniq -c and sort -rn ranks peers by connection count, and comparing repeated snapshots stamped with $(date) shows connections that appear and disappear between runs.

    # TCP sockets, numeric addresses, owning process (root is needed to see other users' processes)
    ss -tnp

Network Traffic Analysis with tcpdump

The tcpdump command provides packet-level network analysis capabilities essential for security investigations:

    # Capture from every interface into a file for offline analysis
    tcpdump -i any -w suspicious_traffic.pcap

    # Rotating capture: strftime escapes in the -w name label each file, -G <seconds>
    # starts a new file on that interval, and -z runs the given command on each finished file
    tcpdump -i eth0 -w /var/log/tcpdump/capture-%Y%m%d%H%M%S.pcap -G <seconds> -z gzip

Writing packets with -w rather than decoding them live is the right choice during an incident: it preserves full packets for later analysis and costs far less CPU. Current tcpdump releases default to a full snap length; on old releases add -s 0 so packets are not truncated.

iptables for Traffic Analysis and Control

While primarily a firewall tool, iptables provides traffic analysis capabilities through its per-rule packet and byte counters and its LOG target. The original listing also covers rate limiting in the mangle table's PREROUTING chain for DoS analysis:

    # Rate limiting for DoS protection analysis
    iptables -t mangle -A PREROUTING ...

Process Analysis and System Monitoring

Advanced Process Investigation Techniques

Process analysis forms a critical component of security investigations, helping identify malicious activities and compromised systems:

    # Every process with its SELinux security context
    ps -eZ

    # Snapshot the process list and report processes that appeared since the last snapshot
    diff /tmp/ps.old /tmp/ps.new 2>/dev/null | grep "^>" | awk '{print $...}'
    cp /tmp/ps.new /tmp/ps.old; sleep 1

    # Compare PIDs present in /proc with PIDs reported by ps: a PID that exists in
    # /proc but is missing from ps output is a hidden-process indicator
    for pid in $(ls /proc | grep -E '^[0-9]+$'); do ... done
    for pid in $(ps aux | awk '{print $2}' | grep -E '^[0-9]+$'); do
        [ -r /proc/$pid/maps ] && echo "PID: $pid" ...
    done
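As an added example that is not part of the original document, the following script applies the ss-based triage described above to a constructed sample of ss -tnp output: it ranks peers by established-connection count and flags sockets whose peer port is on a watch list. The sample sockets, the process names and the watch-list ports (4444, 5555, 6666, 7777, common reverse-shell and C2 defaults) are assumptions made for the demonstration; in use, pipe the real ss -tnp output into the functions.

```bash
#!/usr/bin/env bash
# Added example, not code from the original document.
# Triage established TCP connections from `ss -tnp` output.

# Constructed sample of `ss -tnp` (header plus five sockets). In a real run,
# replace `printf '%s\n' "$SAMPLE_SS"` with `ss -tnp`.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port    Process
ESTAB  0      0      10.0.0.5:22         192.0.2.10:51234     users:(("sshd",pid=1234,fd=4))
ESTAB  0      0      10.0.0.5:443        198.51.100.7:40001   users:(("nginx",pid=800,fd=12))
ESTAB  0      0      10.0.0.5:39122      203.0.113.9:4444     users:(("bash",pid=2222,fd=3))
ESTAB  0      0      10.0.0.5:39123      203.0.113.9:4444     users:(("bash",pid=2223,fd=3))
ESTAB  0      0      10.0.0.5:443        198.51.100.8:40002   users:(("nginx",pid=800,fd=13))'

# Peer ports treated as suspicious for this example (an assumption, not a
# standard list): common reverse-shell / C2 defaults.
WATCH_PORTS='4444 5555 6666 7777'

# top_peers: ss output on stdin -> "<count> <peer ip>" for established
# sockets, most connections first. The port is stripped so that many
# connections from one host are counted together.
top_peers() {
    awk '$1 == "ESTAB" { ip = $5; sub(/:[0-9]+$/, "", ip); print ip }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# flag_watch_ports: ss output on stdin -> "<pid> <process> <peer>" for
# established sockets whose peer port is in WATCH_PORTS. The pid and the
# process name are parsed out of the users:(("name",pid=N,fd=M)) column.
flag_watch_ports() {
    awk -v ports="$WATCH_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 == "ESTAB" {
            peer = $5
            port = peer; sub(/.*:/, "", port)
            if (port in watch) {
                proc = $6
                match(proc, /\("[^"]+"/); name = substr(proc, RSTART + 2, RLENGTH - 3)
                match(proc, /pid=[0-9]+/);  pid  = substr(proc, RSTART + 4, RLENGTH - 4)
                print pid, name, peer
            }
        }'
}

printf '%s\n' "$SAMPLE_SS" | top_peers
printf '%s\n' "$SAMPLE_SS" | flag_watch_ports
```

A shell (bash) holding two connections to port 4444 on the same host is the pattern to chase first; a web server with many peers on 443 is expected. Process names come from the process itself and can be faked, so confirm with lsof -p and /proc/<pid>/exe before acting.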
    # Open files and sockets of a suspect process (pgrep -d, yields the comma list lsof -p expects)
    lsof -p $(pgrep -d, suspicious_process)

System Performance and Resource Monitoring

Understanding system performance is crucial for detecting resource-based attacks and system compromise: sustained CPU from an unfamiliar process, unexplained memory growth, and network I/O attributed to a process that has no reason to use the network are the signals to look for.

File Descriptor and Open File Analysis

The lsof command provides comprehensive visibility into open files and network connections:

    # List all open files by a specific user
    lsof -u username
    # Deleted files still in use (potential malware indicator: a binary unlinked after
    # launch, or a log unlinked to hide tampering)
    lsof +L1
    # Track network connections by process
    lsof -i -n -P | grep ESTABLISHED

File System Security and Analysis

Advanced File System Investigation

File system analysis is fundamental to security investigations, helping identify compromises, backdoors, and data breaches:

    # Files modified in the last 24 hours, excluding pseudo-filesystems
    find / -type f -mtime -1 -ls 2>/dev/null | grep -v "/proc\|/sys"
    # World-writable files
    find / -type f -perm -o+w -ls 2>/dev/null | grep -v "/proc\|/sys"
    # Files with more than one hard link
    find / -type f -links +1 -ls 2>/dev/null | grep -v "/proc\|/sys"
    # Hidden files anywhere in the tree
    find / -name ".*" -type f -ls 2>/dev/null
    # Names that end in a space or in dots, chosen to hide in directory listings
    # (the two -name tests must be grouped, or -ls applies only to the second)
    find / \( -name "* " -o -name "*.." \) -ls 2>/dev/null
    # Baseline hashes of system binaries for later comparison
    find /bin /sbin /usr/bin /usr/sbin -type f -exec sha256sum {} \; > <baseline-file>
    # Files with the immutable attribute (attackers use chattr +i to protect implants)
    find / -type f -exec lsattr {} \; 2>/dev/null | grep -E "^[a-zA-Z-]*i[a-zA-Z-]* "

File System Timeline Analysis

Creating timelines helps reconstruct security incidents:

    # Epoch modification time and path for every file, oldest first
    find / -type f -printf "%T@ %p (mtime)\n" 2>/dev/null | sort -n

Permission and Ownership Analysis

Understanding file permissions is crucial for security hardening:

    # Check for unusual executable permissions
    # Active sudo rules with comments stripped
    cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | grep -v "^#"

Log Analysis and Security Monitoring

System Log Analysis Commands

Effective log analysis is essential for detecting security incidents:

    # Monitor authentication attempts (the unit is sshd.service on Red Hat-family systems)
    journalctl -u ssh.service -f
    # Live filter of syslog for common failure keywords
    tail -f /var/log/syslog | grep -E "error|fail|denied|invalid"
    # Rank source addresses appearing in the auth log
    grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" /var/log/auth.log | sort | uniq -c | sort -rn
    # Keep only sources seen more than ten times
    ... | awk '$1 > 10 {print}'

Advanced Log Correlation and Analysis

Complex security investigations often require correlating events across multiple log sources: the original loops over the addresses extracted from one log and searches the others for the same address, then counts the classic SSH attack indicators.

    grep -E "Failed password|Invalid user|POSSIBLE BREAK-IN|authentication failure" /var/log/auth.log | wc -l

A bare IP regex over a whole log line also matches version strings and other dotted numbers; anchor on the "from <ip>" phrase when counting attackers.
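The baseline-hash and timeline commands above are shown as one-liners; as an added example, not code from the original document, the script below turns them into reusable functions and demonstrates both on a constructed directory: it records a SHA-256 baseline, tampers with the tree (one binary replaced, one hidden file added, one tool removed), reports the differences, and merges the file modification times with a log event into a single timeline. It assumes GNU coreutils and findutils (sha256sum, stat -c, date -d, touch -t); the directory, file names, timestamps and the log line are all constructed.

```bash
#!/usr/bin/env bash
# Added example, not code from the original document.
# SHA-256 baseline of a directory tree, diff of a later run against it, and a
# timeline merging file mtimes with log events. Assumes GNU coreutils/findutils.

# make_baseline DIR OUT : "<sha256>  <path>" for every regular file under DIR,
# sorted by path. Run this on /bin, /sbin, /usr/bin, /usr/sbin right after
# install and keep OUT off the host: an attacker with root can rewrite a copy
# that lives on the same disk.
make_baseline() {
    find "$1" -type f -exec sha256sum {} + 2>/dev/null | sort -k2 > "$2"
}

# compare_baseline OLD NEW : one sorted line per difference:
#   ADDED <path> / CHANGED <path> / REMOVED <path>
compare_baseline() {
    awk 'NR == FNR { old[$2] = $1; next }
         { if (!($2 in old)) print "ADDED", $2
           else if (old[$2] != $1) print "CHANGED", $2
           seen[$2] = 1 }
         END { for (p in old) if (!(p in seen)) print "REMOVED", p }' "$1" "$2" | sort
}

# file_mtimes DIR : "<YYYY-MM-DD HH:MM:SS> file <path>" per regular file.
# mtime is trivially forged with touch; when a timestamp looks too tidy,
# compare it with ctime (stat -c %Z), which only the kernel updates.
file_mtimes() {
    find "$1" -type f -print 2>/dev/null | while IFS= read -r f; do
        printf '%s file %s\n' "$(date -d "@$(stat -c %Y "$f")" '+%Y-%m-%d %H:%M:%S')" "$f"
    done
}

# build_timeline DIR EVENTS : merge file mtimes with pre-formatted log events
# ("<YYYY-MM-DD HH:MM:SS> <source> <message>", e.g. reformatted journalctl
# output) into one time-ordered list.
build_timeline() {
    { file_mtimes "$1"; cat "$2"; } | sort
}

# demo_integrity: constructed directory -> baseline -> tamper -> diff + timeline.
# Timestamps are set with touch -t so that the output is deterministic.
demo_integrity() {
    local work old new ev
    work=$(mktemp -d); old=$(mktemp); new=$(mktemp); ev=$(mktemp)
    mkdir -p "$work/bin"
    for f in ls ps netstat; do printf 'original\n' > "$work/bin/$f"; done
    make_baseline "$work/bin" "$old"

    printf 'trojaned\n' > "$work/bin/ps"       # replaced binary
    printf 'dropper\n'  > "$work/bin/.hidden"  # new hidden file
    rm "$work/bin/netstat"                     # removed tool
    touch -t 202506011150.00 "$work/bin/ls"
    touch -t 202506011200.00 "$work/bin/ps"
    touch -t 202506011210.00 "$work/bin/.hidden"
    # Constructed log event that falls between the two suspicious writes.
    printf '2025-06-01 12:05:00 auth Accepted password for root from 203.0.113.9\n' > "$ev"
    make_baseline "$work/bin" "$new"

    echo "== baseline diff =="
    compare_baseline "$old" "$new" | sed "s|$work/bin/||"
    echo "== timeline =="
    build_timeline "$work/bin" "$ev" | sed "s|$work/bin/||"
    rm -rf "$work" "$old" "$new" "$ev"
}

demo_integrity
```

The timeline places the root login between the replacement of ps and the drop of the hidden file, which is the kind of ordering that turns three isolated findings into a narrative. Paths containing spaces break the awk field split in compare_baseline; for real systems use the -print0/xargs -0 form or a tool such as AIDE.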
User and Access Management Security Commands

User Account Analysis and Auditing

User account security is fundamental to system protection:

    # Regular accounts (UID >= 1000) with home directory and shell
    awk -F: '$3 >= 1000 {print $1, $3, $6, $7}' /etc/passwd
    # Password ageing for every account
    for user in $(cut -d: -f1 /etc/passwd); do chage -l $user 2>/dev/null | grep "Password expires"; done
    # Home directory ownership and permissions
    ls -la /home
    # Login history and last login per account
    last -F | head -20
    lastlog | grep -v "Never logged in"
    # Scheduled jobs for every user
    for user in $(cut -d: -f1 /etc/passwd); do crontab -l -u $user 2>/dev/null; done

SSH Security Configuration Analysis

SSH is a critical attack vector requiring careful security analysis:

    # The settings that matter most, as written in the static configuration
    grep -E "PermitRootLogin|PasswordAuthentication|PermitEmptyPasswords|X11Forwarding" /etc/ssh/sshd_config
    # Every authorized_keys file on the system
    find / -name "authorized_keys" 2>/dev/null
    # Host key fingerprints, SHA256 and MD5 (for comparison with older clients)
    for key in /etc/ssh/ssh_host_*_key.pub; do
        ssh-keygen -l -f "$key"
        ssh-keygen -l -E md5 -f "$key"
    done
    # The effective configuration as sshd resolves it, including defaults and Include files
    sshd -T | grep -E "permitrootlogin|passwordauthentication|pubkeyauthentication"

Prefer sshd -T over grepping the file: a commented-out or absent directive means the compiled-in default applies, and Match blocks and Include files can override what the main file appears to say.

System Security Auditing Commands

Security Configuration Assessment

Comprehensive security auditing requires systematic configuration analysis:

    # Kernel network settings that affect hardening
    sysctl -a 2>/dev/null | grep -E "forwarding|redirects|source"
    # Scheduled jobs for every user
    for user in $(cut -d: -f1 /etc/passwd); do crontab -l -u $user 2>/dev/null; done

Package and Software Integrity Verification

Verifying system integrity helps detect compromises:

    # Debian/Ubuntu: verify installed package files against their recorded checksums
    debsums -c 2>/dev/null
    # RHEL-family: verify every package, and record the installed set for later comparison
    rpm -Va
    rpm -qa > installed_packages_$(date +%Y%m%d).txt
    # Shared libraries loaded by each system binary (look for libraries in unexpected paths)
    for binary in /bin/* /sbin/* /usr/bin/* /usr/sbin/*; do
        ldd "$binary" 2>/dev/null | grep -v "linux-vdso\|ld-linux"
    done

debsums and rpm -V compare against checksums stored on the same host, which an attacker with root can rewrite; they catch accidental drift and careless intrusions, not a careful one. A baseline kept off the host is the stronger check.

Memory Analysis and Forensics Commands

Live Memory Analysis

Memory analysis can reveal hidden processes and rootkits:

    # Check kernel modules
    lsmod | grep -v "Module"
    modinfo $(lsmod | awk '{print $1}' | tail -n +2)
    # Memory usage by process
    ps aux --sort=-%mem | head
    # Shared memory segments
    ipcs -m

lsmod reads /proc/modules, which a kernel rootkit can filter; cross-check the list against the directories under /sys/module and against dmesg module-load messages.
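As an added example that is not part of the original document, the script below packages the account checks from this section (UID-0 accounts, empty password fields, interactive shells) as functions that run over passwd- and shadow-format files, so they can be pointed at a mounted evidence image as easily as at the live /etc. The sample files are constructed for the demonstration: they contain a second UID-0 account, a service account whose shell has been changed, and an account with an empty password field.

```bash
#!/usr/bin/env bash
# Added example, not code from the original document.
# Audit account data from passwd/shadow-format files.

# Constructed passwd file. Note the second UID-0 account (toor) and the
# service account www-data, whose shell has been switched to bash.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/usr/sbin/nologin
toor:x:0:0:backdoor:/root:/bin/sh'

# Constructed shadow file: bob has an empty password field (login with no
# password if the PAM stack permits it); alice is locked with "!".
SAMPLE_SHADOW='root:$6$salt$hash:19000:0:99999:7:::
alice:!:19000:0:99999:7:::
bob::19000:0:99999:7:::
toor:$6$salt$hash:19000:0:99999:7:::'

# extra_uid0 PASSWD : accounts with UID 0 other than root. Any hit is a
# finding; a second UID-0 account is a classic persistence mechanism.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# empty_passwords SHADOW : accounts whose password field is empty.
empty_passwords() { awk -F: '$2 == "" { print $1 }' "$1"; }

# interactive_shells PASSWD : accounts that can get a shell. A system account
# (UID below 1000, not root) with a real shell is tagged, because service
# accounts are expected to carry nologin or false.
interactive_shells() {
    awk -F: '$7 !~ /(nologin|false)$/ {
        tag = ($3 < 1000 && $3 != 0) ? "SYSTEM-ACCOUNT-WITH-SHELL" : "ok"
        print $1, $3, $7, tag }' "$1"
}

# audit_demo : run the three checks against the constructed files.
audit_demo() {
    local pw sh
    pw=$(mktemp); sh=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$pw"
    printf '%s\n' "$SAMPLE_SHADOW" > "$sh"
    echo "== extra UID 0 ==";        extra_uid0 "$pw"
    echo "== empty passwords ==";    empty_passwords "$sh"
    echo "== interactive shells =="; interactive_shells "$pw"
    rm -f "$pw" "$sh"
}

audit_demo
```

On a live system pass /etc/passwd and /etc/shadow (the latter needs root); on an image, pass the paths under the mount point. Accounts that pass these checks can still be misused through sudo rules or SSH keys, so read the sudoers and authorized_keys findings alongside this output.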
Incident Response Command Workflows

Initial Incident Response Triage

When responding to a security incident, a structured approach using Linux commands is essential. The original's workflow figure reads, left to right: Initial Triage, Containment Commands, Eradication Commands, Recovery and Lessons Learned.

Initial triage script example (the legible parts of the original script, which writes each section to a file under $INCIDENT_DIR):

    mkdir -p "$INCIDENT_DIR"
    echo "=== System Information ==="
    uptime
    date
    echo -e "\n=== Established Connections ==="
    ss -tnp
    last -20 > "$INCIDENT_DIR/user_activity.txt"

Collect in order of volatility: connections, processes and memory first, then logs and disk. Write the output to a separate mount or a remote host, never onto the compromised filesystem, where it overwrites unallocated space you may later want to recover.

Network Isolation Commands

During an incident, network isolation may be necessary:

    # Block an attacker address in both directions
    iptables -I INPUT -s suspicious_ip -j DROP
    iptables -I OUTPUT -d suspicious_ip -j DROP
    # Keep DNS working while everything else is restricted
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
    # Full-packet capture for the investigation
    tcpdump -i any -s 0 -w /forensics/capture_$(date +%Y%m%d_%H%M%S).pcap

-I inserts at the top of the chain, so the DROP wins over any existing ACCEPT; -A appends, so the DNS rules only matter once a later rule or the chain policy drops the rest. Insert an ACCEPT for your own management path before tightening the OUTPUT policy, or you cut off the session you are working from.

Security Automation and Scripting

Automated Security Monitoring Script

Creating automated security monitoring enhances detection capabilities. The original script defines a log file under /var/log, an alert address ($ALERT_EMAIL), a log() helper that prefixes each line with the date, and check functions called in a loop. The legible parts:

    LOGFILE="/var/log/security_monitor..."
    check_failed_logins() {
        local threshold=...
        local failed_count=$(grep "Failed password" /var/log/auth.log | \
            awk -v d="$(date -d '5 minutes ago' ...)" '$0 > d' | wc -l)
        if [ "$failed_count" -gt "$threshold" ]; then
            ... | mail -s "..." "$ALERT_EMAIL"
        fi
    }
    check_new_users() { ... }

One caveat on the time window: comparing a raw syslog line against a date string with '$0 > d' is a string comparison, and the "Jun  1 10:00:01" syslog format does not sort correctly across month boundaries or day widths. journalctl --since "5 minutes ago" _COMM=sshd, or an ISO-timestamped log, gives a window that actually means five minutes.
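The log-analysis section and the check_failed_logins function above both count "Failed password" lines per source address. As an added example, not code from the original document, the script below does that over a constructed sample of auth.log lines and adds the check that is usually worth an alert on its own: a source that logged in successfully after repeated failures. The sample lines, the host name and the addresses are constructed; the threshold values are arbitrary.

```bash
#!/usr/bin/env bash
# Added example, not code from the original document.
# Failed-login analysis over auth.log-style lines.

# Constructed auth.log excerpt. In production feed
#   grep sshd /var/log/auth.log    or    journalctl -u ssh -o short
# into the functions instead of this sample.
SAMPLE_AUTH='Jun  1 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Jun  1 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.9 port 40023 ssh2
Jun  1 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.9 port 40024 ssh2
Jun  1 10:00:04 host sshd[1204]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jun  1 10:00:05 host sshd[1205]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
Jun  1 10:00:06 host sshd[1206]: Failed password for root from 203.0.113.9 port 40025 ssh2
Jun  1 10:00:07 host sshd[1207]: Accepted password for root from 203.0.113.9 port 40026 ssh2'

# failed_by_ip : stdin -> "<count> <ip>", most failures first. The address is
# taken from the "from <ip>" phrase rather than a bare IP regex over the line,
# so that ports, PIDs and version strings are never mistaken for addresses.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ && match($0, /from [0-9.]+/) {
            print substr($0, RSTART + 5, RLENGTH - 5) }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# brute_force_alerts THRESHOLD : stdin -> addresses with at least THRESHOLD
# failures. This is the counter the monitoring script above implements.
brute_force_alerts() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# success_after_failures MIN : stdin -> addresses that logged in successfully
# after at least MIN failures. A spray that eventually worked is the event to
# page on; the raw failure count is mostly scanner noise.
success_after_failures() {
    awk -v min="$1" 'match($0, /from [0-9.]+/) {
            ip = substr($0, RSTART + 5, RLENGTH - 5)
            if ($0 ~ /Failed password/) fails[ip]++
            else if ($0 ~ /Accepted (password|publickey)/ && fails[ip] >= min)
                print ip, "succeeded after", fails[ip], "failures"
        }'
}

printf '%s\n' "$SAMPLE_AUTH" | failed_by_ip
printf '%s\n' "$SAMPLE_AUTH" | brute_force_alerts 3
printf '%s\n' "$SAMPLE_AUTH" | success_after_failures 3
```

alice's single typo followed by a key login is filtered out by the minimum; the four failures and then an accepted password for root from 203.0.113.9 is reported. On hosts where sshd logs only to the journal, `journalctl -u ssh -o short` produces the same syslog-style lines.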
    check_suspicious_ports() {
        local suspicious_ports=...
        # reports "outbound connection on port ..." for each match
    }
    while true; do
        check_failed_logins
        check_new_users
        check_suspicious_ports
        sleep 300
    done

System Hardening Automation

Automating security hardening ensures consistent security configurations. The original script sets kernel network parameters with sysctl (IPv4 forwarding, acceptance and sending of ICMP redirects, source routing), disables services that are not needed (systemctl disable cups), and tightens password ageing in /etc/login.defs (PASS_MAX_DAYS, rewritten with sed). The legible part:

    # Ignore send redirects
    sysctl -w net.ipv4.conf.all.send_redirects=0
    sysctl -w net.ipv4.conf.default.send_redirects=0
    systemctl disable cups

sysctl -w changes only the running kernel; to survive a reboot the same keys must be written to a file under /etc/sysctl.d/. Disabling a unit does not stop a running instance: pair systemctl disable with systemctl stop, or use systemctl disable --now.

Advanced Forensics and Investigation Commands

Timeline Creation and Analysis

Creating comprehensive timelines is crucial for incident reconstruction:

    # Epoch modification time and path for every file, oldest first
    find / -type f -printf "%T@ %p\n" 2>/dev/null | sort -n
    # Convert the epoch column to a readable date (%T@ carries a fractional part, hence the ${...%.*})
    date -d "@${timestamp%.*}" "+%b %d %H:%M"
    # Journal entries from the last day as JSON, for merging with the file timeline
    journalctl --since "1 day ago" -o json | jq -r '... (.MESSAGE)'

Data Recovery and Analysis

When investigating incidents, data recovery capabilities are essential:

    # Search suspect or recovered files for sensitive strings
    grep -r -i "password\|confidential" /suspicious/directory
    # Metadata of every file in a directory tree
    exiftool -r /suspicious/directory

Best Practices for Security Command Usage

Command Logging and Audit Trail

Maintaining comprehensive logs of security commands is essential:

    echo 'HISTTIMEFORMAT="%F %T "' >> /etc/profile
    echo 'HISTFILESIZE=10000' >> /etc/profile

A wrapper script in the original records each invocation with its user and time:

    #!/bin/bash
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] User: $(whoami) Command: $*" >> ...

Shell history belongs to the user who writes it: unset HISTFILE, a kill -9 of the shell, or a plain edit of the file removes it. Treat it as a convenience, not an audit trail; accountability needs auditd (execve rules) or session recording with script or a jump host.

Performance and Resource Considerations

Security commands can be resource-intensive. Optimizing their usage is important:

    # Cap CPU time for the shell and its children to one hour
    ulimit -t 3600
    # Measure a command's resource usage
    /usr/bin/time -v command_to_monitor

Conclusion

The Linux command line provides cybersecurity professionals with unparalleled power and flexibility for security analysis, incident response, and system hardening. Mastery of these commands requires not just memorization of syntax, but understanding of their security implications, performance characteristics, and integration into comprehensive security workflows. The commands and techniques presented in this guide represent the foundation of professional cybersecurity work on Linux systems.
From network analysis with tcpdump and ss, through process investigation with ps and lsof, to forensic analysis with find and custom scripts, each tool serves a specific purpose in the security professional's arsenal. As threats continue to evolve, the importance of command-line proficiency only increases. The ability to quickly analyze systems, detect anomalies, and respond to incidents using these fundamental tools remains a critical skill that distinguishes expert practitioners. Combined with automation through scripting and integration with modern security tools, these commands form the backbone of effective security operations. Regular practice, continuous learning, and adaptation of these techniques to specific environments will ensure that security professionals can effectively protect systems against both current and emerging threats. The command line remains not just a tool, but a powerful ally in the ongoing battle for cybersecurity.

Frequently Asked Questions

What are the most critical Linux commands every cybersecurity professional should master first?
For cybersecurity professionals beginning their Linux journey, these commands form the essential foundation:

Network Analysis Commands:
* ss or netstat: Understanding network connections is fundamental to detecting compromises
* tcpdump: Packet-level analysis reveals attack patterns and data exfiltration
* nmap: Network discovery and vulnerability identification (though not native to all distributions)

Process Analysis Commands:
* ps with various flags (aux, -ejH, etc.): Process visibility is crucial for malware detection
* lsof: Links processes to files and network connections
* top/htop: Real-time resource monitoring for detecting cryptominers and DoS

File System Commands:
* find: The Swiss Army knife of file system investigation
* grep: Pattern matching across files and logs
* ls with various flags: Understanding file permissions and attributes

Log Analysis Commands:
* tail, head, less: Basic log navigation
* journalctl: Modern systemd log analysis
* awk, sed: Text processing for log analysis

User and Permission Commands:
* who, w, last: User activity monitoring
* chmod, chown: Permission management
* sudo, su: Privilege escalation understanding

These commands provide the foundation for more advanced security operations and should be practiced regularly in various scenarios.

How can I effectively combine multiple Linux commands for comprehensive security analysis?

Effective command combination leverages pipes, redirection, and command substitution to create powerful analysis workflows:

Pipeline Techniques:

    <ss -tnp output, filtered to ESTAB and reduced to the peer address> | sort | uniq -c | sort -rn | head -10

This identifies the top 10 IP addresses with established connections.
Command Substitution: feed one command's output into another's arguments, as in lsof -p $(pgrep -d, suspicious_process) above.

Loops for Comprehensive Analysis:

    for user in $(cut -d: -f1 /etc/passwd); do ...; done

Parallel Processing: hash or inspect many binaries at once with xargs -P instead of a sequential loop, for example find /bin /sbin -type f -print0 | xargs -0 -P 4 sha256sum.

Complex Analysis Scripts: Create reusable scripts that combine multiple commands for specific security tasks, such as incident response triage or baseline creation. The key is understanding each command's output format and how to parse it for the next command in the pipeline.

What are the best practices for using Linux commands without disrupting production systems?

Using security commands on production systems requires careful consideration to avoid service disruption:

Resource Management:
* Use nice and ionice to lower command priority
* Implement ulimit restrictions to prevent resource exhaustion
* Use timeout to prevent commands from running indefinitely
* Monitor system load with uptime before running intensive commands

Read-Only Operations:
* Always use read-only mount options when analyzing file systems
* Prefer non-invasive commands that don't modify system state
* Use --dry-run options when available
* Test commands on development systems first

Timing Considerations:
* Schedule intensive operations during maintenance windows
* Use incremental approaches for large-scale analysis
* Implement rate limiting in scripts
* Consider impact on backup and replication systems

Output Management:
* Redirect output to avoid filling up system partitions
* Use dedicated forensics storage for large captures
* Implement log rotation for continuous monitoring scripts
* Compress output files to save space

Safety Measures:
* Always have rollback plans
* Document all commands executed
* Use screen or tmux for long-running operations
* Implement confirmation prompts for destructive operations

How do Linux security commands differ across distributions, and how can I write portable scripts?
While core commands are similar across distributions, there are important differences to consider:

Package Management Differences:
* Debian/Ubuntu: dpkg, apt
* RedHat/CentOS: rpm, yum/dnf
* Create wrapper functions that detect the distribution

Service Management:
* systemd: systemctl, journalctl
* SysV init: service, traditional /var/log files
* Check for command availability before use

File Locations:
* Log files may be in different locations
* Configuration files might have different paths
* Use variables for paths and detect locations dynamically

Command Options:
* Some commands have different flags across distributions
* GNU vs BSD versions of commands differ
* Test for specific options before using them

Portable Scripting Techniques: detect the package manager rather than assuming it, and use the same pattern for service and log commands:

    if command -v dpkg >/dev/null 2>&1; then
        dpkg -l
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa
    fi

What are the essential Linux commands for detecting and analyzing cryptocurrency mining malware?

Cryptocurrency mining malware has become a prevalent threat, requiring specific detection techniques:

CPU Usage Analysis:

    # Processes above 80% CPU in one batch-mode sample (%CPU is column 9 in top's default layout)
    top -b -n 1 | awk '$9 > 80.0 {print $0}'

Process Name Analysis:

    ps aux | grep -E "xmrig|minerd|ccminer|xmr-stak|minergate|nanopool"

Network Indicators:

    # Check for mining pool connections on common stratum ports
    ss -tnp | grep -E ":5555|:7777"

File System Indicators:

    # Files that mention pools or wallets
    find <directory> -type f -exec grep -l "pool\|wallet\|mining" {} \; 2>/dev/null
    # Hidden directories, a favourite drop location for miners
    find / -type d -name ".*" -exec ls -la {} \; 2>/dev/null

Automated Detection Script: the original combines the checks above (ss -tnp 2>/dev/null | grep ... for the ports, the process-name grep, and the file searches) into one script run on a schedule.

Regular monitoring using these commands helps identify mining malware before it significantly impacts system performance. Two caveats: miners that throttle themselves or run only when the system is idle stay under a fixed CPU threshold, and the process name is chosen by the attacker, so the command line, the network destination and the binary's hash are more reliable than the name.
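As an added example that is not part of the original document, the script below runs the CPU-threshold and process-name checks from this answer over a constructed ps aux sample, and adds the check the caveat calls for: a miner that has renamed itself to look like a kernel thread is caught by its command-line arguments (a stratum pool URL, the --donate-level option) rather than by its name. The sample processes, names, pool host and wallet string are constructed for the demonstration; the 80% threshold follows the answer above.

```bash
#!/usr/bin/env bash
# Added example, not code from the original document.
# Miner indicators from `ps aux` output.

# Constructed `ps aux` sample. Process 3100 masquerades as a kernel thread but
# carries miner arguments; process 3300 uses the well-known xmrig name.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 169000 11000 ? Ss 10:00 0:01 /sbin/init
www-data 800 1.2 0.5 200000 40000 ? S 10:00 0:05 nginx: worker process
nobody 3100 98.7 2.0 900000 160000 ? Rl 10:20 5:30 [kworker/0:1] -o stratum+tcp://pool.example:3333 -u 4ABC --donate-level=1
alice 3200 0.3 0.2 150000 15000 pts/0 S 10:25 0:00 bash
root 3300 85.0 1.0 500000 80000 ? R 10:30 3:00 xmrig --config=/tmp/.x/config.json'

# high_cpu THRESHOLD : ps aux on stdin -> "<pid> <%cpu> <command>" for
# processes above THRESHOLD percent CPU. Column 3 is %CPU in ps aux output.
high_cpu() {
    awk -v t="$1" 'NR > 1 && $3 + 0 > t { print $2, $3, $11 }'
}

# miner_indicators : ps aux on stdin -> "<pid> <command> <reason>" where the
# command name is a known miner or, regardless of name, the arguments
# contain a stratum pool URL, a donate-level option or a nicehash reference.
miner_indicators() {
    awk 'NR > 1 {
        cmd = ""; for (i = 11; i <= NF; i++) cmd = cmd " " $i
        why = ""
        if ($11 ~ /(xmrig|minerd|ccminer|xmr-stak|minergate)/) why = "known-miner-name"
        else if (cmd ~ /stratum\+tcp:\/\/|--donate-level|nicehash/) why = "miner-arguments"
        if (why != "") print $2, $11, why
    }'
}

printf '%s\n' "$SAMPLE_PS" | high_cpu 80
printf '%s\n' "$SAMPLE_PS" | miner_indicators
```

Real kernel threads have no command-line arguments at all (their /proc/<pid>/cmdline is empty), so any bracketed name followed by options is itself a finding. Confirm a hit with the /proc/<pid>/exe link and the hash of the binary before killing it, and look for the cron entry or systemd unit that will otherwise bring it back.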