Cheat sheet — Linux for Security¶
Companion to Module 04 — Linux for Security · CC BY 4.0 — print it, pin it, share it.
Last reviewed: 2026-07
Finding things¶
find / -name "*.conf" 2>/dev/null # by name (dump permission noise to /dev/null)
find /var/log -mtime -1 # modified in the last day
find / -size +100M 2>/dev/null # big files
find / -perm -4000 -type f 2>/dev/null # SUID binaries — the classic privesc sweep
grep -rn "password" /etc/ 2>/dev/null # recursive text search, with line numbers
grep -rEi "passw(or)?d|secret|api[_-]?key" . # regex + case-insensitive secret hunt
Permissions — reading and changing¶
ls -l file # -rwsr-xr-x ← the 's' where 'x' should be = SUID
chmod 640 file # owner rw, group r, other nothing
chmod u+x file # symbolic form: add execute for owner
chown user:group file
umask # what new files get by default
- Read
-rwxr-x---in triples: owner / group / other.sin the owner triple = SUID (runs as the file's owner),sin group = SGID,ton a directory = sticky bit (only owners delete, e.g./tmp). - A world-writable script that root runs from cron is a root shell with extra steps.
Users and privilege¶
id # who am I, which groups
sudo -l # what can I sudo? — first command after any foothold
cat /etc/passwd # users (world-readable; shells at the end of each line)
sudo cat /etc/shadow # password hashes (root only — that's the point)
last; who # recent and current logins
Processes¶
ps aux # everything running (ps aux | grep <name>)
ps -ef --forest # parent/child tree — who spawned that shell?
top # live view (or htop if installed)
kill -9 <pid> # force-kill
lsof -p <pid> # files a process has open
lsof -i :8080 # which process owns a port
Services and logs¶
systemctl status ssh # is it running, and its last log lines
systemctl list-units --type=service --state=running
journalctl -u ssh -f # follow one service's log
journalctl --since "1 hour ago" # recent everything
tail -f /var/log/auth.log # auth events on Debian/Ubuntu (secure on RHEL)
/var/log/auth.logis where brute-force attempts, sudo use, and new sessions land — the first file a defender reads and the first one an attacker wants to clean.
Scheduled tasks (persistence lives here)¶
crontab -l # current user's cron jobs
sudo ls /etc/cron.* /var/spool/cron 2>/dev/null
systemctl list-timers # systemd's cron equivalent
Moving data around¶
tar czf out.tar.gz dir/ # create compressed archive
tar xzf out.tar.gz # extract (add -C /dest for a target dir)
scp file user@host:/tmp/ # copy over SSH
python3 -m http.server 8000 # instant file server from any directory
Gotchas worth remembering¶
- Almost everything is a file — devices, sockets, process state (
/proc/<pid>/)./procis a live map of the system:cat /proc/<pid>/cmdlinebeats trusting a renamed binary. - History files (
~/.bash_history,~/.zsh_history) record what was typed — gold for forensics, a leak for anyone who types secrets on the command line. 2>/dev/nullhides errors, not results — use it to silence permission-denied spam in sweeps, never in scripts where the error is the signal.
Comments
Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).