The Linux file system, from a security angle
The Linux file system isn’t just where files live — it’s a map of where interesting things hide. Knowing which directories hold secrets, logs, and configuration is what makes you fast on a Linux assessment. This lesson is that map, with the commands to read it.
You'll learn to
- Know which directories matter for security
- Read files and listings with the right flags
- Surface credentials and config across a system
The directories that matter
| Path | What lives there | Why you care |
|---|---|---|
| /etc | System config | passwd, shadow, sudoers, SSH config |
| /home | User home dirs | .bash_history, .ssh, saved credentials |
| /var/log | Logs | auth.log, syslog, web access logs |
| /tmp, /dev/shm | World-writable temp | staging space, dropped files |
| /opt, /srv | Third-party apps | often badly permissioned, secret-rich |
| /proc | Live process data | /proc/PID/environ leaks env vars |
| /root | Root’s home | keys, history, scripts (if you can read it) |
Reading files and listings
```bash
ls -la /etc/               # list everything, including hidden files, with permissions
cat /etc/passwd            # user accounts (usernames, shells, home dirs)
cat /etc/os-release        # what distro and version
head -20 file              # first 20 lines
tail -f /var/log/auth.log  # follow a log live as it's written
```
ls -la is the listing you’ll use most: -l for the long format (permissions, owner, size) and -a for hidden files (the dotfiles, where a lot of secrets live — .env, .ssh, .aws).
Finding things across the whole system
```bash
# Find SSH private keys anywhere readable:
find / -name "id_rsa" 2>/dev/null
# Find files containing the word 'password':
grep -rl "password" /etc /opt /var/www 2>/dev/null
# Find recently modified config files:
find /etc -name "*.conf" -mtime -7 2>/dev/null
# Find .env and credential files:
find / -name ".env" -o -name "*.pem" -o -name "credentials" 2>/dev/null
```
That 2>/dev/null at the end of every command is essential: as a non-root user, find / produces a flood of “Permission denied” messages, and redirecting the error stream to nowhere keeps only the useful results.
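On a system you administer, the same name-based searches can drive a permission audit. The script below is an added example, not part of the original lesson: the function names `audit_secret_perms` and `audit_world_writable` are hypothetical, and it assumes GNU find, grep and stat. It goes one step beyond the lesson's name matching by also flagging files that contain a PEM private-key header under any name.

```bash
#!/bin/sh
# Added example, not part of the lesson: defensive permission audit.
# Assumes GNU find, grep and stat (the defaults on mainstream Linux distros).
# Usage after sourcing: audit_secret_perms /home /opt /srv

# audit_secret_perms ROOT...
# Prints "MODE OWNER PATH" for every regular file under ROOT that group or
# other can read AND that either has one of the lesson's secret-bearing names
# or contains a PEM private-key header (catches keys saved under other names).
# The permission test runs first so only loosely-permissioned files are grepped.
audit_secret_perms() {
    find "$@" -type f \( -perm -040 -o -perm -004 \) \
        \( -name 'id_rsa' -o -name '.env' -o -name '*.pem' -o -name 'credentials' \
           -o -exec grep -qI -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' {} \; \) \
        -exec stat -c '%a %U %n' {} + 2>/dev/null | sort
    # Permission-denied errors during traversal are expected for non-root users.
    return 0
}

# audit_world_writable ROOT...
# Prints files any local user can modify, plus world-writable directories
# that lack the sticky bit (the bit that makes /tmp safe to share).
audit_world_writable() {
    find "$@" \( -type f -perm -002 \) \
        -o \( -type d -perm -002 ! -perm -1000 \) 2>/dev/null | sort
    return 0
}
```

`*.pem` also matches public certificates, so treat each hit as an item to review rather than a confirmed exposure.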
Checkpoint
You want to see ALL files in a user's home directory, including the dotfiles where credentials hide. What command and flags do you use?
ls -la /home/username — the -a flag shows hidden (dot) files like .ssh, .env, .aws, and .bash_history, and -l shows permissions and ownership. A plain ls would hide exactly those credential-bearing files.
Try it yourself
On a Linux system you control, run ls -la ~ to see your own hidden files. Then try find / -name "*.conf" 2>/dev/null | head -20 and notice how the error redirect keeps the output clean. Finally, cat /etc/passwd | cut -d: -f1 to list every username.
Summary
The Linux file system maps where interesting data lives: /etc (config and credentials), /home (user secrets and dotfiles), /var/log (logs), /proc (live process env), and /opt and /srv (third-party apps). Read with ls -la (always -a for hidden files) and cat/tail. find with the right filter and 2>/dev/null surfaces keys, .env files, and credentials across the whole system — your first-pass enumeration.
Key takeaways
- Know the security-relevant dirs: /etc, /home, /var/log, /proc, /opt.
- ls -la shows hidden dotfiles — where credentials hide.
- find / ... 2>/dev/null surfaces keys and configs without permission-denied noise.
- This checklist becomes an automated assessment script in Module 9.
Next, permissions and ownership — the bits that decide what you can read, and how a single SUID binary becomes a path to root.