Courses
DefensiveBeginner

Linux Security Essentials

Linux security for SOC analysts: distributions, permissions, SUID, sudo, logging, auditd, and command-line investigation skills.

4 modules
19 lessons
10 practical tasks
Linux Security Essentials course element

About This Course

Linux Security Essentials teaches SOC analysts the Linux knowledge required for incident response and security investigation. Module 1 builds a security-focused Linux foundation: enterprise distributions and their differences (Red Hat family with SELinux, Debian/Ubuntu with AppArmor), the Filesystem Hierarchy Standard and security-relevant paths (/tmp, /etc, /proc, /dev/shm), process inspection using ps and /proc/, and the Linux boot sequence with all persistence locations (systemd, cron, shell startup scripts, ld.so.preload). Module 2 covers permissions and access control: reading octal and symbolic permissions, SUID and SGID privilege escalation risks, sudo configuration analysis and dangerous sudoers patterns, /etc/passwd and /etc/shadow account auditing for backdoor accounts, and SSH key-based authentication with authorized_keys investigation. Module 3 covers the Linux logging ecosystem: syslog and rsyslog architecture and SIEM forwarding configuration, journald and systemd journal investigation with journalctl, the complete reference of key log file locations across distributions (auth.log vs secure, dpkg.log, web server logs), and the auditd kernel audit framework with EXECVE record analysis. Module 4 builds command-line investigation skills: essential investigation commands (find, stat, lsof, strace), grep/awk/sed log parsing pipelines for security analysis, systematic suspicious file and process discovery, network connection investigation with ss and lsof, and comprehensive cron and service persistence auditing.

What You'll Learn

  • Identify enterprise Linux distributions by family and know the resulting differences in log locations, package management, and default mandatory access control systems
  • Find and audit SUID root files outside standard system paths and identify dangerous sudoers configurations that provide unintended shell access
  • Detect /etc/passwd and /etc/shadow indicators of backdoor accounts including UID 0 duplicates, service accounts with interactive shells, and empty password fields
  • Read and query the systemd journal with journalctl to recover authentication evidence that survives syslog text file tampering
  • Use find, ps, ss, and lsof to systematically discover suspicious files in world-writable directories, processes with deleted executables, and unexpected listening ports
  • Conduct a complete cron and systemd service persistence audit across all five cron configuration locations and /etc/systemd/system/

Prerequisites

Security Operations Center (SOC) Fundamentals

Course Curriculum