Linux security for SOC analysts: distributions, permissions, SUID, sudo, logging, auditd, and command-line investigation skills.
Linux Security Essentials teaches SOC analysts the Linux knowledge required for incident response and security investigation. Module 1 builds a security-focused Linux foundation: enterprise distributions and their differences (Red Hat family with SELinux, Debian/Ubuntu with AppArmor), the Filesystem Hierarchy Standard and security-relevant paths (/tmp, /etc, /proc, /dev/shm), process inspection using ps and /proc/, and the Linux boot sequence with all persistence locations (systemd, cron, shell startup scripts, ld.so.preload). Module 2 covers permissions and access control: reading octal and symbolic permissions, SUID and SGID privilege escalation risks, sudo configuration analysis and dangerous sudoers patterns, /etc/passwd and /etc/shadow account auditing for backdoor accounts, and SSH key-based authentication with authorized_keys investigation. Module 3 covers the Linux logging ecosystem: syslog and rsyslog architecture and SIEM forwarding configuration, journald and systemd journal investigation with journalctl, the complete reference of key log file locations across distributions (auth.log vs secure, dpkg.log, web server logs), and the auditd kernel audit framework with EXECVE record analysis. Module 4 builds command-line investigation skills: essential investigation commands (find, stat, lsof, strace), grep/awk/sed log parsing pipelines for security analysis, systematic suspicious file and process discovery, network connection investigation with ss and lsof, and comprehensive cron and service persistence auditing.
Security Operations Center (SOC) Fundamentals