Linux fundamentals for security, the working subset.
The 25 commands you will type every day, the five you will type in a hurry, and the file permissions that decide who owns the box.
Most "intro to Linux" material teaches you Linux as a Unix system. We are going to teach you Linux as a security workstation — what you actually do at the keyboard during recon, triage, and post-exploitation.
The shell, in one paragraph
The shell is a program that reads a line, runs it, and prints output. Three special characters do most of the work: | sends output to another program, > sends it to a file, and && chains two commands so the second only runs if the first succeeds. You can build anything from there.
The 25 commands
If you can use these without thinking, you can read 80% of real-world security workflows.
| Command | What it does | Used for |
|---|---|---|
ls -la | List files with details | Recon, permission audit |
cd / pwd | Move / where am I | Always |
cat / less | Read a file | Configs, logs |
grep -r | Search text recursively | Finding secrets, errors |
find | Search by name / size / time | Locating dropped files |
chmod / chown | Change permissions / owner | Hardening, lateral movement |
ps -ef | List processes | What is running |
top / htop | Live process view | Triage |
netstat -tulpn | Open ports + process | What is listening |
ss -tulpn | Modern replacement | Same |
curl -v | HTTP from CLI | API testing |
wget | Download files | Pulling tools |
ssh / scp | Remote shell / copy | Lateral movement |
tar | Pack / unpack archives | Exfil, deploy |
systemctl | Service control | Persistence, audit |
journalctl | Read systemd logs | Triage |
tail -f | Follow a log | Live monitoring |
history | What was typed | Forensics |
sudo | Run as root | Privilege use / audit |
id / whoami | Who am I, what groups | Recon on yourself |
uname -a | Kernel info | Exploit selection |
iptables -L | Firewall rules | Egress mapping |
dig / host | DNS lookup | Recon |
scp / rsync | Move files reliably | Backups, exfil |
tmux / screen | Persistent sessions | Long jobs |
Permissions in five minutes
Every file has three triplets of permissions: owner, group, everyone. Each triplet has three bits: read, write, execute.
$ ls -l /etc/shadow
-rw-r----- 1 root shadow 1832 May 6 14:01 /etc/shadow
^ owner=root group=shadow
rw- = read+write for owner
r-- = read for shadow group
--- = no access for everyone else
Numeric form: each triplet is a 0–7 digit. chmod 750 file means owner=rwx, group=r-x, world=none. The numbers are read=4, write=2, execute=1.
A file with the SUID bit set runs as its owner, not as you. find / -perm -4000 -type f 2>/dev/null lists all of them. On a compromised box, this is where you look first.
The five "in a hurry" commands
When the alert is fresh and the senior engineer is in a meeting, these are the ones you reach for.
last -a | head -20— who logged in recently, from where.w— who is on the box right now, what are they running.ss -tunap— active sockets and the process behind each one.ls -lat /tmp /var/tmp /dev/shm | head— fresh files in the obvious dumping grounds.journalctl --since "1 hour ago" -p warning— recent warnings in the system log.
Pipes — the move that doubles your effective vocabulary
Two commands you have can be combined into a third. A few examples worth memorising:
# Top 10 processes by RSS memory
ps -eo pid,rss,cmd --sort=-rss | head -11
# Find every world-writable file under /etc
find /etc -type f -perm -o=w 2>/dev/null
# Recent failed SSH logins, grouped by source IP
journalctl -u ssh | grep "Failed" | awk '{print $NF}' | sort | uniq -c | sort -rn
Memorising these is not the point. The point is internalising the shape: list → filter → group → count. Once you see it, you will write your own.