DEV Community

Faizan Nazir
Faizan Nazir

Posted on

Day 8 Linux File System Hierarchy

Linux File System Hierarchy Explained (SOC Analyst Perspective)
When you step into the world of cybersecurity — especially into a Security Operations Center (SOC) — your relationship with an operating system changes completely. You no longer see Linux as “just an OS”. You start seeing it as a crime scene, where every directory can contain evidence, every file can tell a story, and every log can confirm or deny an attack.

One of the most important foundations for any SOC analyst is a clear and deep understanding of the Linux File System Hierarchy. Without this, log analysis, incident response, threat hunting, and even SIEM investigations become guesswork.

This article explains the Linux File System Hierarchy from a SOC Analyst’s perspective, not just what directories exist, but why they matter in real-world investigations.

Understanding the Linux File System Hierarchy
Linux follows a hierarchical, tree-like file system structure.
At the top of this hierarchy is a single directory called the root directory, represented by /.

Unlike Windows, Linux does not use multiple drive letters such as C: or D:.
Instead:

Everything exists under /
All files, folders, logs, devices, and configurations are part of one unified structure
This predictability is one of the biggest advantages for security investigations
For a SOC analyst, this means:

If an attack happens, the evidence is always somewhere inside the Linux file system hierarchy.

Understanding this hierarchy is equivalent to understanding where attackers operate and where defenders must look first.

Root Directory / – The Foundation of the System
The root directory / is the top-most directory in Linux.

Key points:

Every directory and file is a child of /
Nothing exists outside this directory
It acts as the foundation of the operating system
From a SOC perspective:

Every investigation logically starts from /
Analysts mentally map the system beginning at root
Incorrect actions at this level can impact the entire system
Root is not just a directory — it is the entry point to understanding the whole system.

/home – User Activity and Initial Compromise Zone
The /home directory contains home folders for normal (non-root) users.

What lives here:

User documents
Downloads
Scripts
Tools
User-specific configuration files
Command history files such as .bash_history
Why /home matters in SOC:

Most attacks begin with user-level compromise
Phishing attacks, stolen credentials, and malicious downloads all land here
Attackers often operate inside user directories before escalating privileges
SOC analysts examine /home to:

Identify suspicious scripts and binaries
Check hidden files used to evade detection
Review command history for attacker behavior
Confirm the initial access vector
In many incidents, /home tells you how the attack started.

/root – Privilege Escalation Evidence
The /root directory is the home directory of the root (administrator) user.

Important characteristics:

Only accessible by the root account
Normal users should never interact with this directory
SOC relevance:

Activity inside /root strongly indicates privilege escalation
Once attackers gain root access, they often operate from here
Tools, scripts, and archives found in /root are high-risk indicators
For SOC analysts:

Any suspicious activity in /root is treated as high severity
It confirms that the attacker has full control over the system
If /home shows how the attack began, /root often confirms how far it went.

/etc – Configuration and Persistence Zone
The /etc directory contains system-wide configuration files.

This directory controls:

User accounts
Authentication behavior
Service configurations
Network settings
Critical files include:

/etc/passwd – user account definitions
/etc/shadow – encrypted password hashes
/etc/ssh/sshd_config – SSH access control
/etc/crontab – scheduled tasks
SOC importance of /etc:

Attackers modify configuration files to maintain persistence
Backdoor users may be added here
SSH settings may be weakened for easier access
Cron jobs are often abused to execute malware repeatedly
SOC analysts carefully inspect /etc to detect:

Unauthorized user creation
Configuration tampering
Long-term persistence mechanisms
This directory often reveals how attackers plan to stay.

/var – Variable Data Directory
The /var directory stores data that changes frequently.

Become a Medium member
It includes:

Logs
Cache files
Runtime data
Spool files
While /var itself is important, its most critical subdirectory for SOC analysts is /var/log.

/var/log – The Heart of SOC Investigations
/var/log contains system and application log files.

This is the most important directory for any SOC analyst.

Typical logs include:

Authentication logs (login attempts)
System logs (errors, warnings, service activity)
Application logs
Web server access and error logs
Why /var/log is critical:

Logs provide evidence, not assumptions
Brute-force attacks are visible through repeated failed logins
Successful logins confirm account compromise
Attack timelines are built using log timestamps
Incident reconstruction depends on logs
A core SOC rule:

If logs were not reviewed, the investigation is incomplete.

Logs transform suspicion into confirmation.

/tmp – Malware Execution and Staging Area
The /tmp directory is used for temporary files.

Key characteristics:

World-writable (any user can write here)
Files are often short-lived
Commonly cleaned automatically
Why attackers love /tmp:

Easy to write files
Often lightly monitored
Ideal for executing malicious scripts
Used for fileless or in-memory attacks
SOC red flags:

Executable files inside /tmp
Running processes originating from /tmp
Correlation between /tmp activity and suspicious logs
For SOC analysts, /tmp often indicates active or recent attacks.

/bin and /sbin – System Binary Integrity
These directories contain essential system commands.

/bin – commands used by all users
/sbin – administrative and system management commands
SOC relevance:

Attackers may replace legitimate binaries with malicious ones
Trojanized commands allow stealthy execution
PATH hijacking can redirect execution to malicious binaries
SOC analysts may:

Verify command integrity
Compare binary hashes with known baselines
Investigate unexpected command behavior
Binary integrity issues can turn trusted tools into attack vectors.

/proc – Live System and Memory View
The /proc directory is a virtual filesystem created by the kernel.

Important characteristics:

Does not store data on disk
Shows real-time system information
Exposes running processes and memory usage
SOC importance:

Some malware exists only in memory
Hidden or injected processes can be detected here
Useful during live incident response
/proc answers the question:

What is happening on the system right now?

Linux File System Hierarchy in a SOC Investigation Flow
In real incidents, SOC analysts often follow this pattern:

/home – identify initial access and user compromise
/tmp – check for malware execution
/etc – detect persistence mechanisms
/root – confirm privilege escalation
/var/log – build the incident timeline
/proc – observe live attacker activity
This flow is not theoretical — it mirrors real SOC investigations.

Final Thoughts
The Linux File System Hierarchy is not just an operating system concept — it is a map of attacker behavior and defender response.

For SOC analysts:

Tools generate alerts
Logs provide evidence
File systems reveal the truth
Mastering the Linux file system hierarchy means knowing where to look before what to search. It transforms you from someone who reacts to alerts into someone who understands incidents.

This foundation is essential before moving into SIEM, EDR, threat hunting, or incident response.

🔚 End of Article
(Day 2 — Linux File System Hierarchy)

Top comments (0)