- September 12, 2023
- Posted by: SouTech Team
- Category: Blog
A Security Operations Center (SOC) analyst plays a pivotal role in monitoring and responding to security incidents in an organization. Understanding Linux commands is crucial for several reasons, primarily because a vast number of servers, tools, and systems run on Linux-based operating systems. Let’s delve into the significance of the commands covered below and their relevance for a SOC analyst:
- Understanding the Environment: Many corporate servers, cloud instances, and even cybersecurity tools run on Linux or Unix-like environments. Understanding basic and advanced Linux commands helps an analyst navigate and manage these environments.
- Investigation and Forensics: When security incidents happen, an analyst needs to investigate what took place, which often involves deep dives into system logs, network traffic captures, and system behaviors. Commands like `tcpdump`, `grep`, `awk`, `find`, and `strings` allow analysts to inspect network traffic, search through vast logs quickly, and extract relevant data from files.
- System Monitoring: Keeping an eye on active processes (`ps`), network connections (`netstat` or `ss`), and disk activity (`lsof`) is pivotal. These can give insight into anomalies or unexpected activity on a system, which could indicate a security breach or malware activity.
- Network Monitoring: Tools like `tcpdump`, `nmap`, and `iptables` help in understanding, inspecting, and controlling network activity. They can be used to spot unusual traffic, understand the network landscape, or even implement rapid containment actions.
- Incident Response: During an ongoing security incident, quick and decisive action is often needed. Commands like `iptables` for blocking specific network traffic, `kill` for stopping suspicious processes, or `chown` and `chmod` for altering file permissions can be vital for containing threats.
- Auditing and Hardening: Periodic security checks and system hardening are part of proactive security measures. Tools like `lynis` help in system auditing, while commands such as `chmod`, `chown`, and `iptables` assist in system hardening.
- Threat Hunting: Proactively searching for signs of malicious activity often requires a combination of commands: for example, correlating data from various logs, checking system integrity with hashing tools like `hashdeep`, or searching for indicators of compromise in files.
- Operational Tasks: Routine tasks like checking system performance, managing scheduled tasks (`crontab`), or configuring network interfaces (`ifconfig`) are essential to ensure the smooth operation of security tools and systems.
- Data Analysis: With the amount of data that SOCs deal with, quick on-the-fly analysis using `grep`, `awk`, or `tail` can be invaluable. They can filter out the noise and zoom in on the actual issues.
- Automation: A basic understanding of Linux and shell scripting can help in automating mundane tasks or even customizing alerts and responses. Many of these commands can be combined in scripts to automate repetitive tasks or produce formatted reports.
In summary, understanding and mastering Linux commands empowers a SOC analyst to perform their job more effectively. Whether it’s responding to incidents, investigating breaches, proactively hunting threats, or maintaining and optimizing the security infrastructure, these commands provide the fundamental building blocks. The versatility of the Linux command line, combined with the open nature of the operating system, allows for endless combinations and solutions tailored to unique security challenges.
- `netstat`: Display network connections, routing tables, and network statistics.
  - Example 1: List all active connections: `netstat -at`
  - Example 2: Show listening ports with numeric values: `netstat -lnt`
- `tcpdump`: Capture and inspect network packets.
  - Example 1: Capture the first 100 packets on the eth0 interface: `tcpdump -i eth0 -c 100`
  - Example 2: Capture TCP packets on port 80: `tcpdump tcp port 80`
- `nmap`: Discover devices running on a network and find open ports along with various attributes of the network.
  - Example 1: Scan a specific host: `nmap 192.168.1.5`
  - Example 2: Scan a range of IPs for open ports: `nmap 192.168.1.1-20`
- `grep`: Search for specific patterns within files.
  - Example 1: Search for “error” in a log file: `grep 'error' /var/log/syslog`
  - Example 2: Use a regular expression (lines beginning with 2023): `grep '^2023' /var/log/auth.log`
- `awk`: Extract, filter, and report on data in files.
  - Example 1: Extract the fifth column from a space-separated file: `awk '{print $5}' file.txt`
  - Example 2: Sum the values in the first column: `awk '{sum+=$1} END {print sum}' file.txt`
- `ps`: Show current processes.
  - Example 1: View all processes: `ps aux`
  - Example 2: Show processes for a specific user: `ps -u username`
- `find`: Search for files based on criteria like name, size, or modification date.
  - Example 1: Find files modified in the last day: `find / -mtime -1`
  - Example 2: Find files with a specific name: `find / -name filename.txt`
- `chmod` & `chown`: Change file permissions and ownership.
  - Example 1: Make a script executable: `chmod +x script.sh`
  - Example 2: Change ownership of a file: `chown user:group filename.txt`
- `diff`: Compare the contents of files or directories.
  - Example 1: Compare two configuration files: `diff old.conf new.conf`
  - Example 2: Compare directories recursively: `diff -r dir1/ dir2/`
- `iptables`: Manage Linux firewall rules.
  - Example 1: Block incoming traffic from an IP: `iptables -A INPUT -s ip_address -j DROP`
  - Example 2: Allow traffic on a specific port: `iptables -A INPUT -p tcp --dport 22 -j ACCEPT`
- `ss`: Display socket statistics.
  - Example 1: Show listening TCP sockets: `ss -lt`
  - Example 2: Show listening UDP sockets: `ss -lu`
- `whois`: Query databases for domain or IP information.
  - Example 1: Look up a domain: `whois example.com`
  - Example 2: Look up an IP address: `whois 192.168.1.5`
- `dig`: Query DNS records.
  - Example 1: Fetch the A record for a domain: `dig example.com A`
  - Example 2: Fetch MX records: `dig example.com MX`
- `last`: Display the list of last logged-in users.
  - Example 1: Show recent logins: `last`
  - Example 2: Show reboots: `last reboot`
- `tail`: Display the last part of a file.
  - Example 1: View the last 50 lines of a log file: `tail -n 50 /var/log/syslog`
  - Example 2: Monitor a log file in real time: `tail -f /var/log/syslog`
- `lynis`: Security auditing and hardening tool.
  - Example 1: Perform a system audit: `lynis audit system`
  - Example 2: Check for available updates: `lynis update info`
- `lsof`: List open files and their associated processes.
  - Example 1: See which processes have a file open: `lsof /path/to/file`
  - Example 2: Find processes using a specific port: `lsof -i :22`
- `dd`: Disk dumping and data copying.
  - Example 1: Create an image of a disk: `dd if=/dev/sda of=/path/to/image.img`
  - Example 2: Back up the MBR: `dd if=/dev/sda of=/backup/mbr_backup bs=512 count=1`
- `strings`: Extract printable strings from binary files.
  - Example 1: Extract readable content from a binary: `strings executable.bin`
  - Example 2: Extract strings and write them to a file: `strings malware_sample > output.txt`
- `hashdeep`: Compute, match, and audit hash sets.
  - Example 1: Compute MD5, SHA-1, and SHA-256 hashes of files in a directory: `hashdeep -rlc md5,sha1,sha256 *`
  - Example 2: Check hashes against a known list: `hashdeep -k known_hashes.txt -x *`
- `ifconfig`: Interface configuration tool for network interfaces.
  - Example 1: Display information on all network interfaces: `ifconfig -a`
  - Example 2: Set the IP address of an interface: `ifconfig eth0 192.168.1.5`
- `crontab`: Schedule tasks.
  - Example 1: List scheduled jobs for the current user: `crontab -l`
  - Example 2: Edit the list of jobs: `crontab -e`
- `alias`: Create shortcuts for commands.
  - Example 1: Make an alias for checking open ports: `alias ports='netstat -tuln'`
  - Example 2: Make an alias for updating the system: `alias update='sudo apt update && sudo apt upgrade'`
- `journalctl`: Query the systemd journal.
  - Example 1: Show all logs since the last boot: `journalctl -b`
  - Example 2: Show logs for a specific service: `journalctl -u nginx`
- `cat`: Concatenate and display the content of files.
  - Example 1: Display the content of a file: `cat /etc/passwd`
  - Example 2: Combine two files into one: `cat file1.txt file2.txt > combined.txt`
- `kill`: Send a signal to a process.
  - Example 1: Kill a process with PID 1234: `kill -9 1234`
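As an added example of the integrity-audit workflow that the `find`, `hashdeep` and `diff` entries above describe (code written for this article, not from the original post or any project): it hashes a directory tree into a baseline and, on a later run, reports added, modified and removed files. It uses `sha256sum` from coreutils in place of `hashdeep`, so it runs where hashdeep is not installed; the directory tree and file contents it works on are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): build a hash baseline of a
# directory tree and audit it later, the find + hashdeep + diff workflow the
# reference above describes. sha256sum from coreutils stands in for hashdeep
# so it runs where hashdeep is not installed; the technique is the same.
# Paths containing whitespace are not handled (sha256sum's "hash  path" format).

# make_baseline DIR OUTFILE: hash every regular file under DIR with paths
# relative to DIR, sorted by path so two runs over identical trees diff cleanly.
make_baseline() {
    dir="$1"; out="$2"
    ( cd "$dir" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$out"
}

# audit_tree DIR BASELINE: rehash DIR, join the two lists on path and print
# "ADDED path", "MODIFIED path" or "REMOVED path" for every difference.
# Returns 1 when anything changed (usable as an alert condition), else 0.
audit_tree() {
    dir="$1"; base="$2"
    tmp="$(mktemp)"
    make_baseline "$dir" "$tmp"
    report="$(awk 'NR == FNR { old[$2] = $1; next }
                   { new[$2] = $1 }
                   END {
                       for (p in new)
                           if (!(p in old))           print "ADDED", p
                           else if (old[p] != new[p]) print "MODIFIED", p
                       for (p in old)
                           if (!(p in new))           print "REMOVED", p
                   }' "$base" "$tmp" | sort)"
    rm -f "$tmp"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Demonstration on a constructed tree (sample data, not a real system).
demo="$(mktemp -d)"
mkdir -p "$demo/etc"
printf 'PermitRootLogin no\n' > "$demo/etc/sshd_config"
printf 'root:x:0:0\n'         > "$demo/etc/passwd"
make_baseline "$demo" "$demo.base"
printf 'PermitRootLogin yes\n' > "$demo/etc/sshd_config"   # tampered
printf '#!/bin/sh\n'           > "$demo/etc/cron.sh"       # dropped in
rm "$demo/etc/passwd"                                     # removed
audit_tree "$demo" "$demo.base" || echo "integrity check FAILED"
rm -rf "$demo" "$demo.base"
```

Store the baseline off the audited host (or on read-only media), since an attacker who can alter the files can also alter a baseline kept beside them.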