The Root of It All: Understanding the Linux File System Hierarchy

In cybersecurity, particularly within a Security Operations Center (SOC), the Linux operating system transforms from a mere tool into a complex digital crime scene. Every directory, file, and log entry holds potential evidence. A deep understanding of the Linux File System Hierarchy (FHS) is not just foundational; it's critical for effective log analysis, incident response, threat hunting, and SIEM investigations. Without it, these crucial tasks devolve into mere guesswork.

Linux employs a hierarchical, tree-like file system structure. At the apex of this structure is the root directory, denoted by a single forward slash (/). All other directories and files stem from this root. This organized structure is key to how the system manages its components, from essential system binaries to user-specific configurations and temporary files.

Essential System Directories and Their Significance

/bin: Essential User Binaries

The /bin directory contains essential command-line executables (binaries) that are required by all users, including the superuser (root). These are the fundamental commands needed for system operation and basic user interaction, such as ls, cp, mv, and bash. In a SOC context, compromised executables in /bin could indicate a severe system takeover, as attackers might replace legitimate tools with malicious versions to hide their tracks or gain persistent access.

/sbin: System Binaries

Similar to /bin, /sbin houses essential system administration binaries. These commands are typically used by the system administrator (root) for system maintenance and repair. Examples include fdisk, fsck, and reboot. Malware targeting administrative functions might reside here, attempting to disrupt system integrity or gain elevated privileges.

/etc: Configuration Files

The /etc directory is paramount for system configuration. It stores system-wide configuration files and directories, including network settings, user accounts, software configurations, and startup scripts. For a SOC analyst, /etc is a treasure trove of evidence. Unexpected changes to network configurations (e.g., in /etc/network/interfaces or /etc/sysconfig/network), user account modifications (e.g., in /etc/passwd or /etc/shadow), or altered service configurations can point directly to an intrusion or policy violation.

/dev: Device Files

/dev contains special files that represent hardware devices, such as hard drives (/dev/sda), terminals (/dev/tty), and null devices (/dev/null). These are not regular files but interfaces through which the kernel communicates with hardware. While less frequently a direct target for attackers, understanding these files is important for system diagnostics and recognizing unusual device access patterns.

/proc: Process Information

/proc is a virtual file system that provides information about running processes and kernel status. It's dynamically generated and doesn't store persistent data. Files within /proc, such as /proc/meminfo or /proc/[pid]/status, offer real-time insights into system performance and running applications. In incident response, examining /proc can help identify rogue processes, understand resource consumption anomalies, and trace the lineage of malicious activity.

/var: Variable Data Files

The /var directory holds variable data files whose size is expected to grow over time. This is a critical directory for SOC analysts. It includes:

  • /var/log: System logs, application logs, and audit logs. This is arguably the most important subdirectory for incident investigation. Logs here can detail user logins, command execution, network connections, and system errors, providing a chronological record of events.
  • /var/spool: Data waiting for processing, such as mail queues or print jobs.
  • /var/tmp: Temporary files that should be preserved between reboots.
  • /var/cache: Application cache data.
  • /var/lib: State information for programs.

Analyzing logs in /var/log is a primary activity for identifying suspicious patterns, unauthorized access attempts, or the aftermath of a successful breach.

User and Home Directories

/home: User Home Directories

This directory contains the home directories for regular users. Each user typically has a subdirectory (e.g., /home/username) where their personal files, documents, and application settings are stored. For a SOC analyst, compromised user accounts can lead to data theft or lateral movement from within a user's environment. Examining files and activity within /home directories can reveal exfiltrated data or evidence of user account abuse.

/root: Superuser's Home Directory

/root is the home directory for the superuser (root). It's separate from /home to maintain administrative separation. Like user home directories, its contents can be critical in understanding administrative actions, especially if malicious activities were performed with root privileges.

System Resources and Temporary Files

/tmp: Temporary Files

/tmp is for temporary files that can be deleted by the system at any time, often upon reboot. Many applications and services use this directory for temporary storage. While its contents are volatile, attackers may use /tmp to drop malicious scripts or tools, or to stage data for exfiltration. Its permissions often allow any user to write to it, making it a common staging ground.

/usr: User Programs and Data

The /usr directory hierarchy contains user-installed programs, libraries, documentation, and other shared data. It's a large directory, often containing subdirectories like:

  • /usr/bin: Non-essential user command binaries.
  • /usr/sbin: Non-essential system administration binaries.
  • /usr/lib: Libraries for programs in /usr/bin and /usr/sbin.
  • /usr/share: Architecture-independent shared data.
  • /usr/local: Locally installed software, often used for manually compiled programs.

While /bin and /sbin are for essential, single-user mode commands, /usr/bin and /usr/sbin contain the bulk of the system's executable programs. Compromises here can affect a wide range of applications.

/opt: Optional Application Software

/opt is intended for installing optional application software packages that are not part of the standard distribution. These are often third-party applications. If a specific application is found to be compromised, its installation directory within /opt would be the primary focus.

System Boot and Kernel Information

/boot: Boot Loader Files

/boot contains files required for the system to boot, including the kernel itself and the boot loader configuration (e.g., GRUB). Tampering with files in /boot can prevent the system from starting or allow an attacker to load a malicious kernel. This is a high-impact target for sophisticated attacks aimed at system control.

/lib and /lib64: Essential Shared Libraries

These directories contain shared libraries needed by the essential binaries in /bin and /sbin. Shared libraries are crucial for modularity and efficiency, allowing multiple programs to use the same code. If these libraries are compromised, it can affect the integrity of many system functions and executables.

System Management and Miscellaneous

/mnt: Mounted File Systems

/mnt is a generic mount point for temporarily mounting file systems, such as network shares or removable media. It's a convenient place to access data from other storage devices. In a forensics context, understanding what was mounted here and when can be vital.

/media: Removable Media Mount Points

Similar to /mnt, /media is typically used for mounting removable media devices like USB drives or CD-ROMs. It provides a standardized location for these devices.

/srv: Data for Services

/srv contains site-specific data that services running on the system provide. For example, web server data might be in /srv/www. If a server is hosting services, this directory is key to understanding the data those services operate on.

/sys: System Devices and Information

/sys is another virtual file system that provides information about devices and the system's kernel. It offers a more structured view of the hardware and kernel modules than /proc. It's used for managing devices and kernel parameters.

/run: Runtime Variable Data

/run stores runtime variable data, typically created at boot time and cleared on shutdown. It holds information about running processes, system daemons, and other runtime state. It's a more modern replacement for some uses of /var/run.

The SOC Analyst's Advantage

A detailed understanding of the FHS allows a SOC analyst to navigate a Linux system with precision. Knowing where logs reside (/var/log), where configuration changes are stored (/etc), and where executables are located (/bin, /sbin, /usr/bin) drastically speeds up investigations. It transforms abstract system components into concrete locations for evidence. This knowledge is the bedrock upon which effective digital forensics and incident response are built, turning a complex operating system into a navigable landscape of potential clues.