Linux systems contain thousands of files and directories.
Fortunately, most operationally relevant information is concentrated within a relatively small number of locations.
Whether performing administration, incident response, digital forensics, malware analysis, threat hunting, or penetration testing, these locations appear repeatedly.
Understanding their purpose significantly reduces the time required to investigate an unfamiliar system.
Filesystem Hierarchy Standard (FHS)
Most Linux distributions follow a common organizational structure known as the Filesystem Hierarchy Standard (FHS).
This standard defines where different categories of data should reside.
As a result, many important locations are consistent across:
- Ubuntu
- Debian
- Kali
- CentOS
- Rocky Linux
- Red Hat Enterprise Linux
- Fedora
Although minor differences exist between distributions, the overall structure remains largely familiar.
High-Level Overview
| Directory | Purpose |
|---|---|
| /etc | System configuration |
| /home | User data |
| /tmp | Temporary files |
| /var | Variable system data |
| /var/log | Logs |
| /opt | Optional software |
| /proc | Process and kernel information |
/etc
Purpose
Stores system-wide configuration files.
Examples:
- Network configuration
- Service configuration
- User configuration
- Authentication configuration
- Scheduled task configuration
Examples:
/etc/passwd
/etc/group
/etc/hosts
/etc/crontab
/etc/ssh/sshd_config
Operator Perspective
Common questions:
- How is the system configured?
- What users exist?
- What services are configured?
- What scheduled tasks exist?
- What authentication mechanisms are used?
Many investigations begin within /etc.
Common Files
| File | Purpose |
|---|---|
| passwd | User information |
| shadow | Password hashes and password policy information |
| group | Group information |
| hosts | Local DNS overrides |
| crontab | Scheduled tasks |
| sshd_config | SSH configuration |
/home
Purpose
Stores user home directories.
Example:
/home
├── alice
├── peter
└── bob
Each user typically receives a dedicated directory.
Examples:
/home/alice
/home/peter
Common Contents
- Documents
- Downloads
- SSH keys
- Browser data
- Shell history
- User configuration
Examples:
/home/alice/.ssh
/home/alice/.bash_history
/home/alice/Documents
Operator Perspective
Questions:
- Who uses the system?
- What files belong to users?
- What credentials exist?
- What evidence exists?
User directories frequently contain:
- Credentials
- SSH keys
- Malware
- Persistence
- Investigation artifacts
- Personal files (like password vaults)
/tmp
Purpose
Stores temporary files.
Applications commonly place short-lived data here.
Examples:
/tmp/script.sh
/tmp/archive.zip
/tmp/update.bin
Characteristics
- Intended for temporary data
- Typically writable by all users
- Frequently abused by attackers
- Often used during software installation
- Protected by the sticky bit to prevent users from deleting each other's files (e.g.
drwxrwxrwt, the trailingtbit - will make sense later)
Operator Perspective
Questions:
- What was recently executed?
- Was malware staged here?
- Did an attacker leave artifacts behind?
Many payloads and scripts appear within /tmp due to it being usually globally-accessible. There are retention configurations which dictate the frequency at which the directory is cleaned up - contents may be erased upon reboot, but also it may be configured to not erase at all.
/var
Purpose
Stores variable system data.
Variable data changes as the system operates.
Examples:
- Logs
- Databases
- Cache files
- Service data
- Queues
Examples
/var/log
/var/cache
/var/lib
/var/tmp
Operator Perspective
Questions:
- What activity occurred?
- What services store data?
- Where does the application keep state?
Many server-side investigations eventually lead into /var.
/var/log
Purpose
Stores operating system and application logs.
This is one of the most important locations on a Linux system.
Examples:
/var/log/syslog
/var/log/auth.log
/var/log/apache2/
/var/log/nginx/
Common Evidence Sources
| Log | Typical Information |
|---|---|
| auth.log | Authentication activity |
| syslog | General system activity |
| journald | System and service logs (may be in /run/log/journal depending on configuration) |
| apache2 | Web server activity |
| nginx | Web server activity |
Operator Perspective
Questions:
- Who logged in?
- What failed?
- What service crashed?
- When did activity occur?
Many investigations begin here.
/opt
Purpose
Stores optional third-party software.
Unlike operating system components installed through package managers, manually installed applications are often placed within /opt.
Examples:
/opt/splunk
/opt/customapp
/opt/securitytool
Operator Perspective
Questions:
- What third-party software exists?
- What security tools are installed?
- What custom applications are present?
Many enterprise applications reside within /opt.
/proc
Purpose
Provides a virtual interface to process and kernel information.
Most entries within /proc do not exist as traditional files on disk.
Instead, the kernel generates their contents dynamically when accessed.
The kernel exposes these virtual entries dynamically when they are accessed.
Examples
/proc/cpuinfo
/proc/meminfo
/proc/version
Process-specific directories:
/proc/1234
Where:
1234 = Process ID (PID)
Operator Perspective
Questions:
- What processes are running?
- What command line launched them?
- What memory information exists?
- What network connections exist?
Many forensic and investigative tools ultimately obtain information from /proc. Heaps of metadata, environment variables, configurations and other system and process related information can be recovered here.
Operator Workflow
When approaching an unfamiliar Linux system, Operators commonly examine locations in roughly this order:
| Priority | Location | Reason |
|---|---|---|
| 1 | /home | User activity |
| 2 | /var/log | Evidence |
| 3 | /etc | Configuration |
| 4 | /tmp | Temporary artifacts |
| 5 | /opt | Third-party software |
| 6 | /proc | Runtime state |
This is not a strict methodology.
The order varies depending on the objective, operating environment, and investigative scope - for now, we are just building a mental map of the big picture.
Key Takeaways
- Linux systems organize important information into predictable locations.
/etcstores configuration./homestores user data./tmpstores temporary data./varstores variable system data./var/logstores logs./optstores optional software./procexposes process and kernel information.- These directories frequently contain evidence, configuration, credentials, persistence mechanisms, and operational artifacts.
Understanding these locations dramatically improves navigation, investigation, administration, and offensive operations on Linux systems.