Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter I - Foundation / 01. Operating Systems / Linux / 02. Important Locations

Important Locations

Linux systems contain thousands of files and directories.

Fortunately, most operationally relevant information is concentrated within a relatively small number of locations.

Whether performing administration, incident response, digital forensics, malware analysis, threat hunting, or penetration testing, these locations appear repeatedly.

Understanding their purpose significantly reduces the time required to investigate an unfamiliar system.


Filesystem Hierarchy Standard (FHS)

Most Linux distributions follow a common organizational structure known as the Filesystem Hierarchy Standard (FHS).

This standard defines where different categories of data should reside.

As a result, many important locations are consistent across:

  • Ubuntu
  • Debian
  • Kali
  • CentOS
  • Rocky Linux
  • Red Hat Enterprise Linux
  • Fedora

Although minor differences exist between distributions, the overall structure remains largely familiar.


High-Level Overview

DirectoryPurpose
/etcSystem configuration
/homeUser data
/tmpTemporary files
/varVariable system data
/var/logLogs
/optOptional software
/procProcess and kernel information

/etc

Purpose

Stores system-wide configuration files.

Examples:

  • Network configuration
  • Service configuration
  • User configuration
  • Authentication configuration
  • Scheduled task configuration

Examples:

/etc/passwd
/etc/group
/etc/hosts
/etc/crontab
/etc/ssh/sshd_config

Operator Perspective

Common questions:

  • How is the system configured?
  • What users exist?
  • What services are configured?
  • What scheduled tasks exist?
  • What authentication mechanisms are used?

Many investigations begin within /etc.


Common Files

FilePurpose
passwdUser information
shadowPassword hashes and password policy information
groupGroup information
hostsLocal DNS overrides
crontabScheduled tasks
sshd_configSSH configuration

/home

Purpose

Stores user home directories.

Example:

/home  
├── alice  
├── peter  
└── bob

Each user typically receives a dedicated directory.

Examples:

/home/alice
/home/peter

Common Contents

  • Documents
  • Downloads
  • SSH keys
  • Browser data
  • Shell history
  • User configuration

Examples:

/home/alice/.ssh
/home/alice/.bash_history
/home/alice/Documents

Operator Perspective

Questions:

  • Who uses the system?
  • What files belong to users?
  • What credentials exist?
  • What evidence exists?

User directories frequently contain:

  • Credentials
  • SSH keys
  • Malware
  • Persistence
  • Investigation artifacts
  • Personal files (like password vaults)

/tmp

Purpose

Stores temporary files.

Applications commonly place short-lived data here.

Examples:

/tmp/script.sh
/tmp/archive.zip
/tmp/update.bin

Characteristics

  • Intended for temporary data
  • Typically writable by all users
  • Frequently abused by attackers
  • Often used during software installation
  • Protected by the sticky bit to prevent users from deleting each other's files (e.g. drwxrwxrwt, the trailing t bit - will make sense later)

Operator Perspective

Questions:

  • What was recently executed?
  • Was malware staged here?
  • Did an attacker leave artifacts behind?

Many payloads and scripts appear within /tmp due to it being usually globally-accessible. There are retention configurations which dictate the frequency at which the directory is cleaned up - contents may be erased upon reboot, but also it may be configured to not erase at all.


/var

Purpose

Stores variable system data.

Variable data changes as the system operates.

Examples:

  • Logs
  • Databases
  • Cache files
  • Service data
  • Queues

Examples

/var/log
/var/cache
/var/lib
/var/tmp

Operator Perspective

Questions:

  • What activity occurred?
  • What services store data?
  • Where does the application keep state?

Many server-side investigations eventually lead into /var.


/var/log

Purpose

Stores operating system and application logs.

This is one of the most important locations on a Linux system.

Examples:

/var/log/syslog
/var/log/auth.log
/var/log/apache2/
/var/log/nginx/

Common Evidence Sources

LogTypical Information
auth.logAuthentication activity
syslogGeneral system activity
journaldSystem and service logs (may be in /run/log/journal depending on configuration)
apache2Web server activity
nginxWeb server activity

Operator Perspective

Questions:

  • Who logged in?
  • What failed?
  • What service crashed?
  • When did activity occur?

Many investigations begin here.


/opt

Purpose

Stores optional third-party software.

Unlike operating system components installed through package managers, manually installed applications are often placed within /opt.

Examples:

/opt/splunk
/opt/customapp
/opt/securitytool

Operator Perspective

Questions:

  • What third-party software exists?
  • What security tools are installed?
  • What custom applications are present?

Many enterprise applications reside within /opt.


/proc

Purpose

Provides a virtual interface to process and kernel information.

Most entries within /proc do not exist as traditional files on disk.

Instead, the kernel generates their contents dynamically when accessed.

The kernel exposes these virtual entries dynamically when they are accessed.


Examples

/proc/cpuinfo
/proc/meminfo
/proc/version

Process-specific directories:

/proc/1234

Where:

1234 = Process ID (PID)

Operator Perspective

Questions:

  • What processes are running?
  • What command line launched them?
  • What memory information exists?
  • What network connections exist?

Many forensic and investigative tools ultimately obtain information from /proc. Heaps of metadata, environment variables, configurations and other system and process related information can be recovered here.


Operator Workflow

When approaching an unfamiliar Linux system, Operators commonly examine locations in roughly this order:

PriorityLocationReason
1/homeUser activity
2/var/logEvidence
3/etcConfiguration
4/tmpTemporary artifacts
5/optThird-party software
6/procRuntime state

This is not a strict methodology.

The order varies depending on the objective, operating environment, and investigative scope - for now, we are just building a mental map of the big picture.


Key Takeaways

  • Linux systems organize important information into predictable locations.
  • /etc stores configuration.
  • /home stores user data.
  • /tmp stores temporary data.
  • /var stores variable system data.
  • /var/log stores logs.
  • /opt stores optional software.
  • /proc exposes process and kernel information.
  • These directories frequently contain evidence, configuration, credentials, persistence mechanisms, and operational artifacts.

Understanding these locations dramatically improves navigation, investigation, administration, and offensive operations on Linux systems.