Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter I - Foundation / 01. Operating Systems / Linux

Introduction

Linux Layers

Linux OS Ecosystem

Application
    ↓
glibc / Libraries
    ↓
System Call
    ↓
Linux Kernel
    ↓
Kernel Subsystems
    ↓
Drivers
    ↓
Hardware

This is the Linux equivalent of:

Application
    ↓
Win32 API
    ↓
ntdll.dll
    ↓
System Call
    ↓
Kernel

User Space Components

ComponentPurposeExamples
ApplicationsUser programsFirefox, Nginx, Vim
ProcessesRunning programsnginx
ThreadsUnits of executionWorker threads
Shared LibrariesReusable codelibc.so
ShellsUser interactionBash, Zsh
DaemonsBackground servicessshd, cron
Package ManagersSoftware managementapt, yum

User Space Library Layer

Most applications call:

glibc

before reaching the kernel.

Examples:

FunctionSyscall
open()open/openat
read()read
write()write
fork()clone
execve()execve
socket()socket

Linux Process Model

Everything runs as a process.

PID 1 (systemd)
        ↓
Service
        ↓
Child Processes

Examples:

systemd
 ├─ sshd
 ├─ nginx
 ├─ cron
 └─ docker

Process Creation

fork()
      ↓
Child Process
      ↓
execve()
      ↓
New Program Image

Example:

bash
  ↓
fork()
  ↓
child
  ↓
execve("ls")

Linux Kernel Components

ComponentResponsibility
SchedulerCPU allocation
Memory ManagerRAM management
VFSFilesystem abstraction
Networking StackNetwork processing
IPC SubsystemProcess communication
Security FrameworksAccess control
Driver FrameworkHardware interaction

Core Kernel Responsibilities

ComponentPurpose
SchedulerChooses next task
Interrupt HandlingHardware events
System Call HandlerUser→Kernel transition
Memory ManagerVirtual memory
VFSUnified filesystem access
Network StackTCP/IP processing

Linux Scheduler

Purpose:

CPU
 ↓
Scheduler
 ↓
Task Selection

Responsible for:

  • Fair CPU allocation
  • Process priorities
  • Context switching

Memory Management

ConceptDescription
Virtual MemoryProcess address space
PagingMemory ↔ Disk
mmap()File mapping
HeapDynamic allocation
StackFunction calls
Page CacheCached files

Linux Filesystem Architecture

Application
      ↓
VFS
      ↓
Filesystem Driver
      ↓
Block Layer
      ↓
Disk Driver
      ↓
Storage

Virtual Filesystem (VFS)

Purpose:

Application
      ↓
VFS
      ↓
ext4
xfs
btrfs
ntfs

Allows applications to use one interface regardless of filesystem.


Linux Security Model

User IDs

IDPurpose
UIDUser identity
GIDGroup identity
EUIDEffective privileges

Example:

uid=1000
gid=1000

Root

UID 0

Equivalent to:

NT AUTHORITY\SYSTEM

in Windows.

Root bypasses most permission checks.


Linux Permission Model

Owner
Group
Others

Example:

-rwxr-x---
PermissionMeaning
rRead
wWrite
xExecute

Capabilities

Modern Linux splits root privileges.

Examples:

CapabilityPurpose
CAP_NET_ADMINNetwork administration
CAP_SYS_ADMINSystem administration
CAP_SYS_PTRACEDebugging
CAP_DAC_OVERRIDEIgnore file permissions

Important for modern privesc.


Linux Namespaces

Used heavily by containers.

NamespaceIsolation
PIDProcesses
NETNetworking
MNTMounts
IPCIPC
USERUsers
UTSHostname

cgroups

Control resources.

Container
      ↓
cgroup
      ↓
CPU Limits
Memory Limits
I/O Limits

Foundation of Docker and Kubernetes.


Kernel Modules

Equivalent to Windows drivers.

Examples:

ModulePurpose
e1000Network
nvidiaGPU
ext4Filesystem
usb_storageUSB

Commands:

lsmod
modprobe
insmod
rmmod

Device Model

Everything is a file.

Examples:

DeviceFile
Disk/dev/sda
Terminal/dev/tty
Random/dev/random
Null/dev/null

Network Stack

Application
      ↓
Socket
      ↓
TCP/IP Stack
      ↓
NIC Driver
      ↓
NIC
      ↓
Network

IPC Mechanisms

MechanismPurpose
PipeParent-child communication
FIFONamed pipe
SocketNetwork/local communication
Shared MemoryFast communication
SignalProcess notifications

Service Architecture

Windows:

SCM
  ↓
Service

Linux:

systemd
   ↓
Service Unit

Examples:

systemctl status ssh
systemctl start nginx

Important Linux Directories

DirectoryPurpose
/binEssential binaries
/sbinAdministrative binaries
/etcConfiguration
/homeUser data
/varLogs and runtime
/tmpTemporary files
/procKernel process info
/sysDevice/kernel info
/devDevices

Important DFIR Artifacts

AreaExamples
Authenticationauth.log
Processesps history
Persistencesystemd units
Executionbash_history
Networkingjournalctl
Scheduled Taskscron
Servicessystemctl
Loginslast, wtmp

Important Offensive Targets

TargetWhy
sudoPrivilege escalation
SUID binariesPrivilege escalation
CapabilitiesPrivilege escalation
Cron JobsPersistence
systemd UnitsPersistence
SSH KeysCredential access
DockerContainer escape
Kernel ModulesKernel access
NFSLateral movement
/procReconnaissance

Containers Architecture

Application
      ↓
Container
      ↓
Namespaces
      ↓
cgroups
      ↓
Kernel
      ↓
Hardware

Unlike VMs:

Container
      ↓
Shares Host Kernel

Linux Mental Model for Operators

User Space
      ↓
glibc
      ↓
System Calls
      ↓
Kernel
      ↓
Subsystems
      ↓
Drivers
      ↓
Hardware

Everything in Linux eventually becomes one of four things:

  1. CPU execution
  2. Memory access
  3. File I/O
  4. Network I/O

Every Linux attack, forensic artifact, kernel exploit, container breakout, persistence mechanism, and defensive control ultimately manipulates one or more of these four resources.