Course 4 - Tools of The Trade - Linux and SQL

This document provides an overview of operating systems, focusing on their importance in computing and security. It compares various operating systems, including Windows, macOS, Linux, ChromeOS, Android, and iOS, and discusses the vulnerabilities associated with legacy systems. Additionally, it explains the processes involved in using an operating system, resource allocation, and the concept of virtualization technology.

COURSE 4: TOOLS OF THE TRADE: LINUX AND SQL

Introduction to operating systems

Devices like computers, smartphones, and tablets all have operating systems. If you've used a desktop or laptop computer, you may have used the Windows or macOS operating systems. Smartphones and tablets run on mobile operating systems like Android and iOS. Another popular operating system is Linux. Linux is used in the security industry, and as a security professional, it's likely that you'll interact with the Linux OS.

So, what exactly is an operating system? It's the interface between the computer hardware and the user. The operating system, or the OS as it's commonly called, is responsible for making the computer run as efficiently as possible while also making it easy to use.

Hardware may be another new term. Hardware refers to the physical components of a computer.

The OS interface that we now rely on every day is something that early computers didn't have. In the 1950s, the biggest challenge with early computers was the amount of time it took to run a computer program.

At the time, computers could not run multiple programs simultaneously. Instead, people had to wait for a program to finish running, reset the computer, and load up the new program. Imagine having to turn your computer on and off each time you had to open a new application! It would take a long time to complete a simple task like sending an email. Since then, operating systems have evolved, and we no longer have to worry about wasting time in this way. Thanks to operating systems and their evolution, today's computers run efficiently. They run multiple applications at once, and they also access external devices like printers, keyboards, and mice.
Another reason why operating systems are important is that they help humans and computers communicate with each other. Computers communicate in a language called binary, which consists of 0s and 1s. The OS provides an interface to bridge this communication gap between the user and the computer, allowing you to interact with the computer in complex ways.

Operating systems are critical for the use of computers. Likewise, OS security is also critical for the security of a computer. This involves securing files, data access, and user authentication to help protect and prevent against threats such as viruses, worms, and malware. Knowing how operating systems work is essential for completing different security-related tasks. For example, as a security analyst, you may be responsible for configuring and maintaining the security of a system by managing access. You may also be responsible for managing and configuring firewalls, setting security policies, enabling virus protection, and performing auditing, accounting, and logging to detect unusual behavior.

Compare Operating Systems

You previously explored why operating systems are an important part of how a computer works. In this reading, you’ll compare some popular operating systems used today. You’ll also focus on the risks of using legacy operating systems.

Common Operating Systems

The following operating systems are useful to know in the security industry: Windows, macOS®, Linux, ChromeOS, Android, and iOS.

Windows and macOS

Windows and macOS are both common operating systems. The Windows operating system was introduced in 1985, and macOS was introduced in 1984. Both operating systems are used in personal and enterprise computers.

Windows is a closed-source operating system, which means the source code is not shared freely with the public. macOS is partially open source. It has some open-source components, such as macOS’s kernel. macOS also has some closed-source components.

Linux

The first version of Linux was released in 1991, and other major releases followed in the early 1990s. Linux is a completely open-source operating system, which means that anyone can access Linux and its source code. The open-source nature of Linux allows developers in the Linux community to collaborate.

Linux is particularly important to the security industry. There are some distributions that are specifically designed for security. Later in this course, you’ll learn about Linux and its importance to the security industry.

ChromeOS

ChromeOS launched in 2011. It’s partially open source and is derived from Chromium OS, which is completely open source. ChromeOS is frequently used in the education field.

Android and iOS

Android and iOS are both mobile operating systems. Unlike the other operating systems mentioned, mobile operating systems are typically used in mobile devices, such as phones, tablets, and watches. Android was introduced for public use in 2008, and iOS was introduced in 2007. Android is open source, and iOS is partially open source.

Operating systems and vulnerabilities

Security issues are inevitable with all operating systems. An important part of protecting an operating system is keeping the system and all its components up to date.

Legacy operating systems

A legacy operating system is an operating system that is outdated but still being used. Some organizations continue to use legacy operating systems because software they rely on is not compatible with newer operating systems. This can be more common in industries that use a lot of equipment that requires embedded software—software that’s placed inside components of the equipment.

Legacy operating systems can be vulnerable to security issues because they’re no longer supported or updated. This means that legacy operating systems might be vulnerable to new threats.

Other vulnerabilities

Even when operating systems are kept up to date, they can still become vulnerable to attack. Below are several resources that include information on operating systems and their vulnerabilities.

• Microsoft Security Response Center (MSRC): A list of known vulnerabilities affecting Microsoft products and services.
• Apple Security Updates: A list of security updates and information for Apple® operating systems, including macOS and iOS, and other products.
• Common Vulnerabilities and Exposures (CVE) Report for Ubuntu: A list of known vulnerabilities affecting Ubuntu, which is a specific distribution of Linux.
• Google Cloud Security Bulletin: A list of known vulnerabilities affecting Google Cloud products and services.

Keeping an operating system up to date is one key way to help the system stay secure. Because it can be difficult to keep all systems always updated, it’s important for security analysts to be knowledgeable about legacy operating systems and the risks they can create.

The Operating System at Work

Inside the operating system

In this section, you'll learn what happens with an operating system, or OS, when someone uses a computer for a task.

Think about when someone drives a car. They push the gas pedal, and the car moves forward. They don't need to pay attention to all the mechanics that allow the car to move. Just like a car can't work without its engine, a computer can't work without its operating system.

The job of an OS is to help other computer programs run efficiently. The OS does this by taking care of all the messy details related to controlling the computer's hardware, so you don't have to.

First, let's see what happens when you turn on the computer. When you press the power button, you're interacting with the hardware. This boots the computer and brings up the operating system. Booting the computer means that a special microchip called a BIOS is activated. On many computers built after 2007, the chip was replaced by the UEFI. Both BIOS and UEFI contain booting instructions that are responsible for loading a special program called the bootloader. Then, the bootloader is responsible for starting the operating system. Just like that, your computer is on.

As a security analyst, understanding these processes can be helpful for you. Vulnerabilities can occur in something like a booting process. Often, the BIOS is not scanned by the antivirus software, so it can be vulnerable to malware infection.

Let's look at how you and all users communicate with the system to complete a task.

The process starts with you, the user. And to complete tasks, you use applications on your computer. An application is a program that performs a specific task. When you do this, the application sends your request to the operating system. From there, the operating system interprets this request and directs it to the appropriate component of the computer's hardware. Previously, we learned that the hardware consists of all the physical components of the computer. The hardware will also send information back to the operating system. And this in turn is sent back to the application.

Let's give a simple overview of how this works when you want to use the calculator on your computer. You use your mouse to click on the calculator application on your computer. When you type in the number you want to calculate, the application communicates with the operating system. Your operating system then sends a calculation to a component of the hardware, the central processing unit, or CPU. Once the hardware does the work of determining the final number, it sends the answer back to your operating system. Then, it can be displayed in your calculator application.

Understanding this process is helpful when investigating security events. Security analysts should be able to trace back through this process flow to analyze where a security event could have occurred. Just like a mechanic needs to understand the inner workings of a car more than an average driver, recognizing how operating systems work is important knowledge for a security analyst.

Requests to the Operating System

Operating systems are a critical component of a computer. They make connections between applications and hardware to allow users to perform tasks. In this section, you’ll explore this complex process further and consider it using a new analogy and a new example.

Booting the computer

When you boot, or turn on, your computer, either a BIOS or UEFI microchip is activated. The Basic Input/Output System (BIOS) is a microchip that contains loading instructions for the computer and is prevalent in older systems. The Unified Extensible Firmware Interface (UEFI) is a microchip that contains loading instructions for the computer and replaces BIOS on more modern systems.

The BIOS and UEFI chips both perform the same function for booting the computer. BIOS was the standard chip until 2007, when UEFI chips increased in use. Now, most new computers include a UEFI chip. UEFI provides enhanced security features.

The BIOS or UEFI microchips contain a variety of loading instructions for the computer to follow. For example, one of the loading instructions is to verify the health of the computer’s hardware.

The last instruction from the BIOS or UEFI activates the bootloader. The bootloader is a software program that boots the operating system. Once the operating system has finished booting, your computer is ready for use.

Completing a task

As previously discussed, operating systems help us use computers more efficiently. Once a computer has gone through the booting process, completing a task on a computer is a four-part process.

User

The first part of the process is the user. The user initiates the process by having something they want to accomplish on the computer. Right now, you’re a user! You’ve initiated the process of accessing this reading.

Application

The application is the software program that users interact with to complete a task. For example, if you want to calculate something, you will use the calculator application. If you want to write a report, you will use a word processing application. This is the second part of the process.

Operating system

The operating system receives the user’s request from the application. It’s the operating system’s job to interpret the request and direct its flow. To complete the task, the operating system sends it on to applicable components of the hardware.

Hardware

The hardware is where all the processing is done to complete the tasks initiated by the user. For example, when a user wants to calculate a number, the CPU figures out the answer. As another example, when a user wants to save a file, another component of the hardware, the hard drive, handles this task.

After the work is done by the hardware, it sends the output back through the operating system to the application so that it can display the results to the user.

The OS at work behind the scenes

Consider once again how a computer is like a car. There are processes that someone won’t directly observe when operating a car, but they do feel it move forward when they press the gas pedal. It’s the same with a computer. Important work happens inside a computer that you don’t experience directly. This work involves the operating system.

You can explore this through another analogy. The process of using an operating system is also like ordering at a restaurant. At a restaurant you place an order and get your food, but you don’t see what’s happening in the kitchen when the cooks prepare the food.

Ordering food is like using an application on a computer. When you order your food, you make a specific request like “a small soup, very hot.” When you use an application, you also make specific requests like “print three double-sided copies of this document.”

You can compare the food you receive to what happens when the hardware sends output. You receive the food that you ordered. You receive the document that you wanted to print.

Finally, the kitchen is like the OS. You don’t know what happens in the kitchen, but it’s critical in interpreting the request and ensuring you receive what you ordered. Similarly, though the work of the OS is not directly transparent to you, it’s critical in completing your tasks.

An example: Downloading a file from an internet browser.

Previously, you explored how operating systems, applications, and hardware work together by examining a task involving a calculation. You can expand this understanding by exploring how the OS completes another task, downloading a file from an internet browser:

• First, the user decides they want to download a file that they found online, so they click on a download button near the file in the internet browser application.
• Then, the internet browser communicates this action to the OS.
• The OS sends the request to download the file to the appropriate hardware for processing.
• The hardware begins downloading the file, and the OS sends this information to the internet browser application. The internet browser then informs the user when the file has been downloaded.
Resource Allocation via the OS

Not only does the OS interact with other parts of your computer, but it's also responsible for managing the resources of the system. This is a big task that requires a lot of balance to make sure all the resources of the computer are used efficiently. Think of this like the concept of energy. A person needs energy to complete different tasks. Some tasks need more energy, while others require less. For example, going for a run requires more energy than watching TV.

A computer's OS also needs to make sure that it has enough energy to function correctly for certain tasks. Running an antivirus scan on your computer will use more energy than using the calculator application.

Imagine your computer is an orchestra. Many different instruments like violins, drums, and trumpets are all part of the orchestra. An orchestra also has a conductor to direct the flow of the music.

In a computer, the OS is the conductor. The OS handles resource and memory management to ensure the limited capacity of the computer system is used where it's needed most. A variety of programs, tasks, and processes are constantly competing for the resources of the central processing unit, or CPU. They all have their own reasons why they need memory, storage, and input/output bandwidth. The OS is responsible for ensuring that each program is allocating and de-allocating resources. All this occurs in your computer at the same time so that your system functions efficiently.

Much of this is hidden from you as a user. But your task manager will list all the tasks that are being processed, along with their memory and CPU usage.

As an analyst, it's helpful to know where a system's resources are used. Understanding usage of resources can help you respond to an incident and troubleshoot applications in the system. For example, if a computer is running slowly, an analyst might discover it's allocating resources to malware. A basic understanding of how operating systems work will help you better understand the security skills you will learn later in this program.
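The task-manager view described above, as an added example that is not part of the course notes: a small POSIX shell helper that reads process lines in the column layout of `ps -eo pid,user,%cpu,%mem,comm` and flags the processes consuming the most CPU or memory, which is the first check an analyst runs when a slow machine is suspected of spending its resources on malware. The sample process lines are constructed, and the column order is an assumption about the input.

```shell
#!/bin/sh
# Added example, not part of the course notes. A triage helper for the
# "computer is running slowly" case: it reads process lines in the column
# layout of `ps -eo pid,user,%cpu,%mem,comm --no-headers` from stdin and
# reports where the OS is spending CPU and memory. The column order is an
# assumption about the input; the sample lines below are constructed.

# Constructed sample: five process lines, one of which is an unexplained
# binary consuming almost all of the CPU.
SAMPLE_PS='  412 root      0.3  1.2 systemd-journal
 1187 alice     2.1  3.4 firefox
 2203 alice    97.8  0.9 mystery_bin
 2310 mysql     0.0 12.5 mysqld
 2455 alice     0.1  0.2 bash'

# flag_hogs CPU_LIMIT MEM_LIMIT   (process lines on stdin)
# Prints "pid user %cpu %mem command" for each process over either limit.
flag_hogs() {
    awk -v cpu="$1" -v mem="$2" \
        '($3 + 0) > (cpu + 0) || ($4 + 0) > (mem + 0) { print $1, $2, $3, $4, $5 }'
}

# mem_by_user   (process lines on stdin)
# Sums %mem per user so one account's total footprint is visible at a glance.
mem_by_user() {
    awk '{ total[$2] += $4 }
         END { for (u in total) printf "%s %.1f\n", u, total[u] }' | sort
}

# live_triage CPU_LIMIT MEM_LIMIT
# The same check against the running system (needs a procps-style ps).
live_triage() {
    ps -eo pid,user,%cpu,%mem,comm --no-headers | flag_hogs "$1" "$2"
}

# Usage against the constructed sample: a 50% CPU or 10% memory ceiling
# flags the unknown binary and the database server.
printf '%s\n' "$SAMPLE_PS" | flag_hogs 50 10
printf '%s\n' "$SAMPLE_PS" | mem_by_user
```

Run `live_triage 50 10` on a Linux host to apply the same thresholds to the real process table.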

Virtualization Technology

You've explored a lot about operating systems. One more aspect to consider is that operating systems can run on virtual machines. In this reading, you’ll learn about virtual machines and the general concept of virtualization. You’ll explore how virtual machines work and the benefits of using them.

What is a Virtual Machine?

A virtual machine (VM) is a virtual version of a physical computer. Virtual machines are one example of virtualization. Virtualization is the process of using software to create virtual representations of various physical machines. The term “virtual” refers to machines that don’t exist physically but operate like they do because their software simulates physical hardware.

Virtual systems don’t use dedicated physical hardware. Instead, they use software-defined versions of the physical hardware. This means that a single virtual machine has a virtual CPU, virtual storage, and other virtual hardware. Virtual systems are just code.

You can run multiple virtual machines using the physical hardware of a single computer. This involves dividing the resources of the host computer to be shared across all physical and virtual components. For example, Random Access Memory (RAM) is a hardware component used for short-term memory. If a computer has 16GB of RAM, it can host three virtual machines so that the physical computer and virtual machines each have 4GB of RAM. Also, each of these virtual machines would have their own operating system and function similarly to a typical computer.

Benefits of virtual machines

Security professionals commonly use virtualization and virtual machines. Virtualization can increase security for many tasks and can also increase efficiency.

Security

One benefit is that virtualization can provide an isolated environment, or a sandbox, on the physical host machine. When a computer has multiple virtual machines, these virtual machines are “guests” of the computer. Specifically, they are isolated from the host computer and other guest virtual machines. This provides a layer of security, because virtual machines can be kept separate from the other systems. For example, if an individual virtual machine becomes infected with malware, it can be dealt with more securely because it’s isolated from the other machines. A security professional could also intentionally place malware on a virtual machine to examine it in a more secure environment.

Note: Although using virtual machines is useful when investigating potentially infected machines or running malware in a constrained environment, there are still some risks. For example, a malicious program can escape virtualization and access the host machine. This is why you should never completely trust virtualized systems.

Efficiency

Using virtual machines can also be an efficient and convenient way to perform security tasks. You can open multiple virtual machines at once and switch easily between them. This allows you to streamline security tasks, such as testing and exploring various applications.

You can compare the efficiency of a virtual machine to a city bus. A single city bus has a lot of room and is an efficient way to transport many people simultaneously. If city buses didn’t exist, then everyone on the bus would have to drive their own cars. This uses more gas, cars, and other resources than riding the city bus.

Like how many people can ride one bus, many virtual machines can be hosted on the same physical machine. That way, separate physical machines aren't needed to perform certain tasks.

Managing virtual machines

Virtual machines can be managed with software called a hypervisor. Hypervisors help users manage multiple virtual machines and connect the virtual and physical hardware. Hypervisors also help with allocating the shared resources of the physical host machine to one or more virtual machines.

One hypervisor that is useful for you to be familiar with is the Kernel-based Virtual Machine (KVM). KVM is an open-source hypervisor that is supported by most major Linux distributions. It is built into the Linux kernel, which means it can be used to create virtual machines on any machine running a Linux operating system without the need for additional software.

Other Forms of Virtualization

In addition to virtual machines, there are other forms of virtualization. Some of these virtualization technologies do not use operating systems. For example, multiple virtual servers can be created from a single physical server. Virtual networks can also be created to use the hardware of a physical network more efficiently.

GUI vs CLI

So far, you've learned that a computer has an operating system, hardware, and applications. Remember, the operating system communicates with the hardware to execute tasks. The user communicates with the operating system via an interface. A user interface is a program that allows a user to control the functions of the operating system. Two user interfaces that we'll discuss are the graphical user interface, or GUI, and the command-line interface, or CLI.

A GUI is a user interface that uses icons on the screen to manage different tasks on the computer. Most operating systems can be used with a graphical user interface. If you've used a personal computer or a cell phone, you have experienced operating a GUI.

Most GUIs include these components: a start menu with program groups, a task bar for launching programs, and a desktop with icons and shortcuts. All these components help you communicate with the OS to execute tasks. In addition to clicking on icons, when you use a GUI, you can also search for files or applications from the start menu. You just have to remember the icon or name of the program to activate an application.

Now let's discuss the command-line interface. In comparison, the command-line interface, or CLI, is a text-based user interface that uses commands to interact with the computer. These commands communicate with the operating system and execute tasks like opening programs. The command-line interface is a much different structure than the graphical user interface. When you use the CLI, you'll immediately notice a difference. There are no icons or graphics on the screen. The command-line interface looks like lines of code using certain text languages.

A CLI is more flexible and more powerful than a GUI. Think about using a CLI like creating whatever meal you'd like from ingredients bought at a grocery store. This gives you a lot of control and customization about what you're going to eat.

In comparison, using a GUI is more like ordering food from a restaurant. You can only order what's on the menu. If you want both a noodle dish and pizza, but the first restaurant you go to only has pizza, you'll have to go to another restaurant to order the noodles. With a graphical user interface, you must do one task at a time. But the command-line interface allows for customization, which lets you complete multiple tasks simultaneously. For example, imagine you have a folder with hundreds of files of different file types, and you need to move only the JPEG files to a new folder. Think about how slow and tedious this would be as you use a GUI to find each JPEG file in this folder and move it into the new one. On the other hand, the CLI would allow you to streamline this process and move them all at once.

As you can see, there are very big differences in these two types of user interfaces. As a security analyst, some of your work may involve the command-line interface. When analyzing logs or authenticating and authorizing users, security analysts commonly use a CLI in their everyday work.

The command line in use

Previously, you explored graphical user interfaces (GUI) and command-line user interfaces (CLI). In this reading, you’ll compare these two interfaces and learn more about how they’re used in cybersecurity.

CLI vs. GUI

A graphical user interface (GUI) is a user interface that uses icons on the screen to manage different tasks on the computer. A command-line interface (CLI) is a text-based user interface that uses commands to interact with the computer.

Display

One notable difference between these two interfaces is how they appear on the screen. A GUI has graphics and icons, such as the icons on your desktop or taskbar for launching programs. In contrast, a CLI only has text. It looks like lines of code.

Function

These two interfaces also differ in how they function. A GUI is an interface that only allows you to make one request at a time. However, a CLI allows you to make multiple requests at a time.

Advantages of a CLI in Cybersecurity

The choice between using a GUI or CLI is partly based on personal preference, but security analysts should be able to use both interfaces. Using a CLI can provide certain advantages.

Efficiency

Some prefer the CLI because it can be used more quickly when you know how to manage this interface. For a new user, a GUI might be more efficient because it’s easier for beginners to navigate.

Because a CLI can accept multiple requests at one time, it’s more powerful when you need to perform multiple tasks efficiently. For example, if you had to create multiple new files in your system, you could quickly perform this task in a CLI. If you were using a GUI, this could take much longer, because you must repeat the same steps for each new file.
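The two batch tasks this reading and the GUI vs CLI section describe, creating many files at once and moving only the JPEG files out of a mixed folder, as an added shell example that is not from the course: each task is one function call rather than one GUI action per file. Directory and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the course. Batch file operations that take one
# command each in the CLI. Names and paths are constructed for the demo.

# make_files DIR PREFIX COUNT
# Creates DIR/PREFIX-1.txt .. DIR/PREFIX-COUNT.txt with a single touch call.
make_files() {
    mf_dir=$1
    mf_prefix=$2
    mf_count=$3
    mkdir -p "$mf_dir"
    set --                       # build the file list in the positional params
    mf_i=1
    while [ "$mf_i" -le "$mf_count" ]; do
        set -- "$@" "$mf_dir/$mf_prefix-$mf_i.txt"
        mf_i=$((mf_i + 1))
    done
    if [ "$#" -gt 0 ]; then
        touch "$@"
    fi
}

# move_jpegs SRC DEST
# Moves every .jpg/.jpeg file in SRC (any letter case) into DEST and prints
# how many were moved; every other file type stays where it is.
move_jpegs() {
    mj_src=$1
    mj_dest=$2
    mkdir -p "$mj_dest"
    mj_moved=0
    for mj_f in "$mj_src"/*; do
        [ -f "$mj_f" ] || continue          # skips directories and an empty glob
        case "$mj_f" in
            *.[jJ][pP][gG]|*.[jJ][pP][eE][gG])
                mv -- "$mj_f" "$mj_dest"/
                mj_moved=$((mj_moved + 1))
                ;;
        esac
    done
    echo "$mj_moved"
}

# count_files DIR
# Number of regular files directly inside DIR.
count_files() {
    find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# Demo on a throwaway directory: five report files plus a mix of images
# and a PDF, then only the three JPEGs are moved.
demo=$(mktemp -d)
make_files "$demo/inbox" report 5
touch "$demo/inbox/photo1.jpg" "$demo/inbox/PHOTO2.JPG" \
      "$demo/inbox/scan.jpeg" "$demo/inbox/notes.pdf"
echo "moved $(move_jpegs "$demo/inbox" "$demo/pictures") JPEG files"
echo "left in inbox: $(count_files "$demo/inbox")"
rm -rf "$demo"
```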

History file

For security analysts, using the Linux CLI is helpful because it records a history file of all the commands and actions in the CLI. If you were using a GUI, your actions are not necessarily saved in a history file.

For example, you might be in a situation where you’re responding to an incident using a playbook. The playbook’s instructions require you to run a series of different commands. If you used a CLI, you’d be able to go back to the history and ensure all the commands were correctly used. This could be helpful if there were issues using the playbook and you had to review the steps you performed in the command line.

Additionally, if you suspect an attacker has compromised your system, you might be able to trace their actions using the history file.
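Reviewing a bash history file, as an added example that is not part of the course notes: when `HISTTIMEFORMAT` is set, bash writes a `#<epoch>` line before each command it saves to the history file, and these helpers pair each command with its timestamp, select a time window, and search for a pattern. The history lines below are constructed; entries written before timestamps were enabled have no `#` line and are reported with `-` in place of the epoch.

```shell
#!/bin/sh
# Added example, not part of the course notes. Helpers for reviewing a bash
# history file. When HISTTIMEFORMAT is set (for example
#   export HISTTIMEFORMAT='%F %T '
# in ~/.bashrc), bash writes a "#<epoch seconds>" line in front of each
# command it saves, which is what turns the history file into a timeline.
# Every function below reads the history file on stdin.

# Constructed sample: the first command was recorded before timestamps were
# switched on; the rest carry epoch lines.
SAMPLE_HISTORY='cd /var/log
#1700000000
sudo systemctl status sshd
#1700000060
grep "Failed password" auth.log
#1700000900
sudo usermod -L tempuser
#1700004000
tail -n 50 auth.log'

# history_entries
# Emits "epoch<TAB>command" per entry; epoch is "-" when no timestamp line
# preceded the command.
history_entries() {
    awk '
        /^#[0-9]+$/ { ts = substr($0, 2); next }
        { printf "%s\t%s\n", (ts == "" ? "-" : ts), $0; ts = "" }
    '
}

# history_between START END
# Timestamped commands with START <= epoch <= END (epoch seconds); entries
# without a timestamp cannot be placed in time and are left out.
history_between() {
    history_entries |
        awk -F '\t' -v s="$1" -v e="$2" \
            '$1 != "-" && $1 + 0 >= s + 0 && $1 + 0 <= e + 0'
}

# history_matching PATTERN
# Entries whose command text matches an awk extended regular expression.
history_matching() {
    history_entries | awk -F '\t' -v pat="$1" '$2 ~ pat'
}

# Usage against the sample: the commands run in the first 15 minutes of the
# response, then every command that touched a user account.
printf '%s\n' "$SAMPLE_HISTORY" | history_between 1700000000 1700000900
printf '%s\n' "$SAMPLE_HISTORY" | history_matching 'usermod'
```

On a real host, feed the functions the file named by `HISTFILE` (by default `~/.bash_history`), remembering that bash only writes it on exit unless `history -a` is run.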

Introduction to Linux

You might have seen or heard the name Linux in the past. But did you know Linux is the most-used operating system in security today? Linux is an open-source operating system. It was created in two parts. In the early 1990s, two different people were working separately on projects to improve computer engineering. The first person was Linus Torvalds. At the time, the UNIX operating system was already in use. He wanted to improve it and make it open source and accessible to anyone. What was revolutionary was his introduction of the Linux kernel. We're going to learn what the kernel does later.

Around the same time, Richard Stallman started working on GNU. GNU was also an operating system based on UNIX. Stallman shared Torvalds' goal of creating software that was free and open to anyone. After working on GNU for a few years, the missing element for the software was a kernel. Together, Torvalds' and Stallman’s innovations made what is commonly referred to as Linux.

Now that you've learned the history behind Linux, let's look at what makes Linux unique. As mentioned before, Linux is open source, meaning anyone can have access to the operating system and the source code. Linux and many of the programs that come with Linux are licensed under the terms of the GNU Public License, which allows you to use, share, and modify them freely. Thanks to Linux's open-source philosophy as well as a strong feature set, an entire community of developers has adopted this operating system. These developers can collaborate on projects and advance computing together. As a security analyst, you'll discover that Linux is used at different organizations. More specifically, Linux is used in many security programs. Another unique feature about Linux is the different distributions, or varieties, that have been developed. Because of the large community contribution, there are over 600 distributions of Linux.

As a security analyst, you'll use many tools and programs in everyday work. You might examine different types of logs to identify what's going on in the system. For example, you might find yourself looking at an error log when investigating an issue. Another place where you will use Linux is to verify access and authorization in an identity and access management system. In security, managing access is key to ensure a secure system.

Finally, as an analyst, you might find yourself working with specific distributions designed for a particular task. For example, you might use a distribution that has a digital forensic tool to investigate what happened in an event alert. You might also use a distribution that's for pen testing in offensive security to look for vulnerabilities in the system. Distributions are created to fit the needs of their users.

Linux Architecture

Understanding the Linux architecture is important for a security analyst. When you understand

how a system is organized, it makes it easier to understand how it functions. In this reading,

you’ll learn more about the individual components in the Linux architecture. A request to

complete a task starts with the user and then flows through applications, the shell, the

Filesystem Hierarchy Standard, the kernel, and the hardware.

User

The user is the person interacting with a computer. They initiate and manage computer tasks.

Linux is a multi-user system, which means that multiple users can use the same resources at

the same time.

Applications

An application is a program that performs a specific task. There are many different

applications on your computer. Some applications typically come pre-installed on your

computer, such as calculators or calendars. Other applications might have to be installed, such

as some web browsers or email clients. In Linux, you'll often use a package manager to install

applications. A package manager is a tool that helps users install, manage, and remove

packages or applications. A package is a piece of software that can be combined with other

packages to form an application.

Shell

The shell is the command-line interpreter. Everything entered into the shell is text based. The shell

allows users to give commands to the kernel and receive responses from it. You can think of

the shell as a translator between you and your computer. The shell translates the commands

you enter so that the computer can perform the tasks you want.

Filesystem Hierarchy Standard (FHS)

The Filesystem Hierarchy Standard (FHS) is the component of the Linux OS that organizes

data. It specifies the location where data is stored in the operating system.

A directory is a file that organizes where other files are stored. Directories are sometimes

called “folders,” and they can contain files or other directories. The FHS defines how

directories, directory contents, and other storage is organized so the operating system knows

where to find specific data.

Kernel

The kernel is the component of the Linux OS that manages processes and memory. It

communicates with the applications to route commands. The Linux kernel is unique to the

Linux OS and is critical for allocating resources in the system. The kernel controls all major

functions of the hardware, which helps the system complete tasks more efficiently.

Hardware

The hardware is the physical components of a computer. You might be familiar with some

hardware components, such as hard drives or CPUs. Hardware is categorized as either

peripheral or internal.

Peripheral devices

Peripheral devices are hardware components that are attached and controlled by the computer

system. They are not core components needed to run the computer system. Peripheral devices

can be added or removed freely. Examples of peripheral devices include monitors, printers, the

keyboard, and the mouse.

Internal hardware

Internal hardware consists of the components required to run the computer. Internal hardware

includes a main circuit board and all components attached to it. This main circuit board is also

called the motherboard. Internal hardware includes the following:

• The Central Processing Unit (CPU) is a computer’s main processor, which is used to

perform general computing tasks on a computer. The CPU executes the instructions

provided by programs, which enables these programs to run.

• Random Access Memory (RAM) is a hardware component used for short-term

memory. It’s where data is stored temporarily as you perform tasks on your computer.

For example, if you’re writing a report on your computer, the data needed for this is

stored in RAM. After you’ve finished writing the report and closed down that program,

this data is deleted from RAM. Information in RAM cannot be accessed once the

computer has been turned off. The CPU takes the data from RAM to run programs.

• The hard drive is a hardware component used for long-term memory. It’s where

programs and files are stored for the computer to access later. Information on the hard

drive can be accessed even after a computer has been turned off and on again. A

computer can have multiple hard drives.

Linux distributions

In this section, you’ll be introduced to the different distributions of Linux. This includes KALI

LINUX ™. (KALI LINUX ™ is a trademark of OffSec.) In addition to KALI LINUX ™, there

are multiple other Linux distributions that security analysts should be familiar with.

KALI LINUX ™

KALI LINUX ™ is an open-source distribution of Linux that is widely used in the security

industry. This is because KALI LINUX ™, which is Debian-based, is pre-installed with many

useful tools for penetration testing and digital forensics. A penetration test is a simulated

attack that helps identify vulnerabilities in systems, networks, websites, applications, and

processes. Digital forensics is the practice of collecting and analyzing data to determine what

has happened after an attack. These are key activities in the security industry.

However, KALI LINUX ™ is not the only Linux distribution that is used in cybersecurity.

Ubuntu

Ubuntu is an open-source, user-friendly distribution that is widely used in security and other

industries. It has both a command-line interface (CLI) and a graphical user interface (GUI).

Ubuntu is also Debian-derived and includes common applications by default. Users can also

download many more applications from a package manager, including security-focused tools.

Because of its wide use, Ubuntu has an especially large number of community resources to

support users.

Ubuntu is also widely used for cloud computing. As organizations migrate to cloud servers,

cybersecurity work may more regularly involve Ubuntu derivatives.

Parrot

Parrot is an open-source distribution that is commonly used for security. Like KALI LINUX

™, Parrot comes with pre-installed tools related to penetration testing and digital forensics.

Like both KALI LINUX ™ and Ubuntu, it is based on Debian.

Parrot is also considered to be a user-friendly Linux distribution. This is because it has a GUI

that many find easy to navigate. This is in addition to Parrot’s CLI.

Red Hat® Enterprise Linux®

Red Hat Enterprise Linux is a subscription-based distribution of Linux built for enterprise

use. Red Hat is not free, which is a major difference from the previously mentioned

distributions. Because it’s built and supported for enterprise use, Red Hat also offers a

dedicated support team for customers to call about issues.

CentOS

CentOS is an open-source distribution that is closely related to Red Hat. It uses source code

published by Red Hat to provide a similar platform. However, CentOS does not offer the same

enterprise support that Red Hat provides and is supported through the community.

Package Managers for Installing Applications

Previously, you learned about Linux distributions and that different distributions derive from

different sources, such as Debian or Red Hat Enterprise Linux. You were also

introduced to package managers and learned that Linux applications are commonly distributed

through package managers.

Introduction to Package Managers

A package is a piece of software that can be combined with other packages to form an

application. Some packages may be large enough to form applications on their own.

Packages contain the files necessary for an application to be installed. These files include

dependencies, which are supplemental files used to run an application.

Package managers can help resolve any issues with dependencies and perform other

management tasks. A package manager is a tool that helps users install, manage, and remove

packages or applications. Linux uses multiple package managers.

Note: It’s important to use the most recent version of a package when possible. The most recent

version has the most up-to-date bug fixes and security patches. This helps keep your system

more secure.

Types of Package Managers

Many commonly used Linux distributions are derived from the same parent distribution. For

example, KALI LINUX ™, Ubuntu, and Parrot all come from Debian. CentOS comes from

Red Hat.

This knowledge is useful when installing applications because certain package managers work

with certain distributions. For example, the Red Hat Package Manager (RPM) can be used for

Linux distributions derived from Red Hat, and package managers such as dpkg can be used for

Linux distributions derived from Debian.

Different package managers typically use different file extensions. For example, Red Hat Package Manager (RPM) has files which use the .rpm file extension, such as Package-Version-Release_Architecture.rpm. Package managers for Debian-derived Linux distributions, such as dpkg, have files which use the .deb file extension, such as Package_Version-Release_Architecture.deb.

Package Management Tools

In addition to package managers like RPM and dpkg, there are also package management tools

that allow you to easily work with packages through the shell. Package management tools are

sometimes utilized instead of package managers because they allow users to perform basic

tasks more easily, such as installing a new package. Two notable tools are the Advanced

Package Tool (APT) and Yellowdog Updater Modified (YUM).

Advanced Package Tool (APT)

APT is a tool used with Debian-derived distributions. It is run from the command-line interface

to manage, search, and install packages.

Yellowdog Updater Modified (YUM)

YUM is a tool used with Red Hat-derived distributions. It is run from the command-line

interface to manage, search, and install packages. YUM works with .rpm files.

Introduction to Shell

In this section, we're going to discuss the Linux shell. This part of the Linux architecture is

where the action will happen for you as a security analyst. We introduced the shell with other

components of the Linux OS earlier, but let's take a deeper look at what the shell is and what

it does.

The shell is the command-line interpreter. That means it helps you communicate with the

operating system through the command line. Previously, we discussed a command-line

interface. This is essentially the shell. The shell provides the command-line interface for you

to interact with the OS. To tell the OS what to do, you enter commands into this interface. A

command is an instruction telling the computer to do something. The shell communicates with

the kernel to execute these commands.

Earlier, we discussed how the operating system helps humans and computers speak with each

other. The shell is the part of the OS that allows you to do this. Think of this as a very helpful

language interpreter between you and your system. Since you do not speak computer language

or binary, you can't directly communicate with your system. This is where the shell comes in

to help you. Your OS doesn't need the shell for most of its work, but it is an interface between

you and what your system can offer. It allows you to perform math, run tests, and execute

applications. More importantly, it allows you to combine these operations and connect

applications to each other to perform complex and automated tasks.

Just as there are many Linux distributions, there are many different types of shells. We'll

primarily focus on the Bash shell in this course.

Different types of Shells

Knowing how to work with Linux shells is an important skill for cybersecurity professionals.

Shells can be used for many common tasks. Previously, you were introduced to shells and their

functions. This reading will review shells and introduce you to different types, including the

one that you'll use in this course.

Communicate through a Shell

As you explored previously, the shell is the command-line interpreter. You can think of a shell

as a translator between you and the computer system. Shells allow you to give commands to

the computer and receive responses from it. When you enter a command into a shell, the shell

executes many internal processes to interpret your command, send it to the kernel, and return

your results.

Types of Shells

The many different types of Linux shells include the following:

• Bourne-Again Shell (bash)

• C Shell (csh)

• Korn Shell (ksh)

• Enhanced C shell (tcsh)

• Z Shell (zsh)

All Linux shells use common Linux commands, but they can differ in other features. For

example, ksh and bash use the dollar sign ($) to indicate where users type in their commands.

Other shells, such as zsh, use the percent sign (%) for this purpose.

Bash

Bash is the default shell in most Linux distributions. It’s considered a user-friendly shell. You

can use bash for basic Linux commands as well as larger projects.

Bash is also the most popular shell in the cybersecurity profession. You’ll use bash throughout

this course as you learn and practice Linux commands.

Input and Output in the Shell

Communicating with a computer is like having a conversation with your friend. One person

asks a question and the other person answers with a response. If you don't know the

answer, you can just say you don't know the answer. When you communicate with the shell, the

commands in the shell can take input, give output, or give error messages.

Standard input consists of information received by the OS via the command line. This is like

you asking your friend a question during a conversation. The information is input from your

keyboard to the shell. If the shell can interpret your request, it asks the kernel for the resources

it needs to execute the related task.

Standard output is the information returned by the OS through the shell. In the same way that

your friend gives an answer to your question, output is a computer's response to the command

you input. Output is what you receive.

Finally, standard error contains error messages returned by the OS through the shell. Just like

your friend might indicate that they can't answer a question, the system responds with an error

message if it can't respond to your command. Sometimes this might occur when we

misspell a command, or the system doesn't know the response to the command. Other times, it

might happen because we don't have the appropriate permissions to perform a command.

Communication with the shell can only go in one of three ways: the system receives a

command—this is input; the system responds to the command and produces output; and

finally, the system doesn't know how to respond, resulting in an error.

Navigate Linux and Read File Content

In this reading, you’ll review how to navigate the file system using Linux commands in Bash.

You’ll further explore the organization of the Linux Filesystem Hierarchy Standard, review

several common Linux commands for navigation and reading file content, and learn a couple

of new commands.

Filesystem Hierarchy Standard (FHS)

Previously, you learned that the Filesystem Hierarchy Standard (FHS) is the component of

Linux that organizes data. The FHS is important because it defines how directories, directory

contents, and other storage are organized in the operating system.

This diagram illustrates the hierarchy of relationships under the FHS:

Under the FHS, a file’s location can be described by a file path. A file path is the location of a

file or directory. In the file path, the different levels of the hierarchy are separated by a forward

slash (/).

Root directory

The root directory is the highest-level directory in Linux, and it’s always represented with a

forward slash (/). All subdirectories branch off the root directory. Subdirectories can continue

branching out to as many levels as necessary.

Standard FHS directories

Directly below the root directory, you’ll find standard FHS directories. In the diagram, home,

bin, and etc are standard FHS directories. Here are a few examples of what standard directories

contain:

• /home: Each user in the system gets their own home directory.

• /bin: This directory stands for “binary” and contains binary files and other executables.

Executables are files that contain a series of commands a computer needs to follow to

run programs and perform other functions.

• /etc: This directory stores the system’s configuration files.

• /tmp: This directory stores many temporary files. The /tmp directory is commonly used

by attackers because anyone in the system can modify data in these files.

• /mnt: This directory stands for “mount” and stores media, such as USB drives and hard

drives.

Pro Tip: You can use the man hier command to learn more about the FHS and its standard

directories.

User-specific subdirectories

Under home are subdirectories for specific users. In the diagram, these users are analyst and

analyst2. Each user has their own personal subdirectories, such as projects, logs, or reports.

Note: When the path leads to a subdirectory below the user’s home directory, the user’s home

directory can be represented as the tilde (~). For example, /home/analyst/logs can also be

represented as ~/logs.

You can navigate to specific subdirectories using their absolute or relative file paths. The

absolute file path is the full file path, which starts from the root. For example,

/home/analyst/projects is an absolute file path. The relative file path is the file path that starts

from a user's current directory.

Note: Relative file paths can use a dot (.) to represent the current directory, or two dots (..) to

represent the parent of the current directory. An example of a relative file path could be

../projects.

Key commands for navigating the file system

The following Linux commands can be used to navigate the file system: pwd, ls, and cd.

pwd

The pwd command prints the working directory to the screen. Or in other words, it returns the

directory that you’re currently in.

The output gives you the absolute path to this directory. For example, if you’re in your home

directory and your username is analyst, entering pwd returns /home/analyst.

Pro Tip: To learn what your username is, use the whoami command. The whoami command

returns the username of the current user. For example, if your username is analyst, entering

whoami returns analyst.

ls

The ls command displays the names of the files and directories in the current working directory.

Note: If you want to return the contents of a directory that’s not your current working directory,

you can add an argument after ls with the absolute or relative file path to the desired directory.

For example, if you’re in the /home/analyst directory but want to list the contents of its

projects subdirectory, you can enter ls /home/analyst/projects or just ls projects.

cd

The cd command navigates between directories. When you need to change directories, you

should use this command.

To navigate to a subdirectory of the current directory, you can add an argument after cd with

the subdirectory name. For example, if you’re in the /home/analyst directory and want to

navigate to its projects subdirectory, you can enter cd projects.

You can also navigate to any specific directory by entering the absolute file path. For example,

if you’re in /home/analyst/projects, entering cd /home/analyst/logs changes your current

directory to /home/analyst/logs.

Pro Tip: You can use the relative file path and enter cd .. to go up one level in the file structure.

For example, if the current directory is /home/analyst/projects, entering cd .. would change

your working directory to /home/analyst.

Common Commands for Reading File Content

The following Linux commands are useful for reading file content: cat, head, tail, and less.

cat

The cat command displays the content of a file. For example, entering cat updates.txt returns

everything in the updates.txt file.

head

The head command displays just the beginning of a file, by default 10 lines. The head

command can be useful when you want to know the basic contents of a file but don’t need the

full contents. Entering head updates.txt returns only the first 10 lines of the updates.txt file.

Pro Tip: If you want to change the number of lines returned by head, you can specify the

number of lines by including -n. For example, if you only want to display the first five lines of

the updates.txt file, enter head -n 5 updates.txt.

tail

The tail command does the opposite of head. This command can be used to display just the

end of a file, by default 10 lines. Entering tail updates.txt returns only the last 10 lines of the

updates.txt file.

Pro Tip: You can use tail to read the most recent information in a log file.

less

The less command returns the content of a file one page at a time. For example, entering less

updates.txt changes the terminal window to display the contents of updates.txt one page at a

time. This allows you to easily move forward and backward through the content.

Once you’ve accessed your content with the less command, you can use several keyboard

controls to move through the file:

• Space bar: Move forward one page.

• b: Move back one page.

• Down arrow: Move forward one line.

• Up arrow: Move back one line.

• q: Quit and return to the previous terminal window.

Filter content in Linux

In this reading, you’ll continue exploring Linux commands, which can help you filter for the

information you need. You’ll learn a new Linux command, find, which can help you search

files and directories for specific information.

Filtering for information

You previously explored how filtering information is an important skill for security analysts.

Filtering is selecting data that matches a certain condition. For example, if you had a virus in

your system that only affected the .txt files, you could use filtering to find these files quickly.

Filtering allows you to search based on specific criteria, such as file extension or a string of

text.

grep

The grep command searches a specified file and returns all lines in the file containing a

specified string. The grep command commonly takes two arguments: a specific string to search

for and a specific file to search through.

For example, entering grep OS updates.txt returns all lines containing OS in the updates.txt

file. In this example, OS is the specific string to search for, and updates.txt is the specific file

to search through.

Piping

The pipe command is accessed using the pipe character (|). Piping sends the standard output

of one command as standard input to another command for further processing. As a reminder,

standard output is information returned by the OS through the shell, and standard input is

information received by the OS via the command line.

The pipe character (|) is in various places on a keyboard. On many keyboards, it’s located on

the same key as the backslash character (\). On some keyboards, the | can look different and

have a small space through the middle of the line. If you can’t find the |, search online for its

location on your keyboard.

When used with grep, the pipe can help you find directories and files containing a specific

word in their names. For example, ls /home/analyst/reports | grep users returns the file and

directory names in the reports directory that contain users. Before the pipe, ls indicates to list

the names of the files and directories in reports. Then, it sends this output to the command

after the pipe. In this case, grep users returns all the file or directory names containing users

from the input it received.

Note: Piping is a general form of redirection in Linux and can be used for multiple tasks other

than filtering. You can think of piping as a general tool that you can use whenever you want

the output of one command to become the input of another command.

find

The find command searches for directories and files that meet specified criteria. There’s a wide

range of criteria that can be specified with find. For example, you can search for files and

directories that:

• Contain a specific string in the name,

• Are a certain file size, or

• Were last modified within a certain time frame.

When using find, the first argument after find indicates where to start searching. For example,

entering find /home/analyst/projects searches for everything starting at the projects

directory.

After this first argument, you need to indicate your criteria for the search. If you don’t include

a specific search criterion with your second argument, your search will likely return a lot of

directories and files.

Specifying criteria involves options. Options modify the behavior of a command and

commonly begin with a hyphen (-).

-name and -iname

One key criterion an analyst might use with find is finding file or directory names that contain a specific string. The specific string you’re searching for must be entered in quotes after the -name or -iname options. The difference between these two options is that -name is case-sensitive, and -iname is not.

For example, you might want to find all files in the projects directory that contain the word

“log” in the file name. To do this, you’d enter find /home/analyst/projects -name "*log*".

You could also enter find /home/analyst/projects -iname "*log*".

In these examples, the output would be all files in the projects directory that contain log surrounded by zero or more characters. The "*log*" portion of the command is the search criterion that indicates to search for the string “log”. When -name is the option, files with names that include Log or LOG, for example, wouldn’t be returned because this option is case-sensitive. However, they would be returned when -iname is the option.

Note: An asterisk (*) is used as a wildcard to represent zero or more unknown characters.

-mtime

Security analysts might also use find to find files or directories last modified within a certain

time frame. The -mtime option can be used for this search. For example, entering find

/home/analyst/projects -mtime -3 returns all files and directories in the projects directory

that have been modified within the past three days.

The -mtime option search is based on days, so entering -mtime +1 indicates all files or

directories last modified more than one day ago and entering -mtime -1 indicates all files or

directories last modified less than one day ago.

Note: The option -mmin can be used instead of -mtime if you want to base the search on

minutes rather than days.
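As an added example (not from the course notes), the POSIX shell script below builds a throwaway projects directory with constructed file names and timestamps, then runs the -name, -iname and -mtime searches described above against it so you can compare what each one returns. The function names and file names are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the course notes): build a small constructed
# directory tree, then run the find searches described above against it.
# Directory and file names are constructed for this demonstration.

# Create a throwaway "projects" directory with a few sample files and
# print its path. Most files keep the current modification time; one is
# given an old timestamp (1 Jan 2020) with touch -t so that -mtime has
# something to distinguish.
make_sample_projects() {
    dir=$(mktemp -d)
    mkdir -p "$dir/archive"
    touch "$dir/access_log.txt"                        # recent, "log" in lowercase
    touch "$dir/ERROR_LOG.txt"                         # recent, "LOG" in uppercase
    touch "$dir/notes.md"                              # recent, no "log" in the name
    touch -t 202001010000 "$dir/archive/old_log.txt"   # old, "log" in lowercase
    printf '%s\n' "$dir"
}

# Names containing "log" exactly (case-sensitive), printed relative to $1.
# -type f limits the results to files so the directory names do not appear.
find_log_case_sensitive() {
    ( cd "$1" && find . -type f -name "*log*" | sort )
}

# Names containing "log" in any case (-iname also matches "LOG").
find_log_any_case() {
    ( cd "$1" && find . -type f -iname "*log*" | sort )
}

# Files modified within the past three days (-mtime -3).
find_modified_recently() {
    ( cd "$1" && find . -type f -mtime -3 | sort )
}

# Files last modified more than one day ago (-mtime +1).
find_modified_long_ago() {
    ( cd "$1" && find . -type f -mtime +1 | sort )
}

# Demonstration run: show each search, then clean up.
projects=$(make_sample_projects)
echo "-name \"*log*\":";  find_log_case_sensitive "$projects"
echo "-iname \"*log*\":"; find_log_any_case "$projects"
echo "-mtime -3:";        find_modified_recently "$projects"
echo "-mtime +1:";        find_modified_long_ago "$projects"
rm -rf "$projects"
```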

Manage directories and files

Previously, you explored how to manage the file system using Linux commands. The following

commands were introduced: mkdir, rmdir, touch, rm, mv, and cp. In this reading, you’ll

review these commands, the nano text editor, and learn another way to write to files.

Creating and modifying directories

mkdir

The mkdir command creates a new directory. Like all the commands presented in this reading,

you can either provide the new directory as the absolute file path, which starts from the root,

or as a relative file path, which starts from your current directory.

For example, if you want to create a new directory called network in your /home/analyst/logs

directory, you can enter mkdir /home/analyst/logs/network to create this new directory. If

you’re already in the /home/analyst/logs directory, you can also create this new directory by

entering mkdir network.

Pro Tip: You can use the ls command to confirm the new directory was added.

rmdir

The rmdir command removes, or deletes, a directory. For example, entering rmdir

/home/analyst/logs/network would remove this empty directory from the file system.

Note: The rmdir command cannot delete directories with files or subdirectories inside. For

example, entering rmdir /home/analyst returns an error message.

Creating and modifying files

touch and rm

The touch command creates a new file. This file won’t have any content inside. If your current

directory is /home/analyst/reports, entering touch permissions.txt creates a new file in the

reports subdirectory called permissions.txt.

The rm command removes, or deletes, a file. This command should be used carefully because

it’s not easy to recover files deleted with rm. To remove the permissions file you just created,

enter rm permissions.txt.

Pro Tip: You can verify that permissions.txt was successfully created or removed by entering

ls.

mv and cp

You can also use mv and cp when working with files. The mv command moves a file or

directory to a new location, and the cp command copies a file or directory into a new location.

The first argument after mv or cp is the file or directory you want to move or copy, and the

second argument is the location you want to move or copy it to.

To move permissions.txt into the logs subdirectory, enter mv permissions.txt

/home/analyst/logs. Moving a file removes the file from its original location. However,

copying a file doesn’t remove it from its original location. To copy permissions.txt into the

logs subdirectory while also keeping it in its original location, enter cp permissions.txt

/home/analyst/logs.

Note: The mv command can also be used to rename files. To rename a file, pass the new name

in as the second argument instead of the new location. For example, entering mv

permissions.txt perm.txt renames the permissions.txt file to perm.txt.

nano text editor

nano is a command-line file editor that is available by default in many Linux distributions.

Many beginners find it easy to use, and it’s widely used in the security profession. You can

perform multiple basic tasks in nano, such as creating new files and modifying file contents.

To open an existing file in nano from the directory that contains it, enter nano followed by the

file name. For example, entering nano permissions.txt from the /home/analyst/reports

directory opens a new nano editing window with the permissions.txt file open for editing. You

can also provide the absolute file path to the file if you’re not in the directory that contains it.

You can also create a new file in nano by entering nano followed by a new file name. For

example, entering nano authorized_users.txt from the /home/analyst/reports directory

creates the authorized_users.txt file within that directory and opens it in a new nano editing

window.

Since there isn't an auto-saving feature in nano, it’s important to save your work before exiting.

To save a file in nano, use the keyboard shortcut Ctrl + O. You’ll be prompted to confirm the

file name before saving. To exit out of nano, use the keyboard shortcut Ctrl + X.

Note: Vim and Emacs are also popular command-line text editors.

Standard output redirection

There’s an additional way you can write to files. Previously, you learned about standard input

and standard output. Standard input is information received by the OS via the command line,

and standard output is information returned by the OS through the shell.

You’ve also learned about piping. Piping sends the standard output of one command as

standard input to another command for further processing. It uses the pipe character (|).

In addition to the pipe (|), you can also use the right-angle bracket (>) and double right angle

bracket (>>) operators to redirect standard output.

When used with echo, the > and >> operators can be used to send the output of echo to a

specified file rather than the screen. The difference between the two is that > overwrites your

existing file, and >> adds your content to the end of the existing file instead of overwriting

it. The > operator should be used carefully because it’s not easy to recover overwritten files.

When you’re inside the directory containing the permissions.txt file, entering echo "last updated date" >> permissions.txt adds the string “last updated date” to the file contents. Entering echo "time" > permissions.txt after this command overwrites the entire file contents of permissions.txt with the string “time”.

Note: Both the > and >> operators will create a new file if one doesn’t already exist with your

specified name.
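As an added example (not from the course notes), the script below ties together the three streams from the "Input and Output in the Shell" section, the piping section and the redirection just described: it writes a constructed log file, pipes grep output into tail, appends an error count with >>, overwrites it with >, and sends standard output and standard error to separate files. The log lines, file names and function names are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the course notes): standard output, standard
# error, piping (|) and redirection (>, >>, 2>) in one place. The log
# lines and file names are constructed for this demonstration.

# Write a small constructed log file and print its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2024-01-01 09:00:01 INFO  user analyst logged in
2024-01-01 09:02:14 ERROR failed password for user root from 10.0.0.5
2024-01-01 09:05:33 INFO  package list refreshed
2024-01-01 09:06:10 ERROR failed password for user root from 10.0.0.5
2024-01-01 09:09:47 WARN  disk usage at 85%
EOF
    printf '%s\n' "$f"
}

# Piping: grep's standard output becomes tail's standard input, so this
# prints only the most recent ERROR line (the "ls | grep" pattern from
# the piping section, applied to a log file).
last_error() {
    grep ERROR "$1" | tail -n 1
}

# >> appends: each call adds one more line (the current ERROR count) to
# the summary file, creating the file on the first call if needed.
append_error_count() {
    grep -c ERROR "$1" >> "$2"
}

# > overwrites: whatever the summary file held before is gone.
overwrite_error_count() {
    grep -c ERROR "$1" > "$2"
}

# Standard output and standard error are separate streams. cat is given
# the real log and a path that does not exist: the log's lines go to the
# stdout file ($2) via >, the "No such file" message goes to the stderr
# file ($3) via 2>, and cat's non-zero exit status is printed so the
# caller can tell that something failed even though stdout looks fine.
split_streams() {
    status=0
    cat "$1" /nonexistent/constructed/path > "$2" 2> "$3" || status=$?
    printf '%s\n' "$status"
}

# Demonstration run, then clean up.
log=$(make_sample_log)
summary=$(mktemp); out=$(mktemp); err=$(mktemp)
echo "last error:       $(last_error "$log")"
append_error_count "$log" "$summary"
append_error_count "$log" "$summary"
echo "after two >>:     $(wc -l < "$summary" | tr -d ' ') line(s)"
overwrite_error_count "$log" "$summary"
echo "after one >:      $(wc -l < "$summary" | tr -d ' ') line(s)"
echo "cat exit status:  $(split_streams "$log" "$out" "$err")"
echo "stderr captured:  $(cat "$err")"
rm -f "$log" "$summary" "$out" "$err"
```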

Permission commands

Previously, you explored file permissions and the commands that you can use to display and change them. In this reading, you’ll review these concepts and also focus on an example of how these commands work together when putting the principle of least privilege into practice.

Reading permissions

In Linux, permissions are represented with a 10-character string. Permissions include:

• read: for files, this is the ability to read the file contents; for directories, this is the ability to read all contents in the directory including both files and subdirectories.

• write: for files, this is the ability to make modifications on the file contents; for directories, this is the ability to create new files in the directory.

• execute: for files, this is the ability to execute the file if it’s a program; for directories, this is the ability to enter the directory and access its files.

These permissions are given to these types of owners:

• user: the owner of the file

• group: a larger group that the owner is a part of

• other: all other users on the system

Each character in the 10-character string conveys different information about these permissions. The following table describes the purpose of each character:

Character   Example      Meaning
1st         drwxrwxrwx   file type
                         • d for directory
                         • - for a regular file
2nd         drwxrwxrwx   read permissions for the user
                         • r if the user has read permissions
                         • - if the user lacks read permissions
3rd         drwxrwxrwx   write permissions for the user
                         • w if the user has write permissions
                         • - if the user lacks write permissions
4th         drwxrwxrwx   execute permissions for the user
                         • x if the user has execute permissions
                         • - if the user lacks execute permissions
5th         drwxrwxrwx   read permissions for the group
                         • r if the group has read permissions
                         • - if the group lacks read permissions
6th         drwxrwxrwx   write permissions for the group
                         • w if the group has write permissions
                         • - if the group lacks write permissions
7th         drwxrwxrwx   execute permissions for the group
                         • x if the group has execute permissions
                         • - if the group lacks execute permissions
8th         drwxrwxrwx   read permissions for other
                         • r if the other owner type has read permissions
                         • - if the other owner type lacks read permissions
9th         drwxrwxrwx   write permissions for other
                         • w if the other owner type has write permissions
                         • - if the other owner type lacks write permissions
10th        drwxrwxrwx   execute permissions for other
                         • x if the other owner type has execute permissions
                         • - if the other owner type lacks execute permissions

Exploring existing permissions

You can use the ls command to investigate who has permissions on files and directories. Previously, you learned that ls displays the names of files and directories in the current working directory.

There are additional options you can add to the ls command to make your command more specific. Some of these options provide details about permissions. Here are a few important ls options for security analysts:

• ls -a: Displays hidden files. Hidden files start with a period (.) at the beginning.

• ls -l: Displays permissions to files and directories. Also displays other additional information, including owner name, group, file size, and the time of last modification.

• ls -la: Displays permissions to files and directories, including hidden files. This is a combination of the other two options.

Changing permissions

The principle of least privilege is the concept of granting only the minimal access and authorization required to complete a task or function. In other words, users should not have privileges that are beyond what is necessary. Not following the principle of least privilege can create security risks.

The chmod command can help you manage this authorization. The chmod command changes permissions on files and directories.

Using chmod

The chmod command requires two arguments. The first argument indicates how to change permissions, and the second argument indicates the file or directory that you want to change permissions for. For example, the following command would add all permissions to login_sessions.txt:

chmod u+rwx,g+rwx,o+rwx login_sessions.txt

If you wanted to take all the permissions away, you could use

chmod u-rwx,g-rwx,o-rwx login_sessions.txt

Another way to assign these permissions is to use the equals sign (=) in this first argument. Using = with chmod sets, or assigns, the permissions exactly as specified. For example, the following command would set read permissions for login_sessions.txt for user, group, and other:

chmod u=r,g=r,o=r login_sessions.txt

This command overwrites existing permissions. For instance, if the user previously had write permissions, these write permissions are removed after you specify only read permissions with =.

The following table reviews how each character is used within the first argument of chmod:

Character   Description
u           indicates changes will be made to user permissions
g           indicates changes will be made to group permissions
o           indicates changes will be made to other permissions
+           adds permissions to the user, group, or other
-           removes permissions from the user, group, or other
=           assigns permissions for the user, group, or other

Note: When there are permission changes to more than one owner type, commas are needed to separate changes for each owner type. You should not add spaces after those commas.

The principle of least privilege in action

As a security analyst, you may encounter a situation like this one: There’s a file called bonuses.txt within a compensation directory. The owner of this file is a member of the Human Resources department with a username of hrrep1. It has been decided that hrrep1 needs access to this file. But, since this file contains confidential information, no one else in the hr group needs access.

You run ls -l to check the permissions of files in the compensation directory and discover that the permissions for bonuses.txt are -rw-rw----. The group owner type has read and write permissions that do not align with the principle of least privilege.

To remedy the situation, you input chmod g-rw bonuses.txt. Now, only the user who needs to access this file to carry out their job responsibilities can access this file.
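The permission string table, the chmod characters and the bonuses.txt scenario above, worked through in Python as an added example that is not code from the course: parse_permissions decodes a 10-character ls -l string, apply_chmod applies symbolic arguments such as g-rw or u=r,g=r,o=r, and excess_permissions and remediation_spec are hypothetical helpers that flag group/other access beyond least privilege and build the chmod argument that removes it.

```python
import re

# Added example (not part of the course reading): decode the 10-character
# permission string shown by ls -l, apply chmod-style symbolic changes, and
# flag group/other permissions that exceed what least privilege allows.

OWNERS = ("u", "g", "o")   # user, group, other: the order of the three triples
PERMS = "rwx"              # read, write, execute: the order within each triple


def parse_permissions(mode):
    """Turn '-rw-rw----' into {'type': '-', 'u': {'r','w'}, 'g': {'r','w'}, 'o': set()}."""
    if len(mode) != 10:
        raise ValueError(f"expected a 10-character permission string, got {mode!r}")
    perms = {"type": mode[0]}
    for index, owner in enumerate(OWNERS):
        triple = mode[1 + 3 * index : 4 + 3 * index]
        granted = set()
        for actual, expected in zip(triple, PERMS):
            if actual == expected:
                granted.add(actual)
            elif actual != "-":
                raise ValueError(f"unexpected character {actual!r} in {mode!r}")
        perms[owner] = granted
    return perms


def format_permissions(perms):
    """Inverse of parse_permissions: rebuild the 10-character string."""
    return perms["type"] + "".join(
        "".join(p if p in perms[owner] else "-" for p in PERMS) for owner in OWNERS
    )


def apply_chmod(mode, spec):
    """Apply a symbolic chmod argument such as 'g-rw' or 'u=r,g=r,o=r' to mode.

    Handles the u/g/o owner letters and the + - = operators covered in the
    reading; chmod's 'a' shorthand and octal modes are deliberately left out.
    """
    perms = parse_permissions(mode)
    for clause in spec.split(","):          # commas separate owner types, no spaces
        match = re.fullmatch(r"([ugo]+)([+=-])([rwx]*)", clause)
        if match is None:
            raise ValueError(f"unsupported chmod clause {clause!r}")
        owners, operator, bits = match.groups()
        for owner in owners:
            if operator == "+":
                perms[owner] |= set(bits)
            elif operator == "-":
                perms[owner] -= set(bits)
            else:                            # '=' assigns exactly the listed bits
                perms[owner] = set(bits)
    return format_permissions(perms)


def excess_permissions(mode, allowed_group="", allowed_other=""):
    """List group/other permissions beyond the allowed sets, e.g. ['g+rw'].

    The defaults treat the file as confidential to its owner, matching the
    bonuses.txt scenario: the group and other owner types should have nothing.
    """
    perms = parse_permissions(mode)
    findings = []
    for owner, allowed in (("g", allowed_group), ("o", allowed_other)):
        extra = perms[owner] - set(allowed)
        if extra:
            findings.append(owner + "+" + "".join(p for p in PERMS if p in extra))
    return findings


def remediation_spec(mode, allowed_group="", allowed_other=""):
    """Build the chmod argument that removes every excess permission, e.g. 'g-rw'."""
    findings = excess_permissions(mode, allowed_group, allowed_other)
    return ",".join(f.replace("+", "-") for f in findings)


if __name__ == "__main__":
    before = "-rw-rw----"                    # what ls -l showed for bonuses.txt
    spec = remediation_spec(before)          # 'g-rw'
    print(f"chmod {spec} bonuses.txt  ->  {apply_chmod(before, spec)}")
```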

Linux resources

Linux has a large online community, and this is a huge resource for Linux users of all levels. You can likely find the answers to your questions with a simple online search. Troubleshooting issues by searching and reading online is an effective way to discover how others approached your issue. It’s also a great way for beginners to learn more about Linux.

The Unix and Linux Stack Exchange is a trusted resource for troubleshooting Linux issues. It is a question-and-answer website where community members can ask and answer questions about Linux. Community members vote on answers, so the higher quality answers are displayed at the top. Many of the questions are related to specific topics from advanced users, and the topics might help you troubleshoot issues as you continue using Linux.

Integrated Linux support

Linux also has several commands that you can use for support.

man

The man command displays information on other commands and how they work. It’s short for “manual.” To search for information on a command, enter the command after man. For example, entering man chown returns detailed information about chown, including the various options you can use with it. The output of the man command is also called a “man page.”

apropos

The apropos command searches the man page descriptions for a specified string. Man pages can be lengthy and difficult to search through if you’re looking for a specific keyword. To use apropos, enter the keyword after apropos.

You can also include the -a option to search for multiple words. For example, entering apropos -a graph editor outputs man pages that contain both the words “graph” and “editor” in their descriptions.

whatis

The whatis command displays a description of a command on a single line. For example, entering whatis nano outputs the description of nano. This command is useful when you don't need a detailed description, just a general idea of the command. This might be as a reminder, or it might be after you discover a new command through a colleague or online resource and want to know more.

Resources for more information

There are many resources available online that can help you learn new Linux concepts, review topics, or ask and answer questions with the global Linux community. The Unix and Linux Stack Exchange is one example, and you can search online to find others.

Introduction to SQL and Databases

Our modern world is filled with data, and that data almost always guides us in making important decisions. When working with large amounts of data, we need to know how to store it, so it's organized and quick to access and process. The solution to this is through databases, and that's what we're exploring in this section.

To start us off, we can define a database as an organized collection of information or data. Databases are often compared to spreadsheets. Some of you may have used Google Sheets or another common spreadsheet program in the past. While these programs are convenient ways to store data, spreadsheets are often designed for a single user or a small team to store less data. In contrast, databases can be accessed by multiple people simultaneously and can store massive amounts of data. Databases can also perform complex tasks while accessing data. As a security analyst, you'll often need to access databases containing useful information. For example, these could be databases containing information on login attempts, software and updates, or machines and their owners.

Using databases allows us to store large amounts of data while keeping it quick and easy to access. There are lots of different ways we can structure a database, but in this course, we'll be working with relational databases. A relational database is a structured database containing tables that are related to each other.

We'll start by examining an individual table in a larger database of organizational information. Each table contains fields of information. For example, in this table on employees, these would include fields like employee_id, device_id, and username. These are the columns of the table. In addition, tables contain rows, also called records. Rows are filled with specific data related to the columns in the table. For example, our first row is a record for an employee whose ID is 1,000 and who works in the marketing department.

Relational databases often have multiple tables. Consider an example where we have two tables from a larger database, one with employees of the company and another with machines given to those employees. We can connect two tables if they share a common column. In this example, we establish a relationship between them with a common employee_id column. The columns that relate two tables to each other are called keys. There are two types of keys. The first is called a primary key. The primary key refers to a column where every row has a unique entry. The primary key must not have any duplicate values or any null or empty values. The primary key allows us to uniquely identify every row in our table. For the table of employees, employee_id is a primary key. Every employee_id is unique, and there are no employee_ids that are duplicate or empty.

The second type of key is a foreign key. The foreign key is a column in a table that is a primary key in another table. Foreign keys, unlike primary keys, can have empty values and duplicates. The foreign key allows us to connect two tables together. In our example, we can look at the employee_id column in the machines table. We previously identified this as a primary key in the employees table, so we can use this to connect every machine to its corresponding employee.

It's also important to know that a table can only have one primary key but multiple foreign keys.

Query databases with SQL

As a security analyst, you'll need to be familiar with both databases and the tools used to access them. Now that we know the basics of databases, let's focus on an important tool used to work with them, SQL, and learn more about how analysts like yourself might utilize it. SQL, or as it's also pronounced, S-Q-L, stands for Structured Query Language. SQL is a programming language used to create, interact with, and request information from a database.

Before learning more about SQL, we need to define what a query means. A query is a request for data from a database table or a combination of tables. Nearly all relational databases rely on some version of SQL to query data. The different versions of SQL only have slight differences in their structure, like where to place quotation marks. Whatever variety of SQL you use, you'll find it to be a very important tool in your work as a security analyst.

First, let's discuss how SQL can help you retrieve logs. A log is a record of events that occur within an organization's systems. As a security analyst, you might be tasked with reviewing logs for various reasons. For example, some logs might contain details on machines used in a company, and as an analyst, you would need to find those machines that weren't configured properly. Other logs might describe the visitors to your website or web app and the tasks they perform. In that case, you might be looking for unusual patterns that may point to malicious activity. Security logs are often very large and hard to process. There are millions of data points, and it's very time-consuming to find what you need. But this is where SQL comes in! It can search through millions of data points to extract relevant rows of data using one query that takes seconds to run.

SQL is also a very common language used for basic data analytics, another set of skills that will set you apart as a security analyst. As a security analyst, you can use SQL's filtering to find data to support security-related decisions and analyze when things may go wrong. For instance, you can identify what machines haven't received the latest patch. This is important because patches are updates that help secure against attacks. As another example, you can use SQL to determine the best time to update a machine based on when it's least used.

SQL Filtering versus Linux Filtering

Previously, you explored the Linux commands that allow you to filter for specific information contained within files or directories. And, more recently, you examined how SQL helps you efficiently filter for the information you need. In this reading, you'll explore differences between the two tools as they relate to filtering. You'll also learn that one way to access SQL is through the Linux command line.

Accessing SQL

There are many interfaces for accessing SQL and many different versions of SQL. One way to access SQL is through the Linux command line.

To access SQL from Linux, you need to type in a command for the version of SQL that you want to use. For example, if you want to access SQLite, you can enter the command sqlite3 in the command line.

After this, any commands typed in the command line will be directed to SQL instead of Linux commands.

Differences between Linux and SQL Filtering

Although both Linux and SQL allow you to filter through data, there are some differences that affect which one you should choose.

Structure

SQL offers a lot more structure than Linux, which is more free-form and not as tidy.

For example, if you wanted to access a log of employee log-in attempts, SQL would have each record separated into columns. Linux would print the data as a line of text without this organization. As a result, selecting a specific column to analyze would be easier and more efficient in SQL.

In terms of structure, SQL provides results that are more easily readable and that can be adjusted more quickly than when using Linux.

Joining tables

Some security-related decisions require information from different tables. SQL allows the analyst to join multiple tables together when returning data. Linux doesn’t have that same functionality; it doesn’t allow data to be connected to other information on your computer. This is more restrictive for an analyst going through security logs.

Best uses

As a security analyst, it’s important to understand when you can use which tool. Although SQL has a more organized structure and allows you to join tables, this doesn’t mean that there aren’t situations that would require you to filter data in Linux.

A lot of data used in cybersecurity will be stored in a database format that works with SQL. However, other logs might be in a format that is not compatible with SQL. For instance, if the data is stored in a text file, you cannot search through it with SQL. In those cases, it is useful to know how to filter in Linux.

Query a Database

Previously, you explored how SQL is an important tool in the world of cybersecurity and is essential when querying databases. You examined a few basic SQL queries and keywords used to extract needed information from a database. In this reading, you’ll review those basic SQL queries and learn a new keyword that will help you organize your output. You'll also learn about the Chinook database, which this course uses for queries in readings.

Basic SQL query

There are two essential keywords in any SQL query: SELECT and FROM. You will use these keywords every time you want to query a SQL database. Using them together helps SQL identify what data you need from a database and the table you are returning it from. An example is shown below.

SELECT employee_id, device_id
FROM employees;

In readings, this course uses a sample database called the Chinook database to run queries. The Chinook database includes data that might be created at a digital media company. A security analyst employed by this company might need to query this data. For example, the database contains eleven tables, including an employees table, a customers table, and an invoices table. These tables include data such as names and addresses.

SELECT

The SELECT keyword indicates which columns to return. For example, you can return the customerid column from the Chinook database with

SELECT customerid

You can also select multiple columns by separating them with a comma. For example, if you want to return both the customerid and city columns, you should write SELECT customerid, city.

If you want to return all columns in a table, you can follow the SELECT keyword with an asterisk (*). The first line in the query will be SELECT *.

Note: Although the tables you're querying in this course are relatively small, using SELECT * may not be advisable when working with large databases and tables; in those cases, the final output may be difficult to understand and might be slow to run.

FROM

The SELECT keyword always comes with the FROM keyword. FROM indicates which table to query. To use the FROM keyword, you should write it after the SELECT keyword, often on a new line, and follow it with the name of the table you’re querying. If you want to return all columns from the customers table, you can write:

SELECT *
FROM customers;

When you want to end the query here, you put a semicolon (;) at the end to tell SQL that this is the entire query.

Note: Line breaks are not necessary in SQL queries, but are often used to make the query easier to understand. If you prefer, you can also write the previous query on one line as

SELECT * FROM customers;

ORDER BY

Database tables are often very complicated, and this is where other SQL keywords come in handy. ORDER BY is an important keyword for organizing the data you extract from a table. ORDER BY sequences the records returned by a query based on a specified column or columns. This can be in either ascending or descending order.

Sorting in ascending order

To use the ORDER BY keyword, write it at the end of the query and specify a column to base the sort on. In this example, SQL will return the customerid, city, and country columns from the customers table, and the records will be sequenced by the city column:

SELECT customerid, city, country
FROM customers
ORDER BY city;

The ORDER BY keyword sorts the records based on the column specified after this keyword. By default, as shown in this example, the sequence will be in ascending order. This means:

• if you choose a column containing numeric data, it sorts the output from the smallest to largest. For example, if sorting on customerid, the ID numbers are sorted from smallest to largest.

• if the column contains alphabetic characters, such as in the example with the city column, it orders the records from the beginning of the alphabet to the end.

Sorting in descending order

You can also use ORDER BY with the DESC keyword to sort in descending order. The DESC keyword is short for "descending" and tells SQL to sort numbers from largest to smallest, or alphabetically from Z to A. This can be done by following ORDER BY with the DESC keyword. For example, you can run this query to examine how the results differ when DESC is applied:

SELECT customerid, city, country
FROM customers
ORDER BY city DESC;

You can also choose multiple columns to order by. For example, you might first choose the country and then the city column. SQL then sorts the output by country, and for rows with the same country, it sorts them based on city. You can run this to explore how SQL displays this:

SELECT customerid, city, country
FROM customers
ORDER BY country, city;

The WHERE clause and basic operators

In this reading, you’ll further explore how to use the WHERE clause, the LIKE operator and the percentage sign (%) wildcard. You’ll also be introduced to the underscore (_), another wildcard that can help you filter queries.

How filtering helps

As a security analyst, you'll often be responsible for working with very large and complicated security logs. To find the information you need, you'll often need to use SQL to filter the logs.

In a cybersecurity context, you might use filters to find the login attempts of a specific user or all login attempts made at the time of a security issue. As another example, you might filter to find the devices that are running a specific version of an application.

WHERE

To create a filter in SQL, you need to use the keyword WHERE. WHERE indicates the condition for a filter.

If you needed to email employees with a title of IT Staff, you might use a query like the one in the following example. You can run this example to examine what it returns:

SELECT firstname, lastname, title, email
FROM employees
WHERE title = 'IT Staff';

Rather than returning all records in the employees table, this WHERE clause instructs SQL to return only those that contain 'IT Staff' in the title column. It uses the equals sign (=) operator to set this condition.

Note: You should place the semicolon (;) where the query ends. When you add a filter to a basic query, the semicolon is after the filter.

Filtering for patterns

You can also filter based on a pattern. For example, you can identify entries that start or end with a certain character or characters. Filtering for a pattern requires incorporating two more elements into your WHERE clause:

• a wildcard

• the LIKE operator

Wildcards

A wildcard is a special character that can be substituted with any other character. Two of the most useful wildcards are the percentage sign (%) and the underscore (_):

• The percentage sign substitutes for any number of other characters.

• The underscore symbol only substitutes for one other character.

These wildcards can be placed after a string, before a string, or in both locations depending on the pattern you’re filtering for.

The following table includes these wildcards applied to the string 'a' and examples of what each pattern would return.

Pattern   Results that could be returned
'a%'      apple123, art, a
'a_'      as, an, a7
'a__'     ant, add, a1c
'%a'      pizza, Z6ra, a
'_a'      ma, 1a, Ha
'%a%'     Again, back, a
'_a_'     Car, ban, ea7

LIKE

To apply wildcards to the filter, you need to use the LIKE operator instead of an equals sign (=). LIKE is used with WHERE to search for a pattern in a column.

For instance, if you want to email employees with a title of either 'IT Staff' or 'IT Manager', you can use the LIKE operator combined with the % wildcard:

SELECT lastname, firstname, title, email
FROM employees
WHERE title LIKE 'IT%';

This query returns all records with values in the title column that start with the pattern of 'IT'. This means both 'IT Staff' and 'IT Manager' are returned.

As another example, if you want to search through the customers table to find all customers located in states with an abbreviation of 'NY', 'NV', 'NS' or 'NT', you can use the 'N_' pattern on the state column:

SELECT firstname, lastname, state, country
FROM customers
WHERE state LIKE 'N_';

This returns all the records with state abbreviations that follow this pattern.

Operators for filtering dates and numbers

This reading summarizes what you learned and provides new examples of using operators in filters.

Numbers, dates, and times in cybersecurity

Security analysts work with more than just string data, or data consisting of an ordered sequence of characters.

They also frequently work with numeric data, or data consisting of numbers. A few examples of numeric data that you might encounter in your work as a security analyst include:

• the number of login attempts

• the count of a specific type of log entry

• the volume of data being sent from a source

• the volume of data being sent to a destination

You'll also encounter date and time data, or data representing a date and/or time. As a first example, logs will generally timestamp every record. Other time and date data might include:

• login dates

• login times

• dates for patches

• the duration of a connection

Comparison operators

In SQL, filtering numeric and date and time data often involves operators. You can use the following operators in your filters to make sure you return only the rows you need:

Operator   Use
<          less than
>          greater than
=          equal to
<=         less than or equal to
>=         greater than or equal to
<>         not equal to

Note: You can also use != as an alternative operator for not equal to.

Incorporating operators into filters

These comparison operators are used in the WHERE clause at the end of a query. The following query uses the > operator to filter the birthdate column. You can run this query to explore its output:

SELECT firstname, lastname, birthdate
FROM employees
WHERE birthdate > '1970-01-01';

This query returns the first and last names of employees born after, but not on, '1970-01-01' (or January 1, 1970). If you were to use the >= operator instead, the results would also include results on exactly '1970-01-01'.

In other words, the > operator is exclusive and the >= operator is inclusive. An exclusive operator is an operator that does not include the value of comparison. An inclusive operator is an operator that includes the value of comparison.

BETWEEN

Another operator used for numeric data as well as date and time data is the BETWEEN operator. BETWEEN filters for numbers or dates within a range. For example, if you want to find the first and last names of all employees hired between January 1, 2002 and January 1, 2003, you can use the BETWEEN operator as follows:

SELECT firstname, lastname, hiredate
FROM employees
WHERE hiredate BETWEEN '2002-01-01' AND '2003-01-01';

Note: The BETWEEN operator is inclusive. This means records with a hiredate of January 1, 2002 or January 1, 2003 are included in the results of the previous query.

More on filters with AND, OR, and NOT

Logical operators

AND, OR, and NOT allow you to filter your queries to return the specific information that will help you in your work as a security analyst. They are all considered logical operators.

AND

First, AND is used to filter on two conditions. AND specifies that both conditions must be met simultaneously.

As an example, a cybersecurity concern might affect only those customer accounts that meet both the condition of being handled by a support representative with an ID of 5 and the condition of being located in the USA. To find the names and emails of those specific customers, you should place the two conditions on either side of the AND operator in the WHERE clause:

SELECT firstname, lastname, email, country, supportrepid
FROM customers
WHERE supportrepid = 5 AND country = 'USA';

Running this query returns four rows of information about the customers. You can use this information to contact them about the security concern.

OR

The OR operator also connects two conditions, but OR specifies that either condition can be met. It returns results where the first condition, the second condition, or both are met.

For example, if you are responsible for finding all customers who are either in the USA or Canada so that you can communicate information about a security update, you can use an OR operator to find all the needed records. As the following query demonstrates, you should place the two conditions on either side of the OR operator in the WHERE clause:

SELECT firstname, lastname, email, country
FROM customers
WHERE country = 'Canada' OR country = 'USA';

The query returns all customers in either the US or Canada.

Note: Even if both conditions are based on the same column, you need to write out both full conditions. For instance, the query in the previous example contains the filter WHERE country = 'Canada' OR country = 'USA'.

NOT

Unlike the previous two operators, the NOT operator only works on a single condition, and not on multiple ones. The NOT operator negates a condition. This means that SQL returns all records that don’t match the condition specified in the query.

For example, if a cybersecurity issue doesn't affect customers in the USA but might affect those in other countries, you can return all customers who are not in the USA. This would be more efficient than creating individual conditions for all of the other countries. To use the NOT operator for this task, write the following query and place NOT directly after WHERE:

SELECT firstname, lastname, email, country
FROM customers
WHERE NOT country = 'USA';

SQL returns every entry where the customers are not from the USA.

Pro tip: Another way of finding values that are not equal to a certain value is by using the <> operator or the != operator. For example, WHERE country <> 'USA' and WHERE country != 'USA' are the same filters as WHERE NOT country = 'USA'.

Combining logical operators

Logical operators can be combined in filters. For example, if you know that both the USA and Canada are not affected by a cybersecurity issue, you can combine operators to return customers in all countries besides these two. In the following query, NOT is placed before the first condition, it's joined to a second condition with AND, and then NOT is also placed before that second condition. You can run it to explore what it returns:

SELECT firstname, lastname, email, country
FROM customers
WHERE NOT country = 'Canada' AND NOT country = 'USA';
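The WHERE, LIKE, comparison, BETWEEN and logical-operator filters from the readings above, run with Python's sqlite3 module against constructed employees and customers tables that reuse the Chinook column names. This is an added example, not the course's Chinook database: every row is invented, and each filter value is bound as a parameter (the ? placeholder) rather than pasted into the query text, which is the habit that keeps a value copied from a ticket or form from changing the query.

```python
import sqlite3

# Constructed employees and customers tables that reuse the Chinook column
# names from the readings. Every row below is invented for this example.
SCHEMA = """
CREATE TABLE employees (
    employeeid INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT,
    title TEXT, email TEXT, birthdate TEXT, hiredate TEXT);
CREATE TABLE customers (
    customerid INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, email TEXT,
    city TEXT, state TEXT, country TEXT, supportrepid INTEGER);
INSERT INTO employees VALUES
    (1, 'Ada',  'Adams',  'General Manager', 'ada@example.com',  '1962-02-18', '2002-08-14'),
    (2, 'Ben',  'Brooks', 'IT Manager',      'ben@example.com',  '1973-07-01', '2003-01-01'),
    (3, 'Cleo', 'Cruz',   'IT Staff',        'cleo@example.com', '1970-01-01', '2002-01-01'),
    (4, 'Dev',  'Diaz',   'IT Staff',        'dev@example.com',  '1968-01-09', '2004-03-04'),
    (5, 'Eve',  'Evans',  'Sales Support',   'eve@example.com',  '1975-11-30', '2003-01-02');
INSERT INTO customers VALUES
    (1, 'Frank', 'Field', 'frank@example.com', 'Albany',  'NY',  'USA',            5),
    (2, 'Gina',  'Gale',  'gina@example.com',  'Reno',    'NV',  'USA',            4),
    (3, 'Hugo',  'Hart',  'hugo@example.com',  'Halifax', 'NS',  'Canada',         3),
    (4, 'Iris',  'Ito',   'iris@example.com',  'Sydney',  'NSW', 'Australia',      3),
    (5, 'Jon',   'Jolt',  'jon@example.com',   'Boston',  'MA',  'USA',            5),
    (6, 'Kim',   'Kaur',  'kim@example.com',   'London',  NULL,  'United Kingdom', 4),
    (7, 'Lee',   'Lund',  'lee@example.com',   'Calgary', 'AB',  'Canada',         5);
"""


def query(sql, params=()):
    """Run one query against a fresh in-memory copy of the sample tables."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(SCHEMA)
        return conn.execute(sql, params).fetchall()
    finally:
        conn.close()


def emails_with_title(title):
    # Exact match with =. The title is bound as a parameter (the ? placeholder),
    # so a value taken from a ticket or a form cannot rewrite the query.
    return query("SELECT email FROM employees WHERE title = ? ORDER BY email", (title,))


def emails_with_title_prefix(prefix):
    # LIKE with %: any number of characters may follow the prefix, so 'IT'
    # matches both 'IT Staff' and 'IT Manager'. SQLite's LIKE ignores ASCII case.
    return query("SELECT email FROM employees WHERE title LIKE ? ORDER BY email",
                 (prefix + "%",))


def states_matching(pattern):
    # _ stands for exactly one character: 'N_' matches NY, NV and NS but not
    # the three-letter NSW, and a NULL state never matches any pattern.
    return query("SELECT state FROM customers WHERE state LIKE ? ORDER BY state",
                 (pattern,))


def born_after(date, inclusive=False):
    # > is exclusive, >= is inclusive. ISO yyyy-mm-dd dates compare correctly
    # as strings, which is why the readings can compare birthdate to '1970-01-01'.
    operator = ">=" if inclusive else ">"     # fixed choice, never user input
    return query(f"SELECT lastname FROM employees WHERE birthdate {operator} ? "
                 "ORDER BY lastname", (date,))


def hired_between(start, end):
    # BETWEEN includes both end points.
    return query("SELECT lastname FROM employees WHERE hiredate BETWEEN ? AND ? "
                 "ORDER BY lastname", (start, end))


def customers_of_rep_in_country(rep_id, country):
    # AND: both conditions must hold for a row to be returned.
    return query("SELECT lastname FROM customers "
                 "WHERE supportrepid = ? AND country = ? ORDER BY lastname",
                 (rep_id, country))


def customers_outside(country_a, country_b):
    # NOT negates each condition and AND combines them, so only customers in
    # neither country come back; country <> ? AND country <> ? gives the same rows.
    return query("SELECT lastname FROM customers "
                 "WHERE NOT country = ? AND NOT country = ? ORDER BY lastname",
                 (country_a, country_b))
```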

Compare types of joins

Inner joins

The first type of join that you might perform is an inner join. INNER JOIN returns rows

matching on a specified column that exists in more than one table.

67
It only returns the rows where there is a match, but like other types of joins, it returns all

specified columns from all joined tables. For example, if the query joins two tables with

SELECT *, all columns in both of the tables are returned.

Note: If a column exists in both of the tables, it is returned twice when SELECT * is used.

The syntax of an inner join

To write a query using INNER JOIN, you can use the following syntax:

SELECT *

FROM employees

INNER JOIN machines ON employees.device_id = machines.device_id;

You must specify the two tables to join by including the first or left table after FROM and the

second or right table after INNER JOIN.

After the name of the right table, use the ON keyword and the = operator to indicate the column

you are joining the tables on. It's important that you specify both the table and column names

in this portion of the join by placing a period (.) between the table and the column.

In addition to selecting all columns, you can select only certain columns. For example, if you

only want the join to return the username, operating_system and device_id columns, you can

write this query:

SELECT username, operating_system, employees.device_id

FROM employees

INNER JOIN machines ON employees.device_id = machines.device_id;

Note: In the example query, username and operating_system only appear in one of the two

tables, so they are written with just the column name. On the other hand, because device_id

appears in both tables, it's necessary to indicate which one to return by specifying both the table

and column name (employees.device_id).

Outer joins

Outer joins expand what is returned from a join. Each type of outer join returns all rows from

either one table or both tables.

Left joins

When joining two tables, LEFT JOIN returns all the records of the first table, but only returns

rows of the second table that match on a specified column.

The syntax for using LEFT JOIN is demonstrated in the following query:

SELECT *

FROM employees

LEFT JOIN machines ON employees.device_id = machines.device_id;

As with all joins, you should specify the first or left table as the table that comes after FROM

and the second or right table as the table that comes after LEFT JOIN. In the example query,

because employees is the left table, all of its records are returned. Only records that match on

the device_id column are returned from the right table, machines.

Right joins

When joining two tables, RIGHT JOIN returns all of the records of the second table, but only

returns rows from the first table that match on a specified column.

The following query demonstrates the syntax for RIGHT JOIN:

SELECT *

FROM employees

RIGHT JOIN machines ON employees.device_id = machines.device_id;

RIGHT JOIN has the same syntax as LEFT JOIN; the only difference is that the RIGHT JOIN

keyword instructs SQL to produce different output. The query returns all records from

machines, which is the second or right table. Only matching records are returned from

employees, which is the first or left table.

Note: You can use LEFT JOIN and RIGHT JOIN and return the exact same results if you

use the tables in reverse order. The following RIGHT JOIN query returns the exact same

result as the LEFT JOIN query demonstrated in the previous section:

SELECT *

FROM machines

RIGHT JOIN employees ON employees.device_id = machines.device_id;

All that you have to do is switch the order of the tables that appear before and after the keyword

used for the join, and you will have swapped the left and right tables.

Full outer joins

FULL OUTER JOIN returns all records from both tables. You can think of it as a way of

completely merging two tables.

You can review the syntax for using FULL OUTER JOIN in the following query:

SELECT *

FROM employees

FULL OUTER JOIN machines ON employees.device_id = machines.device_id;

The results of a FULL OUTER JOIN query include all records from both tables. Similar to

INNER JOIN, the order of tables does not change the results of the query.
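As an added example that is not part of the course reading, the join queries from this section run in Python's sqlite3 module against two constructed tables in which one employee has no device and one machine is assigned to nobody, so the join types return visibly different rows. SQLite releases before 3.39 have no RIGHT JOIN keyword, so the RIGHT JOIN case is written as a LEFT JOIN with the tables swapped, exactly as the note above describes; the last function goes a step beyond the text by keeping only the outer-join rows whose partner is NULL.

```python
import sqlite3

# Constructed sample data (not from the course). Employee cchen has no device
# on record and machine d4 is assigned to nobody, so each join type differs.
EMPLOYEES = [("aalvarez", "d1"), ("bbashir", "d2"), ("cchen", None)]
MACHINES = [("d1", "Linux"), ("d2", "Windows"), ("d4", "macOS")]

ON_CLAUSE = "ON employees.device_id = machines.device_id"


def build_db():
    """In-memory SQLite database holding the reading's two tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (username TEXT, device_id TEXT)")
    conn.execute("CREATE TABLE machines (device_id TEXT, operating_system TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)", EMPLOYEES)
    conn.executemany("INSERT INTO machines VALUES (?, ?)", MACHINES)
    return conn

def inner_join(conn):
    """Only the rows whose device_id appears in both tables (2 of the 3 in each)."""
    return conn.execute(
        "SELECT username, operating_system, employees.device_id "
        f"FROM employees INNER JOIN machines {ON_CLAUSE}"
    ).fetchall()

def left_join(conn):
    """Every employee is kept; machine columns are NULL where no device matches."""
    return conn.execute(
        "SELECT username, operating_system, employees.device_id "
        f"FROM employees LEFT JOIN machines {ON_CLAUSE}"
    ).fetchall()

def right_join_via_swap(conn):
    """The reading's RIGHT JOIN, written as a LEFT JOIN with the tables swapped
    (SQLite before 3.39 has no RIGHT JOIN keyword). Every machine is kept."""
    return conn.execute(
        "SELECT username, operating_system, machines.device_id "
        f"FROM machines LEFT JOIN employees {ON_CLAUSE}"
    ).fetchall()

def unassigned_machines(conn):
    """Outer-join rows with a NULL partner reveal devices owned by nobody,
    the kind of inventory gap a security analyst wants to surface."""
    return [dev for user, _, dev in right_join_via_swap(conn) if user is None]
```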

Continuous learning in SQL

You've explored a lot about SQL, including applying filters to SQL queries and joining multiple

tables together in a query. There's still more that you can do with SQL. This reading will

explore an example of something new you can add to your SQL toolbox: aggregate functions.

You'll then focus on how you can continue learning about this and other SQL topics on your

own.

Aggregate functions

In SQL, aggregate functions are functions that perform a calculation over multiple data points

and return the result of the calculation. The actual data is not returned.

There are various aggregate functions that perform different calculations:

• COUNT returns a single number that represents the number of rows returned from your

query.

• AVG returns a single number that represents the average of the numerical data in a

column.

• SUM returns a single number that represents the sum of the numerical data in a column.

Aggregate function syntax

To use an aggregate function, place the keyword for it after the SELECT keyword, and then

in parentheses, indicate the column you want to perform the calculation on.

For example, when working with the customers table, you can use aggregate functions to

summarize important information about the table. If you want to find out how many customers

there are in total, you can use the COUNT function on any column, and SQL will return the

total number of records, excluding those where that column is NULL. You can run this query and

explore its output:

SELECT COUNT(firstname)

FROM customers;

The result is a table with one column titled COUNT(firstname) and one row that indicates the

count.

If you want to find the number of customers from a specific country, you can add a filter to

your query:

SELECT COUNT(firstname)

FROM customers

WHERE country = 'USA';

With this filter, the count is lower because it only includes the records where the country

column contains a value of 'USA'.

There are a lot of other aggregate functions in SQL. The syntax of placing them after SELECT

is exactly the same as the COUNT function.
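As an added example that is not part of the course reading, the NOT, <> and != filters and the combined NOT ... AND NOT ... filter from the logical operators section, together with the COUNT queries above, run in Python's sqlite3 module against a constructed customers table. One constructed row has no firstname, which shows the caveat stated above: COUNT(firstname) skips that row while COUNT(*), which the reading does not cover, counts every row.

```python
import sqlite3

# Constructed sample rows (not from the course). One customer has no firstname
# on record, which is what makes COUNT(firstname) and COUNT(*) disagree.
CUSTOMERS = [
    ("Ana", "Lopez", "ana@example.com", "USA"),
    ("Ben", "Singh", "ben@example.com", "Canada"),
    (None, "Okafor", "okafor@example.com", "Nigeria"),
    ("Dana", "Ito", "dana@example.com", "Japan"),
]

# Fixed query text only; any value that varies at run time goes through ? parameters.
NOT_USA_QUERIES = [
    "SELECT email FROM customers WHERE NOT country = 'USA'",
    "SELECT email FROM customers WHERE country <> 'USA'",
    "SELECT email FROM customers WHERE country != 'USA'",
]
OUTSIDE_USA_CANADA = (
    "SELECT email FROM customers WHERE NOT country = 'Canada' AND NOT country = 'USA'"
)


def build_db():
    """In-memory SQLite database holding the reading's customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (firstname TEXT, lastname TEXT, email TEXT, country TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn

def emails(conn, sql):
    """Run a fixed SELECT email query and return the matching emails as a set."""
    return {email for (email,) in conn.execute(sql)}

def not_usa_three_ways(conn):
    """NOT =, <> and != are the same filter: all three sets come back identical."""
    return [emails(conn, sql) for sql in NOT_USA_QUERIES]

def outside_usa_and_canada(conn):
    """Combined operators: NOT before each condition, joined with AND."""
    return emails(conn, OUTSIDE_USA_CANADA)

def count_customers(conn, country=None):
    """(COUNT(firstname), COUNT(*)): the first skips the NULL firstname, the
    second counts every row. The optional country filter is a bound parameter."""
    sql = "SELECT COUNT(firstname), COUNT(*) FROM customers"
    if country is None:
        return conn.execute(sql).fetchone()
    return conn.execute(sql + " WHERE country = ?", (country,)).fetchone()
```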

Continuing to learn SQL

SQL is a widely used querying language, with many more keywords and applications. You can

continue to learn more about aggregate functions and other aspects of using SQL on your own.

Most importantly, approach new tasks with curiosity and a willingness to find new ways to

apply SQL to your work as a security analyst. Identify the data results that you need and try to

use SQL to obtain these results.

Fortunately, SQL is one of the most important tools for working with databases and analyzing

data, so you'll find a lot of support in trying to learn SQL online. First, try searching for the

concepts you've already learned and practiced to find resources that have accurate, easy-to-follow

explanations. When you identify these resources, you can use them to extend your

knowledge.

Continuing your practical experience with SQL is also important. You can search for new

databases that allow you to perform SQL queries using what you've learned.
