Cyber Intelligence
Getting Started with Linux · Foundation

L1. What Is Linux and Why Security Pros Use It

Linux powers over 90% of the world's servers, nearly every cloud instance, and most security tools. This lesson explains what Linux actually is, how the open-source model strengthens security, and where you will encounter Linux throughout your cybersecurity career.

What Is Linux?

When people say "Linux," they usually mean an entire operating system. Technically, Linux is just the kernel: the core program that manages hardware, memory, and processes. The full operating system you interact with is a combination of the Linux kernel plus a large collection of utilities originally developed by the GNU project, along with package managers, desktop environments, and other software assembled by a distribution (more on that in Lesson 2).

The Kernel's Job

The kernel sits between your hardware and every application running on the machine. It handles:

  • Process scheduling: deciding which programs get CPU time
  • Memory management: allocating and protecting RAM for each process
  • Device drivers: communicating with disks, network cards, and peripherals
  • System calls: providing a controlled interface that applications use to request resources

From a security perspective, the kernel is the most privileged code on the system. A vulnerability in the kernel can compromise everything above it, which is why kernel hardening and timely patching are critical topics you will revisit throughout this course.

A Brief History

Linus Torvalds released the first Linux kernel in 1991 as a free alternative to the proprietary UNIX systems that dominated universities and enterprises. The GNU project, started by Richard Stallman in 1983, had already built most of the user-space tools (compilers, shells, file utilities) but lacked a working kernel. Combining the Linux kernel with GNU tools created a complete, free operating system that anyone could run, study, modify, and distribute.

This combination is sometimes called GNU/Linux to credit both projects, though most people simply say "Linux."

Why Linux Dominates in Security

Server and Cloud Market Share

Linux runs the vast majority of public cloud workloads on AWS, Azure, and GCP. Most web servers, container hosts, and Kubernetes nodes are Linux-based. If you work in cloud security, incident response, or DevSecOps, you will spend significant time on Linux systems.

Open-Source Security Model

The Linux kernel and most of its ecosystem are open source. This means:

  • Anyone can audit the code. Security researchers worldwide review the source, find bugs, and submit patches.
  • Vulnerabilities are fixed publicly. When a flaw is discovered, the patch is visible and verifiable. You do not have to trust a vendor's claim that a fix is adequate.
  • No security through obscurity. The system's security does not rely on hiding how it works. It relies on sound design, proper configuration, and timely updates.

Open source does not automatically mean "more secure." It means the security is auditable. Misconfigured Linux systems are just as vulnerable as any other platform.

Security Tooling

The majority of offensive and defensive security tools are built for (and often on) Linux:

  Category              Example Tools
  Penetration Testing   Nmap, Metasploit, Burp Suite, Gobuster
  Forensics             Volatility, Autopsy, Sleuth Kit
  Network Analysis      Wireshark, tcpdump, Zeek
  SIEM / Log Analysis   Elastic Stack, Wazuh, Splunk (forwarder)
  Container Security    Trivy, Falco, Grype

Many of these tools are Linux-first or Linux-only. Even when a Windows version exists, the documentation and community support tend to center on Linux usage.

Where You Will Encounter Linux

In a SOC (Security Operations Center)

SIEM collectors, log forwarders, and threat-hunting appliances typically run on Linux. You will SSH into these machines to troubleshoot agents, review logs, and deploy detection rules.

In Cloud Environments

When you launch an EC2 instance, a GCP Compute Engine VM, or an Azure virtual machine, the default choice is often Ubuntu or Amazon Linux. Understanding Linux file permissions, services, and logging is essential for cloud incident response.

In Containers and Kubernetes

Docker containers are built on Linux namespaces and cgroups. Even on a macOS or Windows development machine, your containers run a Linux kernel under the hood. Kubernetes nodes are almost exclusively Linux.

On Your Own Workstation

Many security professionals run Linux (or a Linux VM) as their daily driver for penetration testing, scripting, and lab environments. Distributions like Kali Linux come pre-loaded with hundreds of security tools.

The Linux Philosophy and Security

Linux inherits the UNIX philosophy: each tool does one thing well, and you combine tools using pipes and scripts. This modular approach has a direct security benefit. Instead of relying on a single monolithic application, you compose small, well-understood components. Each component can be individually audited, updated, and replaced without affecting the rest of the system.

You will see this philosophy in action throughout the course as you chain commands together, write shell scripts for automation, and configure individual services with their own dedicated configuration files.
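As an added illustration of the composable-tools idea (example code written for this lesson, not part of the course material), the script below chains grep, awk, sort and uniq to turn sshd authentication lines into a per-source count of failed logins, the kind of triage a SOC analyst does on a Linux log host. The log lines, hostnames and addresses are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of sshd lines in the format used by /var/log/auth.log
# (hypothetical host "bastion" and documentation-range IP addresses).
SAMPLE_LOG='Mar  3 10:01:12 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar  3 10:01:15 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
Mar  3 10:01:20 bastion sshd[2108]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:03 bastion sshd[2115]: Failed password for root from 203.0.113.45 port 51201 ssh2
Mar  3 10:02:41 bastion sshd[2120]: Failed password for bob from 192.0.2.19 port 33010 ssh2
Mar  3 10:03:00 bastion sshd[2127]: Accepted password for bob from 192.0.2.19 port 33012 ssh2'

# Reads log lines on stdin and prints "<count> <source-ip>", highest count first.
# Each stage is a single-purpose tool; the pipe is what composes them:
#   grep  keeps only failed-authentication lines
#   awk   extracts the address that follows the word "from"
#   sort  groups identical addresses so uniq can count adjacent duplicates
#   uniq  counts each group
#   sort  orders groups by count, descending
#   awk   normalises uniq's padded output to "count ip"
failed_logins_by_source() {
    grep 'Failed password' \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort \
    | uniq -c \
    | sort -rn \
    | awk '{ print $1, $2 }'
}

# Reads log lines on stdin; prints only the addresses whose failure count
# reaches the threshold given as $1 (a simple brute-force indicator).
flag_brute_force() {
    failed_logins_by_source | awk -v threshold="$1" '$1 >= threshold { print $2 }'
}

# Stand-alone run: full report, then sources with three or more failures.
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_source
printf '%s\n' "$SAMPLE_LOG" | flag_brute_force 3
```

On a real host you would replace the embedded sample with `sudo cat /var/log/auth.log | failed_logins_by_source` (or `journalctl -u ssh` on systemd distributions), and the same pipeline works unchanged.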

What Comes Next

In the following lessons you will install Linux, learn to navigate the terminal, manage packages, and configure user permissions. Every topic connects back to security: understanding how Linux works at a fundamental level is what separates someone who can operate security tools from someone who can investigate, harden, and defend the systems those tools run on.

Exam Focus Points

  • Linux is a kernel, not a complete OS: the full system combines the Linux kernel with GNU utilities and distribution-specific tooling.
  • Open-source code is auditable, not automatically secure: proper configuration and patching are still required.
  • Linux dominates servers, cloud workloads, containers, and security tooling ecosystems.
  • The UNIX philosophy of small, composable tools supports modular security auditing and hardening.

Knowledge Check

1. What does the term "Linux" technically refer to?

2. Why is the open-source model considered a security advantage for Linux?

3. Which of the following best explains why a kernel vulnerability is especially dangerous?