Cyber Intelligence
Getting Started with Linux · Foundation

L3. Terminal Essentials: Navigation, Files and Pipes

The terminal is your primary interface to Linux systems. This lesson covers shell basics, navigating the filesystem, creating and managing files, reading file contents, and combining commands with pipes and redirection.

The Shell: Your Interface to Linux

When you open a terminal on a Linux system, you are interacting with a shell: a program that reads your commands, interprets them, and passes them to the operating system for execution. The most common shell is Bash (Bourne Again Shell), though many modern systems also include Zsh.

For security work, the shell is indispensable. You will use it to investigate incidents, parse logs, automate tasks, and configure systems. GUIs exist on some Linux installations, but servers almost never have them. Everything happens in the terminal.

Your Prompt

When you log in, you see a prompt like this:

user@hostname:~$

This tells you: your username, the machine name, your current directory (~ means your home directory), and whether you are a regular user ($) or root (#).

Linux organizes everything in a single directory tree starting from / (the root directory). There are no drive letters like on Windows.

Key Directories

Directory    Purpose
/            Root of the entire filesystem
/home        User home directories
/etc         System configuration files
/var/log     Log files
/tmp         Temporary files (cleared on reboot)
/usr/bin     User programs and utilities
/sbin        System administration binaries
/root        Home directory of the root user

As a security professional, you will spend significant time in /etc (configuration), /var/log (logs), and /home (user data).

Essential Navigation Commands

pwd                  # Print Working Directory: shows where you are
ls                   # List files in the current directory
ls -la               # List all files (including hidden) with details
cd /var/log          # Change Directory to /var/log
cd ..                # Go up one level
cd ~                 # Go to your home directory
cd -                 # Go back to the previous directory

The ls -la command is one you will use constantly. The output looks like this:

drwxr-xr-x 2 user group 4096 Jun 20 10:00 documents
-rw-r--r-- 1 user group  512 Jun 20 09:30 notes.txt

The first column shows file permissions (covered in detail in Lesson 6). The d at the start means directory. The rest shows owner, group, size, date, and filename.

Working with Files and Directories

Creating Files and Directories

touch newfile.txt          # Create an empty file (or update its timestamp)
mkdir reports              # Create a directory
mkdir -p logs/2026/june    # Create nested directories in one command

Copying, Moving, and Deleting

cp file.txt backup.txt           # Copy a file
cp -r reports/ backup-reports/   # Copy a directory recursively
mv file.txt archive/             # Move a file into a directory
mv oldname.txt newname.txt       # Rename a file
rm unwanted.txt                  # Delete a file (no recycle bin!)
rm -r old-directory/             # Delete a directory and its contents

Security note: rm does not ask for confirmation by default, and deleted files do not go to a trash folder. On a production system, a careless rm -rf / command can destroy everything. Always double-check your path before pressing Enter.

Reading File Contents

Different commands serve different purposes when examining files:

cat file.txt             # Print the entire file to the terminal
less file.txt            # View a file page by page (press q to quit)
head -n 20 file.txt      # Show the first 20 lines
tail -n 20 file.txt      # Show the last 20 lines
tail -f /var/log/syslog  # Follow a log file in real time (Ctrl+C to stop)

The tail -f command is essential for monitoring. During an incident, you might tail a log file while reproducing suspicious activity to see events as they happen.

Pipes and Redirection

One of Linux's most powerful features is the ability to pipe the output of one command into another and to redirect output to files.

Pipes (|)

A pipe takes the standard output (stdout) of one command and sends it as input to the next command:

# Count how many lines are in a file
cat /var/log/auth.log | wc -l

# Find failed SSH login attempts
cat /var/log/auth.log | grep "Failed password"

# Find failed logins and count them
grep "Failed password" /var/log/auth.log | wc -l

# Sort unique IP addresses from failed logins
# ($11 assumes the IP is the 11th field; auth.log lines for unknown accounts
# contain "invalid user", which shifts it, so $(NF-3) is the robust choice)
grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn

That last command is a real-world example of the pipe philosophy in action. Each command does one thing: grep filters lines, awk extracts a field, sort orders them, uniq -c counts duplicates, and the final sort -rn orders by count descending.

Redirection

echo "scan started" > scan.log       # Write to file (overwrites existing content)
echo "host found" >> scan.log        # Append to file
grep "error" app.log 2> errors.txt   # Redirect stderr (error messages) to a file
command > output.txt 2>&1            # Redirect both stdout and stderr to a file

Security note: Be careful with > vs >>. A single > overwrites the file completely. During a forensic investigation, accidentally overwriting a log file with > could destroy evidence.

Searching with grep

grep is the go-to command for searching text. You will use it daily.

grep "error" /var/log/syslog              # Find lines containing "error"
grep -i "error" /var/log/syslog           # Case-insensitive search
grep -r "password" /etc/                  # Search recursively in a directory
grep -n "root" /etc/passwd                # Show line numbers in results
grep -v "info" /var/log/syslog            # Show lines that do NOT match
grep -c "Failed" /var/log/auth.log        # Count matching lines

Combining grep with pipes is a core skill for log analysis, incident investigation, and configuration auditing.

Getting Help: man Pages

Almost every Linux command has a manual page:

man ls          # Read the manual for the ls command
man grep        # Read the manual for grep
man -k "file"   # Search all man pages for a keyword

Inside a man page, press / to search, n for next match, and q to quit. When you encounter an unfamiliar command or flag in a security tool, man is your first stop.

Putting It Together: A Security Example

Imagine you suspect brute-force SSH attempts against your server. Here is how you would investigate using only the commands from this lesson:

# Check the auth log for failed password attempts
grep "Failed password" /var/log/auth.log | tail -n 20

# Count total failed attempts
grep -c "Failed password" /var/log/auth.log

# Extract and rank the source IP addresses
grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn | head -n 10

# Save the results to a file for reporting
grep "Failed password" /var/log/auth.log > /tmp/failed-ssh-report.txt

This workflow (filter, extract, aggregate, save) is the foundation of command-line security analysis.
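
As an added example that is not part of the lesson, here is the investigation above run end to end as a small script against a constructed auth.log sample (the log lines and the function names are assumptions, not real data), using the $(NF-3) form for the IP field and saving the report with noclobber so that > cannot overwrite an existing file:

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log lines (not real data). It mixes
# "invalid user" attempts with attempts against existing accounts, which
# shifts the position of the source IP within the line.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Jun 20 10:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jun 20 10:00:03 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 51030 ssh2
Jun 20 10:00:04 web1 sshd[2105]: Accepted password for alice from 198.51.100.7 port 40100 ssh2
Jun 20 10:00:06 web1 sshd[2107]: Failed password for invalid user test from 198.51.100.9 port 40200 ssh2
Jun 20 10:00:09 web1 sshd[2109]: Failed password for alice from 203.0.113.5 port 51044 ssh2
EOF

# Count failed attempts: grep -c filters and counts in one step.
count_failed() {
    grep -c "Failed password" "$1"
}

# Rank source IPs by number of failures. $(NF-3) counts back from the end
# of the line ("from IP port N ssh2"), so it finds the IP whether or not
# "invalid user" is present; a fixed $11 would return the username on the
# "invalid user" lines.
rank_failed_ips() {
    grep "Failed password" "$1" | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn
}

# Top offender only: first line of the ranking, second field (count is first).
top_failed_ip() {
    rank_failed_ips "$1" | head -n 1 | awk '{print $2}'
}

# Save the ranking for reporting. set -C (noclobber) makes ">" refuse to
# truncate an existing file, so a mistyped path cannot silently destroy
# a file that is already there; the subshell keeps the option local.
save_report() {
    ( set -C; rank_failed_ips "$1" > "$2" )
}

main() {
    echo "failed attempts: $(count_failed "$SAMPLE_LOG")"
    rank_failed_ips "$SAMPLE_LOG"
    echo "top source: $(top_failed_ip "$SAMPLE_LOG")"
    save_report "$SAMPLE_LOG" "$SAMPLE_LOG.report" && echo "report written"
}
main
```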

Exam Focus Points

  • The shell (Bash/Zsh) interprets commands and passes them to the OS; the prompt shows your user, hostname, directory, and privilege level.
  • Pipes (|) chain commands together: the output of one becomes the input of the next, enabling powerful one-line analysis.
  • Redirection with > overwrites a file while >> appends; using the wrong one during forensics can destroy evidence.
  • grep is the primary tool for searching logs and config files: combine with -i, -r, -n, -v, and -c for flexible filtering.
  • tail -f follows a log file in real time, which is critical for live incident monitoring.

Knowledge Check

1. What does the pipe operator (|) do in a Linux command?

2. Which command would you use to watch a log file in real time during an incident?

3. What is the risk of using > instead of >> when redirecting output during a forensic investigation?