The filesystem hierarchy
What lives where, and why it matters.
Linux directories are not arbitrary — the Filesystem Hierarchy Standard gives each a defined purpose, and knowing the map means you can find things on any distribution. The essentials: /etc holds system configuration (text files you edit to configure services), /var holds variable data that changes at runtime (logs in /var/log, spools, caches), /home holds users’ personal directories, and /root is the root user’s home. These four are where you will spend most of your time.
/proc and /sys: the system as files
A distinctive Linux idea: /proc and /sys are not real files on disk but live views of the kernel and running processes, presented as a filesystem you can read with normal tools. /proc/<pid>/ shows everything about a process; /proc/cpuinfo shows the CPU; /sys exposes kernel and device settings. This "everything is a file" design is why the same cat and grep you use on configs also let you inspect the live kernel — and it is central to how the security tooling later works.
$ cat /proc/loadavg # current system load$ cat /proc/$(pgrep -n sshd)/status | head # live info about a process$ ls /proc/1/ # PID 1 (init/systemd) — a directory of live state
Why the layout is a security concern
The hierarchy is not just tidiness — it tells you where to look and what to protect. Secrets and credentials tend to live in /etc and users’ home directories; evidence of what happened lives in /var/log; /tmp is world-writable and a classic place attackers drop tools. Knowing the map means you know where to hunt during an incident and which directories deserve the tightest permissions.