Critical Linux System Files¶
Table of Contents¶
- System Configuration and User Management
- Logs and Auditing
- System Boot and Initialization Files
- Networking Files
- Services and Processes
- Storage and Filesystem Files
- Performance and Monitoring Files
- Package Management Files
System Configuration and User Management¶
/etc/profile and ~/.bash_logout (system-wide .bashrc)¶
The /etc/profile file is loaded on every single instance of bash, whether it's a
login/interactive shell or not.
It's basically a system-wide .bashrc file.
If /etc/profile exists, it will read/execute this first, before any other config files.
Then bash will look for ~/.bash_profile, ~/.bash_login, and ~/.profile.
The first one of these found will be read/executed, and the rest will be ignored.
The ~/.bash_logout file will be read/executed every time a shell exits (with the
exit builtin), whether it's a login/interactive shell or non-interactive shell.
So the order in which bash loads config files:
-
Non-interactive
/etc/profile(always)- First one found (in this order):
~/.bash_profile~/.bash_login~/.profile
~/.bash_logoutwhen the shellexits.
-
Interactive shell
/etc/profile(always)/etc/bash.bashrc(always)- First one found (in this order):
~/.bash_profile~/.bash_login~/.profile
~/.bashrc~/.bash_logoutwhen the shellexits.
/etc/passwd¶
Each line in the /etc/passwd file represents a user account.
The format of each line in /etc/passwd is as follows:
username:password:UID:GID:GECOS:home_directory:shell
username: The username for the new user.password: The encrypted password for the user.- This is set to
xif a password exists. - You can leave this field empty to disable password login.
- This is set to
UID: The user ID for the new user.GID: The primary group ID for the new user.GECOS: Additional information about the user (such as full name or description).home_directory: The home directory for the new user.shell: The login shell for the new user.
/etc/group¶
Groups are stored in this file as:
group_name:password:group_id:group_members
- Just like
/etc/passwd, thepasswordfield usually has anx(if a password exists).
/etc/shadow¶
Stores encrypted password hashes and password aging information.
Accessible only by privileged users (e.g., root).
/etc/gshadow¶
Stores secure group information, such as group passwords and group administrators.
/etc/login.defs¶
Contains system-wide settings for user and group creation, password policies, and other login-related configurations.
/etc/skel¶
Contains default files that are copied to a new user's home directory when it's created.
/etc/sudoers and /etc/sudoers.d/¶
Config files for managing sudo permissions.
Each line in this file is a rule specifying who is allowed to do sudo stuff on the system.
Add a rule for a user in this file in the format:
# username host=(user:group) commands
username ALL=(ALL:ALL) ALL
username: The username of the user that the rule will apply to.ALL=: Defines where the rule applies.ALLmeans it applies to any host (for multi-host environments).
(ALL:ALL) ALL:- The first
ALLrefers to the user list.- This means the user can run commands as any user.
- The second
ALLrefers to the group list.- This means the user can run commands as any group.
- The third
ALLrepresents the commands the user can run with sudo.ALLmeans they can run any command with sudo.- This can be a comma separated list of specific commands.
- The first
Add a rule for a group the same way, except prepend a % to the name (without a space).
%groupname ALL=(ALL:ALL) ALL
Logs and Auditing¶
/var/log/auth.log (or /var/log/secure on RedHat systems)¶
This file logs authentication attemps, including successful and failed logins and sudo usage.
/var/log/auth.logon Debian/var/log/secureon RedHat
/etc/audit/auditd.conf¶
Configuration file for the audit daemon (auditd), which tracks system events for security purposes.
/var/log/audit/audit.log¶
This logs all events monitored by the audit framework, like file access and user activity.
System Boot and Initialization Files¶
/etc/fstab¶
The /etc/fstab (file system tables) file contains info about the file systems and their mount points.
It configures filesystems to mount at boot time.
This can be edited to add a new filesystem mount.
Every time you mount a file system and want it to be permanently mounted, you need
to add an entry here.
/dev/mapper/VolGroup-my_lv /space ext4 defaults 0 0
/etc/fstab Fields¶
There are six fields in /etc/fstab entries.
/dev/mapper/VolGroup-my_lv /space ext4 defaults 0 0
- Device: The name of the block device file (e.g.,
/dev/sda1)/dev/mapper/VolGroup-my_lvin the example.
- Mountpoint: The directory where the device is attached to the filesystem tree
/spacein the example.
- Filesystem type: The type of filesystem (e.g.,
ext4,ntfs,cifs, etc.)ext4in the example.
- Options: The options to mount the device with (e.g.,
defaults,ro,rw, etc.)defaultsin the example.
- Frequency: A number that specifies uf and when a filesystem should be backed up
with the
dumpcommand.0(never) in the example.
- Order: A nubmer that specifies win what order filesystems hsould be checked with
the
fsckcommand.0(never) in the example.
/boot/grub2/grub.cfg (or /boot/grub/grub.cfg)¶
GRUB bootloader config file.
Contains kernel and boot options.
- Do not edit this firle directly. Use something like
grub-mkconfiginstead.
/etc/default/grub¶
This defines the defaule GRUB bootloader settings. E.g., timeout and kernel parameters.
/etc/systemd/system/default.target¶
This specifies the default systemd target (e.g., multi-user or graphical) that the system boots into.
Networking Files¶
/etc/hosts¶
Maps hostnames to IP addresses for local IP resolution.
127.0.0.1 localhost
192.168.1.10 server1.example.com server1
/etc/resolv.conf¶
This configures DNS servers for resolving domain names.
/etc/hostname¶
This specifies the system's hostname.
/etc/network/interfaces (Debian) or /etc/sysconfig/network-scripts/ifcfg-* (RedHat)¶
Configuration files for network interfaces.
/etc/nsswitch.conf¶
Nameswitch. Defines the order of name resolution (e.g., local files, DNS, NIS).
Services and Processes¶
/etc/ssh/sshd_config¶
Configures the SSH server, including allowed auth methods and security settings.
~/.ssh/authorized_keys¶
Lists public keys allowed to log in via SSH for a specific user
/etc/pam.d/¶
Contains Pluggable Authentication Module (PAM) config files for various services.
/etc/security/limits.conf¶
Defines resource limites for users, like maximum open files or CPU usage.
/etc/selinux/config (RedHat)¶
Configures SELinux enforcement mode (enforcing, permissive, disabled).
/var/log/faillog¶
Tracks failed login attemps.
/var/log/btmp¶
Records failed login attempts.
Access with lastb
lastb
/var/log/wtmp¶
Records login and logout events.
Access with last
last
Storage and Filesystem Files¶
/etc/mtab¶
Lists currently mounted filesystems
/proc/mounts¶
Similar to /etc/mtab, but dynamically generated by the kernel.
/etc/mdadm.conf¶
Config file for software RAID (mdadm).
/etc/lvm/lvm.conf¶
Config file for Logical Volume Management (LVM).
/etc/exports¶
Config file for NFS shared directories.
Performance and Monitoring Files¶
/proc/cpuinfo¶
Provides info about the CPU.
/proc/meminfo¶
Provides memory usage statistics.
/proc/loadavg¶
Shows system load averages.
/var/log/dmesg¶
This is the Kernel ring buffer log file.
Logs kernel messages.
This is useful for debugging hardware and boot issues.
dmesg -l
Package Management Files¶
/etc/apt/sources.list (Debian)¶
Package repos for apt.
/etc/yum.repos.d/*.repo (RedHat)¶
Configuration files for yum/dnf repositories.
Specific packages can be excluded in/etc/yum.conf or /etc/dnf/dnf.conf.
/var/log/dnf.log (or /var/log/yum.log) (RedHat)¶
Logs package installation and updates.
Files in /proc¶
The purpose of each of these Files in /proc:
# System Hardware and Memory
/proc/fb # Framebuffer device (graphics display)
/proc/dma # Active Direct Memory access (DMA) channels used by device
/proc/iomem # Memory map of devices and system memory regions. Use for debugging memory-mapped devices
/proc/ioports # List of I/O ports used by system devices (serial ports, PCI devices, etc)
/proc/meminfo # Detailed info on memory usage (incl. free, total, cached memory)
/proc/mtrr # Memory Type Range Registers (MTRRs) used for CPU cache optimizations
/proc/vmallocinfo # Details about memory allocated via `vmalloc()`. Helps with debugging memory usage.
/proc/pagetypeinfo # Memory allocation and fragmentation details at the page level
/proc/buddyinfo # Memory fragmentation and allocation by the buddy system allocator
/proc/zoneinfo # Detailed memory stats for each NUMA zone (RAM region)
/proc/kpagecount # Number of references (users) for each physical memory page
/proc/kpageflags # Flags associated with each memory page (e.g., free, allocated, swap)
/proc/kpagecgroup # Cgroup related memory usage stats for each apge
# CPU and Performance Monitoring
/proc/cpuinfo # Detailed CPU information, including model, cores, cache size, and flags.
/proc/loadavg # System load averages over 1, 5, and 15 minutes, plus running processes.
/proc/stat # Overall system statistics, including CPU usage, interrupts, and context switches.
/proc/vmstat # Virtual memory statistics (page faults, swap usage, I/O operations).
/proc/schedstat # Scheduler statistics for CPU task scheduling performance.
# Storage & Swap
/proc/swaps # Information about active swap spaces.
/proc/diskstats # Statistics for each disk device (reads, writes, I/O time, etc.).
/proc/partitions # Information about detected partitions.
# Kernel & System Information
/proc/modules # List of currently loaded kernel modules (drivers).
/proc/version # Kernel version, build date, and compiler used.
/proc/version_signature # More detailed kernel version information (used by some distros).
/proc/cmdline # Kernel boot parameters (passed by bootloader).
/proc/kcore # A virtual file representing the entire system memory (use with gdb for kernel debugging).
/proc/filesystems # List of supported filesystems in the kernel.
/proc/execdomains # Execution domain support (for different binary formats).
/proc/sysrq-trigger # Allows manually triggering a SysRq key function (e.g., force kernel panic, reboot).
/proc/bootconfig # Kernel boot configuration settings.
# Security & Encryption
/proc/crypto # List of available cryptographic ciphers supported by the kernel.
/proc/keys # Shows currently loaded kernel keys (used in authentication, encryption).
/proc/key-users # Statistics about kernel key usage per user.
# Process & Locking Mechanisms
/proc/locks # Active file locks on the system (used by flock and advisory locking).
/proc/softirqs # Soft interrupt statistics (used in networking, disk I/O).
/proc/interrupts # Statistics on hardware interrupts, including CPU usage per IRQ.
/proc/timer_list # List of active kernel timers (for debugging time-based operations).
# System Services & Containers
/proc/cgroups # Lists active cgroups (control groups for resource management).
/proc/mdstat # Status of RAID arrays managed by mdadm.
# Logging & Debugging
/proc/kmsg # Kernel log messages (similar to dmesg).
/proc/consoles # Active console devices (e.g., tty, serial console).
/proc/kallsyms # Kernel symbols table (used for debugging, similar to System.map).
# Miscellaneous
/proc/misc # Miscellaneous character devices.
/proc/uptime # System uptime (first value) and idle time (second value).
Other¶
/etc/services: Shows all the default ports for different services./etc/protocols: Shows the different types of internet protocols.