Cyber Security Practicum Report - Assignment 3 - Class C - Group 3

This document provides instructions on working with text files using graphical and command line text editors in Linux. It discusses the SciTE graphical text editor and how to open, save and find files with it. It then covers using the nano command line text editor to open, navigate and edit text files. The document teaches important skills for manipulating configuration and log files from the Linux command line.

CYBER SECURITY PRACTICUM REPORT

ASSIGNMENT 3

Course:
TIK3072C Cyber Security Practicum
Sherwin Reinaldo U Aldo Sompie ST, MT
Xaverius B.N. Najoan ST, MT

Prepared by:

I Gede Arie Yogantara Subrata 19021106005
Ruth L. Watimena 19021106014
Tesalonika Kondoy 19021106016

Informatics Engineering Study Program
Department of Electrical Engineering
Faculty of Engineering
Universitas Sam Ratulangi
Manado
2022

© Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 73
Lab – Working with Text Files in the CLI


Introduction
In this lab, you will get familiar with Linux command line text editors and configuration files.

Required Resources
• CyberOps Workstation Virtual Machine

Part 1: Graphical Text Editors


Before you can work with text files in Linux, you must get familiar with text editors.
Text editors are one of the oldest categories of applications created for computers. Linux, like many other
operating systems, has many different text editors, with various features and functions. Some text editors
include graphical interfaces, while others are only usable via the command line. Each text editor includes a
feature set designed to support a specific work scenario. Some text editors focus on the programmer and
include features such as syntax highlighting, bracket matching, find and replace, multi-line Regex support, spell
check, and other programming-focused features.
To save space and keep the virtual machine lean, the Cisco CyberOps VM only includes SciTE as graphical
text editor application. SciTE is a simple, small and fast text editor. It does not have many advanced features
but it fully supports the work done in this course.
Note: The choice of text editor is a personal one. There is no such thing as a best text editor. The best text
editor is the one that you feel most comfortable with and works best for you.

Step 1: Open SciTE from the GUI


a. Log on to the CyberOps VM as the user analyst using the password cyberops. The account analyst is
used as the example user account throughout this lab.
b. On the top bar, navigate to Applications > CyberOPS > SciTE to launch the SciTE text editor.


c. SciTE is simple but includes a few important features: tabbed environment, syntax highlighting and more.
Spend a few minutes with SciTE. In the main work area, type or copy and paste the text below:
“Space, is big. Really big. You just won't believe how vastly, hugely, mindbogglingly big it is. I mean, you
may think it's a long way down the road to the chemist, but that's just peanuts to space.”
― Douglas Adams, The Hitchhiker’s Guide to the Galaxy
d. Click File > Save to save the file. Notice that SciTE attempts to save the file to the current user’s home
directory, which is analyst, by default. Name the file space.txt and click Save.

e. Close SciTE by clicking the X icon on the upper right side of the window and then reopen SciTE.
f. Click File > Open… and search for the newly saved file, space.txt.
Could you immediately find space.txt? No
g. Even though SciTE is looking at the correct directory (/home/analyst), space.txt is not displayed. This is
because SciTE is looking for known extensions and .txt is not one of them. To display all files, click the
dropdown menu at the bottom of the Open File window and select All Files (*).
h. Select space.txt to open it.


Note: While the Linux file systems do not rely on extensions, some applications such as SciTE may attempt
to use them to identify file types.
i. Close space.txt when finished.

Step 2: Open SciTE from the Terminal.


a. Alternatively, you can also open SciTE from the command line. Click the terminal icon located in the Dock
at the bottom. The terminal emulator opens.
b. Type ls to see the contents of the current directory. Notice space.txt is listed. This means you do not have
to provide path information to open the file.
c. Type scite space.txt to open SciTE. Note that this will not only launch SciTE in the GUI, but it will also
automatically load the space.txt text file that was previously created.
[analyst@secOps ~]$ scite space.txt

d. Notice that while SciTE is open in the foreground, the terminal window used to launch it is still open in the
background. In addition, notice that the terminal window used to launch SciTE no longer displays the
prompt.
Why is the prompt not shown?
Because the window is running SciTE and therefore cannot accept commands.
e. Close this instance of SciTE by either clicking the X icon as before, or by switching the focus back to the
terminal window that launched SciTE and stopping the process. You can stop the process by pressing
CTRL+C.
Note: Starting SciTE from the command line is helpful when you want to run SciTE as root. Simply precede
scite with the sudo command, sudo scite.
f. Close SciTE and move on to the next section.


Part 2: Command Line Text Editors


While graphical text editors are convenient and easy to use, command line-based text editors are very important
in Linux computers. The main benefit of command line-based text editors is that they allow for text file editing
from a remote shell on a remote computer.
Consider the following scenario: a user must perform administrative tasks on a Linux computer but is not sitting
in front of that computer. Using SSH, the user starts a remote shell to the aforementioned computer. Under the
text-based remote shell, the graphical interface may not be available which makes it impossible to rely on
graphical text editors. In this type of situation, text-based text editors are crucial.
Note: This is mainly true when connecting to remote, headless servers that lack a GUI interface.
The Cisco CyberOps VM includes a few command line-based text editors. This course focuses on nano.
Note: Another extremely popular text editor is called vi. While the learning curve for vi is considered steep, vi
is a very powerful command line-based text editor. It is included by default in almost all Linux distributions and
its original code was first created in 1976. An updated version of vi is named vim which stands for vi-improved.
Today most vi users are actually using the updated version, vim.
Due to the lack of graphical support, nano (or GNU nano) can be controlled solely through the keyboard.
CTRL+O saves the current file; CTRL+W opens the search menu. GNU nano uses a two-line shortcut bar at
the bottom of the screen, where a number of commands for the current context are listed. After nano is open,
press CTRL+G for the help screen and a complete list.
a. In the terminal window, type nano space.txt to open the text file created in Part 1.
[analyst@secOps ~]$ nano space.txt

b. nano will launch and automatically load the space.txt text file. While the text may seem to be truncated or
incomplete, it is not. Because the text was created with no return characters and line wrapping is not
enabled by default, nano is displaying one long line of text.

Use the Home and End keyboard keys to quickly navigate to the beginning and to the end of a line,
respectively.
What character does nano use to represent that a line continues beyond the boundaries of the screen?
The dollar sign ($).
c. As shown on the bottom shortcut lines, CTRL+X can be used to exit nano. nano will ask if you want to
save the file before exiting (‘Y’ for Yes, or N for ‘No’). If ‘Y’ is chosen, you will be prompted to press enter
to accept the given file name, or change the file name, or provide a file name if it is a new unnamed
document.


d. To control nano, you can use CTRL, ALT, ESCAPE or the META keys. The META key is the key on the
keyboard with a Windows or Mac logo, depending on your keyboard configuration.
e. Navigation in nano is very user friendly. Use the arrows to move around the files. Page Up and Page Down
can also be used to skip forward or backwards entire pages. Spend some time with nano and its help
screen. To enter the help screen, press CTRL+G.

Part 3: Working with Configuration Files


In Linux, everything is treated as a file. The memory, the disks, the monitor output, the files, the directories;
from the operating system standpoint, everything is a file. It should be no surprise that the system itself is configured
through files. Known as configuration files, they are usually text files and are used by various applications and
services to store adjustments and settings for that specific application or service. Practically everything in Linux
relies on configuration files to work. Some services have not one but several configuration files.
Users with proper permission levels use text editors to change the contents of such configuration files. After the
changes are made, the file is saved and can be used by the related service or application. Users are able to
specify exactly how they want any given application or service to behave. When launched, services and
applications check the contents of specific configuration files and adjust their behavior accordingly.

Step 1: Locating Configuration Files


The program author defines the location of configuration for a given program (service or application). Because
of that, the documentation should be consulted when assessing the location of the configuration file.
Conventionally however, in Linux, configuration files that are used to configure user applications are often
placed in the user’s home directory while configuration files used to control system-wide services are placed in
the /etc directory. Users always have permission to write to their own home directories and are able to configure
the behavior of applications they use.

a. Use the ls command to list all the files in the analyst home directory:
[analyst@secOps ~]$ ls -l
total 20
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:32 space.txt

While a few files are displayed, none of them seem to be configuration files. This is because it is convention
to hide home-directory-hosted configuration files by preceding their names with a “.” (dot) character.
b. Use the ls command again but this time add the -a option to also include hidden files in the output:
[analyst@secOps ~]$ ls -la
total 268
drwxr-xr-x 19 analyst analyst 4096 Aug 2 15:43 .
drwxr-xr-x 3 root root 4096 Sep 26 2014 ..
-rw------- 1 analyst analyst 250 May 4 11:42 .atftp_history

-rw------- 1 analyst analyst 13191 Aug 1 09:48 .bash_history
-rw-r--r-- 1 analyst analyst 97 Mar 21 15:31 .bashrc
drwxr-xr-x 4 analyst analyst 4096 Jul 6 10:26 broken_down
drwxr-xr-x 10 analyst analyst 4096 Nov 7 2016 .cache
drwxr-xr-x 12 analyst analyst 4096 Jun 5 11:45 .config
-rw-r--r-- 1 analyst analyst 16384 Apr 12 10:06 .cyberops_topo.py.swp
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
-rw-r--r-- 1 analyst analyst 43 Sep 27 2014 .dmrc
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
-rw-r--r-- 1 analyst analyst 72 Sep 26 2014 .fehbg
drwxr-xr-x 5 analyst analyst 4096 Sep 26 2014 .fluxbox
drwx------ 3 analyst analyst 4096 Sep 7 2016 .gnupg
-rw------- 1 analyst analyst 28920 Aug 2 15:01 .ICEauthority
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 .idlerc
drwxr-xr-x 3 analyst analyst 4096 Sep 27 2014 .java
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
-rw------- 1 analyst analyst 290 Jul 6 15:15 .lesshst
drwxr-xr-x 3 analyst analyst 4096 Sep 26 2014 .local
<Some output omitted>

c. Use cat command to display the contents of the .bashrc file. This file is used to configure user-specific
terminal behavior and customization.
[analyst@secOps ~]$ cat .bashrc
export EDITOR=vim

PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '

alias ls="ls --color"
alias vi="vim"

Do not worry too much about the syntax of .bashrc at this point. The important thing to notice is that .bashrc
contains configuration for the terminal. For example, the line PS1='\[\e[1;32m\][\u@\h \W]\$\[\e[0m\] '
defines the structure of the prompt displayed by the terminal: [username@hostname current_dir]
followed by a dollar sign, all in green. A few other configurations include shortcuts to commands such as ls
and vi. In this case, every time the user types ls, the shell automatically converts that to ls --color to display
a color-coded output for ls (directories in blue, regular files in grey, executable files in green, etc.)
The specific syntax is out of the scope of this course. What is important is understanding that user
configurations are conventionally stored as hidden files in the user’s home directory.
d. While configuration files related to user applications are conventionally placed under the user’s home
directory, configuration files relating to system-wide services are placed in the /etc directory, by convention.
Web services, print services, ftp services, and email services are examples of services that affect the entire
system and whose configuration files are stored under /etc. Notice that regular users do not have write
access to /etc. This is important as it restricts the ability to change the system-wide service configuration
to the root user only.
Use the ls command to list the contents of the /etc directory:
[analyst@secOps ~]$ ls /etc


adjtime host.conf mke2fs.conf rc_maps.cfg
apache-ant hostname mkinitcpio.conf request-key.conf
apparmor.d hosts mkinitcpio.d request-key.d
arch-release ifplugd modprobe.d resolv.conf
avahi initcpio modules-load.d resolvconf.conf
bash.bash_logout inputrc motd rpc
bash.bashrc iproute2 mtab rsyslog.conf
binfmt.d iptables nanorc securetty
ca-certificates issue netconfig security
crypttab java-7-openjdk netctl services
dbus-1 java-8-openjdk netsniff-ng shadow
default kernel nginx shadow-
depmod.d krb5.conf nscd.conf shells
dhcpcd.conf ld.so.cache nsswitch.conf skel
dhcpcd.duid ld.so.conf ntp.conf ssh
dkms ld.so.conf.d openldap ssl
drirc libnl openvswitch sudoers
elasticsearch libpaper.d os-release sudoers.d
environment lightdm pacman.conf sudoers.pacnew
ethertypes locale.conf pacman.conf.pacnew sysctl.d
filebeat locale.gen pacman.d systemd
fonts locale.gen.pacnew pam.d tmpfiles.d
fstab localtime pango trusted-key.key
gai.conf login.defs papersize udev
gemrc logrotate.conf passwd UPower
group logrotate.d passwd- vdpau_wrapper.cfg
group- logstash pcmcia vimrc
group.pacnew lvm pkcs11 webapps
grub.d machine-id polkit-1 wgetrc
gshadow mail.rc profile X11
gshadow- makepkg.conf profile.d xdg
gshadow.pacnew man_db.conf protocols xinetd.d
gtk-2.0 mdadm.conf pulse yaourtrc
gtk-3.0 mime.types rc_keymaps

e. Use the cat command to display the contents of the bash.bashrc file:
[analyst@secOps ~]$ cat /etc/bash.bashrc
#
# /etc/bash.bashrc
#

# If not running interactively, don't do anything
[[ $- != *i* ]] && return

PS1='[\u@\h \W]\$ '


case ${TERM} in
xterm*|rxvt*|Eterm|aterm|kterm|gnome*)
PROMPT_COMMAND=${PROMPT_COMMAND:+$PROMPT_COMMAND; }'printf "\033]0;%s@%s:%s\007"
"${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'

;;
screen)
PROMPT_COMMAND=${PROMPT_COMMAND:+$PROMPT_COMMAND; }'printf "\033_%s@%s:%s\033\\"
"${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/\~}"'
;;
esac

[ -r /usr/share/bash-completion/bash_completion ] && . /usr/share/bash-completion/bash_completion
[analyst@secOps ~]$

The syntax of bash.bashrc is out of scope of this course. This file defines the default behavior of the shell
for all users. If a user wants to customize his/her own shell behavior, the default behavior can be overridden
by editing the .bashrc file located in the user’s home directory. Because this is a system-wide configuration,
the configuration file is placed under /etc, making it editable only by the root user. Therefore, the user will
have to log in as root to modify /etc/bash.bashrc.
Why are user application configuration files saved in the user’s home directory and not under /etc with all
the other system-wide configuration files?
Regular users do not have permission to write to /etc. Because Linux is a multi-user operating system,
placing user application configuration files under /etc would make it impossible for users to customize
their applications.

Step 2: Editing and Saving Configuration files


As mentioned before, configuration files can be edited with text editors.
Let’s edit .bashrc to change the color of the shell prompt from green to red for the analyst user.
a. First, open SciTE by selecting Applications > CyberOPS > SciTE from the tool bar located in the upper
portion of the Cisco CyberOPS VM screen.
b. Select File > Open to launch SciTE’s Open File window.


c. Because .bashrc is a hidden file with no extension, SciTE does not display it in the file list. If the Location
feature is not visible in the dialog box, change the type of file shown by selecting All Files (*) from the type
drop-down box, as shown below. All the files in the analyst’s home directory are shown.
d. Select .bashrc and click Open.

e. Locate 32 and replace it with 31. 32 is the color code for green, while 31 represents red.

f. Save the file by selecting File > Save and close SciTE by clicking the X icon.
g. Click the Terminal application icon located on the Dock, at the bottom center of the Cisco CyberOPS VM
screen. The prompt should appear in red instead of green.
Did the terminal window which was already open also change color from green to red? Explain.
No. The .bashrc file is executed and applied when a terminal is first opened, so a terminal that was
opened earlier will not be affected by changes to the .bashrc file.
h. The same change could have been made from the command line with a text editor such as nano. From a
new terminal window, type nano .bashrc to launch nano and automatically load the .bashrc file in it:
[analyst@secOps ~]$ nano .bashrc

GNU nano 2.8.1 File: .bashrc

export EDITOR=vim

PS1='\[\e[1;31m\][\u@\h \W]\$\[\e[0m\] '

alias ls="ls --color"
alias vi="vim"

[ Read 5 lines ]
^G Get Help ^O Write Out ^W Where Is ^K Cut Text ^J Justify ^C Cur Pos
^X Exit ^R Read File ^\ Replace ^U Uncut Text^T To Spell ^_ Go To Line


i. Change 31 to 33. 33 is the color code for yellow.
j. Press CTRL+X to save and then press Y to confirm. Nano will also offer you the chance to change the
filename. Simply press ENTER to use the same name, .bashrc.
k. Nano will end, and you will be back on the shell prompt. Again, click the Terminal application icon located
on the Dock, at the bottom center of the Cisco CyberOps VM screen. The prompt should now appear in
yellow instead of red.

Step 3: Editing Configuration Files for Services


System-wide configuration files are not very different from the user-application files. nginx is a lightweight web
server that is installed in the Cisco CyberOPS VM. nginx can be customized by changing its configuration file,
which is located under /etc/nginx.
a. First, open nginx’s configuration file in nano. The configuration file name used here is
custom_server.conf. Notice below that the command is preceded by the sudo command. After typing
nano, include a space and the -l switch to turn on line numbering.
[analyst@secOps ~]$ sudo nano -l /etc/nginx/custom_server.conf
[sudo] password for analyst:

Use the arrow keys to navigate through the file.

GNU nano 2.9.5 /etc/nginx/custom_server.conf

1
2 #user html;
3 worker_processes 1;
4
5 #error_log logs/error.log;
6 #error_log logs/error.log notice;
7 #error_log logs/error.log info;
8
9 #pid logs/nginx.pid;
10
11
12 events {
13 worker_connections 1024;
14 }
15
16
17 http {
18 include mime.types;
19 default_type application/octet-stream;
20
21 #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
22 # '$status $body_bytes_sent "$http_referer" '
23 # '"$http_user_agent" "$http_x_forwarded_for"';


24
25 #access_log logs/access.log main;
26
27 sendfile on;
28 #tcp_nopush on;
29
30 #keepalive_timeout 0;
31 keepalive_timeout 65;
32
33 #gzip on;
34
35 types_hash_max_size 4096;
36 server_names_hash_bucket_size 128;
37
38 server {
39 listen 81;
40 server_name localhost;
41
42 #charset koi8-r;
43
44 #access_log logs/host.access.log main;
45
46 location / {
47 root /usr/share/nginx/html;
48 index index.html index.htm;
49 }

^G Get Help ^O Write Out ^W Where Is ^K Cut Text ^J Justify ^C Cur Pos
^X Exit ^R Read File ^\ Replace ^U Uncut Text ^T To Spell ^_ Go To Line

Note: Conventionally, .conf extensions are used to identify configuration files.

b. While the configuration file has many parameters, we will configure only two: the port nginx listens on for
incoming connections, and the directory it will serve web pages from, including the index HTML homepage
file.
c. Notice that at the bottom of the window, above the nano commands, the line number is highlighted and
listed. On line 39, change the port number from 81 to 8080. This will tell nginx to listen for HTTP requests
on TCP port 8080.


d. Next, move to line 47 and change the path from /usr/share/nginx/html/ to /usr/share/nginx/html/text_ed_lab/
Note: Be careful not to remove the semi-colon at the end of the line or nginx will throw an error on startup.
e. Press CTRL+X to save the file. Press Y and then ENTER to confirm and use the custom_server.conf as
the filename.
f. Type the command below to execute nginx using the modified configuration file:
[analyst@secOps ~]$ sudo nginx -c custom_server.conf "pid /var/run/nginx_v.pid;"

Note: The "pid /var/run/nginx_v.pid;" is needed to tell nginx what file to use when storing the process ID
that identifies this instance of nginx.

After investigation, it turned out that "pid /var/run/nginx_v.pid;" could not be included on the
command line, so it had to be removed.
g. Click the web browser icon on the Dock to launch Firefox.
h. On the address bar, type 127.0.0.1:8080 to connect to a web server hosted on the local machine on port
8080. A page related to this lab should appear.


i. After successfully opening the nginx homepage, look at the connection message in the terminal window.

What is the error message referring to?

The error message is produced by the successful web page connection and appears to be caused by
a missing favicon.ico file in the lab.support.files directory.
j. To shut down the nginx webserver, press ENTER to get a command prompt and type the following
command in the terminal window:
[analyst@secOps ~]$ sudo pkill nginx

k. You can test whether the nginx server is indeed shut down by first clearing the recent history in the web
browser, then closing and re-opening the web browser, then going to the nginx homepage at 127.0.0.1:8080. Does
the web page appear? No
Challenge: Can you edit the /etc/nginx/custom_configuration.conf file with SciTE? Describe the process
below.
Remember, because the file is stored under /etc, you will need root permissions to edit it.
From the terminal window, issue sudo scite /etc/nginx/custom_configuration.conf to launch
scite as root.
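The two edits in Step 3 (listen port 81 to 8080, document root to text_ed_lab/) and the semicolon caveat, as an added shell example that is not part of the Cisco lab or this report. It applies the edits with sed to a constructed excerpt of custom_server.conf, keeps a backup, and runs a small lint that flags directive lines missing the trailing semicolon before the file is ever handed to nginx. The config text and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example: safe edit-and-check workflow for the lab's nginx config.
# Constructed excerpt of /etc/nginx/custom_server.conf (only the lines the
# lab touches plus enough structure for a lint to be meaningful).
write_sample_conf() {
    cat > "$1" <<'EOF'
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    keepalive_timeout  65;

    server {
        listen       81;
        server_name  localhost;

        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
    }
}
EOF
}

# apply_lab_edits FILE: listen 81 -> 8080 and root -> the lab's text_ed_lab/
# directory. The original is kept as FILE.bak so the change can be reverted
# if nginx rejects the new file.
apply_lab_edits() {
    cp "$1" "$1.bak"
    sed \
        -e 's|^\([[:space:]]*listen[[:space:]]*\)81;|\18080;|' \
        -e 's|^\([[:space:]]*root[[:space:]]*\)/usr/share/nginx/html;|\1/usr/share/nginx/html/text_ed_lab/;|' \
        "$1.bak" > "$1"
}

# check_semicolons FILE: print every non-comment, non-blank line that ends
# with neither ';' nor a brace (the mistake the lab warns about). Returns 1
# if any such line is found, 0 if the file looks clean.
check_semicolons() {
    awk '
        BEGIN { bad = 0 }
        { line = $0; sub(/#.*/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line == "" { next }
        line ~ /[;{}]$/ { next }
        { printf "line %d: missing semicolon: %s\n", NR, $0; bad = 1 }
        END { exit bad }
    ' "$1"
}

# listen_port FILE / doc_root FILE: read back the two values the lab changes.
listen_port() {
    awk '$1 == "listen" { sub(/;$/, "", $2); print $2; exit }' "$1"
}
doc_root() {
    awk '$1 == "root" { sub(/;$/, "", $2); print $2; exit }' "$1"
}

# demo: run the whole workflow on a temporary copy and report the result.
demo() {
    conf=$(mktemp)
    write_sample_conf "$conf"
    apply_lab_edits "$conf"
    echo "listen port: $(listen_port "$conf"), root: $(doc_root "$conf")"
    if check_semicolons "$conf"; then
        echo "config looks syntactically complete"
    else
        echo "fix the lines above before starting nginx"
    fi
    rm -f "$conf" "$conf.bak"
}
```

On the VM itself, `sudo nginx -t -c /etc/nginx/custom_server.conf` is the authoritative syntax check to run before starting the server; the lint above only catches the one slip the lab describes.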
Reflection
Depending on the service, more options may be available for configuration.
Configuration file location, syntax, and available parameters will vary from service to service. Always consult
the documentation for information.
Permissions are a very common cause of problems. Make sure you have the correct permissions before trying
to edit configuration files.
More often than not, services must be restarted before the changes take effect.


Lab – Getting Familiar with the Linux Shell


Introduction
In this lab, you will use the Linux command line to manage files and folders, and perform some basic
administrative tasks.

Recommended Equipment
• CyberOps Workstation Virtual Machine

Part 4: Shell Basics


The shell is the term used to refer to the command interpreter in Linux. Also known as Terminal, Command
Line and Command Prompt, the shell is a very powerful way to interact with a Linux computer.

Step 1: Access the Command Line


a. Log on to the CyberOps Workstation VM as the analyst using the password cyberops. The account
analyst is used as the example user account throughout this lab.
b. To access the command line, click the terminal icon located in the Dock, at the bottom of VM screen. The
terminal emulator opens.

Step 2: Display Manual Pages from the command line.


You can display command line help using the man command. A man page, short for manual page, is the built-in
documentation of the Linux commands. A man page provides detailed information about a given command
and all its available options.


a. To learn more about the man page, type:


[analyst@secOps ~]$ man man

Name a few sections that are included in a man page.

Some sections in a manual page are: Name, Synopsis, Configuration, Description, Options,
Exit status, Return value, Errors, Environment, Files, Versions, Conforming to, Notes, Bugs,
Examples, Authors, and See also.
b. Type q to exit the man page.
c. Use the man command to learn more about the cp command:
[analyst@secOps ~]$ man cp


What is the function of the cp command?

Copy files from one location to another in the local file system.

What command would you use to find out more information about the pwd command? What is the function
of the pwd command?

The man pwd command is used to access the manual page about pwd. The pwd command
prints the name of the current, or working, directory.

Step 3: Create and change directories.


In this step, you will use the change directory (cd), make directory (mkdir), and list directory (ls) commands.
Note: A directory is another word for folder. The terms directory and folder are used interchangeably throughout
this lab.
a. Type pwd at the prompt.
[analyst@secOps ~]$ pwd
/home/analyst

What is the current directory?

The current directory is /home/analyst in this example.
b. Navigate to the /home/analyst directory if it is not your current directory. Type cd /home/analyst
[analyst@secOps ~]$ cd /home/analyst

c. Type ls -l at the command prompt to list the files and folders that are in the current folder. Standing for list,
the -l option displays file size, permissions, ownership, date of creation and more.
[analyst@secOps ~]$ ls -l


total 20
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt

d. In the current directory, use the mkdir command to create three new folders: cyops_folder1,
cyops_folder2, and cyops_folder3. Type mkdir cyops_folder1 and press Enter. Repeat these steps to
create cyops_folder2 and cyops_folder3.
[analyst@secOps ~]$ mkdir cyops_folder1
[analyst@secOps ~]$ mkdir cyops_folder2
[analyst@secOps ~]$ mkdir cyops_folder3
[analyst@secOps ~]$

e. Type ls -l to verify that the folders have been created:


[analyst@secOps ~]$ ls -l

total 32
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:01 cyops_folder1
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:02 cyops_folder2
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:02 cyops_folder3
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt


f. Type cd /home/analyst/cyops_folder3 at the command prompt and press Enter.


[analyst@secOps ~]$ cd /home/analyst/cyops_folder3
[analyst@secOps cyops_folder3]$

Which folder are you in now?

In this example, the current directory is /home/analyst/cyops_folder3, as indicated by
cyops_folder3 in the prompt.
Note: In the [analyst@secOps ~]$ prompt above: The tilde symbol ~ represents the current user’s home
directory. In this example, the current user’s home directory is /home/analyst. After the cd
/home/analyst/cyops_folder3 command, the current working directory is now
/home/analyst/cyops_folder3.
Note: $ (dollar sign) indicates regular user privilege. If a ‘#’ (hashtag or pound sign) is displayed at the
prompt, it indicates elevated privilege (root user).
Note: While these symbols, conventions and main concepts remain the same, the prompt of a terminal
window is highly customizable in Linux. Therefore, the prompt structure seen in the CyberOps Workstation
VM will likely differ from the prompt in other Linux installations.

Challenge: Type the command cd ~ and describe what happens. Why did this happen?

The directory changes to the home directory. Because the shell interprets ~ as a shortcut for the current
user's home directory, cd ~ changes to the current user's home.
g. Use the mkdir command to create a new folder named cyops_folder4 inside the cyops_folder3 folder:
[analyst@secOps ~]$ mkdir /home/analyst/cyops_folder3/cyops_folder4
[analyst@secOps ~]$
h. Use the ls -l command to verify the folder creation.
[analyst@secOps ~]$ ls -l /home/analyst/cyops_folder3

total 4
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:04 cyops_folder4

i. Up to this point, we have been using full paths. Full path is the term used when referring to paths that
always start at the root (/) directory. It is also possible to work with relative paths. Relative paths reduce the
amount of text to be typed. To understand relative paths, we must understand the . and .. (dot and double
dot) directories. From the cyops_folder3 directory, issue ls -la:
[analyst@secOps ~]$ ls -la /home/analyst/cyops_folder3

total 12
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:04 .
drwxr-xr-x 20 analyst analyst 4096 Aug 16 15:02 ..
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:04 cyops_folder4

The -a option tells ls to show all files. Notice the . and .. listings shown by ls. These listings are used by the
operating system to track the current directory (.) and the parent directory (..). You can see the use of the .
and .. when using the cd command to change directories. Using the cd command to change the directory
to the . directory incurs no visible directory change, as . points to the current directory itself.

j. Change the current directory to /home/analyst/cyops_folder3:


[analyst@secOps ~]$ cd /home/analyst/cyops_folder3

[analyst@secOps cyops_folder3]$

k. Type cd .
[analyst@secOps cyops_folder3]$ cd .

[analyst@secOps cyops_folder3]$

What happens?
Apparently nothing, other than the command interpreter having changed the directory to the current
directory itself.
l. Changing the directory to the .. directory will change to the directory that is one level up. This directory is
also known as the parent directory. Type cd ..
[analyst@secOps cyops_folder3]$ cd ..


[analyst@secOps ~]$

What happens?
The directory changes to /home/analyst, which is the directory immediately above cyops_folder3, also
known as the parent directory.
What would be the current directory if you issued the cd .. command at [analyst@secOps ~]$?

/home
What would be the current directory if you issued the cd .. command at [analyst@secOps home]$?

/ (backslash), the root of the file system

What would be the current directory if you issued the cd .. command at [analyst@secOps /]$?

/ (backslash), the root of the file system. Because this is the highest level, no upward change takes place,
as the root directory has no parent directory.

Step 4: Redirect Outputs.


Another powerful command line operator in Linux is known as redirect. Represented by the > symbol, this
operator allows the output of a command to be redirected to some location other than the current terminal
window (the default).
a. Use the cd command to change to the /home/analyst/ (~) directory:
[analyst@secOps /]$ cd /home/analyst/

[analyst@secOps ~]$


b. Use the echo command to echo a message. Because no output was defined, echo will output to the current
terminal window:
[analyst@secOps ~]$ echo This is a message echoed to the terminal by echo.

This is a message echoed to the terminal by echo.

c. Use the > operator to redirect the output of echo to a text file instead of to the screen:
[analyst@secOps ~]$ echo This is a message echoed to the terminal by echo. > some_text_file.txt
No output was shown. Is that expected?

Yes. The output was redirected to the file some_text_file.txt.

d. Notice that even though the some_text_file.txt file did not exist, it was automatically created to receive the
output generated by echo. Use the ls -l command to verify that the file was really created:
[analyst@secOps ~]$ ls -l some_text_file.txt

-rw-r--r-- 1 analyst analyst 50 Feb 24 16:11 some_text_file.txt

e. Use the cat command to display the contents of the some_text_file.txt text file:

[analyst@secOps ~]$ cat some_text_file.txt

This is a message echoed to the terminal by echo.

f. Use the > operator again to redirect a different echo output to the some_text_file.txt text file:
[analyst@secOps ~]$ echo This is a DIFFERENT message, once again echoed to the terminal by echo. > some_text_file.txt


g. Once again, use the cat command to display the contents of the some_text_file.txt text file:
[analyst@secOps ~]$ cat some_text_file.txt

This is a DIFFERENT message, once again echoed to the terminal by echo.


What happened to the text file? Explain.
The text file was completely replaced by the new message. The > operator destroys the contents of the txt
file before writing the message echoed by echo.

Step 5: Redirect and Append to a Text File.


h. Similar to the > operator, the >> operator also allows for redirecting data to files. The difference is that >>
appends data to the end of the referred file, keeping the current contents intact. To append a message to
the some_text_file.txt, issue the command below:
[analyst@secOps ~]$ echo This is another line of text. It will be APPENDED to the output file. >> some_text_file.txt

i. Use the cat command to display the contents of the some_text_file.txt text file yet again:
[analyst@secOps ~]$ cat some_text_file.txt

This is a DIFFERENT message, once again echoed to the terminal by echo.


This is another line of text. It will be APPENDED to the output file.
What happened to the text file? Explain.
The new message was appended to the end of the file, keeping the original contents intact.
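As an added example (not part of the Cisco lab), the following POSIX shell script repeats the > and >> steps of Steps 4 and 5 in a throwaway directory and returns the line count after each write, and also shows the shell's noclobber option (set -C), which refuses a plain > to an existing file; the file name and messages are constructed here.

```shell
#!/bin/sh
# Added example, not part of the lab: demonstrates that ">" truncates the
# target file before writing while ">>" appends, and shows the shell's
# noclobber option (set -C) as a guard against wiping a file by accident.
# Everything happens in a temporary directory created with mktemp.

# Repeats the lab's three echo commands and returns the line count after
# each one as "n1 n2 n3", so the truncation and the append are both visible.
redirect_demo() {
    tmp=$(mktemp -d)
    f="$tmp/some_text_file.txt"

    echo "This is a message echoed to the terminal by echo." > "$f"
    n1=$(wc -l < "$f" | tr -d ' ')        # file created with one line

    echo "This is a DIFFERENT message, once again echoed by echo." > "$f"
    n2=$(wc -l < "$f" | tr -d ' ')        # still one line: ">" emptied the file first

    echo "This is another line of text. It will be APPENDED." >> "$f"
    n3=$(wc -l < "$f" | tr -d ' ')        # two lines: ">>" kept the existing content

    rm -r "$tmp"
    echo "$n1 $n2 $n3"
}

# With "set -C" (noclobber) a plain ">" to an existing file is refused, while
# ">>" still works. Returns "refused kept" when the guard blocked the write
# and the original content survived.
noclobber_demo() {
    tmp=$(mktemp -d)
    f="$tmp/some_text_file.txt"
    echo "original" > "$f"

    result="allowed"
    # Run in a subshell so set -C does not leak into the caller's shell.
    (set -C; echo "overwrite attempt" > "$f") 2>/dev/null || result="refused"

    if [ "$(cat "$f")" = "original" ]; then kept="kept"; else kept="lost"; fi

    rm -r "$tmp"
    echo "$result $kept"
}

# Stand-alone run: prints "1 1 2" and "refused kept".
redirect_demo
noclobber_demo
```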

Step 6: Work with hidden files in Linux.


j. In Linux, files with names that begin with a ‘.’ (single dot) are not shown by default. While dot-files have
nothing else special about them, they are called hidden files because of this feature. Examples of hidden
files are .file5, .file6, .file7.
Note: Do not confuse dot-files with the current directory indicator “.” symbol. Hidden file names begin with
a dot (period), followed by more characters while the dot directory is a hidden directory comprised of only
a single dot.


k. Use ls -l to display the files stored in the analyst home directory.


[analyst@secOps ~]$ ls -l

How many files are displayed?


based on the user's previous lab activity and interaction in the CyberOps Workstation VM.
Be sure to count the directories as well (shown by ls in blue).

l. Use the ls -la command to display all files in the home directory of analyst, including the hidden files.
[analyst@secOps ~]$ ls -la

How many files are displayed now, more than before? Explain.
Many more are displayed by ls -la: besides the regular files, all the hidden files inside the folder.
Is it possible to hide entire directories by adding a dot before its name as well? Are there any directories in
the output of ls -la above?


Yes, there are many hidden directories in the output.


Give three examples of hidden files shown in the output of ls -la above.
.config, .bash_history, .xinitrc
m. Type the man ls command at the prompt to learn more about the ls command.
[analyst@secOps ~]$ man ls

n. Use the down arrow key (one line at a time) or the space bar (one page at a time) to scroll down the page
and locate the -a used above and read its description to familiarize yourself with the ls -a command.

Part 5: Copying, Deleting, and Moving Files


Step 1: Copying Files
a. The cp command is used to copy files around the local file system. When using cp, a new copy of the file
is created and placed in the specified location, leaving the original file intact. The first parameter is the
source file and the second is the destination. Issue the command below to copy some_text_file.txt from
the home directory to the cyops_folder2 folder:
[analyst@secOps ~]$ cp some_text_file.txt cyops_folder2/

Identify the parameters in the cp command above. What are the source and destination files? (use full
paths to represent the parameters)
Source: /home/analyst/some_text_file.txt.
Destination: /home/analyst/cyops_folder2/some_text_file.txt
b. Use the ls command to verify that some_text_file.txt is now in cyops_folder2:
[analyst@secOps ~]$ ls cyops_folder2/


some_text_file.txt

c. Use the ls command to verify that some_text_file.txt is also in the home directory:
[analyst@secOps ~]$ ls -l

total 36
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:01 cyops_folder1
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:11 cyops_folder2
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:04 cyops_folder3
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 142 Aug 16 15:09 some_text_file.txt
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt

Step 2: Deleting Files and Directories


a. Use the rm command to remove files. Issue the command below to remove the file some_text_file.txt from
the home directory. The ls command is then used to show that the file some_text_file.txt has been
removed from the home directory:
[analyst@secOps ~]$ rm some_text_file.txt
[analyst@secOps ~]$ ls -l


total 32
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:01 cyops_folder1
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:11 cyops_folder2
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:04 cyops_folder3
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt

b. In Linux, directories are seen as a type of file. As such, the rm command is also used to delete directories
but the -r (recursive) option must be used. Notice that all files and other directories inside a given directory
are also deleted when deleting a parent directory. Issue the command below to delete the cyops_folder1
folder and its contents:
[analyst@secOps ~]$ rm -r cyops_folder1
[analyst@secOps ~]$ ls -l

total 28
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:11 cyops_folder2
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:04 cyops_folder3
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt

Step 3: Moving Files and Directories


a. Moving files works similarly to copying files. The difference is that moving a file removes it from its original
location. Use the mv commands to move files around the local filesystem. Like the cp commands, the mv
command also requires source and destination parameters. Issue the command below to move the
some_text_file.txt from /home/analyst/cyops_folder2 back to the home directory:


[analyst@secOps ~]$ mv cyops_folder2/some_text_file.txt .


[analyst@secOps ~]$ ls -l cyops_folder2/
total 0
[analyst@secOps ~]$ ls -l /home/analyst/

total 32
drwxr-xr-x 2 analyst analyst 4096 Aug 16 15:13 cyops_folder2
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:04 cyops_folder3
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 142 Aug 16 15:11 some_text_file.txt
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt

Why was the dot (“.”) used as the destination parameter for mv?
The dot (“.”) means mv must move the file to the current directory. Because the current directory is already
/home/analyst/ (the directory the file must be moved to), using the dot “.” represents just that.
b. The mv command can also be used to move entire directories and the files they contain. To move the
cyops_folder3 (and all the files and directories it contains) into cyops_folder2, use the command below:
[analyst@secOps ~]$ mv cyops_folder3/ cyops_folder2/
[analyst@secOps ~]$ ls -l /home/analyst/
total 28
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:15 cyops_folder2
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 142 Aug 16 15:11 some_text_file.txt
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt


c. Use the ls command to verify that the cyops_folder3 directory was correctly moved to cyops_folder2.
[analyst@secOps ~]$ ls -l cyops_folder2/
total 4
drwxr-xr-x 3 analyst analyst 4096 Feb 27 11:47 cyops_folder3

Reflection
What are the advantages of using the Linux command line?
The command line gives the user more options and control than the graphical interface. As the user
becomes more experienced with the command line, these commands can be combined in scripts to
perform routine tasks. The command line interface uses fewer resources when the user manages a
computer remotely.


Lab – Linux Servers


Introduction
In this lab, you will use the Linux command line to identify servers running on a given computer.

Recommended Equipment
• CyberOps Workstation Virtual Machine

Part 6: Servers
Servers are essentially programs written to provide specific information upon request. Clients, which are also
programs, reach out to the server, place the request and wait for the server response. Many different client-
server communication technologies can be used, with the most common being IP networks. This lab focuses
on IP network-based servers and clients.

Step 1: Access the command line.


a. Log on to the CyberOps Workstation VM as the analyst, using the password cyberops. The account
analyst is used as the example user account throughout this lab.
b. To access the command line, click the terminal icon located in the Dock, at the bottom of VM screen. The
terminal emulator opens.


Step 2: Display the services currently running.


Many different programs can be running on a given computer, especially a computer running a Linux
operating system. Many programs run in the background so users may not immediately detect what programs
are running on a given computer. In Linux, running programs are also called processes.
Note: The output of your ps command will differ because it will be based on the state of your CyberOps
Workstation VM.
a. Use the ps command to display all the programs running in the background:
[analyst@secOps ~]$ sudo ps -elf
[sudo] password for analyst:
F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD
4 S root 1 0 0 80 0 - 2250 SyS_ep Feb27 ? 00:00:00 /sbin/init
1 S root 2 0 0 80 0 - 0 kthrea Feb27 ? 00:00:00 [kthreadd]
1 S root 3 2 0 80 0 - 0 smpboo Feb27 ? 00:00:00 [ksoftirqd/0]
1 S root 5 2 0 60 -20 - 0 worker Feb27 ? 00:00:00 [kworker/0:0H]
1 S root 7 2 0 80 0 - 0 rcu_gp Feb27 ? 00:00:00 [rcu_preempt]
1 S root 8 2 0 80 0 - 0 rcu_gp Feb27 ? 00:00:00 [rcu_sched]
1 S root 9 2 0 80 0 - 0 rcu_gp Feb27 ? 00:00:00 [rcu_bh]
1 S root 10 2 0 -40 - - 0 smpboo Feb27 ? 00:00:00 [migration/0]
1 S root 11 2 0 60 -20 - 0 rescue Feb27 ? 00:00:00 [lru-add-drain]
5 S root 12 2 0 -40 - - 0 smpboo Feb27 ? 00:00:00 [watchdog/0]
1 S root 13 2 0 80 0 - 0 smpboo Feb27 ? 00:00:00 [cpuhp/0]
5 S root 14 2 0 80 0 - 0 devtmp Feb27 ? 00:00:00 [kdevtmpfs]
1 S root 15 2 0 60 -20 - 0 rescue Feb27 ? 00:00:00 [netns]
1 S root 16 2 0 80 0 - 0 watchd Feb27 ? 00:00:00 [khungtaskd]
1 S root 17 2 0 80 0 - 0 oom_re Feb27 ? 00:00:00 [oom_reaper]
<some output omitted>


Why was it necessary to run ps as root (prefacing the command with sudo)?
Some processes do not belong to the analyst user and might not be displayed if ps were run as analyst,
which is a regular user account.
b. In Linux, programs can also call other programs. The ps command can also be used to display such a
process hierarchy. Use the -ejH options to display the currently running process tree.
Note: The process information for the nginx service is highlighted. Your PID values will be different.
Note: If nginx is not running, enter the sudo /usr/sbin/nginx command at the command prompt to start
the nginx service.
[analyst@secOps ~]$ sudo ps -ejH
[sudo] password for analyst:
PID PGID SID TTY TIME CMD
1 1 1 ? 00:00:00 systemd
167 167 167 ? 00:00:01 systemd-journal
193 193 193 ? 00:00:00 systemd-udevd
209 209 209 ? 00:00:00 rsyslogd
210 210 210 ? 00:01:41 java
212 212 212 ? 00:00:01 ovsdb-server
213 213 213 ? 00:00:00 start_pox.sh
224 213 213 ? 00:01:18 python2.7
214 214 214 ? 00:00:00 systemd-logind
216 216 216 ? 00:00:01 dbus-daemon
221 221 221 ? 00:00:05 filebeat
239 239 239 ? 00:00:05 VBoxService
287 287 287 ? 00:00:00 ovs-vswitchd
382 382 382 ? 00:00:00 dhcpcd
387 387 387 ? 00:00:00 lightdm
410 410 410 tty7 00:00:10 Xorg
460 387 387 ? 00:00:00 lightdm
492 492 492 ? 00:00:00 sh
503 492 492 ? 00:00:00 xfce4-session
513 492 492 ? 00:00:00 xfwm4
517 492 492 ? 00:00:00 Thunar
1592 492 492 ? 00:00:00 thunar-volman
519 492 492 ? 00:00:00 xfce4-panel
554 492 492 ? 00:00:00 panel-6-systray
559 492 492 ? 00:00:00 panel-2-actions
523 492 492 ? 00:00:01 xfdesktop
530 492 492 ? 00:00:00 polkit-gnome-au
395 395 395 ? 00:00:00 nginx
396 395 395 ? 00:00:00 nginx
408 384 384 ? 00:01:58 java
414 414 414 ? 00:00:00 accounts-daemon
418 418 418 ? 00:00:00 polkitd


<some output omitted>

How is the process hierarchy represented by ps?


Through indentation.


c. As mentioned before, servers are essentially programs, often started by the system itself at boot time.
The task performed by a server is called a service. In such fashion, a web server provides web services.
The netstat command is a great tool to help identify the network servers running on a computer. The
power of netstat lies in its ability to display network connections.
Note: Your output may be different depending on the number of open network connections on your VM.
In the terminal window, type netstat.
[analyst@secOps ~]$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost.localdo:48746 localhost.local:wap-wsp ESTABLISHED
tcp 0 0 localhost.localdo:48748 localhost.local:wap-wsp ESTABLISHED
tcp6 0 0 localhost.local:wap-wsp localhost.localdo:48748 ESTABLISHED
tcp6 0 0 localhost.local:wap-wsp localhost.localdo:48746 ESTABLISHED
tcp6 0 0 localhost.local:wap-wsp localhost.localdo:48744 ESTABLISHED
tcp6 0 0 localhost.localdo:48744 localhost.local:wap-wsp ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 3 [ ] DGRAM 8472 /run/systemd/notify
unix 2 [ ] DGRAM 8474 /run/systemd/cgroups-agent
<some output omitted>


As seen above, netstat returns lots of information when used without options. Many options can be used
to filter and format the output of netstat, making it more useful.


d. Use netstat with the -tunap options to adjust the output of netstat. Notice that netstat allows multiple
options to be grouped together under the same “-“ sign.
The information for the nginx server is highlighted.
[analyst@secOps ~]$ sudo netstat -tunap
[sudo] password for analyst:

Active Internet connections (servers and established)


Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 395/nginx: master p
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 279/vsftpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 277/sshd
tcp 0 0 0.0.0.0:6633 0.0.0.0:* LISTEN 257/python2.7
tcp6 0 0 :::22 :::* LISTEN 277/sshd
tcp6 0 0 :::23 :::* LISTEN 1/init
udp 0 0 192.168.1.15:68 0.0.0.0:* 237/systemd-network

What is the meaning of the -t, -u, -n, -a and -p options in netstat? (use man netstat to answer)
-a: shows listening and non-listening sockets.
-n: use numeric output (no DNS, service port, or user name resolution).
-p: show the PID of the process owning the connection.
-t: shows TCP connections.
-u: shows UDP connections.
Is the order of the options important to netstat?
No, the order of the options does not matter.


Clients will connect to a port and, using the correct protocol, request information from a server. The
netstat output above displays a number of services that are currently listening on specific ports.
Interesting columns are:
- The first column shows the Layer 4 protocol in use (UDP or TCP, in this case).
- The third column uses the <ADDRESS:PORT> format to display the local IP address and port on
which a specific server is reachable. The IP address 0.0.0.0 signifies that the server is currently
listening on all IP addresses configured in the computer.
- The fourth column uses the same socket format <ADDRESS:PORT> to display the address and port
of the device on the remote end of the connection. 0.0.0.0:* means that no remote device is currently
utilizing the connection.
- The fifth column displays the state of the connection.
- The sixth column displays the process ID (PID) of the process responsible for the connection. It also
displays a short name associated with the process.
Based on the netstat output shown in item (d), what is the Layer 4 protocol, connection status, and PID
of the process running on port 80?
TCP, LISTEN and 395.
While port numbers are just a convention, can you guess what kind of service is running on port 80 TCP?
e. Sometimes it is useful to cross-reference the information provided by netstat with ps. Based on the output
of item (d), it is known that a process with PID 395 is bound to TCP port 80. PID 395 is used in this example.
Use ps and grep to list all lines of the ps output that contain PID 395:
[analyst@secOps ~]$ sudo ps -elf | grep 395
[sudo] password for analyst:

1 S root 395 1 0 80 0 - 1829 sigsus Feb27 ? 00:00:00 nginx: master process /usr/bin/nginx -g pid /run/nginx.pid; error_log stderr;
5 S http 396 395 0 80 0 - 1866 SyS_ep Feb27 ? 00:00:00 nginx: worker process
0 S analyst 3789 1872 0 80 0 - 1190 pipe_w 14:05 pts/1 00:00:00 grep 395

In the output above, the ps command is piped through the grep command to filter out only the lines
containing the number 395. The result is three lines with text wrapping.
The first line shows a process owned by the root user (third column), started by another process with PID
1 (fifth column), on Feb27 (twelfth column) with command /usr/bin/nginx -g pid /run/nginx.pid;
error_log stderr;
The second line shows a process with PID 396, owned by the http user, started by process 395, on
Feb27.
The third line shows a process owned by the analyst user, with PID 3789, started by a process with PID
1872, as the grep 395 command.


The process PID 395 is nginx. How could that be concluded from the output above?
Based on the last column of line 1, the output shows the nginx command line.
What is nginx? What is its function? (Use google to learn about nginx)
nginx is a lightweight web server. A quick Google search is very helpful in finding information about
unknown processes.
The second line shows that process 396 is owned by a user named http and has process number 395 as
its parent process. What does that mean? Is this common behavior?
It means that nginx started process 396 under the user name http. This is normal because nginx spawns its
own process for each client that connects to port 80 TCP.
Why is the last line showing grep 395?
Because grep 395 was used to filter the output of ps; when the output was compiled, grep 395 was
still running and therefore appears in the list.
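As an added example, not from the lab, here is a POSIX shell script that parses netstat -tunap output (the format shown in item d) into one "proto port pid program" line per bound socket and then flags listeners that are not on an analyst-maintained allowlist, which is the check an analyst would run before cross-referencing a PID with ps as in item (e). The sample output and the allowlist are constructed; the ESTABLISHED curl line (PID 1337) is made up to show that non-listening sockets are skipped.

```shell
#!/bin/sh
# Added example, not part of the lab: parses "netstat -tunap" output into
# "proto port pid program" lines and flags listeners that are not on an
# allowlist. SAMPLE_NETSTAT is constructed from the lab's listing plus one
# made-up ESTABLISHED line (1337/curl) that must be ignored.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      395/nginx: master p
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      279/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      277/sshd
tcp        0      0 0.0.0.0:6633            0.0.0.0:*               LISTEN      257/python2.7
tcp6       0      0 :::22                   :::*                    LISTEN      277/sshd
tcp6       0      0 :::23                   :::*                    LISTEN      1/init
tcp        0      0 127.0.0.1:48746         127.0.0.1:80            ESTABLISHED 1337/curl
udp        0      0 192.168.1.15:68         0.0.0.0:*                           237/systemd-network'

# Reads netstat -tunap output on stdin and prints "proto port pid program"
# for every TCP listener and every bound UDP socket. UDP rows have no State
# column, so their PID/Program field is one column further left.
listening_services() {
    awk '
        function emit(proto, addr, start,    port, prog, i, pp) {
            port = addr
            sub(/.*:/, "", port)                  # "0.0.0.0:80" -> 80, ":::22" -> 22
            prog = $start
            for (i = start + 1; i <= NF; i++)     # program name may contain spaces
                prog = prog " " $i
            split(prog, pp, "/")                  # "395/nginx: master p" -> 395, nginx: master p
            printf "%s %s %s %s\n", proto, port, pp[1], pp[2]
        }
        $1 ~ /^tcp/ && $6 == "LISTEN" { emit($1, $4, 7) }
        $1 ~ /^udp/                  { emit($1, $4, 6) }
    '
}

# Prints the listeners whose port is not in the space-separated allowlist
# given as $1. Anything printed is a service the analyst did not expect and
# should be cross-checked with ps, as the lab does for PID 395.
unexpected_listeners() {
    allow=" $1 "
    listening_services | while read -r proto port pid prog; do
        case "$allow" in
            *" $port "*) ;;                        # expected, skip
            *) echo "$proto $port $pid $prog" ;;
        esac
    done
}

# Stand-alone run with the constructed sample and an allowlist of 22 and 80.
printf '%s\n' "$SAMPLE_NETSTAT" | listening_services
echo "--- not on allowlist ---"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 80"
```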

Part 7: Using Telnet to Test TCP Services


Telnet is a simple remote shell application. Telnet is considered insecure because it does not provide
encryption. Administrators who choose to use Telnet to remotely manage network devices and servers will
expose login credentials to that server, as Telnet will transmit session data in clear text. While Telnet is not
recommended as a remote shell application, it can be very useful for quickly testing or gathering information
about TCP services.
The Telnet protocol operates on port 23 using TCP by default. The telnet client, however, allows for a different
port to be specified. By changing the port and connecting to a server, the telnet client allows a network
analyst to quickly assess the nature of a specific server by communicating directly with it.
Note: It is strongly recommended that ssh be used as remote shell application instead of telnet.
a. In Part 1, nginx was found to be running and assigned to port 8080 TCP. Although a quick Google
search revealed that nginx is a lightweight web server, how would an analyst be sure of that? What if an
attacker changed the name of a malware program to nginx, just to make it look like the popular
webserver? Use telnet to connect to the local host on port 8080 TCP:
[analyst@secOps ~]$ telnet 127.0.0.1 8080

Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

b. Press a few letters on the keyboard. Any key will work. After a few keys are pressed, press ENTER.
Below is the full output, including the Telnet connection establishment and the random keys pressed
(rhusdhuhrue, in this case):
rhusdhuhrue


HTTP/1.1 400 Bad Request


Server: nginx/1.10.2
Date: Tue, 28 Feb 2017 20:09:37 GMT
Content-Type: text/html
Content-Length: 173
Connection: close

<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.10.2</center>
</body>
</html>
Connection closed by foreign host.

Thanks to the Telnet protocol, a clear text TCP connection was established, by the Telnet client, directly
to the nginx server, listening on 127.0.0.1 port 80 TCP. This connection allows us to send data directly to
the server. Because nginx is a web server, it does not understand the sequence of random letters sent to
it and returns an error in the format of a web page.
Why was the error sent as a web page?
nginx is a web server and therefore only speaks the HTTP protocol.
While the server reported an error and terminated the connection, we were able to learn a lot. We learned
that:
1) The nginx with PID 395 is in fact a web server.
2) The version of nginx is 1.10.2.
3) The network stack of our CyberOps Workstation VM is fully functional all the way to Layer 7.
Not all services are equal. Some services are designed to accept unformatted data and will not terminate
if garbage is entered via keyboard. Below is an example of such a service:


c. Looking at the netstat output presented earlier, it is possible to see a process attached to port 22. Use
Telnet to connect to it.
Port 22 TCP is assigned to SSH service. SSH allows an administrator to connect to a remote computer
securely.
Below is the output:
[analyst@secOps ~]$ telnet 127.0.0.1 22

Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4
sdfjlskj
Protocol mismatch.
Connection closed by foreign host.

Use Telnet to connect to port 68. What happens? Explain.


Unable to connect because the connection was refused. Telnet is a TCP-based protocol and will not be
able to connect to a UDP port.

Reflection
What are the advantages of using netstat?
Netstat allows the analyst to display all the connections currently present on the computer. Source and
destination addresses, ports, and process IDs can also be displayed, giving a quick overview of all the
connections present on the computer.
What are the advantages of using Telnet? Is it safe?
Yes, as long as it is not used as a remote shell. It is very safe for quickly testing or gathering information
about a specific network service.


Lab – Locating Log Files


Introduction
In this lab, you will get familiar with locating and manipulating Linux log files.

Required Resources
• CyberOps Workstation Virtual Machine

Part 8: Log File Overview


Log files (also spelled logfiles) are files used by computers to log events. Software programs, background
processes, services, or transactions between services, including the operating system itself, may generate
such events. Log files are dependent on the application that generates them. It is up to the application
developer to conform to a log file convention. Software documentation should include information on its log
files.

Step 1: Web server log file example


Because log files are essentially a way to track specific events, the type of information stored varies
depending on the application or service generating the events.
a. Consider the single log entry below. It was generated by Apache, a popular web server.
[Wed Mar 22 11:23:12.207022 2017] [core:error] [pid 3548:tid 4682351596] [client
209.165.200.230] File does not exist: /var/www/apache/htdocs/favicon.ico

The single log entry above represents a web event recorded by Apache. A few pieces of information are
important in web transactions, including client IP address, time and details of the transaction. The entry
above can be broken down into five main parts:
Timestamp: This part records when the event took place. It is very important that the server clock is
correctly synchronized (for example with NTP), as it allows events to be accurately cross-referenced and
traced back across systems.
Type: This is the Apache module that raised the event and its severity. In this case, the core module logged an error.
PID: This contains the process ID (and thread ID) of the Apache process that handled the request.
Client: This records the IP address of the requesting client.
Description: This contains a description of the event.
Based on the log entry above, describe what happened.
On Wednesday, March 22, 2017 at 11:23:12.207022, the client with IP address 209.165.200.230 requested
a file named favicon.ico that does not exist. The file was expected at /var/www/apache/htdocs/favicon.ico,
and because it could not be found, Apache logged an error. Browsers request favicon.ico automatically, so an
isolated error of this kind is usually noise rather than a sign of an attack.
Use the cat command below to list a web server sample log file. The sample file is located at /var/log:
[analyst@secOps ~]$ cat /var/log/logstash-tutorial.log
83.149.9.216 - - [04/Jan/2015:05:13:42 +0000] "GET /presentations/logstash-monitorama-
2013/images/kibana-search.png HTTP/1.1" 200 203023
"http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0
(Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/32.0.1700.77 Safari/537.36"
83.149.9.216 - - [04/Jan/2015:05:13:42 +0000] "GET /presentations/logstash-monitorama-
2013/images/kibana-dashboard3.png HTTP/1.1" 200 171717
"http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0
(Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/32.0.1700.77 Safari/537.36"
83.149.9.216 - - [04/Jan/2015:05:13:44 +0000] "GET /presentations/logstash-monitorama-
2013/plugin/highlight/highlight.js HTTP/1.1" 200 26185
"http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0
(Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/32.0.1700.77 Safari/537.36"
<some output omitted>

Is the output above still considered a web transaction? Explain why the output of the cat command is in a
different format than the single entry shown in item (a).
Yes, these are web events. The fields are in a different order, but the GET request, the client IP address,
the references to a web browser and to HTTP/1.1 confirm that this is a web server log file. The format
differs because these are access log entries (the Combined Log Format: client, identity, user, timestamp,
request line, status, size, referrer, user agent), whereas the entry in item (a) came from the Apache error
log. The two logs are configured separately, and a service can be configured to record different fields in a
different order.
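To make the access log format concrete, here is an added example (it is not part of the Cisco lab) that triages Combined Log Format lines with awk, the way one would at the CyberOps CLI: a status code histogram, the clients responsible for repeated 404 responses (a quick indicator of path enumeration), and the request history of one client. The log lines are constructed for the example; the addresses 198.51.100.7 and 203.0.113.9, the request paths and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Cisco lab: triage of Combined Log Format
# access log lines with awk, as typed at the CyberOps CLI.
# SAMPLE_LOG is constructed for this example; the client addresses
# 198.51.100.7 / 203.0.113.9 and the request paths are made up.
set -eu

SAMPLE_LOG='83.149.9.216 - - [04/Jan/2015:05:13:42 +0000] "GET /presentations/kibana-search.png HTTP/1.1" 200 203023 "http://semicomplete.com/" "Mozilla/5.0"
83.149.9.216 - - [04/Jan/2015:05:13:44 +0000] "GET /presentations/highlight.js HTTP/1.1" 200 26185 "http://semicomplete.com/" "Mozilla/5.0"
198.51.100.7 - - [04/Jan/2015:05:14:01 +0000] "GET /admin/ HTTP/1.1" 404 169 "-" "curl/7.64.0"
198.51.100.7 - - [04/Jan/2015:05:14:01 +0000] "GET /wp-login.php HTTP/1.1" 404 169 "-" "curl/7.64.0"
198.51.100.7 - - [04/Jan/2015:05:14:02 +0000] "GET /.env HTTP/1.1" 404 169 "-" "curl/7.64.0"
127.0.0.1 - - [04/Jan/2015:05:15:10 +0000] "GET /favicon.ico HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Jan/2015:05:16:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Field layout under awk's default whitespace splitting:
#   $1 client IP, $4 $5 timestamp, $6 method, $7 path, $8 protocol,
#   $9 status, $10 bytes. A request path containing spaces shifts the
# fields, so every function only trusts lines whose $9 is a 3-digit code.

# status_histogram: one "<status> <count>" line per status code.
status_histogram() {
    printf '%s\n' "$SAMPLE_LOG" \
    | awk '$9 ~ /^[0-9][0-9][0-9]$/ { n[$9]++ } END { for (s in n) print s, n[s] }' \
    | sort
}

# clients_404 MIN: clients with at least MIN 404 responses, busiest first.
# A burst of 404s for paths like /admin/ or /.env from one source is the
# classic footprint of path enumeration.
clients_404() {
    printf '%s\n' "$SAMPLE_LOG" \
    | awk -v min="$1" '$9 == 404 { n[$1]++ }
                       END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' \
    | sort -k2,2nr -k1,1
}

# requests_by CLIENT: "<method> <path> <status>" for one client, to see what
# a suspicious source actually asked for.
requests_by() {
    printf '%s\n' "$SAMPLE_LOG" \
    | awk -v ip="$1" '$1 == ip && $9 ~ /^[0-9][0-9][0-9]$/ { print $6, $7, $9 }' \
    | tr -d '"'
}

status_histogram
echo '--- clients with 2 or more 404s'
clients_404 2
echo '--- requests from 198.51.100.7'
requests_by 198.51.100.7
```

Against a real file, replace the printf of SAMPLE_LOG with cat /var/log/nginx/access.log (under sudo); the awk programs are unchanged because nginx's default access log uses the same combined layout.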

Step 2: Operating system log file example


Any software can keep log files, including the operating system itself. Conventionally, Linux uses the /var/log
directory to store various log files, including operating system logs. Modern operating systems are complex
pieces of software and therefore use several different files to log events. This section takes a quick look at
the /var/log/messages file.
a. Stored under /var/log, the messages file stores various system events. The connection of a new USB drive,
a network card becoming available, and too many failed root login attempts are a few examples of
events logged to the /var/log/messages file. Use the more command to display the contents of the
/var/log/messages file. Unlike the cat command, more allows for paced navigation through the file.
Press ENTER to advance line-by-line or SPACE to advance an entire page. Press q or CTRL + C to
abort and exit more.
Note: the sudo command is required because the messages file belongs to the root user and is not
world-readable.
[analyst@secOps ~]$ sudo more /var/log/messages
[sudo] password for analyst:
Mar 20 08:34:38 secOps kernel: [6.149910] random: crng init done
Mar 20 08:34:40 secOps kernel: [8.280667] floppy0: no floppy controllers found
Mar 20 08:34:40 secOps kernel: [8.280724] work still pending
Mar 20 08:35:16 secOps kernel: [ 44.414695] hrtimer: interrupt took 5346452 ns
Mar 20 14:28:29 secOps kernel: [21239.566409] pcnet32 0000:00:03.0 enp0s3: link down
Mar 20 14:28:33 secOps kernel: [21243.404646] pcnet32 0000:00:03.0 enp0s3: link up,
100Mbps, full-duplex
Mar 20 14:28:35 secOps kernel: [21245.536961] pcnet32 0000:00:03.0 enp0s3: link down
Mar 20 14:28:43 secOps kernel: [21253.427459] pcnet32 0000:00:03.0 enp0s3: link up,
100Mbps, full-duplex
Mar 20 14:28:53 secOps kernel: [21263.449480] pcnet32 0000:00:03.0 enp0s3: link down
Mar 20 14:28:57 secOps kernel: [21267.500152] pcnet32 0000:00:03.0 enp0s3: link up,
100Mbps, full-duplex
Mar 20 14:29:01 secOps kernel: [21271.551499] pcnet32 0000:00:03.0 enp0s3: link down


Mar 20 14:29:05 secOps kernel: [21275.389707] pcnet32 0000:00:03.0 enp0s3: link up,
100Mbps, full-duplex
Mar 22 06:01:40 secOps kernel: [0.000000] Linux version 4.8.12-2-ARCH
(builduser@andyrtr) (gcc version 6.2.1 20160830 (GCC) ) #1 SMP PREEMPT Fri Dec 2
20:41:47 CET 2016
Mar 22 06:01:40 secOps kernel: [0.000000] x86/fpu: Supporting XSAVE feature 0x001:
'x87 floating point registers'
Mar 22 06:01:40 secOps kernel: [0.000000] x86/fpu: Supporting XSAVE feature 0x002:
'SSE registers'
Mar 22 06:01:40 secOps kernel: [0.000000] x86/fpu: Supporting XSAVE feature 0x004:
'AVX registers'
Mar 22 06:01:40 secOps kernel: [0.000000] x86/fpu: xstate_offset[2]: 576,
xstate_sizes[2]: 256
Mar 22 06:01:40 secOps kernel: [0.000000] x86/fpu: Enabled xstate features 0x7,
context size is 832 bytes, using 'standard' format.
Mar 22 06:01:40 secOps kernel: [0.000000] x86/fpu: Using 'eager' FPU context switches.
<some output omitted>
Notice that the events listed above are very different from the web server events. Because the operating
system itself is generating this log, all recorded events are in relation to the OS itself.
b. If necessary, enter Ctrl + C to exit out of the previous command.
c. Log files are very important for troubleshooting. Assume that a user of that specific system reported that
all network operations were slow around 2:30pm. Can you find evidence of that in the log entries shown
above? If so in what lines? Explain.
Yes. In the entries from Mar 20 14:28:29 through 14:29:05, the network card enp0s3 was flapping: the
pcnet32 driver reports link down, link up, link down, and so on every few seconds. Each flap drops the
connection, so network operations would stall repeatedly, and the timestamps match the 2:30pm report.
Note that the bracketed kernel timestamps are seconds since boot, not wall-clock time; the syslog timestamp
at the start of each line is the one to correlate with the user's report.
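As an added example (not part of the lab), the check just done by eye can be scripted: the functions below parse syslog-style kernel lines like the pcnet32 ones, build a link-state timeline per interface and report interfaces that went down at least MIN times within WINDOW seconds. The sample lines are constructed to mirror the output above (the enp0s8/e1000 lines are invented), the function names are the example's own, and the script assumes all events fall on the same day because the syslog timestamp carries no year and month and day are ignored when converting HH:MM:SS to seconds.

```shell
#!/bin/sh
# Added example, not part of the Cisco lab: detect link flapping in
# syslog-style kernel messages (the /var/log/messages layout shown above).
# SAMPLE_MESSAGES is constructed for the example: the enp0s3/pcnet32 lines
# mirror the lab output, the enp0s8/e1000 lines are invented. The script
# assumes all lines fall on the same day: the syslog timestamp has no year
# and month/day are ignored when converting HH:MM:SS to seconds.
set -eu

SAMPLE_MESSAGES='Mar 20 08:35:16 secOps kernel: [   44.414695] hrtimer: interrupt took 5346452 ns
Mar 20 14:28:29 secOps kernel: [21239.566409] pcnet32 0000:00:03.0 enp0s3: link down
Mar 20 14:28:33 secOps kernel: [21243.404646] pcnet32 0000:00:03.0 enp0s3: link up, 100Mbps, full-duplex
Mar 20 14:28:35 secOps kernel: [21245.536961] pcnet32 0000:00:03.0 enp0s3: link down
Mar 20 14:28:43 secOps kernel: [21253.427459] pcnet32 0000:00:03.0 enp0s3: link up, 100Mbps, full-duplex
Mar 20 14:28:53 secOps kernel: [21263.449480] pcnet32 0000:00:03.0 enp0s3: link down
Mar 20 14:28:57 secOps kernel: [21267.500152] pcnet32 0000:00:03.0 enp0s3: link up, 100Mbps, full-duplex
Mar 20 15:10:02 secOps kernel: [23732.100000] e1000 0000:00:08.0 enp0s8: link down
Mar 20 17:40:02 secOps kernel: [32732.100000] e1000 0000:00:08.0 enp0s8: link up'

# link_events IFACE: "<HH:MM:SS> <down|up>" timeline for one interface.
# The interface is the token ending in ":" right before the word "link";
# a trailing comma ("up,") is stripped from the state.
link_events() {
    printf '%s\n' "$SAMPLE_MESSAGES" \
    | awk -v ifc="$1:" '{
        for (i = 1; i < NF; i++)
            if ($i == ifc && $(i + 1) == "link") {
                state = $(i + 2); sub(/,$/, "", state); print $3, state
            }
      }'
}

# flapping_interfaces MIN WINDOW: interfaces with at least MIN "link down"
# events whose first and last down lie within WINDOW seconds. Prints
# "<iface> <downs> <first> <last>", one per line, sorted by interface.
flapping_interfaces() {
    printf '%s\n' "$SAMPLE_MESSAGES" \
    | awk -v min="$1" -v win="$2" '
        /kernel:/ && / link down/ {
            split($3, t, ":"); secs = t[1] * 3600 + t[2] * 60 + t[3]
            iface = ""
            for (i = 2; i < NF; i++)
                if ($i == "link" && $(i + 1) == "down") iface = $(i - 1)
            if (iface == "") next
            sub(/:$/, "", iface)
            downs[iface]++
            if (!(iface in first)) { first[iface] = secs; ftime[iface] = $3 }
            last[iface] = secs; ltime[iface] = $3
        }
        END {
            for (ifc in downs)
                if (downs[ifc] >= min && last[ifc] - first[ifc] <= win)
                    print ifc, downs[ifc], ftime[ifc], ltime[ifc]
        }' \
    | sort
}

echo '--- enp0s3 timeline'
link_events enp0s3
echo '--- interfaces that went down 2+ times within 60 s'
flapping_interfaces 2 60
```

The single enp0s8 down/up pair hours apart is reported only when MIN is 1, which is the point of the threshold: one transition is a cable or reboot, a cluster of them within a minute is the outage the user felt.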

Part 9: Locating Log Files in Unknown Systems


The CyberOps Workstation VM includes nginx, a lightweight web server. This section will show how to
find and display nginx logs using the CyberOps Workstation VM.
Note: nginx was installed on the CyberOps Workstation VM with its default settings. With default settings,
its global configuration file is located under /etc/nginx/nginx.conf, its access log file is at
/var/log/nginx/access.log, and errors are redirected to the terminal window. However, it is common for a
security analyst to work on computers on which the installation details of tools and services are unknown.
This section describes the process of locating such files for nginx; it is by no means complete, but it
should be a good exercise in locating and displaying log files on unfamiliar systems.
a. When working with new software, the first step is to look at the documentation. It provides important
information about the software, including information about its log files. Use the man command to display
the nginx manual page:
[analyst@secOps ~]$ man nginx
NGINX(8) BSD System Manager's Manual
NGINX(8)

NAME
nginx — HTTP and reverse proxy server, mail proxy server


SYNOPSIS
nginx [-?hqTtVv] [-c file] [-g directives] [-p prefix] [-s signal]

DESCRIPTION
nginx (pronounced “engine x”) is an HTTP and reverse proxy server, as well as a mail proxy
server. It is known for its high performance, stability, rich feature set, simple configuration,
and low resource consumption.
<some output omitted>

b. Scroll down the page to locate the nginx logging section. The documentation makes it clear that nginx
supports logging, with the location of its log files defined at compilation time.
[PARTIAL OUTPUT EXTRACTED FROM NGINX MANUAL PAGE]

DEBUGGING LOG
To enable a debugging log, reconfigure nginx to build with debugging:

./configure --with-debug ...

and then set the debug level of the error_log:

error_log /path/to/log debug;

It is also possible to enable the debugging for a particular IP address:

events {
debug_connection 127.0.0.1;
}

c. The manual page also contains information on the files used by nginx. Scroll down further to display the
nginx operating files under the Files section:
FILES
%%PID_PATH%%
Contains the process ID of nginx. The contents of this file are
not sensitive, so it can be world-readable.

%%CONF_PATH%%
The main configuration file.

%%ERROR_LOG_PATH%%
Error log file.

The outputs above help you to conclude that nginx supports logging and that it can save to log files. The
output also hints at the existence of a configuration file for nginx.


d. Before looking for nginx files, use the ps and the grep commands to ensure nginx is running in the VM.
Note: Use man to learn more about ps and grep commands.
[analyst@secOps ~]$ ps ax | grep nginx
415 ? Ss 0:00 nginx: master process /usr/bin/nginx -g pid /run/nginx.pid; error_log stderr;
416 ? S 0:00 nginx: worker process
1207 pts/0 S+ 0:00 grep nginx

The output above confirms that nginx is running. In addition, the output also displays the parameters used
when nginx was started: the nginx process ID is being stored in /run/nginx.pid and error messages are being
redirected to the terminal (error_log stderr).
Note: If nginx is not running, enter sudo /usr/sbin/nginx at the prompt to start the service using the
default configuration.
Note: If you need to restart nginx, you can kill the service by using the sudo pkill nginx command. To
start nginx with the custom configuration from a previous lab, run the following command: sudo nginx -c
custom_server.conf, and test the server by opening a web browser and going to URL: 127.0.0.1:8080. If
you wish to start nginx with a default configuration you can start it with the command: sudo
/usr/sbin/nginx, and open a web browser and go to URL: 127.0.0.1.
Because the location of the access log was not specified on the command line (only the error log was, and it
goes to the terminal), the global nginx configuration file should be checked for the location of the log files.
e. By design, the CyberOps Workstation VM utilizes default locations and definitions as much as possible.
Conventionally, the /var/log directory holds the log files of various applications and services, while
configuration files are stored under the /etc directory. While the nginx manual page did not provide an
exact location for its log files, it not only confirmed that nginx supports logging but also hinted at the
location of a configuration file. Because log file locations can often be customized in configuration
files, a logical next step is to use the ls command to look under /etc for an nginx configuration file:
[analyst@secOps ~]$ ls /etc/
adjtime host.conf mke2fs.conf rc_maps.cfg
apache-ant hostname mkinitcpio.conf request-key.conf
apparmor.d hosts mkinitcpio.d request-key.d
arch-release ifplugd modprobe.d resolv.conf
avahi initcpio modules-load.d resolvconf.conf
bash.bash_logout inputrc motd rpc
bash.bashrc iproute2 mtab rsyslog.conf
binfmt.d iptables nanorc securetty
ca-certificates issue netconfig security
crypttab java-7-openjdk netctl services
dbus-1 java-8-openjdk netsniff-ng shadow
default kernel nginx shadow-
depmod.d krb5.conf nscd.conf shells
dhcpcd.conf ld.so.cache nsswitch.conf skel
dhcpcd.duid ld.so.conf ntp.conf ssh
dkms ld.so.conf.d openldap ssl
drirc libnl openvswitch sudoers

elasticsearch libpaper.d os-release sudoers.d
environment lightdm pacman.conf sudoers.pacnew
ethertypes locale.conf pacman.conf.pacnew sysctl.d
<output omitted>

f. Notice the nginx folder under /etc in the output above. Using ls again, we find a number of files, including
one named nginx.conf.
[analyst@secOps ~]$ ls -l /etc/nginx/
total 48
-rw-r--r-- 1 root root 2730 Mar 21 16:02 custom_server.conf
-rw-r--r-- 1 root root 1077 Nov 18 15:14 fastcgi.conf
-rw-r--r-- 1 root root 1007 Nov 18 15:14 fastcgi_params
-rw-r--r-- 1 root root 2837 Nov 18 15:14 koi-utf
-rw-r--r-- 1 root root 2223 Nov 18 15:14 koi-win
-rw-r--r-- 1 root root 2743 Jan 6 15:41 mal_server.conf
-rw-r--r-- 1 root root 3957 Nov 18 15:14 mime.types
-rw-r--r-- 1 root root 3264 Mar 22 13:34 nginx.conf
-rw-r--r-- 1 root root 3261 Oct 19 16:42 nginx.conf.working
-rw-r--r-- 1 root root 636 Nov 18 15:14 scgi_params
-rw-r--r-- 1 root root 664 Nov 18 15:14 uwsgi_params
-rw-r--r-- 1 root root 3610 Nov 18 15:14 win-utf

g. Use the cat command to list the contents of /etc/nginx/nginx.conf. You can also use more or less to view
the file and nano or SciTE to edit it. These tools make it easier to navigate through long text files (only
the output of cat is displayed below).
[analyst@secOps ~]$ cat /etc/nginx/nginx.conf
#user html;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;

events {
worker_connections 1024;
}

<some output omitted>

Note: Lines that start with ‘#’ are comments and are ignored by nginx.
h. A quick look at the configuration file reveals that it is an nginx configuration file. Because there is no direct
mention of the location of nginx log files (the error_log and pid lines are commented out), it is very likely that
nginx is using default values for them. Following the convention of storing log files under /var/log, use the ls
command to list its contents:
[analyst@secOps ~]$ ls -l /var/log/


total 5708
-rw-r----- 1 root log 188962 Apr 19 10:35 auth.log
-rw-rw---- 1 root utmp 384 Apr 19 10:05 btmp
-rw-rw---- 1 root utmp 1536 Mar 22 08:50 btmp.1
-rw-r----- 1 root log 849038 Apr 19 10:05 daemon.log
-rw-r----- 1 root log 4416 Apr 19 09:45 errors.log
-rw-r----- 1 root log 1819814 Apr 19 10:05 everything.log
-rw------- 1 root root 32032 Apr 19 10:05 faillog
drwxr-sr-x+ 4 root systemd-journal 4096 Mar 20 15:28 journal
-rw-r----- 1 root log 927701 Apr 19 09:45 kernel.log
-rw-rw-r-- 1 root utmp 292292 Mar 26 11:03 lastlog
drwx--x--x 2 root lightdm 4096 Apr 19 09:45 lightdm
-rw-r--r-- 1 analyst analyst 24464 Apr 19 10:05 logstash-tutorial.log
-rw-r----- 1 root log 1673153 Apr 19 10:05 messages
drwxr-xr-x 2 root root 4096 Apr 19 10:28 nginx
-rw-r--r-- 1 http root 989 Apr 19 10:05 nginx-logstash.log
drwxr-xr-x 2 root root 4096 Jan 5 14:17 old
-rw-r--r-- 1 root root 97655 Apr 17 12:52 pacman.log
drwxr-xr-x 2 snort snort 4096 Mar 26 11:03 snort
-rw-r----- 1 root log 563 Apr 19 09:45 syslog.log
-rw------- 1 root root 64064 Mar 26 11:03 tallylog
-rw-r----- 1 root log 216 Apr 17 13:04 user.log
-rw-rw-r-- 1 root utmp 70272 Apr 19 09:45 wtmp
-rw-r--r-- 1 root root 24756 Apr 19 09:45 Xorg.0.log
-rw-r--r-- 1 root root 25585 Apr 17 14:43 Xorg.0.log.old

i. As shown above, the /var/log directory has a subdirectory named nginx. Use the ls command again to
list the contents of /var/log/nginx.
Note: The log files inside /var/log/nginx are owned by the http user and the log group with mode 640, so
the analyst account cannot read them; execute ls (and, later, tail) as root by preceding the command with
sudo.
[analyst@secOps ~]$ sudo ls -l /var/log/nginx
[sudo] password for analyst:
total 20
-rw-r----- 1 http log 2990 Mar 22 11:20 access.log
-rw-r----- 1 http log 141 Feb 28 15:57 access.log.1.gz

These are very likely to be the log files in use by nginx. Move on to the next section to monitor these files
and get confirmation that they are indeed nginx log files.
Note: Your output may be different. The .gz log file above was generated by a log rotation service.
Linux systems often implement a service such as logrotate to rotate logs, ensuring that individual log files
do not become too large. The log rotation service takes the latest log file, compresses it and saves it under
a different name (access.log.1.gz, access.log.2.gz, etc.). A new empty main log file is then created and
used to store the latest log entries.
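Documentation and configuration files can both be silent or out of date; the one source that cannot be stale is the list of files the running process actually has open. As an added example (not part of the Cisco lab), the script below reads /proc/PID/fd, the same information lsof -p PID shows where lsof is installed, and filters for log-looking paths. On the VM you would call it with the PID stored in /run/nginx.pid, under sudo, because another user's descriptors are not readable. The function names are the example's own; the /proc layout is the real one.

```shell
#!/bin/sh
# Added example, not part of the Cisco lab: when neither the manual page nor
# the configuration file states where a service writes its logs, ask the
# kernel which files the running process has open. This is the /proc
# counterpart of "lsof -p PID". /run/nginx.pid is the PID file shown in the
# ps output of this lab; the function names are the example's own.
set -eu

# open_files PID: print the target of every file descriptor of PID that is a
# filesystem path. Pipes, sockets and anonymous inodes show up as
# "pipe:[...]", "socket:[...]" or "anon_inode:..." and are dropped.
# Reading another user's /proc/PID/fd needs root, hence sudo on the VM.
open_files() {
    pid="$1"
    for fd in /proc/"$pid"/fd/*; do
        [ -L "$fd" ] || continue                 # no match or no permission
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            /*) printf '%s\n' "$target" ;;
            *)  ;;                               # not a filesystem path
        esac
    done | sort -u
}

# open_logs PID: the subset of open_files whose path looks like a log file,
# by living under /var/log or by ending in ".log". A file rotated away while
# still open is reported with " (deleted)" appended; its contents stay
# readable through /proc/PID/fd/N until the process closes it.
open_logs() {
    open_files "$1" | grep -E '(^/var/log/|\.log( \(deleted\))?$)' || true
}

# Usage on the CyberOps VM (root is needed for nginx's descriptors):
#   sudo sh this_script.sh "$(cat /run/nginx.pid)"
if [ -n "${1:-}" ]; then
    open_logs "$1"
fi
```

Run it against the nginx master and each worker PID from ps ax | grep nginx: every process that writes the log holds it open, and a " (deleted)" entry is the tell-tale of a log that was rotated or removed out from under a process that never reopened it, which matters both for forensics and when a disk fills up with files that no longer appear in ls.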


Part 10: Monitoring Log files in Real Time


As seen in the previous sections, log files can be displayed with many text-presentation tools. While cat,
more, less, and nano can be used to work with log files, they are not suitable for real-time log file monitoring.
Developers designed various tools that allow for real-time log file monitoring. Some tools are text-based while
others have a graphical interface. This lab focuses on tail, a simple but efficient tool, available in practically
every Unix-based system.
The CyberOps Workstation VM uses a log rotation scheme to ensure that old logs are archived. By the time
this lab is used in class, some time will have passed and the log files have probably been rotated. As a
result, some log files, including access.log, may appear empty. To work around this and generate a few
entries in access.log, simply open Firefox in the VM, browse to 127.0.0.1 and reload the page a few times.

Step 1: Using the tail command


The tail command displays the end of a text file. By default, tail will display the last ten (10) lines of a text file.
a. Use the tail command to display the end of the /var/log/nginx/access.log.
[analyst@secOps ~]$ sudo tail /var/log/nginx/access.log
[sudo] password for analyst:
127.0.0.1 - - [21/May/2017:15:32:32 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/May/2017:15:32:34 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/May/2017:15:32:41 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/May/2017:15:32:41 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/May/2017:15:32:44 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:11:20:27 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:12:49:26 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:12:49:50 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:12:49:53 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:13:01:55 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
[analyst@secOps ~]$

b. Use the -n option to specify how many lines from the end of a file tail should display.
[analyst@secOps ~]$ sudo tail -n 5 /var/log/nginx/access.log
127.0.0.1 - - [22/May/2017:11:20:27 -0400] "GET /favicon.ico HTTP/1.1" 404
169 "-" "Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:12:49:26 -0400] "GET / HTTP/1.1" 304 0 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"

127.0.0.1 - - [22/May/2017:12:49:50 -0400] "GET / HTTP/1.1" 304 0 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:12:49:53 -0400] "GET / HTTP/1.1" 200 612 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/May/2017:13:01:55 -0400] "GET /favicon.ico HTTP/1.1" 404
169 "-" "Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
[analyst@secOps ~]$

c. You can use the tail command with the -f option to monitor the nginx access.log in real time. Short for
follow, -f tells tail to continuously display the end of a given text file. In a terminal window, issue tail with
the -f option:
[analyst@secOps log]$ sudo tail -f /var/log/nginx/access.log
[sudo] password for analyst:
127.0.0.1 - - [21/Mar/2017:15:32:32 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/Mar/2017:15:32:34 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/Mar/2017:15:32:41 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/Mar/2017:15:32:41 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [21/Mar/2017:15:32:44 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/Mar/2017:11:20:27 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/Mar/2017:12:49:26 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/Mar/2017:12:49:50 -0400] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/Mar/2017:12:49:53 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"
127.0.0.1 - - [22/Mar/2017:13:01:55 -0400] "GET /favicon.ico HTTP/1.1" 404 169 "-"
"Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"

As before, tail displays the last 10 lines of the file. However, notice that tail does not exit after displaying
the lines; the command prompt is not visible, indicating that tail is still running.
Note: Your /var/log/nginx/access.log file may be empty due to log rotation. Continue following the lab, as an
empty /var/log/nginx/access.log file will not impact the lab. Be aware that tail -f follows the open file
descriptor, so after a rotation renames the file it silently keeps reading the old one; on a system that rotates
logs while you watch, tail -F (follow by name and retry) is the safer choice.
d. With tail still running on the terminal window, click the web browser icon on the Dock to open a web
browser window. Re-size the web browser window in a way that it allows you to see the bottom of the
terminal window where tail is still running.


Note: In the screenshot below, the Enter key was pressed a few times in the terminal window running tail.
This is for visualization only as tail does not process any input while running with –f. The extra empty
lines make it easier to detect new entries, as they are displayed at the bottom of the terminal window.

e. In the web browser address bar, enter 127.0.0.1 and press Enter. This is the address of the VM itself,
which tells the browser to connect to a web server running on the local computer. A new entry should be
recorded in the /var/log/nginx/access.log file. Refresh the webpage to see new entries added to the log.
127.0.0.1 - - [23/Mar/2017:09:48:36 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0
(X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0"

Because tail is still running, it should display the new entry at the bottom of the terminal window. Aside
from the timestamp, your entry should look like the one above.
Note: Firefox stores pages in its cache for future use. If a page is already cached, force Firefox to ignore
the cache and send the web request again by reloading the page with <CTRL+SHIFT+R>.
f. Because the log file is being updated by nginx, we can state with certainty that /var/log/nginx/access.log is
in fact the log file in use by nginx.
g. Enter Ctrl + C to end the tail monitoring session.

Step 2: BONUS TOOL: Journalctl


The CyberOps Workstation VM is based on Arch Linux. Categorized as a Linux distribution, Arch Linux is
designed to be lightweight, minimalist and simple. As part of this design philosophy, Arch Linux uses systemd
as its init system. In Linux, the init process is the first process loaded when the computer boots. Init is, directly
or indirectly, the parent of all processes running on the system. It is started by the kernel at boot time and
continues to run until the computer shuts down. Typically, init has the process ID 1.
An init system is a set of rules and conventions governing the way the user space in a given Linux system is
created and made available to the user. Init systems also specify system-wide parameters such as global
configuration files, logging structure and service management.
Systemd is a modern init system designed to unify Linux configuration and service behavior across all Linux
distributions and has been increasingly adopted by major Linux distributions. Arch Linux relies on systemd for
init functionality. The CyberOps Workstation VM also uses systemd.


systemd-journald (or simply journald) is systemd's event logging service and uses append-only binary files
as its log files. Note that journald does not preclude the use of other logging systems such as syslog
and rsyslog; on the CyberOps VM the binary journal and the text files under /var/log exist side by side.
This section provides a brief overview of journalctl, a journald utility used for log viewing and real-time
monitoring.
a. In a terminal window in the CyberOps Workstation VM, issue the journalctl command with no options to
display all journal log entries (it can be quite long):
[analyst@secOps ~]$ journalctl
Hint: You are currently not seeing messages from other users and the system.
Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
Pass -q to turn off this notice.
-- Logs begin at Fri 2014-09-26 14:13:12 EDT, end at Fri 2017-03-31 09:54:58 EDT
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Starting Paths.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Reached target Paths.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Starting Timers.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Reached target Timers.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Starting Sockets.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Reached target Sockets.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Starting Basic System.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Reached target Basic System.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Starting Default.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Reached target Default.
Sep 26 14:13:12 dataAnalyzer systemd[1087]: Startup finished in 18ms.
Sep 26 14:14:24 dataAnalyzer systemd[1087]: Stopping Default.
<some output omitted>

The output begins with a line similar to the one below, marking the timestamp where the system started
logging. Notice that the timestamps will vary from system to system.
-- Logs begin at Fri 2014-09-26 13:22:51 EDT, end at Fri 2017-03-31 10:12:19 EDT. --
journalctl includes a number of functionalities such as page scrolling, color-coded messages and more.
Use the keyboard up/down arrow keys to scroll up/down the output, one line at a time. Use the left/right
keyboard arrow keys to scroll sideways and display log entries that span beyond the boundaries of the
terminal window. The <ENTER> key displays the next line while the space bar displays the next page in
the output. Press the q key to exit journalctl.
Notice the hint message provided by journalctl:
Hint: You are currently not seeing messages from other users and the system.
Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
Pass -q to turn off this notice.

This message reminds you that, because analyst is a regular user and not a member of the adm,
systemd-journal or wheel groups, not all log entries will be displayed by journalctl. It also states that
running journalctl with the -q option suppresses the hint message.


How can you run journalctl and see all log entries?
Running journalctl as root displays all entries; to do so, prefix the command with sudo: sudo journalctl.
The least-privilege alternative is to add the analyst account to the systemd-journal group
(sudo usermod -aG systemd-journal analyst, effective at the next login), which grants read access to the
whole journal without granting root.

b. journalctl includes options to help in filtering the output. Use the -b option to display only the entries
from the current boot:
[analyst@secOps ~]$ sudo journalctl -b
-- Logs begin at Fri 2014-09-26 13:22:51 EDT, end at Fri 2017-03-31 10:18:04 EDT. --
Mar 31 05:54:43 secOps systemd-journald[169]: Time spent on flushing to /var is 849us
for 0 entries.
Mar 31 05:54:43 secOps kernel: Linux version 4.8.12-2-ARCH (builduser@andyrtr) (gcc
version 6.2.1 20160830 (GCC) ) #1 SMP PREEM
Mar 31 05:54:43 secOps kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating
point registers'
Mar 31 05:54:43 secOps kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE
registers'
Mar 31 05:54:43 secOps kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX
registers'
Mar 31 05:54:43 secOps kernel: x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
Mar 31 05:54:43 secOps kernel: x86/fpu: Enabled xstate features 0x7, context size is
832 bytes, using 'standard' format.
Mar 31 05:54:43 secOps kernel: x86/fpu: Using 'eager' FPU context switches.
Mar 31 05:54:43 secOps kernel: e820: BIOS-provided physical RAM map:
Mar 31 05:54:43 secOps kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff]
usable
Mar 31 05:54:43 secOps kernel: BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff]
reserved
Mar 31 05:54:43 secOps kernel: BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff]
reserved
Mar 31 05:54:43 secOps kernel: BIOS-e820: [mem 0x0000000000100000-0x000000007ffeffff]
usable
<some output omitted>

c. To see entries from the previous boot, add -1 to the -b option (journalctl -b -1). Each further negative
offset steps one boot further back, so -b -2 selects the boot before the previous one:
[analyst@secOps ~]$ sudo journalctl -b -2
-- Logs begin at Fri 2014-09-26 13:22:51 EDT, end at Fri 2017-03-31 10:21:03 EDT. --
Mar 22 09:35:11 secOps systemd-journald[181]: Time spent on flushing to /var is
4.204ms for 0 entries.
Mar 22 09:35:11 secOps kernel: Linux version 4.8.12-2-ARCH (builduser@andyrtr) (gcc
version 6.2.1 20160830 (GCC) ) #1 SMP PREEM
Mar 22 09:35:11 secOps kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating
point registers'
Mar 22 09:35:11 secOps kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE
registers'
Mar 22 09:35:11 secOps kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX
registers'

Mar 22 09:35:11 secOps kernel: [0.000000] x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
Mar 22 09:35:11 secOps kernel: x86/fpu: Enabled xstate features 0x7, context size is
832 bytes, using 'standard' format.
Mar 22 09:35:11 secOps kernel: x86/fpu: Using 'eager' FPU context switches.
Mar 22 09:35:11 secOps kernel: e820: BIOS-provided physical RAM map:
Mar 22 09:35:11 secOps kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff]
usable
Mar 22 09:35:11 secOps kernel: BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff]
reserved
Mar 22 09:35:11 secOps kernel: BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff]
reserved
Mar 22 09:35:11 secOps kernel: BIOS-e820: [mem 0x0000000000100000-0x000000007ffeffff]
usable
Mar 22 09:35:11 secOps kernel: BIOS-e820: [mem 0x000000007fff0000-0x000000007fffffff]
ACPI data
Mar 22 09:35:11 secOps kernel: BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff]
reserved
Mar 22 09:35:11 secOps kernel: BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff]
reserved
<some output omitted>

d. Use the --list-boots option to list previous boots:


[analyst@secOps ~]$ sudo journalctl --list-boots
-144 fbef03a1b59c40429f3e083613ab775a Fri 2014-09-26 13:22:51 EDT—Fri 2014-09-26
14:05:00 EDT
-143 69ebae646d6b41f0b3de9401cb3aa591 Fri 2014-09-26 14:05:07 EDT—Fri 2014-09-26
20:35:29 EDT
-142 73a305f65dea41e787b164411dfc6750 Fri 2014-09-26 20:35:34 EDT—Fri 2014-09-26
20:52:22 EDT
-141 48a113d5d2f44979a849c9c0d9ecdfa2 Fri 2014-09-26 20:52:33 EDT—Fri 2014-09-26
21:08:35 EDT
-140 002af74c3fc44008a882384f546c438d Fri 2014-09-26 21:08:45 EDT—Fri 2014-09-26
21:16:39 EDT
-139 f3ca1d06495c4e26b367e6867f03374c Fri 2014-09-26 21:16:47 EDT—Fri 2014-09-26
21:50:19 EDT
-138 bd232f288e544a79aa3bc444e02185a8 Fri 2014-09-26 21:50:28 EDT—Fri 2014-09-26
22:33:13 EDT
-137 2097c11f249c431aa8ad8da31a5b26d1 Fri 2014-09-26 22:40:39 EDT—Fri 2014-09-26
23:55:46 EDT
-136 b24d5e718a724b18b352e9b2daed3db6 Sat 2014-09-27 10:57:32 EDT—Sat 2014-09-27
14:26:43 EDT
-135 5a189fc68352484a8b40cd719ff7dd41 Sat 2014-09-27 19:44:23 EDT—Sat 2014-09-27
22:50:24 EDT
-134 d0be08c1f26642a1a20bb70bfc7b722c Mon 2014-09-29 09:17:14 EDT—Mon 2014-09-29
12:12:10 EDT
-133 b00b0d4c07464071b0d3cac4eb79dda3 Mon 2014-09-29 12:39:12 EDT—Mon 2014-09-29
13:24:38 EDT
<some output omitted>

e. Use the --since "<time range>" option to specify the time range for which log entries should be displayed.
The two commands below display all log entries generated in the last two hours and in the last day,
respectively:
[analyst@secOps ~]$ sudo journalctl --since "2 hours ago"
-- Logs begin at Fri 2014-09-26 13:22:51 EDT, end at Fri 2017-03-31 10:28:29 EDT. --
Mar 31 09:54:45 secOps kernel: 00:00:00.008577 main 5.1.10 r112026 started.
Verbose level = 0
Mar 31 09:54:45 secOps systemd[1]: Time has been changed
Mar 31 09:54:45 secOps systemd[1]: Started Rotate log files.
Mar 31 09:54:45 secOps ovsdb-server[263]: 2017-03-
31T13:54:45Z|00001|ovsdb_server|INFO|ovsdb-server (Open vSwitch) 2.6.1
Mar 31 09:54:45 secOps ovsdb-server[263]: ovs|00001|ovsdb_server|INFO|ovsdb-server
(Open vSwitch) 2.6.1
Mar 31 09:54:45 secOps kernel: openvswitch: Open vSwitch switching datapath
Mar 31 09:54:45 secOps systemd[1]: Started Open vSwitch Daemon.
Mar 31 09:54:45 secOps dhcpcd[279]: enp0s3: soliciting an IPv6 router
Mar 31 09:54:45 secOps ovs-vswitchd[319]: 2017-03-
31T13:54:45Z|00001|ovs_numa|INFO|Discovered 1 CPU cores on NUMA node 0
Mar 31 09:54:45 secOps ovs-vswitchd[319]: 2017-03-
31T13:54:45Z|00002|ovs_numa|INFO|Discovered 1 NUMA nodes and 1 CPU cores
Mar 31 09:54:45 secOps ovs-vswitchd[319]: ovs|00001|ovs_numa|INFO|Discovered 1 CPU
cores on NUMA node 0
Mar 31 09:54:45 secOps ovs-vswitchd[319]: ovs|00002|ovs_numa|INFO|Discovered 1 NUMA
nodes and 1 CPU cores
Mar 31 09:54:45 secOps ovs-vswitchd[319]: 2017-03-
31T13:54:45Z|00003|reconnect|INFO|unix:/run/openvswitch/db.sock: connecting..
Mar 31 09:54:45 secOps ovs-vswitchd[319]: 2017-03-
31T13:54:45Z|00004|reconnect|INFO|unix:/run/openvswitch/db.sock: connected
Mar 31 09:54:45 secOps ovs-vswitchd[319]:
ovs|00003|reconnect|INFO|unix:/run/openvswitch/db.sock: connecting...
Mar 31 09:54:45 secOps ovs-vswitchd[319]:
ovs|00004|reconnect|INFO|unix:/run/openvswitch/db.sock: connected
Mar 31 09:54:45 secOps ovs-vswitchd[319]: 2017-03-
31T13:54:45Z|00005|ovsdb_idl|WARN|Interface table in Open_vSwitch database la
Mar 31 09:54:45 secOps ovs-vswitchd[319]: 2017-03-
31T13:54:45Z|00006|ovsdb_idl|WARN|Mirror table in Open_vSwitch database lacks
<some output omitted>

[analyst@secOps ~]$ sudo journalctl --since "1 day ago"


-- Logs begin at Fri 2014-09-26 13:22:51 EDT, end at Fri 2017-03-31 10:26:48 EDT. --
Mar 30 05:54:43 secOps systemd-journald[169]: Time spent on flushing to /var is 849us
for 0 entries.
Mar 30 05:54:43 secOps kernel: Linux version 4.8.12-2-ARCH (builduser@andyrtr) (gcc
version 6.2.1 20160830 (GCC) ) #1 SMP PREEM
Mar 30 05:54:43 secOps kernel: x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating
point registers'
Mar 30 05:54:43 secOps kernel: x86/fpu: Supporting XSAVE feature 0x002: 'SSE
registers'
Mar 30 05:54:43 secOps kernel: x86/fpu: Supporting XSAVE feature 0x004: 'AVX
registers'
Mar 30 05:54:43 secOps kernel: x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256
Mar 31 05:54:43 secOps kernel: x86/fpu: Enabled xstate features 0x7, context size is
832 bytes, using 'standard' format.
Mar 30 05:54:43 secOps kernel: x86/fpu: Using 'eager' FPU context switches.
Mar 30 05:54:43 secOps kernel: e820: BIOS-provided physical RAM map:
Mar 30 05:54:43 secOps kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff]
usable
Mar 30 05:54:43 secOps kernel: BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff]
reserved
Mar 30 05:54:43 secOps kernel: BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff]
reserved
<some output omitted>

f. journalctl also allows for displaying log entries related to a specific service with the -u option. The
command below displays log entries related to nginx:
[analyst@secOps ~]$ sudo journalctl -u nginx.service
-- Logs begin at Fri 2014-09-26 13:22:51 EDT, end at Fri 2017-03-31 10:30:39 EDT. --
Oct 19 16:47:57 secOps systemd[1]: Starting A high performance web server and a
reverse proxy server...
Oct 19 16:47:57 secOps nginx[21058]: 2016/10/19 16:47:57 [warn] 21058#21058:
conflicting server name "localhost" on 0.0.0.0:80,
Oct 19 16:47:57 secOps systemd[1]: nginx.service: PID file /run/nginx.pid not readable
(yet?) after start: No such file or dire
Oct 19 16:47:57 secOps systemd[1]: Started A high performance web server and a reverse
proxy server.
Oct 19 17:40:09 secOps nginx[21058]: 2016/10/19 17:40:09 [error] 21060#21060: *1
open() "/usr/share/nginx/html/favicon.ico" fai
Oct 19 17:40:09 secOps nginx[21058]: 2016/10/19 17:40:09 [error] 21060#21060: *1
open() "/usr/share/nginx/html/favicon.ico" fai
Oct 19 17:41:21 secOps nginx[21058]: 2016/10/19 17:41:21 [error] 21060#21060: *2
open() "/usr/share/nginx/html/favicon.ico" fai
Oct 19 17:41:21 secOps nginx[21058]: 2016/10/19 17:41:21 [error] 21060#21060: *2
open() "/usr/share/nginx/html/favicon.ico" fai
Oct 19 18:36:33 secOps systemd[1]: Stopping A high performance web server and a
reverse proxy server...
Oct 19 18:36:33 secOps systemd[1]: Stopped A high performance web server and a reverse
proxy server.
-- Reboot --
Oct 19 18:36:49 secOps systemd[1]: Starting A high performance web server and a
reverse proxy server...
Oct 19 18:36:49 secOps nginx[399]: 2016/10/19 18:36:49 [warn] 399#399: conflicting
server name "localhost" on 0.0.0.0:80, ignor
Oct 19 18:36:49 secOps systemd[1]: nginx.service: PID file /run/nginx.pid not readable
(yet?) after start: No such file or dire
Oct 19 18:36:49 secOps systemd[1]: Started A high performance web server and a reverse
proxy server.
<some output omitted>

Note: As part of systemd, services are described as units. Most service installation packages create units
and enable units during the installation process.
g. Similar to tail -f, journalctl also supports real-time monitoring. Use the -f option to instruct journalctl to
follow the log as new entries arrive. Press Ctrl + C to exit.
[analyst@secOps ~]$ sudo journalctl -f
[sudo] password for analyst:
-- Logs begin at Fri 2014-09-26 13:22:51 EDT. --
Mar 31 10:34:15 secOps filebeat[222]: 2017/03/31 14:34:15.077058 logp.go:232: INFO No
non-zero metrics in the last 30s
Mar 31 10:34:40 secOps sudo[821]: pam_unix(sudo:session): session closed for user root
Mar 31 10:34:45 secOps filebeat[222]: 2017/03/31 14:34:45.076057 logp.go:232: INFO No
non-zero metrics in the last 30s
Mar 31 10:35:15 secOps filebeat[222]: 2017/03/31 14:35:15.076118 logp.go:232: INFO No
non-zero metrics in the last 30s
Mar 31 10:35:45 secOps filebeat[222]: 2017/03/31 14:35:45.076924 logp.go:232: INFO No
non-zero metrics in the last 30s
Mar 31 10:36:15 secOps filebeat[222]: 2017/03/31 14:36:15.076060 logp.go:232: INFO No
non-zero metrics in the last 30s
Mar 31 10:36:45 secOps filebeat[222]: 2017/03/31 14:36:45.076122 logp.go:232: INFO No
non-zero metrics in the last 30s
Mar 31 10:37:15 secOps filebeat[222]: 2017/03/31 14:37:15.076801 logp.go:232: INFO No
non-zero metrics in the last 30s
Mar 31 10:37:30 secOps sudo[842]: analyst : TTY=pts/0 ; PWD=/home/analyst ; USER=root
; COMMAND=/usr/bin/journalctl -f
Mar 31 10:37:31 secOps sudo[842]: pam_unix(sudo:session): session opened for user root
by (uid=0)
<some output omitted>

h. journalctl also supports mixing options to achieve the desired filter set. The command below monitors
nginx system events in real time.
[analyst@secOps ~]$ sudo journalctl -u nginx.service -f
-- Logs begin at Fri 2014-09-26 13:22:51 EDT. --
Mar 23 10:08:41 secOps systemd[1]: Stopping A high performance web server and a
reverse proxy server...
Mar 23 10:08:41 secOps systemd[1]: Stopped A high performance web server and a reverse
proxy server.
-- Reboot --
Mar 29 11:28:06 secOps systemd[1]: Starting A high performance web server and a
reverse proxy server...
Mar 29 11:28:06 secOps systemd[1]: nginx.service: PID file /run/nginx.pid not readable
(yet?) after start: No such file or directory
Mar 29 11:28:06 secOps systemd[1]: Started A high performance web server and a reverse
proxy server.
Mar 29 11:31:45 secOps systemd[1]: Stopping A high performance web server and a
reverse proxy server...
Mar 29 11:31:45 secOps systemd[1]: Stopped A high performance web server and a reverse
proxy server.
-- Reboot --
Mar 31 09:54:51 secOps systemd[1]: Starting A high performance web server and a
reverse proxy server...
Mar 31 09:54:51 secOps systemd[1]: nginx.service: PID file /run/nginx.pid not readable
(yet?) after start: No such file or directory
Mar 31 09:54:51 secOps systemd[1]: Started A high performance web server and a reverse
proxy server.

i. Keep the command above running, open a new web browser window and type 127.0.0.1 (default
configuration) or 127.0.0.1:8080 (custom_server.conf) in the address bar. journalctl should display an
error related to a missing favicon.ico file in real-time:
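The journalctl output in step g shows that every sudo invocation is recorded with the invoking user, the target user and the full COMMAND= string. The following script, added here as an example and not part of the Cisco lab, extracts those records from journalctl-style lines so that privilege escalation on the host can be reviewed. JOURNAL_SAMPLE is constructed to match the line format shown above; on a real host the same functions read from `sudo journalctl` piped into them.

```shell
#!/bin/sh
# Added example, not part of the Cisco lab: pull sudo invocations out of
# journalctl-style output. The sample below is constructed to match the
# line format journalctl printed in step g:
#   sudo[PID]: user : TTY=... ; PWD=... ; USER=... ; COMMAND=...
JOURNAL_SAMPLE='Mar 31 10:34:15 secOps filebeat[222]: 2017/03/31 14:34:15.077058 logp.go:232: INFO No non-zero metrics in the last 30s
Mar 31 10:34:40 secOps sudo[821]: pam_unix(sudo:session): session closed for user root
Mar 31 10:37:30 secOps sudo[842]: analyst : TTY=pts/0 ; PWD=/home/analyst ; USER=root ; COMMAND=/usr/bin/journalctl -f
Mar 31 10:37:31 secOps sudo[842]: pam_unix(sudo:session): session opened for user root by (uid=0)
Mar 31 10:41:02 secOps sudo[901]: analyst : TTY=pts/1 ; PWD=/home/analyst ; USER=root ; COMMAND=/usr/bin/mount /dev/sdb1 /home/analyst/second_drive/
Mar 31 10:42:10 secOps sudo[915]: analyst : TTY=pts/1 ; PWD=/home/analyst/second_drive ; USER=root ; COMMAND=/usr/bin/chmod 777 myFile.txt'

# Read journal lines on stdin; print one tab-separated record per sudo
# invocation: timestamp, invoking user, target user, command.
# pam_unix session open/close lines carry no COMMAND= field and are skipped.
sudo_commands() {
    awk '
        $5 ~ /^sudo\[[0-9]+\]:$/ && /COMMAND=/ {
            ts = $1 " " $2 " " $3
            user = $6
            target = ""; cmd = ""
            # The record body is " ; "-separated key=value fields.
            n = split($0, part, / ; /)
            for (i = 1; i <= n; i++) {
                if (part[i] ~ /^USER=/)         target = substr(part[i], 6)
                else if (part[i] ~ /^COMMAND=/) cmd = substr(part[i], 9)
            }
            printf "%s\t%s\t%s\t%s\n", ts, user, target, cmd
        }'
}

# Number of sudo invocations in the input (avoids wc -l padding differences).
sudo_command_count() {
    sudo_commands | awk 'END { print NR }'
}

# Flag commands that make a file writable by every user: an octal chmod whose
# "other" digit has the write bit (2, 3, 6, 7) or a symbolic a+w / o+w.
# Such a change on a shared host is worth a second look during review.
world_writable_chmods() {
    sudo_commands | awk -F '\t' '
        $4 ~ /chmod [0-7]*[2367]( |$)/ || $4 ~ /chmod .*(a|o)[+][rwx]*w/ {
            print $1 ": " $2 " -> " $3 ": " $4
        }'
}

# Usage on the constructed sample (on a real host: sudo journalctl | sudo_commands):
printf '%s\n' "$JOURNAL_SAMPLE" | sudo_commands
printf '%s\n' "$JOURNAL_SAMPLE" | world_writable_chmods
```

The functions are written as filters so they compose with the journalctl options covered above, for example `sudo journalctl --since "1 day ago" | world_writable_chmods` to review the last day only.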

Reflection
Log files are extremely important for troubleshooting.
Log file location follows convention but ultimately, it is a choice of the developer.
More often than not, log file information (location, file names, etc.) is included in the documentation. If the
documentation does not provide useful information on log files, a combination of web research, and system
investigation should be used.
Clocks should always be synchronized to ensure all systems have the correct time. If clocks are not correctly
set, it is very difficult to trace back events.
It is important to understand when specific events took place. In addition to that, events from different sources
are often analyzed at the same time.

Lab - Navigating the Linux Filesystem and Permission Settings


Objectives
In this lab, you will familiarize yourself with Linux filesystems.

Required Resources
• CyberOps Workstation VM

Part 11: Exploring Filesystems in Linux


The Linux filesystem is one of its most popular features. While Linux supports many different types of
filesystems, this lab focuses on the ext family, one of the most common filesystems found on Linux.

Step 1: Access the command line.


Launch the CyberOps Workstation VM and open a terminal window.

Step 2: Display the filesystems currently mounted.


Filesystems must be mounted before they can be accessed and used. In computing, mounting a filesystem
means to make it accessible to the operating system. Mounting a filesystem is the process of linking the
physical partition on the block device (hard drive, SSD drive, pen drive, etc.) to a directory, through which the
entire filesystem can be accessed. Because the aforementioned directory becomes the root of the newly
mounted filesystem, it is also known as mounting point.
a. Use the lsblk command to display all block devices:
[analyst@secOps ~]$ lsblk

NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT


sda 8:0 0 5.9G 0 disk
└─sda1 8:1 0 5.9G 0 part /
sdb 8:16 0 1G 0 disk
└─sdb1 8:17 0 1023M 0 part
sr0 11:0 1 1024M 0 rom

The output above shows that the CyberOps Workstation VM has three block devices installed: sr0, sda
and sdb. The tree-like output also shows partitions under sda and sdb. Conventionally, /dev/sdX is used
by Linux to represent hard drives, with the trailing number representing the partition number inside that
device. Computers with multiple hard drives would likely display more /dev/sdX devices. If Linux was
running on a computer with four hard drives for example, it would show them as /dev/sda, /dev/sdb,
/dev/sdc and /dev/sdd, by default. The output implies that sda and sdb are hard drives, each one
containing a single partition. The output also shows that sda is a 5.9GB disk while sdb has 1GB.
Note: Linux often displays USB flash drives as /dev/sdX as well, depending on their firmware type.
b. Use the mount command to display more detailed information on the currently mounted filesystems in the
CyberOps Workstation VM.
[analyst@secOps ~]$ mount

proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)


sys on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
dev on /dev type devtmpfs (rw,nosuid,relatime,size=1030408k,nr_inodes=218258,mode=755)
run on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
/dev/sda1 on / type ext4 (rw,relatime,data=ordered)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
<output omitted>

Many of the filesystems above are out of scope of this course and irrelevant to the lab. Let’s focus on the
root filesystem, the filesystem stored in /dev/sda1. The root filesystem is where the Linux operating
system itself is stored; all the programs, tools, configuration files are stored in root filesystem by default.
c. Run the mount command again, but this time, use the pipe | to send the output of mount to grep to filter
the output and display only the root filesystem:
[analyst@secOps ~]$ mount | grep sda1

/dev/sda1 on / type ext4 (rw,relatime,data=ordered)

In the filtered output above, mount shows us that the root filesystem is located in the first partition of the
sda block device (/dev/sda1). We know this is the root filesystem because of the mounting point used: “/”
(the slash symbol). The output also tells us the type of formatting used in the partition, ext4 in this case.
The information in between parentheses relates to the partition mounting options.

d. Issue the following two commands below on the CyberOps Workstation VM:
[analyst@secOps ~]$ cd /
[analyst@secOps /]$ ls -l

What is the meaning of the output? Where are the listed files physically stored?
The first command changes the directory to the root directory. The root directory is the highest level of the
filesystem. Because /dev/sda1 is mounted on the root directory ("/"), by listing the files in the root
directory, the user is actually listing the files physically stored in the root of the /dev/sda1
filesystem.
Why is /dev/sdb1 not shown in the output above?
Because /dev/sdb1 is not currently mounted.
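The text in parentheses in the mount output above is the set of mount options, and the system mounts shown in step b (proc, sys, run) all carry nosuid, nodev or noexec while the root filesystem and a plain ext4 data partition do not. The script below, added here as an example and not part of the Cisco lab, parses mount(8)-style lines and answers the two questions a reviewer usually asks: which options is a given filesystem mounted with, and which writable block-device mounts lack nosuid and nodev. MOUNT_SAMPLE is constructed from the lines the lab shows, so the script runs without root or real block devices; it also covers the /dev/sdb1 mount created in Step 3.

```shell
#!/bin/sh
# Added example, not part of the Cisco lab: parse mount(8)-style output and
# check mount options. MOUNT_SAMPLE is constructed from the lab's own mount
# listing and stands in for the real `mount` command.
MOUNT_SAMPLE='proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sys on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
dev on /dev type devtmpfs (rw,nosuid,relatime,size=1030408k,nr_inodes=218258,mode=755)
run on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
/dev/sda1 on / type ext4 (rw,relatime,data=ordered)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
/dev/sdb1 on /home/analyst/second_drive type ext4 (rw,relatime,data=ordered)'

# mount_info <device>: print "device mountpoint fstype options" for one
# device (what "mount | grep sda1" shows, without the parentheses).
mount_info() {
    awk -v dev="$1" '$1 == dev && $2 == "on" && $4 == "type" {
        opts = $6; gsub(/[()]/, "", opts)
        print $1, $3, $5, opts
    }'
}

# mount_has_option <mountpoint> <option>: succeed if the option is set.
# Options are compared whole, so "nodev" does not match "nodevxyz".
mount_has_option() {
    awk -v mp="$1" -v want="$2" '
        $2 == "on" && $3 == mp {
            opts = $6; gsub(/[()]/, "", opts)
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# lax_block_mounts: list writable block-device mounts other than / that lack
# nosuid or nodev. A disk mounted by hand with no options, as /dev/sdb1 is in
# Step 3, gets the kernel defaults, so setuid binaries and device nodes stored
# on it are honoured. The root filesystem is excluded because system binaries
# legitimately rely on setuid there.
lax_block_mounts() {
    awk '$1 ~ /^\/dev\// && $2 == "on" && $3 != "/" {
        opts = $6; gsub(/[()]/, "", opts)
        n = split(opts, o, ","); rw = 0; nosuid = 0; nodev = 0
        for (i = 1; i <= n; i++) {
            if (o[i] == "rw") rw = 1
            if (o[i] == "nosuid") nosuid = 1
            if (o[i] == "nodev") nodev = 1
        }
        if (rw && !(nosuid && nodev)) print $3
    }'
}

# Usage on the constructed sample (on a real host: mount | lax_block_mounts):
printf '%s\n' "$MOUNT_SAMPLE" | mount_info /dev/sda1
printf '%s\n' "$MOUNT_SAMPLE" | lax_block_mounts
```

On the sample the only lax mount reported is /home/analyst/second_drive. The options of a mounted filesystem can be tightened in place with `sudo mount -o remount,nosuid,nodev /home/analyst/second_drive`, or set permanently in /etc/fstab.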

Step 3: Manually mounting and unmounting filesystems


The mount command can also be used to mount and unmount filesystems. As seen in Step 1, the CyberOps
Workstation VM has two hard drives installed. The first one was recognized by the kernel as /dev/sda while
the second was recognized as /dev/sdb. Before a block device can be mounted, it must have a mounting
point.
a. Use the ls -l command to verify that the directory second_drive is in the analyst's home directory.
[analyst@secOps /]$ cd ~
[analyst@secOps ~]$ ls -l

total 28
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:15 cyops_folder2
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 2 analyst analyst 4096 Mar 3 15:56 second_drive
-rw-r--r-- 1 analyst analyst 142 Aug 16 15:11 some_text_file.txt
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt

Note: If the directory second_drive does not exist, use the mkdir second_drive command to create it.
[analyst@secOps ~]$ mkdir second_drive

Note: Depending on the state of your VM, your listing will most likely have different files and directories.
b. Use ls -l again to list the contents of the newly created second_drive directory.
[analyst@secOps ~]$ ls -l second_drive/

total 0

Notice that the directory is empty.


c. Use the mount command to mount /dev/sdb1 on the newly created second_drive directory. The syntax
of mount is: mount [options] <device to be mounted> <mounting point>.
[analyst@secOps ~]$ sudo mount /dev/sdb1 ~/second_drive/

[sudo] password for analyst:

No output is provided which means the mounting process was successful.


d. Now that the /dev/sdb1 has been mounted on /home/analyst/second_drive, use ls -l to list the contents
of the directory again.
[analyst@secOps ~]$ ls -l second_drive/

total 20
drwx------ 2 root root 16384 Mar 3 10:59 lost+found
-rw-r--r-- 1 root root 183 Mar 3 15:42 myFile.txt

Why is the directory no longer empty? Where are the listed files physically stored?
After mounting, /home/analyst/second_drive becomes the entry point to the filesystem physically
stored on /dev/sdb1.
e. Issue the mount command with no options again to display detailed information about the /dev/sdb1
partition. As before, use the grep command to display only the /dev/sdX filesystems:
[analyst@secOps ~]$ mount | grep sd

/dev/sda1 on / type ext4 (rw,relatime,data=ordered)


cgroup2 on /sys/fs/cgroup/unified type cgroup2
(rw,nosuid,nodev,noexec,relatime,nsdelegate)
/dev/sdb1 on /home/analyst/second_drive type ext4 (rw,relatime,data=ordered)

f. Unmounting filesystems is just as simple. Make sure you change the directory to something outside of the
mounting point and use the umount command as shown below:
[analyst@secOps ~]$ sudo umount /dev/sdb1

[sudo] password for analyst:


[analyst@secOps ~]$
[analyst@secOps ~]$ ls -l second_drive/
total 0

Part 12: File Permissions


Linux filesystems have built-in features to control the ability of users to view, change, navigate, and
execute the contents of the filesystem. Essentially, each file in a filesystem carries its own set of permissions,
which defines what users and groups can do with the file.

Step 1: Visualize and Change the File Permissions.


a. Navigate to /home/analyst/lab.support.files/scripts/.
[analyst@secOps ~]$ cd lab.support.files/scripts/

b. Use the ls -l command to display file permissions.


[analyst@secOps scripts]$ ls -l

total 60
-rwxr-xr-x 1 analyst analyst 190 Jun 13 09:45 configure_as_dhcp.sh
-rwxr-xr-x 1 analyst analyst 192 Jun 13 09:45 configure_as_static.sh
-rwxr-xr-x 1 analyst analyst 3459 Jul 18 10:09 cyberops_extended_topo_no_fw.py
-rwxr-xr-x 1 analyst analyst 4062 Jul 18 10:09 cyberops_extended_topo.py
-rwxr-xr-x 1 analyst analyst 3669 Jul 18 10:10 cyberops_topo.py
-rw-r--r-- 1 analyst analyst 2871 Apr 28 11:27 cyops.mn
-rwxr-xr-x 1 analyst analyst 458 May 1 13:50 fw_rules
-rwxr-xr-x 1 analyst analyst 70 Apr 28 11:27 mal_server_start.sh
drwxr-xr-x 2 analyst analyst 4096 Jun 13 09:55 net_configuration_files
-rwxr-xr-x 1 analyst analyst 65 Apr 28 11:27 reg_server_start.sh
-rwxr-xr-x 1 analyst analyst 189 Dec 15 2016 start_ELK.sh
-rwxr-xr-x 1 analyst analyst 85 Dec 22 2016 start_miniedit.sh
-rwxr-xr-x 1 analyst analyst 76 Jun 22 11:38 start_pox.sh
-rwxr-xr-x 1 analyst analyst 106 Jun 27 09:47 start_snort.sh
-rwxr-xr-x 1 analyst analyst 61 May 4 11:45 start_tftpd.sh

Consider the cyops.mn file as an example. Who is the owner of the file? How about the group?
Owner: analyst; Group: analyst
The permission for cyops.mn are –rw-r--r--. What does that mean?
The file owner (the analyst user) can read and write to the file but not execute it (-rw). Members of the
analyst group other than the owner can only read the file (-r-); no execute or write is allowed. All other
users are not allowed to write to or execute the file.
c. The touch command is very simple and useful. It allows for the quick creation of an empty text file. Use
the command below to create an empty file in the /mnt directory:
[analyst@secOps scripts]$ touch /mnt/myNewFile.txt
touch: cannot touch '/mnt/myNewFile.txt': Permission denied

Why was the file not created? List the permissions, ownership and content of the /mnt directory and
explain what happened. With the addition of -d option, it lists the permission of the parent directory.
Record the answer in the lines below.
[analyst@secOps ~]$ ls -ld /mnt

drwxr-xr-x 2 root root 4096 Mar 3 15:43 /mnt

The /mnt directory is owned by the root user, with permissions drwxr-xr-x. This way, only the root user
is allowed to write to the /mnt folder.
What can be done for the touch command shown above to be successful?
The command can be run as root (adding sudo before it), or the permissions of the /mnt directory can be
modified.
d. The chmod command is used to change the permissions of a file or directory. As before, mount the
/dev/sdb1 partition on the /home/analyst/second_drive directory created earlier in this lab:
[analyst@secOps ~]$ sudo mount /dev/sdb1 ~/second_drive/

e. Change to the second_drive directory and list the contents of it:


[analyst@secOps ~]$ cd ~/second_drive
[analyst@secOps second_drive]$ ls -l

total 20
drwx------ 2 root root 16384 Mar 3 10:59 lost+found
-rw-r--r-- 1 root root 183 Mar 3 15:42 myFile.txt

What are the permissions of the myFile.txt file?


-rw-r--r--
f. Use the chmod command to change the permissions of myFile.txt.
[analyst@secOps second_drive]$ sudo chmod 665 myFile.txt
[analyst@secOps second_drive]$ ls -l

total 20
drwx------ 2 root root 16384 Mar 3 10:59 lost+found
-rw-rw-r-x 1 root root 183 Mar 3 15:42 myFile.txt

Did the permissions change? What are the permissions of myFile.txt?


-rw-rw-r-x
The chmod command takes permissions in octal format. A breakdown of 665 is as follows:
6 in octal is 110 in binary. Each position of a file's permissions can be 1 or 0, so 110 means
rw- (read=1, write=1 and execute=0).
Therefore, the chmod 665 myFile.txt command changes the permissions to:
Owner: rw- (6, or 110 in binary)
Group: rw- (6, or 110 in binary)
Other: r-x (5, or 101 in binary)
What command would change the permissions of myFile.txt to rwxrwxrwx, granting any user in the
system full access to the file?
sudo chmod 777 myFile.txt
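The octal breakdown above generalizes to any three-digit mode: each digit is a 3-bit field where 4 is read, 2 is write and 1 is execute. The script below, added here as an example and not part of the Cisco lab, converts in both directions between chmod's octal modes and the rwx string that ls -l prints, checks whether a mode gives "other" users write access (the property that makes 777 a poor choice), and verifies the conversion against a real file created in a scratch directory.

```shell
#!/bin/sh
# Added example, not part of the Cisco lab: convert between chmod's octal
# modes and the rwx string shown by ls -l, and exercise the conversion on a
# real file in a temporary directory.

# octal_to_rwx 665 -> rw-rw-r-x
octal_to_rwx() {
    mode=$1
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_rwx: need three octal digits" >&2; return 1 ;;
    esac
    d1=${mode%??}; rest=${mode#?}; d2=${rest%?}; d3=${mode#??}
    out=""
    for d in "$d1" "$d2" "$d3"; do
        # each digit is a 3-bit field: 4 = read, 2 = write, 1 = execute
        if [ $((d / 4 % 2)) -eq 1 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d / 2 % 2)) -eq 1 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d % 2)) -eq 1 ];     then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# rwx_to_octal rw-rw-r-x -> 665 (the nine characters after the type letter)
rwx_to_octal() {
    s=$1
    case $s in
        [r-][w-][x-][r-][w-][x-][r-][w-][x-]) ;;
        *) echo "rwx_to_octal: need nine permission characters" >&2; return 1 ;;
    esac
    out=""
    while [ -n "$s" ]; do
        trip=${s%"${s#???}"}   # first three characters: one owner/group/other field
        s=${s#???}
        v=0
        case $trip in r??) v=$((v + 4)) ;; esac
        case $trip in ?w?) v=$((v + 2)) ;; esac
        case $trip in ??x) v=$((v + 1)) ;; esac
        out="$out$v"
    done
    printf '%s\n' "$out"
}

# others_can_write <octal mode>: succeed if the "other" digit has the write
# bit set, i.e. every account on the system may modify the file.
others_can_write() {
    o=${1#??}
    [ $((o / 2 % 2)) -eq 1 ]
}

# demo_on_real_file <octal mode>: chmod a scratch file and read the mode back
# from ls -l, the way the lab does after chmod 665 myFile.txt.
demo_on_real_file() {
    dir=$(mktemp -d) || return 1
    touch "$dir/myFile.txt"
    chmod "$1" "$dir/myFile.txt"
    ls -l "$dir/myFile.txt" | cut -c2-10
    rm -rf "$dir"
}

# Usage:
octal_to_rwx 665
rwx_to_octal rw-rw-r-x
demo_on_real_file 665
```

Run against the lab's values, `octal_to_rwx 665` prints rw-rw-r-x and `rwx_to_octal rw-rw-r-x` prints 665; `others_can_write 777` succeeds while `others_can_write 665` fails, which is why the 777 answer above grants more than a shared file normally needs.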
g. The chown command is used to change ownership of a file or directory. Issue the command below to
make the analyst user the owner of the myFile.txt:
[analyst@secOps second_drive]$ sudo chown analyst myFile.txt
[sudo] password for analyst:
[analyst@secOps second_drive]$ ls -l

total 20
drwx------ 2 root root 16384 Mar 3 10:59 lost+found
-rw-rw-r-x 1 analyst root 183 Mar 3 15:42 myFile.txt
[analyst@secOps second_drive]$

Note: To change the owner and group to analyst at the same time, use the sudo chown analyst:analyst
myFile.txt format.
h. Now that analyst is the file owner, try appending the word ‘test’ to the end of myFile.txt.
[analyst@secOps second_drive]$ echo test >> myFile.txt
[analyst@secOps second_drive]$ cat myFile.txt

Was the operation successful? Explain.


Yes. analyst is the owner of the file and its permissions are still set to 665 as before. The permissions, as
they are, allow the owner and users in the root group to make changes to the file.

Step 2: Directory and Permissions


Similar to regular files, directories also carry permissions. Directories, however, have an extra bit in the
permissions.
a. Change back to the /home/analyst/lab.support.files directory and issue the ls -l command to list all the
files with details:
[analyst@secOps second_drive]$ cd ~/lab.support.files/
[analyst@secOps lab.support.files]$ ls -l

total 580
-rw-r--r-- 1 analyst analyst 649 Jun 28 18:34 apache_in_epoch.log
-rw-r--r-- 1 analyst analyst 126 Jun 28 11:13 applicationX_in_epoch.log
drwxr-xr-x 4 analyst analyst 4096 Aug 7 15:29 attack_scripts
-rw-r--r-- 1 analyst analyst 102 Jul 20 09:37 confidential.txt
-rw-r--r-- 1 analyst analyst 2871 Dec 15 2016 cyops.mn
-rw-r--r-- 1 analyst analyst 75 May 24 11:07 elk_services
-rw-r--r-- 1 analyst analyst 373 Feb 16 16:04 h2_dropbear.banner
-rw-r--r-- 1 analyst analyst 147 Mar 21 15:30 index.html
-rw-r--r-- 1 analyst analyst 255 May 2 13:11 letter_to_grandma.txt
-rw-r--r-- 1 analyst analyst 24464 Feb 7 2017 logstash-tutorial.log
drwxr-xr-x 2 analyst analyst 4096 May 25 13:01 malware
-rwxr-xr-x 1 analyst analyst 172 Jul 25 16:27 mininet_services
drwxr-xr-x 2 analyst analyst 4096 Feb 14 2017 openssl_lab
drwxr-xr-x 2 analyst analyst 4096 Aug 7 15:25 pcaps
drwxr-xr-x 7 analyst analyst 4096 Sep 20 2016 pox
-rw-r--r-- 1 analyst analyst 473363 Feb 16 15:32 sample.img
-rw-r--r-- 1 analyst analyst 65 Feb 16 15:45 sample.img_SHA256.sig
drwxr-xr-x 3 analyst analyst 4096 Jul 18 10:10 scripts
-rw-r--r-- 1 analyst analyst 25553 Feb 13 2017 SQL_Lab.pcap

Compare the permissions of the malware directory with the mininet_services file. What is the difference
between their permissions?
There is a letter d at the beginning, before the permissions, for the malware directory.

The letter 'd' indicates that the specific entry is a directory and not a file. Another difference between file
and directory permissions is the meaning of the execution bit. If a file has its execution bit turned on, it means
it can be executed by the system (a file with the execution bit set is an executable script or program). For a
directory, the execution bit instead specifies whether a user can enter that directory.
The chmod and chown commands work for directories in the same way they work for files.

Part 13: Symbolic Links and other Special File Types


You have now seen some of the different file types in Linux. The first character in each file listing in an ls -l
command shows the file type. The three different types of files in Linux, including their sub-types and
characters, are:
• Regular files (-) including:
- Readable files – text files
- Binary files - programs
- Image files
- Compressed files
• Directory files (d)
- Folders
• Special Files including:
- Block files (b) – Files used to access physical hardware like mount points to access hard drives.
- Character device files (c) – Files that provide a serial stream of input and output. tty terminals are
examples of this type of file.
- Pipe files (p) – A file used to pass information where the first bytes in are the first bytes. This is also
known as FIFO (first in first out).
- Symbolic Link files (l) – Files used to link to other files or directories. There are two types: symbolic
links and hard links.
- Socket files (s) – These are used to pass information from application to application in order to
communicate over a network.

Step 1: Examine file types.


a. Use the ls -l command to display the files. Notice the first character of each line is either a "-"
indicating a file or a "d" indicating a directory.
[analyst@secOps ~]$ ls -l

total 28
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:15 cyops_folder2
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 3 analyst analyst 4096 Mar 3 18:23 second_drive
-rw-r--r-- 1 analyst analyst 142 Aug 16 15:11 some_text_file.txt
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt

b. Produce a listing of the /dev directory. Scroll to the middle of the output and notice how the block files
begin with a “b”, the character device files begin with a “c” and the symbolic link files begin with an “l”:
[analyst@secOps ~]$ ls -l /dev/
<output omitted>
crw-rw-rw- 1 root tty 5, 2 May 29 18:32 ptmx
drwxr-xr-x 2 root root 0 May 23 06:40 pts
crw-rw-rw- 1 root root 1, 8 May 23 06:41 random
crw-rw-r-- 1 root root 10, 56 May 23 06:41 rfkill
lrwxrwxrwx 1 root root 4 May 23 06:41 rtc -> rtc0
crw-rw---- 1 root audio 253, 0 May 23 06:41 rtc0
brw-rw---- 1 root disk 8, 0 May 23 06:41 sda
brw-rw---- 1 root disk 8, 1 May 23 06:41 sda1
brw-rw---- 1 root disk 8, 16 May 23 06:41 sdb
brw-rw---- 1 root disk 8, 17 May 23 06:41 sdb1
drwxrwxrwt 2 root root 40 May 28 13:47 shm
crw------- 1 root root 10, 231 May 23 06:41 snapshot
drwxr-xr-x 2 root root 80 May 23 06:41 snd
brw-rw----+ 1 root optical 11, 0 May 23 06:41 sr0
lrwxrwxrwx 1 root root 15 May 23 06:40 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root 15 May 23 06:40 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root 15 May 23 06:40 stdout -> /proc/self/fd/1
crw-rw-rw- 1 root tty 5, 0 May 29 17:36 tty
crw--w---- 1 root tty 4, 0 May 23 06:41 tty0
<output omitted>

c. Symbolic links in Linux are like shortcuts in Windows. There are two types of links in Linux: symbolic links
and hard links. The difference between symbolic links and hard links is that a symbolic link file points to
the name of another file and a hard link file points to the contents of another file. Create two files by using
echo:
[analyst@secOps ~]$ echo "symbolic" > file1.txt
[analyst@secOps ~]$ cat file1.txt
symbolic
[analyst@secOps ~]$ echo "hard" > file2.txt
[analyst@secOps ~]$ cat file2.txt
hard

d. Use ln -s to create a symbolic link to file1.txt, and ln to create a hard link to file2.txt:
[analyst@secOps ~]$ ln -s file1.txt file1symbolic
[analyst@secOps ~]$ ln file2.txt file2hard

e. Use the ls -l command and examine the directory listing:
[analyst@secOps ~]$ ls -l
total 40
drwxr-xr-x 3 analyst analyst 4096 Aug 16 15:15 cyops_folder2
drwxr-xr-x 2 analyst analyst 4096 Sep 26 2014 Desktop
drwx------ 3 analyst analyst 4096 Jul 14 11:28 Downloads
lrwxrwxrwx 1 analyst analyst 9 Aug 17 16:43 file1symbolic -> file1.txt
-rw-r--r-- 1 analyst analyst 9 Aug 17 16:41 file1.txt
-rw-r--r-- 2 analyst analyst 5 Aug 17 16:42 file2hard
-rw-r--r-- 2 analyst analyst 5 Aug 17 16:42 file2.txt
drwxr-xr-x 8 analyst analyst 4096 Jul 25 16:27 lab.support.files
drwxr-xr-x 3 analyst analyst 4096 Mar 3 18:23 second_drive
-rw-r--r-- 1 analyst analyst 142 Aug 16 15:11 some_text_file.txt
-rw-r--r-- 1 analyst analyst 254 Aug 16 13:38 space.txt

Notice how the file file1symbolic is a symbolic link, with an l at the beginning of the line and a pointer ->
to file1.txt. The file file2hard appears to be a regular file because it is one: it happens to point to the same
inode on the hard disk drive as file2.txt, which is why the link count in the second column is now 2 for both
names. In other words, file2hard shares its attributes and disk block location with file2.txt.
f. Change the names of the original files, file1.txt and file2.txt, and notice how this affects the linked files.
[analyst@secOps ~]$ mv file1.txt file1new.txt
[analyst@secOps ~]$ mv file2.txt file2new.txt
[analyst@secOps ~]$ cat file1symbolic
cat: file1symbolic: No such file or directory
[analyst@secOps ~]$ cat file2hard
hard

Notice how file1symbolic is now a broken symbolic link, because the name of the file it pointed to, file1.txt,
has changed. The hard link file2hard still works correctly because it points to the inode of file2.txt and not
to its name, which is now file2new.txt.
What do you think would happen to file2hard if you opened a text editor and changed the text in
file2new.txt?
Changing the contents of one file will change the contents of the other, because both point to the same
inode on the hard disk drive.
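As an added example, not part of the Cisco lab or the report above, the following POSIX shell function repeats steps c through f in a throwaway directory, compares inode numbers with ls -i, and reports which link survives the rename and whether a write through one name is visible through the other (the function name and the temporary directory are assumptions):

```shell
#!/bin/sh
# Added example: reproduce the symbolic-link vs hard-link experiment end to end.
# Uses only ln, mv, ls -i, awk and mktemp, so it runs on any Linux shell.

link_experiment() {
    dir=$(mktemp -d) || return 1
    cd "$dir" || return 1

    printf 'symbolic\n' > file1.txt
    printf 'hard\n'     > file2.txt
    ln -s file1.txt file1symbolic   # the symlink stores the NAME "file1.txt"
    ln    file2.txt file2hard       # the hard link is a second name for the same inode

    # ls -l would show "l" for the symlink and "-" for the hard link;
    # test -L / test -f check the same file-type information.
    [ -L file1symbolic ] && [ -f file2hard ] || return 1

    # Both names of the hard link carry the same inode number.
    ino_hard=$(ls -i file2hard | awk '{print $1}')
    ino_orig=$(ls -i file2.txt | awk '{print $1}')
    [ "$ino_hard" = "$ino_orig" ] || return 1

    # Rename the originals, exactly as in step f.
    mv file1.txt file1new.txt
    mv file2.txt file2new.txt

    # The symlink still exists (test -L is true) but now dangles, so cat fails.
    if cat file1symbolic >/dev/null 2>&1; then sym_state=ok; else sym_state=broken; fi
    # The hard link is unaffected: same inode, just reached under another name.
    if [ "$(cat file2hard)" = "hard" ]; then hard_state=ok; else hard_state=broken; fi

    # Writing through one name is visible through the other (the question in step f).
    printf 'changed\n' > file2new.txt
    if [ "$(cat file2hard)" = "changed" ]; then shared=yes; else shared=no; fi

    cd / && rm -rf "$dir"
    echo "symlink=$sym_state hardlink=$hard_state shared_content=$shared"
    # prints: symlink=broken hardlink=ok shared_content=yes
}
```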

Reflection
File permissions and ownership are two of the most important aspects of Linux. They are also a common
cause of problems. A file that has the wrong permissions or ownership set will not be available to the
programs that need to access it. In this scenario, the program will usually break and errors will be
encountered.

Presentation video link:


https://drive.google.com/file/d/1OyqG_hFIppV05RLKjE7kRTIKEaIEKE9L/view?usp=drivesdk
