"Every cell runs the same directory skeleton. An operator who does not know the filesystem hierarchy before touching a live cell is a liability. This module re-establishes that foundation. Read it fast if it feels familiar. Read it carefully if anything is unclear."
The FHS defines where everything lives on a Linux system. Every Ubuntu 22.04 cell uses the same top-level structure. Operators who internalize this navigate incident response without hesitation.
Key directories to know: /bin and /sbin (user/system binaries, now symlinks to /usr/bin on Ubuntu 22.04), /etc (configuration), /var (variable data including logs), /proc and /sys (virtual kernel interfaces), /home (user home directories), /tmp (ephemeral), /opt (third-party software).
Every cell runs the same directory skeleton. Knowing the FHS is knowing the cell's anatomy before you touch anything.
Efficient navigation is a speed multiplier in every operational scenario. These commands build the habits that make directory movement automatic.
On modern Ubuntu, ls -la /bin shows a symlink pointing to /usr/bin. Absolute paths start with / and never depend on your current position. Relative paths do. Always prefer absolute paths in scripts to avoid context-dependent failures.
In an incident response scenario, speed of navigation is speed of recovery. Operators who hesitate on paths cost the grid downtime.
find performs a real-time walk of the filesystem. It is the primary sweep tool for locating files by name, age, size, permission, or ownership. Learn its flags before you need them under pressure.
Core flags: -name / -iname (case-insensitive), -type f (file) / d (directory), -mtime (modification days), -size, -perm, -user, -exec. The 2>/dev/null suffix suppresses "Permission denied" noise on system directories.
When an anomaly is reported, find is your first sweep tool. Learn its flags before you need them under pressure.
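A sweep built from the core flags above, as an added example that is not part of the original module. It assumes GNU findutils and coreutils as shipped on Ubuntu 22.04, and every file name in it is constructed sample data inside a throwaway temp directory.

```shell
#!/bin/sh
# Added example. Assumes GNU findutils/coreutils (Ubuntu 22.04).
# All file names below are constructed sample data in a temp directory.

make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/etc" "$sb/tmp"
    printf 'setting=1\n' > "$sb/etc/app.conf"
    printf 'stale\n' > "$sb/etc/old.conf"
    head -c 2048 /dev/zero > "$sb/tmp/blob.bin"  # 2 KiB, the only "large" file
    chmod 0644 "$sb/etc/app.conf" "$sb/etc/old.conf" "$sb/tmp/blob.bin"
    touch -d '10 days ago' "$sb/etc/old.conf"    # outside a 7-day window
    printf '#!/bin/sh\n' > "$sb/tmp/Job.SH"      # upper-case extension
    chmod 0777 "$sb/tmp/Job.SH"                  # world-writable
    printf '%s\n' "$sb"
}

# Regular files modified less than N days ago (-mtime -N).
recent_files() { find "$1" -type f -mtime "-$2" 2>/dev/null | sort; }

# Regular files with the world-writable bit set. "-perm -0002" means
# "at least these bits"; "-perm 0002" would demand that exact mode.
world_writable() { find "$1" -type f -perm -0002 2>/dev/null | sort; }

# -iname matches Job.SH; -name '*.sh' silently misses it.
scripts_any_case() { find "$1" -type f -iname '*.sh' 2>/dev/null | sort; }
scripts_exact_case() { find "$1" -type f -name '*.sh' 2>/dev/null | sort; }

# Hash every file over 1 KiB in place; "{} +" batches paths into one call.
hash_large() { find "$1" -type f -size +1k -exec sha256sum {} + 2>/dev/null; }

# Demo run against the sandbox, then clean up.
demo_root=$(make_sandbox)
echo "== modified in the last 7 days"; recent_files "$demo_root" 7
echo "== world-writable";              world_writable "$demo_root"
echo "== *.sh, any case";              scripts_any_case "$demo_root"
echo "== over 1 KiB, with SHA-256";    hash_large "$demo_root"
[ -n "$demo_root" ] && rm -rf "$demo_root"
```

On a live cell, point the same functions at an absolute path such as /etc or /tmp and save the output before changing anything.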
locate queries a pre-built index rather than walking the live filesystem. It is fast but potentially stale. which and whereis find executable locations in $PATH and standard system directories respectively.
find is authoritative: it reads the live filesystem. locate is fast but reads an index that was last built when updatedb ran (typically via cron). On a compromised cell, locate may report a file that has already been deleted or miss a file that was just planted.
On a compromised cell, the locate index may lie. Know when to trust it and when to use find instead.
Linux files are not identified by extension. The file command reads the file's actual content (magic bytes) and reports its true type. This is critical when investigating suspicious files on a tampered cell.
Special file types you will encounter: block devices (b), character devices (c), named pipes (p), sockets (s), and symbolic links (l). All are visible in the first character of ls -la output. A regular file shows -.
Not every file is what its extension claims. On a cell that has been tampered with, file tells the truth when names do not.
Every process inherits three standard file descriptors: stdin (0), stdout (1), stderr (2). Redirection operators control where each stream goes. Understanding this is prerequisite to writing bash scripts and understanding pipes.
The operator &> is shorthand for redirecting both stdout and stderr to the same destination. Piping to tee writes to a file while still printing to the terminal, which is essential when you need a live view and a saved record simultaneously.
Understanding file descriptors is prerequisite to understanding pipes and process communication, which underpin everything in Week 1.
If you are comfortable with all of these, proceed to ALA-R2: Access Control.