Chapter 2 - Operating Systems & Cyber Security Fundamentals

2.1 Chapter Overview

Operating systems are the foundation of cyber security. Every endpoint, server, laptop, virtual machine and cloud workload runs on an operating system. A cyber security analyst must understand how operating systems manage files, users, processes, services, permissions, logs and security controls.

Windows and Linux are the most important operating systems in enterprise cyber security. Windows is common in business environments, while Linux is widely used for servers, cloud systems, security tools and network infrastructure.

Learning Outcome: By the end of this chapter, learners should be able to explain Windows and Linux fundamentals, understand file systems, processes, services, permissions and apply basic security concepts to operating system analysis.

Users

→

Operating System

→

Files & Processes

→

Permissions

→

Security Logs

2.2 Learning Objectives

Explain the role of operating systems in cyber security.
Identify key Windows and Linux components.
Understand file systems and important system directories.
Explain processes, services and startup programs.
Understand user accounts, groups and permissions.
Use basic Windows and Linux commands for investigation.
Recognize common operating system security controls.
Apply the CIA triad, least privilege and defense-in-depth concepts.

2.3 What is an Operating System?

An operating system is system software that manages hardware, applications, users, files, memory, processes and security controls. It acts as the bridge between users, applications and computer hardware.

OS Function	Description	Cyber Security Relevance
User Management	Creates and manages user accounts.	Controls who can access the system.
File Management	Stores, organizes and protects files.	Protects sensitive data from unauthorized access.
Process Management	Runs and monitors applications.	Helps detect suspicious or malicious processes.
Service Management	Runs background services.	Misconfigured services may expose risk.
Logging	Records system and security events.	Supports investigation and incident response.
Access Control	Applies permissions and privileges.	Prevents unauthorized activity.

2.4 Why Operating Systems Matter in Cyber Security

Attack Surface

Operating systems expose services, ports, files and accounts that attackers may target.

Evidence Source

Logs, file timestamps, running processes and user activity provide evidence during investigation.

Access Control

Permissions and privileges determine what users and malware can do.

Hardening

Security teams configure OS settings to reduce risk.

Operating System Security = Accounts + Permissions + Patching + Logs + Services + Monitoring

2.5 Windows Fundamentals for Cyber Security

Windows is widely used in corporate environments. Security analysts must understand Windows users, groups, services, registry, event logs and PowerShell basics.

Windows Component	Purpose	Security Use
Local Users and Groups	Manages accounts and group membership.	Check unauthorized admin accounts.
Event Viewer	Shows system and security logs.	Investigate logon attempts and errors.
Services	Background programs.	Detect suspicious or unnecessary services.
Task Manager	Shows running processes.	Identify abnormal CPU, memory or process names.
Registry	Stores system and application settings.	Malware may create persistence entries.
Windows Defender	Built-in security protection.	Detect and respond to threats.

Windows Command: Show Current User

whoami

Windows Command: Show Network Configuration

ipconfig /all

PowerShell: List Running Processes

Get-Process

PowerShell: List Services

Get-Service

2.6 Windows Event Logs

Windows Event Logs are critical for investigation. They record logins, system changes, application errors and security events.

Log Type	Description	Example Security Use
Security Log	Authentication, logon and audit events.	Detect failed login attempts.
System Log	Operating system and driver events.	Identify service failures.
Application Log	Application errors and events.	Investigate application crashes.
PowerShell Log	PowerShell execution records.	Detect suspicious scripts.

PowerShell: Search Failed Logons

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 10

Note: Event ID 4625 commonly represents a failed logon attempt in Windows security logs.

2.7 Linux Fundamentals for Cyber Security

Linux is widely used for servers, cloud environments and cyber security tools. Analysts must understand users, permissions, directories, processes, services and logs.

Linux Component	Purpose	Security Use
/etc/passwd	Stores user account information.	Review system accounts.
/etc/shadow	Stores password hashes.	Protected file requiring root access.
/var/log	Stores logs.	Analyze authentication and system events.
systemd	Manages services.	Check service status.
ps/top	Shows processes.	Identify suspicious activity.
sudo	Runs commands with elevated privileges.	Control administrator access.

Linux Command: Show Current User

whoami

Linux Command: Show System Information

uname -a

Linux Command: Show IP Address

ip addr

Linux Command: List Running Processes

ps aux

2.8 Linux Logs

Linux logs are commonly stored in the /var/log directory. Logs help analysts detect authentication problems, service failures and suspicious activity.

Log File	Purpose	Security Use
/var/log/auth.log	Authentication logs on Debian/Ubuntu.	Review SSH logins and sudo usage.
/var/log/secure	Authentication logs on Red Hat/CentOS.	Review failed logins and privilege use.
/var/log/syslog	General system logs.	Investigate system events.
/var/log/kern.log	Kernel logs.	Investigate hardware or kernel activity.

Linux: Search Failed Logins

grep "Failed password" /var/log/auth.log

Linux: View Recent Log Entries

tail -n 50 /var/log/auth.log

2.9 File Systems and Important Directories

A file system organizes how files are stored and accessed. Security analysts must understand where critical files are located and how file permissions protect them.

Windows Location	Purpose	Security Interest
C:\Windows\System32	Core Windows system files.	Malware may imitate system file names.
C:\Users	User profiles.	Contains user files and application data.
C:\Program Files	Installed applications.	Check suspicious installed software.
Startup Folders	Programs that run on login.	Common persistence location.

Linux Directory	Purpose	Security Interest
/etc	Configuration files.	Review system and service settings.
/home	User home directories.	Contains user data and scripts.
/var/log	Log files.	Important for investigations.
/bin and /usr/bin	Command binaries.	Check trusted commands.
/tmp	Temporary files.	Attackers may place scripts here.

2.10 Processes and Services

A process is a running program. A service is a background process that provides system or application functionality. Malware often runs as a process or attempts to install itself as a service.

Process

A running program such as browser.exe, python.exe or sshd.

Service

A background program such as web server, antivirus or update service.

PID

Process ID used to identify a running process.

Parent Process

The process that launched another process.

Windows: List Processes

tasklist

Windows: Find Network Connections

netstat -ano

Linux: List Processes

ps aux

Linux: Show Listening Ports

ss -tulnp

2.11 Users, Groups and Permissions

Permissions control who can read, write, execute, modify or delete resources. Weak permissions can expose sensitive files or allow attackers to escalate privileges.

Windows Permissions

Permission	Meaning
Read	View file or folder content.
Write	Create or modify files.
Modify	Read, write and delete.
Full Control	Complete control including permission changes.

Linux Permissions

Linux uses read, write and execute permissions for owner, group and others.

-rwxr-xr--
 |  |  |
 |  |  Others: read only
 |  Group: read and execute
 Owner: read, write and execute

Linux chmod Example

chmod 640 security_report.txt

Meaning:
Owner can read/write, group can read, others have no access.

2.12 Core Cyber Security Concepts

Concept	Meaning	OS Example
Confidentiality	Protect information from unauthorized access.	File permissions and encryption.
Integrity	Prevent unauthorized modification.	Hash checking and access control.
Availability	Ensure systems and data remain accessible.	Service monitoring and backups.
Least Privilege	Give minimum access needed.	User should not be local administrator unnecessarily.
Defense in Depth	Use multiple layers of security.	Firewall, antivirus, patching, logging and access control.

2.13 Operating System Hardening

Hardening means reducing security weaknesses by configuring the operating system securely.

1Remove Unused Services

2Apply Updates

3Use Strong Passwords

4Enable Firewall

5Enable Logging

6Review Permissions

Hardening Checklist

Disable unnecessary services and startup programs.
Apply latest security updates and patches.
Use strong passwords and multi-factor authentication where available.
Remove unused accounts.
Restrict administrator/root access.
Enable system and security logging.
Enable endpoint protection and firewall.
Review file and folder permissions.

2.14 Practical Python OS Checks

Python can collect basic OS information for security inventory and automation.

Python: Detect Operating System

import platform

print("Operating System:", platform.system())
print("OS Version:", platform.version())
print("Machine:", platform.machine())
print("Processor:", platform.processor())

Python: List Files in a Folder

from pathlib import Path

folder = Path(".")

for file in folder.iterdir():
    print(file.name)

Python: Check File Exists

from pathlib import Path

log_file = Path("security_log.txt")

if log_file.exists():
    print("Log file found")
else:
    print("Log file missing")

2.15 Interactive Permission Simulator

This simple simulator explains Linux permission numbers.

Owner Permission Number Group Permission Number Others Permission Number

Click Explain Permission.

2.16 Practical Activities

Activity 1: Windows Investigation

Run whoami, ipconfig /all and tasklist on a Windows machine. Record what each command shows.

Activity 2: Linux Investigation

Run whoami, uname -a, ip addr and ps aux on a Linux machine or virtual lab.

Activity 3: Permission Analysis

Explain the meaning of Linux permission 750 and 640.

Activity 4: Log Review

Open Windows Event Viewer or Linux /var/log and identify one security-related event.

Mini Project

Create an OS security checklist for a training lab computer including accounts, services, updates, firewall, logs and permissions.

2.17 Interactive Final Assessment Quiz

Each correct answer gives +1 mark. Each wrong answer gives -0.5 mark.

1. An operating system manages files, processes, users and hardware resources.

True False

2. Which operating system is widely used for servers and security tools?

Linux Paint Calculator Notepad only

3. Windows Event Viewer can help investigate system and security events.

True False

4. Which Linux directory commonly stores logs?

/var/log /music /paint /random

5. A process is a running program.

True False

6. Least privilege means giving users only the access they need.

True False

7. In Linux permissions, r means:

Read Runaway Random Replace

8. Hardening means reducing security weaknesses in a system.

True False

9. The CIA triad stands for Confidentiality, Integrity and Availability.

True False

10. Unnecessary services should always be enabled for better security.

True False

Your Score: 0

2.18 Chapter Summary

In this chapter, learners studied Windows and Linux fundamentals, file systems, important directories, processes, services, permissions, logs and core security concepts. These skills are essential for endpoint investigation, system hardening and cyber security operations.

Remember: A cyber security analyst must understand how operating systems work because most attacks leave evidence in files, processes, services, permissions and logs.