📅 Day 36 – Linux Process Investigation and First Log Exploration
🎯 Goal
Move from memorizing commands to observing real system behavior.
Focus areas:
- examining running processes
- identifying normal vs unfamiliar services
- reading Linux system logs
- beginning to think about host activity from a security investigation perspective
Understanding how normal system activity appears is essential before trying to detect anomalies.
🛠️ What I Did
Process observation
I used several commands to inspect running processes:
ps aux --sort=-%cpu | head
ps aux --sort=-%mem | head
top
These commands helped identify which processes were currently consuming the most CPU and memory.
Processes I examined included:
- gnome-shell
- gnome-terminal-server
- dbus-daemon
- containerd
To inspect a specific process in detail I used:
ps -p <PID> -o pid,ppid,user,%cpu,%mem,stat,time,command
This reveals useful investigation data such as:
- process ID
- parent process ID
- user account
- resource usage
- command path
Understanding process hierarchy
One process tree I observed looked like this:
systemd (PID 1)
└── systemd --user
    └── gnome-shell
This showed how the graphical desktop session is launched by the user-level system manager.
Recognizing normal parent-child relationships is important when analyzing endpoint activity.
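The tree above can be rebuilt for every process on the host rather than read one PID at a time. The block below is an added example, not code from the original post: it parses constructed ps -eo pid,ppid,user,args output (the desktop session tree from above, plus an nginx worker spawning a shell and a user shell launching a binary named containerd from /tmp, both added so there is something to flag), prints the tree in the same style, walks a process's ancestry back to PID 1, and applies two common hunting heuristics. The name sets NETWORK_SERVICES, SHELLS and SYSTEM_DAEMONS are assumptions for the example, not an authoritative list.

```python
"""Rebuild a process tree from `ps` output and flag parent-child pairs that
deserve a second look. Added example; the sample data is constructed, not a capture."""
import os
from collections import defaultdict

# Constructed sample of `ps -eo pid,ppid,user,args` output. The first rows mirror
# the desktop session tree described above; the nginx -> sh and bash -> containerd
# rows are added so the checks below have something to flag.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     /lib/systemd/systemd --system
  512     1 root     /usr/bin/containerd
  700     1 parallels /usr/lib/systemd/systemd --user
  810   700 parallels /usr/bin/gnome-shell
  905   810 parallels /usr/libexec/gnome-terminal-server
 1010   905 parallels bash
 1200     1 root     nginx: master process /usr/sbin/nginx
 1250  1200 www-data nginx: worker process
 1300  1250 www-data sh -c id
 1400  1010 parallels /tmp/containerd
"""

# Heuristic name sets (assumptions for this example, not an authoritative list).
NETWORK_SERVICES = {"nginx", "apache2", "httpd", "php-fpm"}
SHELLS = {"sh", "bash", "dash", "zsh"}
SYSTEM_DAEMONS = {"containerd", "dockerd", "cron", "rsyslogd"}


def parse_ps(text):
    """Return {pid: {"ppid", "user", "args", "name"}} from ps output; the header is skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        pid, ppid, user, args = int(parts[0]), int(parts[1]), parts[2], parts[3]
        # "name" is the executable's basename; nginx relabels itself "nginx: master process".
        name = os.path.basename(args.split()[0]).rstrip(":")
        procs[pid] = {"ppid": ppid, "user": user, "args": args, "name": name}
    return procs


def ancestry(procs, pid):
    """Process names from the given PID up to PID 1, e.g. ['bash', ..., 'systemd']."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain


def render_tree(procs, root=1):
    """Indented tree in the style of the hierarchy shown above."""
    children = defaultdict(list)
    for pid, info in procs.items():
        children[info["ppid"]].append(pid)
    lines = []

    def walk(pid, depth):
        prefix = "    " * depth + ("└── " if depth else "")
        lines.append(f"{prefix}{procs[pid]['name']} (PID {pid}, {procs[pid]['user']})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root, 0)
    return "\n".join(lines)


def find_unusual(procs):
    """Return (pid, reason) pairs for two common hunting heuristics."""
    findings = []
    for pid in sorted(procs):
        info = procs[pid]
        parent = procs.get(info["ppid"])
        if parent is None:
            continue
        # 1. A network-facing service should not be spawning a shell.
        if parent["name"] in NETWORK_SERVICES and info["name"] in SHELLS:
            findings.append((pid, f"shell '{info['args']}' spawned by {parent['name']} (PID {info['ppid']})"))
        # 2. A process named like a system daemon is expected to be started by PID 1
        #    (or by a parent of the same name); one launched from a user shell is odd.
        if info["name"] in SYSTEM_DAEMONS and info["ppid"] != 1 and parent["name"] != info["name"]:
            findings.append((pid, f"daemon-named process '{info['args']}' started by "
                                  f"{parent['name']} (PID {info['ppid']}) as {info['user']}"))
    return findings


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    print(render_tree(procs))
    print("\nancestry of PID 1010:", " <- ".join(ancestry(procs, 1010)))
    for pid, reason in find_unusual(procs):
        print(f"[!] PID {pid}: {reason}")
```

On a live host, replace SAMPLE_PS with the output of ps -eo pid,ppid,user,args; the legitimate containerd (PID 512, parent PID 1) passes both checks, while the /tmp/containerd launched from a user's bash and the shell under the nginx worker are reported. The heuristics are deliberately narrow; the point is that the parent, the user and the executable path together tell a story that a process name alone does not.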
Investigating an unfamiliar process
One process that initially stood out was:
containerd
At first I did not recognize it.
Using:
systemctl status containerd
I learned that:
- it is a legitimate container runtime service
- it is managed by systemd
- it starts automatically at boot
This exercise demonstrated a basic investigation workflow: observe → verify → confirm legitimacy. A status check only confirms that a unit of that name is managed by systemd; to go one step further, systemctl cat containerd shows the unit file and the binary it executes, and on Debian-based systems dpkg -S followed by that binary path confirms which package owns it.
Exploring system logs
Next I examined two important log files:
/var/log/syslog
/var/log/auth.log
To view recent entries I used:
sudo tail -n 20 /var/log/syslog
sudo tail -n 20 /var/log/auth.log
Observations from syslog
The system log contained events such as:
- service startup messages
- network events from NetworkManager
- warnings from desktop services
This log acts as a general record of system activity.
Observations from auth.log
The authentication log contained entries related to:
- cron job execution
- sudo commands
- login session activity
Example entry:
sudo: parallels : TTY=pts/0 ; PWD=/home/parallels ; USER=root ; COMMAND=/usr/bin/tail
This log entry records:
- which user ran sudo
- which command was executed
- the working directory
- the terminal session
Authentication logs are particularly important during security investigations. The path is distribution-specific: Debian and Ubuntu write these events to /var/log/auth.log, Red Hat-derived systems write the same events to /var/log/secure, and on any systemd host journalctl _COMM=sudo queries the journal for sudo entries directly.
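The sudo entry above is regular enough to parse, and the same holds for sshd's Accepted/Failed lines, so a short script can do what repeated grep and tail calls do by hand. The block below is an added example, not code from the original post: it runs over constructed auth.log lines in the traditional syslog layout (timestamp, host, program, message), extracts the sudo fields named above, counts failed SSH logins per source address, and flags sudo invocations that ran without a terminal. The five-failure threshold and the TTY=unknown heuristic are assumptions for the example.

```python
"""Summarize sudo use and SSH authentication events from auth.log-style lines.
Added example; the sample log lines are constructed, not a real capture."""
import re
from collections import Counter

# Constructed sample auth.log lines (traditional syslog layout). Not real log data.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:22 lab sudo: parallels : TTY=pts/0 ; PWD=/home/parallels ; USER=root ; COMMAND=/usr/bin/tail -n 20 /var/log/auth.log
Mar  3 10:15:40 lab sudo: parallels : TTY=pts/0 ; PWD=/home/parallels ; USER=root ; COMMAND=/usr/bin/systemctl status containerd
Mar  3 10:16:01 lab sshd[1842]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar  3 10:16:03 lab sshd[1843]: Failed password for invalid user admin from 203.0.113.5 port 51124 ssh2
Mar  3 10:16:06 lab sshd[1845]: Failed password for root from 203.0.113.5 port 51130 ssh2
Mar  3 10:16:09 lab sshd[1847]: Failed password for root from 203.0.113.5 port 51131 ssh2
Mar  3 10:16:12 lab sshd[1849]: Failed password for root from 203.0.113.5 port 51133 ssh2
Mar  3 10:17:01 lab CRON[1901]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:18:30 lab sshd[1950]: Accepted publickey for parallels from 192.0.2.10 port 50122 ssh2
Mar  3 10:19:02 lab sudo: www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash
"""

# sudo's log line: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)
# sshd's result line: "Accepted|Failed <method> for [invalid user] <user> from <ip> port <n>"
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sudo(line):
    """Fields of a sudo entry (user, tty, pwd, target, command), or None."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None


def parse_ssh(line):
    """Fields of an sshd Accepted/Failed entry (result, method, user, ip), or None."""
    m = SSH_RE.search(line)
    return m.groupdict() if m else None


def analyze(log_text, fail_threshold=5):
    """Aggregate what `grep sudo` and `grep ssh` would surface into one summary."""
    sudo_events, ssh_events = [], []
    for line in log_text.splitlines():
        s = parse_sudo(line)
        if s:
            sudo_events.append(s)
            continue
        e = parse_ssh(line)
        if e:
            ssh_events.append(e)
    failed_by_ip = Counter(e["ip"] for e in ssh_events if e["result"] == "Failed")
    # The threshold is an assumption for this example; tune it to the host's normal traffic.
    brute_force = sorted(ip for ip, n in failed_by_ip.items() if n >= fail_threshold)
    accepted = [(e["user"], e["ip"]) for e in ssh_events if e["result"] == "Accepted"]
    # Heuristic: TTY=unknown means sudo ran without a terminal (a script, cron, or a
    # shell spawned by a service); from a service account that deserves a closer look.
    no_tty_sudo = [s for s in sudo_events if s["tty"] == "unknown"]
    return {
        "sudo_events": sudo_events,
        "failed_by_ip": failed_by_ip,
        "brute_force": brute_force,
        "accepted": accepted,
        "no_tty_sudo": no_tty_sudo,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_AUTH_LOG)
    for s in report["sudo_events"]:
        print(f"sudo  {s['user']:>10} -> {s['target']} [{s['tty']}] {s['command']}")
    for ip, n in report["failed_by_ip"].most_common():
        print(f"failed SSH logins from {ip}: {n}")
    print("possible brute force:", report["brute_force"])
    print("accepted SSH logins:", report["accepted"])
    print("sudo without a tty:", [(s["user"], s["command"]) for s in report["no_tty_sudo"]])
```

To run it against the real file, read /var/log/auth.log (with sudo) and pass its contents to analyze. Newer Ubuntu releases emit ISO 8601 timestamps instead of the "Mar  3 10:15:22" prefix; the patterns above search the message part only, so they work with either layout.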
🔐 Key Cybersecurity Connections
Process and log analysis are central to host-based investigations.
Security analysts often search for:
- suspicious processes
- unusual parent-child relationships
- unexpected services
- authentication anomalies
- repeated login failures
- privilege escalation activity
Understanding how normal activity appears is the first step toward identifying abnormal behavior.
⚠️ Challenges
Initially many processes looked unfamiliar.
Linux systems run numerous background services, and without context it is easy to misinterpret normal behavior as suspicious.
Another challenge was remembering that commands themselves are just tools — understanding the system behavior behind them matters more.
🧠 What I Learned
- Linux systems run many background services that appear unusual at first but are normal.
- systemd typically launches most system services.
- Parent process relationships provide useful investigation context.
- System logs provide a chronological record of system activity.
- Authentication logs record privilege use and login events.
Learning how to interpret these logs is essential for host investigation.
⏭️ Next Steps
To continue building investigation skills I plan to:
- intentionally generate log events and analyze them
- search logs using tools like grep
- investigate unusual processes more deeply
- explore additional log sources
Examples:
grep sudo /var/log/auth.log
grep ssh /var/log/auth.log
Practicing with real system activity will make these investigation techniques more intuitive.
💭 Reflection
Working directly with processes and logs made the system feel much less abstract.
Reading explanations alone is slower than interacting with the system and observing behavior firsthand.
Hands-on experimentation makes the concepts clearer and easier to remember.
🧩 Lessons Learned
What worked
- inspecting real processes on the system
- reading actual log entries instead of theoretical examples
What broke
- trying to understand every unfamiliar process immediately
Why it broke
- many normal services simply require familiarity over time
Fix / takeaway
Focus first on recognizing patterns of normal behavior before attempting deeper analysis.
📈 Skill Progression Context
Process inspection and log analysis are foundational skills for SOC analysts and incident responders.
Understanding how normal system activity appears enables analysts to detect anomalies such as:
- suspicious processes
- abnormal login activity
- unexpected service execution
- privilege escalation events
Building this baseline knowledge is a critical step toward effective endpoint investigation.
