Cybersecurity Triage

Read-only

Find Password-Enabled Accounts

You need to identify accounts whose password field in the shadow file does not start with ! or *, the markers this check treats as locked.

Command

awk -F: '$2 !~ /^(!|\*)/ {print $1}' fixtures/user-access-audit/etc/shadow

Before you run this

System impact: Read-only. Low when scoped to the shown target.

When not to use it: Do not infer SSH password login policy from shadow alone; also check sshd configuration and PAM policy on real systems.

Expected output

Account names with non-locked password fields.

System impact

Read-only. Nothing changes. The command reads the fixture-local shadow stub and prints accounts whose password field is not locked.

May require elevated permissions on protected paths or service-owned files.

Recovery / rollback: no state is changed.

When to use it

Use during access audits when you need to distinguish locked accounts from accounts that may accept password authentication.
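
The one-liner treats every field that does not start with ! or * as the same kind of finding. The following is an added example, not part of the original page, with hypothetical function names and constructed sample entries; it goes further by separating empty fields, locked entries that still retain a hash, and the crypt(3) scheme of live hashes.

```shell
#!/bin/sh
# Added example (not from the original page): classify each shadow password
# field instead of only printing names that do not start with ! or *.

# Constructed sample in shadow(5) layout; the hashes are placeholders.
sample_shadow() {
    cat <<'EOF'
root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alex:$y$j9T$demoSalt$demoHashOnlyAlex:19000:0:99999:7:::
legacy:$1$demoSalt$demoHashOnlyLegacy:19000:0:99999:7:::
parked:!$6$demoSalt$demoHashOnlyParked:19000:0:99999:7:::
kiosk::19000:0:99999:7:::
EOF
}

# Reads shadow-format lines from the file in $1, or stdin when no file is given.
# Prints "user<TAB>state" for every entry.
classify_shadow() {
    awk -F: '
    function scheme(h) {
        # crypt(3) modular format is $id$...; the id names the hash scheme.
        if (h ~ /^\$y\$/)         return "yescrypt"
        if (h ~ /^\$6\$/)         return "sha512crypt"
        if (h ~ /^\$5\$/)         return "sha256crypt"
        if (h ~ /^\$2[abxy]?\$/)  return "bcrypt"
        if (h ~ /^\$1\$/)         return "md5crypt-weak"
        return "unrecognised"
    }
    NF < 2 || /^#/  { next }                                  # skip malformed lines
    $2 == ""        { print $1 "\tEMPTY-no-password"; next }  # no password required
    $2 ~ /^[!*]+$/  { print $1 "\tlocked"; next }             # marker only, no hash
    $2 ~ /^[!*]/    { h = $2; sub(/^[!*]+/, "", h)            # locked, hash kept
                      print $1 "\tlocked-hash-retained:" scheme(h); next }
    { print $1 "\tpassword:" scheme($2) }
    ' "${1:--}"
}

sample_shadow | classify_shadow
```

On a real host, pass the shadow file path as the argument; reading it normally requires root.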

Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

demo@lab:~$

$ cut -d: -f1,2 sample-files/user-access-audit/etc/shadow

root:!
daemon:*
www-data:*
alex:$y$j9T$demoHashOnlyAlex
deploy:!
reports:!
breakglass:$y$j9T$demoHashOnlyBreakglass
backup:!

$ awk -F: '$2 !~ /^(!|\*)/ {print $1}' sample-files/user-access-audit/etc/shadow

alex
breakglass

Next steps

Related commands

Cybersecurity Triage Sensitive output

Find SSH Keys for nologin Users

A nologin shell does not automatically mean SSH keys are irrelevant.

comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)

Cybersecurity Triage Sensitive output

Find SSH Key Users with sudo

The highest-priority access review starts where SSH keys and sudo overlap.

comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)

Cybersecurity Triage Sensitive output

List Privileged Group Members

Group membership can grant more access than the username suggests.

awk -F: '$1 ~ /^(sudo|adm|docker)$/ && $4 != "" {print $1 ": " $4}' fixtures/user-access-audit/etc/group

Cybersecurity Triage Sensitive output

Review sudo Grants

Privilege paths should be visible before you remove or approve access.

awk -F: '$1=="sudo" {print "sudo group: " $4}' fixtures/user-access-audit/etc/group; grep -RhnE '^[^#].*ALL=' fixtures/user-access-audit/etc/sudoers fixtures/user-access-audit/etc/sudoers.d

Cybersecurity Triage Read-only

List Accounts with Login Shells

Login shells are the first account inventory to review.

awk -F: '$7 ~ /(bash|sh|zsh)$/ {printf "%s %s\n", $1, $7}' fixtures/user-access-audit/etc/passwd

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:security-hygiene
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.