Cybersecurity Triage
Read-onlyList Accounts with Login Shells
You need to separate human or interactive accounts from service accounts in a passwd-style file.
Command
awk -F: '$7 ~ /(bash|sh|zsh)$/ {printf "%s %s\n", $1, $7}' fixtures/user-access-audit/etc/passwdBefore you run this
System impact: Read-only. Low when scoped to the shown target.
When not to use it: Do not disable accounts from this list alone; confirm ownership, automation, and operational purpose first.
Expected output
Usernames and login shells for accounts that can start an interactive shell.
System impact
Read-only. Nothing changes. The command reads a fixture-local passwd stub and prints accounts with shell-like login programs.
May require elevated permissions on protected paths or service-owned files.
Recovery / rollback: no state is changed.
When to use it
Use during server handoff, user access reviews, and first-response checks before changing accounts.
When not to use it
Do not disable accounts from this list alone; confirm ownership, automation, and operational purpose first.
Explanation-only example
Illustrated output, not a live lab run
This example is intentionally illustrative. It shows the command shape without killing real processes or changing your machine.
$ sed -n '1,8p' sample-files/user-access-audit/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alex:x:1000:1000:Alex Admin:/srv/example/users/alex:/bin/bash
deploy:x:1001:1001:Deploy Bot:/srv/example/users/deploy:/bin/bash
reports:x:1002:1002:Reports Service:/srv/example/users/reports:/usr/sbin/nologin
breakglass:x:1003:1003:Break Glass:/srv/example/users/breakglass:/bin/bash
backup:x:1004:1004:Backup Service:/srv/backup:/usr/sbin/nologin$ awk -F: '$7 ~ /(bash|sh|zsh)$/ {printf "%s %s\n", $1, $7}' sample-files/user-access-audit/etc/passwd
root /bin/bash
alex /bin/bash
deploy /bin/bash
breakglass /bin/bashView commands shown
These are the commands shown in the sanitized transcript.
Commands shown
sed -n '1,8p' fixtures/user-access-audit/etc/passwdawk -F: '$7 ~ /(bash|sh|zsh)$/ {printf "%s %s\n", $1, $7}' fixtures/user-access-audit/etc/passwd
next steps
Related commands
Find SSH Keys for nologin Users
A nologin shell does not automatically mean SSH keys are irrelevant.
comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)
Find SSH Key Users with sudo
The highest-priority access review starts where SSH keys and sudo overlap.
comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)
List Users with Login Shells
Not every local account should be able to log in.
awk -F: '$7 ~ /sh$/ {print $1, $7}' etc/passwd
List Privileged Group Members
Group membership can grant more access than the username suggests.
awk -F: '$1 ~ /^(sudo|adm|docker)$/ && $4 != "" {print $1 ": " $4}' fixtures/user-access-audit/etc/group
Find Password-Enabled Accounts
A shell account with an unlocked password hash deserves extra attention.
awk -F: '$2 !~ /^(!|\*)/ {print $1}' fixtures/user-access-audit/etc/shadow
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Useful for
- LPIC-1 style command-line practice
- LFCS style performance tasks
- Linux+ style troubleshooting review
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.