Cybersecurity Triage
Read-only, sensitive outputList Privileged Group Members
You need to review accounts listed in privileged groups such as sudo, adm, or docker.
Command
awk -F: '$1 ~ /^(sudo|adm|docker)$/ && $4 != "" {print $1 ": " $4}' fixtures/user-access-audit/etc/groupBefore you run this
System impact: Read-only. Output may expose users, paths, tokens, keys, IPs, process arguments, or log details.
When not to use it: Do not remove group members from this output alone; confirm role ownership, automation, and approval records first.
Expected output
Privileged group names followed by their listed members.
System impact
Read-only, sensitive output. Nothing changes. The command reads a fixture-local group stub and prints populated privileged groups.
May require elevated permissions on protected paths or service-owned files.
Recovery / rollback: no state is changed.
When to use it
Use during access reviews when group membership may grant root, log, or runtime control.
When not to use it
Do not remove group members from this output alone; confirm role ownership, automation, and approval records first.
Watch this command run
Command transcript
This sanitized transcript shows the commands and output shape without exposing host details.
$ cat sample-files/user-access-audit/etc/group
root:x:0:
daemon:x:1:
www-data:x:33:
alex:x:1000:
deploy:x:1001:
reports:x:1002:
breakglass:x:1003:
backup:x:1004:
sudo:x:27:alex,breakglass
docker:x:998:deploy
adm:x:4:alex$ awk -F: '$1 ~ /^(sudo|adm|docker)$/ && $4 != "" {print $1 ": " $4}' sample-files/user-access-audit/etc/group
sudo: alex,breakglass
docker: deploy
adm: alexView commands shown
These are the commands shown in the sanitized transcript.
Commands shown
cat fixtures/user-access-audit/etc/groupawk -F: '$1 ~ /^(sudo|adm|docker)$/ && $4 != "" {print $1 ": " $4}' fixtures/user-access-audit/etc/group
next steps
Related commands
Review sudo Grants
Privilege paths should be visible before you remove or approve access.
awk -F: '$1=="sudo" {print "sudo group: " $4}' fixtures/user-access-audit/etc/group; grep -RhnE '^[^#].*ALL=' fixtures/user-access-audit/etc/sudoers fixtures/user-access-audit/etc/sudoers.d
Find SSH Key Users with sudo
The highest-priority access review starts where SSH keys and sudo overlap.
comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)
Find SSH Keys for nologin Users
A nologin shell does not automatically mean SSH keys are irrelevant.
comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)
Find Password-Enabled Accounts
A shell account with an unlocked password hash deserves extra attention.
awk -F: '$2 !~ /^(!|\*)/ {print $1}' fixtures/user-access-audit/etc/shadow
List Accounts with Login Shells
Login shells are the first account inventory to review.
awk -F: '$7 ~ /(bash|sh|zsh)$/ {printf "%s %s\n", $1, $7}' fixtures/user-access-audit/etc/passwd
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Useful for
- LPIC-1 style command-line practice
- LFCS style performance tasks
- Linux+ style troubleshooting review
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.