Cybersecurity Triage

Read-only, can be slow

Review a Breakglass Account

You need to collect account, group, SSH key, and log evidence for a breakglass user from fixture-local files.

Command

grep -Rhn 'breakglass' fixtures/user-access-audit/etc fixtures/user-access-audit/home fixtures/user-access-audit/logs

Before you run this

System impact: Read-only. Can create load on large logs, directories, filesystems, or process tables.

When not to use it: Do not delete emergency access from search results alone; verify business continuity requirements and approval policy.

Expected output

Line-numbered matches showing breakglass records across account files, keys, and logs. Because -h suppresses file names, each match carries only its line number; drop -h (or use -H) when the evidence must be attributable to a specific file.

System impact

Read-only, can be slow. Nothing changes. The command searches fixture-local account, access, and log stubs for the breakglass username.

May require elevated permissions on protected paths or service-owned files.

Scope this to the smallest useful path or service on busy systems.

Recovery / rollback: no state is changed.

When to use it

Use when auditing emergency accounts or checking whether exceptional access was used recently.

Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

$ grep -Rhn 'breakglass' sample-files/user-access-audit/etc sample-files/user-access-audit/users

7:breakglass:x:1003:1003:Break Glass:/srv/example/users/breakglass:/bin/bash
7:breakglass:x:1003:
9:sudo:x:27:alex,breakglass
7:breakglass:$y$j9T$demoHashOnlyBreakglass:20530:0:99999:7:::
1:ssh-ed25519 AAAAC3NzaDemoOnlyBreakglassVault breakglass@vault

$ grep -Rhn 'breakglass' sample-files/user-access-audit/etc sample-files/user-access-audit/users sample-files/user-access-audit/logs

7:breakglass:x:1003:1003:Break Glass:/srv/example/users/breakglass:/bin/bash
7:breakglass:x:1003:
9:sudo:x:27:alex,breakglass
7:breakglass:$y$j9T$demoHashOnlyBreakglass:20530:0:99999:7:::
1:ssh-ed25519 AAAAC3NzaDemoOnlyBreakglassVault breakglass@vault
2:Jun 25 10:15:14 host sshd[1722]: Accepted publickey for breakglass from 198.51.100.99 port 52001 ssh2
6:Jun 25 10:15:14 host sshd[1722]: Accepted publickey for breakglass from 198.51.100.99 port 52001 ssh2
7:Jun 25 10:16:02 host sudo: breakglass : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/passwd alex

These are the commands shown in the sanitized transcript.

Commands shown

  1. grep -Rhn 'breakglass' fixtures/user-access-audit/etc fixtures/user-access-audit/home
  2. grep -Rhn 'breakglass' fixtures/user-access-audit/etc fixtures/user-access-audit/home fixtures/user-access-audit/logs
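As an added example that is not part of this page's command set, the script below turns the same grep sweep into a structured review of one account: sudo group membership, shadow lock state, authorized key count, last accepted login and sudo use, followed by the raw matches with file names kept. It builds its own fixture tree from constructed sample records (paths, the hash string, the key string and the address are placeholders) so it runs offline.

```shell
# Added example, not the page's own command: a structured breakglass review over a
# constructed fixture tree laid out like fixtures/user-access-audit (etc/, home/, logs/).
FIX=$(mktemp -d)
mkdir -p "$FIX/etc" "$FIX/home/breakglass/.ssh" "$FIX/logs"
printf '%s\n' 'alex:x:1001:1001:Alex:/home/alex:/bin/bash' \
  'breakglass:x:1003:1003:Break Glass:/home/breakglass:/bin/bash' > "$FIX/etc/passwd"
printf '%s\n' 'sudo:x:27:alex,breakglass' > "$FIX/etc/group"
printf '%s\n' 'breakglass:$y$j9T$demoHashOnly:20530:0:99999:7:::' > "$FIX/etc/shadow"
printf '%s\n' '# vault key' 'ssh-ed25519 AAAAC3DemoOnly breakglass@vault' \
  > "$FIX/home/breakglass/.ssh/authorized_keys"
printf '%s\n' \
  'Jun 25 10:15:14 host sshd[1722]: Accepted publickey for breakglass from 198.51.100.99 port 52001 ssh2' \
  'Jun 25 10:16:02 host sudo: breakglass : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/passwd alex' \
  > "$FIX/logs/auth.log"

# yes/no: is user $1 listed in the sudo group of $2/etc/group
in_sudo_group() {
  awk -F: -v u="$1" '$1=="sudo" {n=split($4,m,","); for (i=1;i<=n;i++) if (m[i]==u) f=1}
    END {print (f ? "yes" : "no")}' "$2/etc/group"
}
# locked/active/missing from the shadow password field; a "!" or "*" prefix means locked
shadow_state() {
  awk -F: -v u="$1" '$1==u {s=($2 ~ /^[!*]/) ? "locked" : "active"}
    END {print (s ? s : "missing")}' "$2/etc/shadow"
}
# number of non-comment lines in $1's authorized_keys, 0 when the file is absent
key_count() {
  f="$2/home/$1/.ssh/authorized_keys"
  if [ -f "$f" ]; then grep -vc '^[[:space:]]*#' "$f" || true; else echo 0; fi
}
# source address of the most recent accepted public-key login for $1 (empty if none)
last_login_ip() {
  awk -v u="$1" '$5 ~ /^sshd/ && $6=="Accepted" && $9==u {ip=$11} END {print ip}' "$2/logs/auth.log"
}
# how many sudo invocations auth.log records for $1
sudo_use_count() {
  grep -c "sudo: $1 :" "$2/logs/auth.log" || true
}
# raw evidence; -H keeps the file name on each match so it stays attributable (the page's -h drops it)
evidence_lines() {
  grep -RHn -- "$1" "$2/etc" "$2/home" "$2/logs"
}
review() {
  printf 'account=%s sudo_group=%s shadow=%s keys=%s last_login_ip=%s sudo_uses=%s\n' "$1" \
    "$(in_sudo_group "$1" "$2")" "$(shadow_state "$1" "$2")" "$(key_count "$1" "$2")" \
    "$(last_login_ip "$1" "$2")" "$(sudo_use_count "$1" "$2")"
  evidence_lines "$1" "$2"
}
review breakglass "$FIX"
```

Point the functions at a real fixture root instead of "$FIX" to reuse them; an active shadow state on an emergency account that shows recent sudo use is the combination worth escalating.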

Related commands

Cybersecurity Triage, sensitive output

Find SSH Key Users with sudo

The highest-priority access review starts where SSH keys and sudo overlap.

comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)

Cybersecurity Triage, sensitive output

Count authorized_keys by User

authorized_keys is the practical SSH access list.

find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -exec sh -c 'for f do user=$(basename "$(dirname "$(dirname "$f")")"); keys=$(grep -vc "^[[:space:]]*#" "$f"); printf "%s %s %s\n" "$user" "$keys" "$f"; done' sh {} + | sort

Cybersecurity Triage, sensitive output

Find SSH Keys for nologin Users

A nologin shell does not automatically mean SSH keys are irrelevant.

comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)

Cybersecurity Triage, sensitive output

Review sudo Grants

Privilege paths should be visible before you remove or approve access.

awk -F: '$1=="sudo" {print "sudo group: " $4}' fixtures/user-access-audit/etc/group; grep -RhnE '^[^#].*ALL=' fixtures/user-access-audit/etc/sudoers fixtures/user-access-audit/etc/sudoers.d

Cybersecurity Triage, sensitive output

Show Successful Logins and sudo Use

Access reviews need both who logged in and who elevated privileges.

grep -E 'Accepted publickey|sudo:' fixtures/user-access-audit/logs/auth.log

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:security-hygiene
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.