Cybersecurity Triage

Read-only, sensitive output

Review sudo Grants

You need a compact view of sudo group membership and sudoers rules from fixture-local stubs.

Command

awk -F: '$1=="sudo" {print "sudo group: " $4}' fixtures/user-access-audit/etc/group; grep -RhnE '^[^#].*ALL=' fixtures/user-access-audit/etc/sudoers fixtures/user-access-audit/etc/sudoers.d

Before you run this

System impact: Read-only. Output may expose users, paths, tokens, keys, IPs, process arguments, or log details.

When not to use it: Do not edit sudoers based only on this summary; validate syntax and account ownership on real systems.

Expected output

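The sudo group members, followed by the sudoers lines that do not start with # and contain ALL=. Each line is prefixed with its line number within its own file; because -h suppresses file names, the same number can appear more than once.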

System impact

Read-only, sensitive output. Nothing changes. The command reads fixture-local group and sudoers stubs and prints privilege grants.

May require elevated permissions on protected paths or service-owned files.

Recovery / rollback: no state is changed.

When to use it

Use when auditing who can elevate privileges or when preparing to remove stale access.

Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

$ cat sample-files/user-access-audit/etc/group sample-files/user-access-audit/etc/sudoers sample-files/user-access-audit/etc/sudoers.d/app-deploy

root:x:0:
daemon:x:1:
www-data:x:33:
alex:x:1000:
deploy:x:1001:
reports:x:1002:
breakglass:x:1003:
backup:x:1004:
sudo:x:27:alex,breakglass
docker:x:998:deploy
adm:x:4:alex
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
# app deploy automation
deploy ALL=(root) NOPASSWD: /usr/bin/journalctl -u app.service, /usr/bin/systemctl reload nginx

$ awk -F: '$1=="sudo" {print "sudo group: " $4}' sample-files/user-access-audit/etc/group; grep -RhnE '^[^#].*ALL=' sample-files/user-access-audit/etc/sudoers sample-files/user-access-audit/etc/sudoers.d

sudo group: alex,breakglass
2:root ALL=(ALL:ALL) ALL
3:%sudo ALL=(ALL:ALL) ALL
4:deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
2:deploy ALL=(root) NOPASSWD: /usr/bin/journalctl -u app.service, /usr/bin/systemctl reload nginx

Commands shown

These are the commands shown in the sanitized transcript.

  1. cat fixtures/user-access-audit/etc/group fixtures/user-access-audit/etc/sudoers fixtures/user-access-audit/etc/sudoers.d/app-deploy
  2. awk -F: '$1=="sudo" {print "sudo group: " $4}' fixtures/user-access-audit/etc/group; grep -RhnE '^[^#].*ALL=' fixtures/user-access-audit/etc/sudoers fixtures/user-access-audit/etc/sudoers.d
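
The grep output in the transcript drops file names and leaves %sudo unexpanded, so the reviewer still has to join it with the group line by hand. As an added example (not part of the original page), this POSIX sh script does that join: one line per user and rule, with file:line provenance and a NOPASSWD flag. It assumes sudoers.d is included by the main sudoers file; the function names and the old.bak file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the page's command): expand sudoers rules to per-user grants.

make_fixture() {  # $1 = directory to fill with CONSTRUCTED sample data
  mkdir -p "$1/etc/sudoers.d"
  printf '%s\n' 'sudo:x:27:alex,breakglass' 'docker:x:998:deploy' > "$1/etc/group"
  printf '%s\n' 'Defaults env_reset' 'root ALL=(ALL:ALL) ALL' \
    '%sudo ALL=(ALL:ALL) ALL' \
    'deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service' \
    > "$1/etc/sudoers"
  printf '%s\n' '# app deploy automation' \
    'deploy ALL=(root) NOPASSWD: /usr/bin/journalctl -u app.service, /usr/bin/systemctl reload nginx' \
    > "$1/etc/sudoers.d/app-deploy"
  # Hypothetical leftover file: sudo skips sudoers.d names that contain "." or
  # end in "~", but a recursive grep still prints its rule.
  printf '%s\n' 'reports ALL=(ALL) NOPASSWD: ALL' > "$1/etc/sudoers.d/old.bak"
}

# Prints one line per user and rule: user|file:line|NOPASSWD or PASSWD|rule
effective_grants() {  # $1 = fixture root
  root=$1
  set -- "$root/etc/group" "$root/etc/sudoers"
  for f in "$root"/etc/sudoers.d/*; do
    case "${f##*/}" in *.*|*~) continue ;; esac   # files sudo itself ignores
    if [ -f "$f" ]; then set -- "$@" "$f"; fi
  done
  awk -v root="$root/" '
    NR == FNR { split($0, g, ":"); members[g[1]] = g[4]; next }  # group file
    /^[ \t]*#/ || NF == 0 { next }                               # comments, blanks
    $1 ~ /^Defaults/ || $1 ~ /_Alias$/ || $0 !~ /=/ { next }     # not a user rule
    {
      tag = ($0 ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
      src = substr(FILENAME, length(root) + 1) ":" FNR
      n = 1; u[1] = $1
      if ($1 ~ /^%/) n = split(members[substr($1, 2)], u, ",")   # %group to members
      for (i = 1; i <= n; i++) print u[i] "|" src "|" tag "|" $0
    }' "$@"
}

demo=$(mktemp -d)
make_fixture "$demo"
effective_grants "$demo" | sort
rm -rf "$demo"
```

Aliases (User_Alias, Cmnd_Alias) and numeric #uid entries are skipped rather than resolved, so rules that rely on them still need a manual read.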

Next steps

Related commands

Cybersecurity Triage Sensitive output

List Privileged Group Members

Group membership can grant more access than the username suggests.

awk -F: '$1 ~ /^(sudo|adm|docker)$/ && $4 != "" {print $1 ": " $4}' fixtures/user-access-audit/etc/group

Cybersecurity Triage Sensitive output

Find SSH Key Users with sudo

The highest-priority access review starts where SSH keys and sudo overlap.

comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)

Cybersecurity Triage Sensitive output

Find SSH Keys for nologin Users

A nologin shell does not automatically mean SSH keys are irrelevant.

comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)

Cybersecurity Triage Read-only

Find Password-Enabled Accounts

A shell account with an unlocked password hash deserves extra attention.

awk -F: '$2 !~ /^(!|\*)/ {print $1}' fixtures/user-access-audit/etc/shadow

Cybersecurity Triage Can be slow

Review a Breakglass Account

Emergency accounts should be easy to find and hard to ignore.

grep -Rhn 'breakglass' fixtures/user-access-audit/etc fixtures/user-access-audit/home fixtures/user-access-audit/logs

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:104-filesystems-permissions-fhs
  • lpic1:107-admin-tasks
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:security-hygiene
  • lfcs:users-groups
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • linuxplus:security
  • risk:read-only
  • risk:security-sensitive

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.