$ Linux One Liners
Back to commands

Cybersecurity Triage

Read-only, sensitive output

Show Successful Logins and sudo Use

You need a compact access timeline from auth logs that includes successful SSH logins and sudo commands.

Command

grep -E 'Accepted publickey|sudo:' fixtures/user-access-audit/logs/auth.log

Before you run this

System impact: Read-only. Output may expose users, paths, tokens, keys, IPs, process arguments, or log details.

When not to use it: Do not treat this as a complete audit trail; also check rotated logs, system journal, and identity-provider logs on real systems.

Expected output

Accepted SSH login lines and sudo command lines in log order.

System impact

Read-only, sensitive output. Nothing changes. The command filters the fixture-local auth log for successful access and privilege-use lines.

May require elevated permissions on protected paths or service-owned files.

Recovery / rollback: no state is changed.

When to use it

Use during first response, server handoff, or after a suspicious change to build a quick access timeline.

When not to use it

Do not treat this as a complete audit trail; also check rotated logs, system journal, and identity-provider logs on real systems.

Watch this command run

Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

demo@lab:~$

$ sed -n '1,8p' sample-files/user-access-audit/logs/auth.log

Jun 25 08:11:04 host sshd[1401]: Accepted publickey for alex from 198.51.100.21 port 51244 ssh2
Jun 25 08:12:19 host sudo:     alex : TTY=pts/0 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/systemctl reload nginx
Jun 25 09:03:55 host sshd[1519]: Accepted publickey for deploy from 198.51.100.45 port 44920 ssh2
Jun 25 09:04:02 host sudo:   deploy : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/journalctl -u app.service
Jun 25 09:42:30 host sshd[1660]: Failed password for invalid user oracle from 203.0.113.19 port 39120 ssh2
Jun 25 10:15:14 host sshd[1722]: Accepted publickey for breakglass from 198.51.100.99 port 52001 ssh2
Jun 25 10:16:02 host sudo: breakglass : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/passwd alex

$ grep -E 'Accepted publickey|sudo:' sample-files/user-access-audit/logs/auth.log

Jun 25 08:11:04 host sshd[1401]: Accepted publickey for alex from 198.51.100.21 port 51244 ssh2
Jun 25 08:12:19 host sudo:     alex : TTY=pts/0 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/systemctl reload nginx
Jun 25 09:03:55 host sshd[1519]: Accepted publickey for deploy from 198.51.100.45 port 44920 ssh2
Jun 25 09:04:02 host sudo:   deploy : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/journalctl -u app.service
Jun 25 10:15:14 host sshd[1722]: Accepted publickey for breakglass from 198.51.100.99 port 52001 ssh2
Jun 25 10:16:02 host sudo: breakglass : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/passwd alex
View commands shown

These are the commands shown in the sanitized transcript.

Commands shown

  1. sed -n '1,8p' fixtures/user-access-audit/logs/auth.log
  2. grep -E 'Accepted publickey|sudo:' fixtures/user-access-audit/logs/auth.log

next steps

Related commands

Cybersecurity Triage Sensitive output

Show Accepted SSH Logins

During first response, successful logins matter more than background noise.

grep 'Accepted publickey' logs/auth.log
Cybersecurity Triage Sensitive output

Summarize sudo Commands by User

Privilege history is easier to review when users and commands are separated.

sed -n 's/.*sudo: *\([^: ]*\).*COMMAND=\(.*\)$/\1 -> \2/p' fixtures/user-access-audit/logs/auth.log | sort
Cybersecurity Triage Sensitive output

Show Recent sudo Commands

Privilege use is one of the fastest first-response signals.

grep 'sudo:' logs/auth.log | tail -n 10
Cybersecurity Triage Sensitive output

List Accepted SSH Login Sources

Successful SSH logins are the access events worth anchoring first.

awk '/Accepted publickey/ {print $1, $2, $3, $9, $11}' logs/auth.log
Cybersecurity Triage Sensitive output

Review sudo Grants

Privilege paths should be visible before you remove or approve access.

awk -F: '$1=="sudo" {print "sudo group: " $4}' fixtures/user-access-audit/etc/group; grep -RhnE '^[^#].*ALL=' fixtures/user-access-audit/etc/sudoers fixtures/user-access-audit/etc/sudoers.d
Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:104-filesystems-permissions-fhs
  • lpic1:107-admin-tasks
  • lpic1:109-networking
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:networking
  • lfcs:security-hygiene
  • lfcs:users-groups
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • linuxplus:security
  • risk:read-only
  • risk:security-sensitive

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.