Cybersecurity Triage

Read-only

Review Recent Docker Events

Something changed on the host and you need a quick timeline of recent Docker activity.

Command

docker events --since 30m --until 0s

Before you run this

System impact: Read-only. Low when scoped to the shown target.

When not to use it: Do not treat it as a permanent audit log; Docker events are not a compliance log.

Expected output

Timestamped Docker events such as start, die, pull, health_status, or restart.

System impact

Read-only. Nothing changes. Docker reads daemon events for a bounded time window.

Recovery / rollback: no state is changed.

When to use it

Use after an unexplained restart, image pull, container stop, or health-status change.


Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

$ docker events --since 30m --until 0s

2026-06-25T14:14:50 image pull registry.example/api:v1.9.4
2026-06-25T14:15:01 container start web
2026-06-25T14:18:05 container die api exitCode=1
2026-06-25T14:18:06 container restart api

$ docker events --since 30m --until 0s --filter type=container

2026-06-25T14:15:01 container start web
2026-06-25T14:18:05 container die api exitCode=1
2026-06-25T14:18:06 container restart api

These are the commands shown in the sanitized transcript.

Commands shown

  1. docker events --since 30m --until 0s
  2. docker events --since 30m --until 0s --filter type=container
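
Added example (not part of the original page): a Python pass over the same bounded window that turns the event stream into a timeline and flags the changes this page says to look for. It assumes the events were captured with `docker events --since 30m --until 0s --format '{{json .}}'`; the function name `triage`, the rule labels, and the sample lines are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample (not real host data), shaped like the JSON lines printed by
# `docker events --since 30m --until 0s --format '{{json .}}'`.
SAMPLE = """\
{"Type":"image","Action":"pull","Actor":{"ID":"registry.example/api:v1.9.4","Attributes":{"name":"registry.example/api"}},"time":1782396890}
{"Type":"container","Action":"start","Actor":{"ID":"c0ffee01","Attributes":{"image":"registry.example/web:v2","name":"web"}},"time":1782396901}
{"Type":"container","Action":"die","Actor":{"ID":"c0ffee02","Attributes":{"exitCode":"1","image":"registry.example/api:v1.9.4","name":"api"}},"time":1782397085}
{"Type":"container","Action":"start","Actor":{"ID":"c0ffee02","Attributes":{"image":"registry.example/api:v1.9.4","name":"api"}},"time":1782397086}
truncated-line-from-a-cut-pipe
"""

def triage(lines):
    """Return (timeline, findings); each finding is (rule, timestamp, name, detail)."""
    timeline, findings, pulled = [], [], set()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
            epoch = ev["time"]
        except (json.JSONDecodeError, KeyError, TypeError):
            findings.append(("unparsed-line", "", "", raw[:40]))  # keep evidence, do not crash
            continue
        actor = ev.get("Actor") or {}
        attrs = actor.get("Attributes") or {}
        ts = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
        kind, action = ev.get("Type", ""), ev.get("Action", "")
        name = attrs.get("name") or actor.get("ID", "?")
        timeline.append((ts, kind, action, name))
        if kind == "image" and action == "pull":
            pulled.add(actor.get("ID"))  # image reference as pulled, tag included
        elif kind != "container":
            continue
        elif action == "die" and attrs.get("exitCode", "0") != "0":
            findings.append(("nonzero-exit", ts, name, "exitCode=" + attrs["exitCode"]))
        elif action == "start" and attrs.get("image") in pulled:
            findings.append(("started-from-image-pulled-in-window", ts, name, attrs["image"]))
        elif action.startswith("health_status") and "unhealthy" in action:
            findings.append(("unhealthy", ts, name, action))
    return timeline, findings

if __name__ == "__main__":
    timeline, findings = triage(SAMPLE.splitlines())
    print(*timeline, *findings, sep="\n")
```

Timestamps are rendered in UTC. The flags only cover the queried window, so a pull that happened before `--since` will not be correlated with a later start.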

Next steps

Related commands

Cybersecurity Triage Sensitive output

List Privileged Group Members

Group membership can grant more access than the username suggests.

awk -F: '$1 ~ /^(sudo|adm|docker)$/ && $4 != "" {print $1 ": " $4}' fixtures/user-access-audit/etc/group

Cybersecurity Triage Read-only

Build a Recent Apt Patch Timeline

Apt history turns patch claims into timestamps and package names.

awk '/^(Start-Date|Commandline|Upgrade|End-Date)/ {print}' /var/log/apt/history.log

Cybersecurity Triage State change

Inspect Container Environment Names

Check what environment variables exist without printing their secret values.

docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' api | sed 's/=.*$/=<redacted>/'

Cybersecurity Triage Sensitive output

Find SSH Key Users with sudo

The highest-priority access review starts where SSH keys and sudo overlap.

comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)

Cybersecurity Triage Read-only

List Accounts with Login Shells

Login shells are the first account inventory to review.

awk -F: '$7 ~ /(bash|sh|zsh)$/ {printf "%s %s\n", $1, $7}' fixtures/user-access-audit/etc/passwd

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:110-security
  • lfcs:security-hygiene
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.