Cybersecurity Triage
Risk: safe
Find Password-Enabled Accounts
You need to identify accounts whose shadow password field does not begin with ! or *, the markers for a locked password.
Command
awk -F: '$2 !~ /^(!|\*)/ {print $1}' fixtures/user-access-audit/etc/shadow
Before you run this
Risk: safe. Do not infer SSH password login policy from shadow alone; also check sshd configuration and PAM policy on real systems.
Expected output
Account names with non-locked password fields.
System impact
Nothing changes. The command reads the fixture-local shadow stub and prints accounts whose password field is not locked.
Recovery / rollback: no state is changed.
When to use it
Use during access audits when you need to distinguish locked accounts from accounts that may accept password authentication.
When not to use it
Do not infer SSH password login policy from shadow alone; also check sshd configuration and PAM policy on real systems.
Watch this command run
Example output from a temporary Linux lab
This example uses disposable sample files and sanitized output so you can inspect the shape of the result before touching a real system.
$ cut -d: -f1,2 sample-files/user-access-audit/etc/shadow
root:!
daemon:*
www-data:*
alex:$y$j9T$demoHashOnlyAlex
deploy:!
reports:!
breakglass:$y$j9T$demoHashOnlyBreakglass
backup:!
$ awk -F: '$2 !~ /^(!|\*)/ {print $1}' sample-files/user-access-audit/etc/shadow
alex
breakglass
View reproducible demo details
This page shows the sanitized shell transcript and the setup steps needed to reproduce the example.
Lab setup steps
cut -d: -f1,2 fixtures/user-access-audit/etc/shadow
awk -F: '$2 !~ /^(!|\*)/ {print $1}' fixtures/user-access-audit/etc/shadow
Next steps
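Added example (not part of the original page): the one-liner above prints every account whose field does not start with ! or *, so an account with a real hash and an account with an empty field (no password required) appear in the same list, and a locked entry that still carries its old hash after the ! is not distinguished from a bare !. The sketch below reports each state separately; the function names classify_shadow and demo_shadow and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# classify_shadow [FILE...]: print "name<TAB>state" for each entry of a
# shadow-format file (reads stdin when no file is given).
# Hypothetical helper written for this example, not from the original page.
classify_shadow() {
  awk -F: '
    NF < 2 || $1 == "" { next }                             # malformed line
    $2 == ""           { print $1 "\tempty"; next }         # no password required
    $2 ~ /^[!*]+$/     { print $1 "\tlocked"; next }        # !, *, !!
    $2 ~ /^[!*]/       { print $1 "\tlocked-hash-kept"; next }  # e.g. after passwd -l
    $2 ~ /^\$/         { print $1 "\thash-set"; next }      # $id$... crypt hash
                       { print $1 "\tother" }               # legacy or invalid value
  ' "$@"
}

# Constructed sample entries (placeholder hashes, not real ones).
demo_shadow() {
  cat <<'EOF'
root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alex:$y$j9T$demoHashOnlyAlex:19000:0:99999:7:::
oldsvc:!$y$j9T$demoHashOnlyOldsvc:19000:0:99999:7:::
kiosk::19000:0:99999:7:::
EOF
}

# Show the classification for the constructed sample.
demo_shadow | classify_shadow
```

An "empty" result deserves immediate review, and "locked-hash-kept" means the previous password becomes valid again if the account is unlocked.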
Related commands
Find SSH Keys for nologin Users
A nologin shell does not automatically mean SSH keys are irrelevant.
comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)
Find SSH Key Users with sudo
The highest-priority access review starts where SSH keys and sudo overlap.
comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)
List Privileged Group Members
Group membership can grant more access than the username suggests.
awk -F: '$1 ~ /^(sudo|adm|docker)$/ && $4 != "" {print $1 ": " $4}' fixtures/user-access-audit/etc/group
Review sudo Grants
Privilege paths should be visible before you remove or approve access.
awk -F: '$1=="sudo" {print "sudo group: " $4}' fixtures/user-access-audit/etc/group; grep -RhnE '^[^#].*ALL=' fixtures/user-access-audit/etc/sudoers fixtures/user-access-audit/etc/sudoers.d
List Accounts with Login Shells
Login shells are the first account inventory to review.
awk -F: '$7 ~ /(bash|sh|zsh)$/ {printf "%s %s\n", $1, $7}' fixtures/user-access-audit/etc/passwd
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Useful for
- LPIC-1 style command-line practice
- LFCS style performance tasks
- Linux+ style troubleshooting review
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.