$ Linux One Liners
Back to lessons

Cybersecurity Triage

Risk: safe

List Privileged Group Members

You need to review accounts listed in privileged groups such as sudo, adm, or docker.

Command

awk -F: '$1 ~ /^(sudo|adm|docker)$/ && $4 != "" {print $1 ": " $4}' fixtures/user-access-audit/etc/group

Before you run this

Risk: safe. Do not remove group members from this output alone; confirm role ownership, automation, and approval records first.

Expected output

Privileged group names followed by their listed members.

System impact

Nothing changes. The command reads a fixture-local group stub and prints populated privileged groups.

Recovery / rollback: no state is changed.

When to use it

Use during access reviews when group membership may grant root, log, or runtime control.

When not to use it

Do not remove group members from this output alone; confirm role ownership, automation, and approval records first.

Watch this command run

Example output from a temporary Linux lab

This example uses disposable sample files and sanitized output so you can inspect the shape of the result before touching a real system.

demo@lab:~$

$ cat sample-files/user-access-audit/etc/group

root:x:0:
daemon:x:1:
www-data:x:33:
alex:x:1000:
deploy:x:1001:
reports:x:1002:
breakglass:x:1003:
backup:x:1004:
sudo:x:27:alex,breakglass
docker:x:998:deploy
adm:x:4:alex

$ awk -F: '$1 ~ /^(sudo|adm|docker)$/ && $4 != "" {print $1 ": " $4}' sample-files/user-access-audit/etc/group

sudo: alex,breakglass
docker: deploy
adm: alex
View reproducible demo details

This page shows the sanitized shell transcript and the setup steps needed to reproduce the example.

Lab setup steps

  1. cat fixtures/user-access-audit/etc/group
  2. awk -F: '$1 ~ /^(sudo|adm|docker)$/ && $4 != "" {print $1 ": " $4}' fixtures/user-access-audit/etc/group

next steps

Related commands

Cybersecurity Triage Risk: safe

Review sudo Grants

Privilege paths should be visible before you remove or approve access.

awk -F: '$1=="sudo" {print "sudo group: " $4}' fixtures/user-access-audit/etc/group; grep -RhnE '^[^#].*ALL=' fixtures/user-access-audit/etc/sudoers fixtures/user-access-audit/etc/sudoers.d
Cybersecurity Triage Risk: safe

Find SSH Key Users with sudo

The highest-priority access review starts where SSH keys and sudo overlap.

comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)
Cybersecurity Triage Risk: safe

Find SSH Keys for nologin Users

A nologin shell does not automatically mean SSH keys are irrelevant.

comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)
Cybersecurity Triage Risk: safe

Find Password-Enabled Accounts

A shell account with an unlocked password hash deserves extra attention.

awk -F: '$2 !~ /^(!|\*)/ {print $1}' fixtures/user-access-audit/etc/shadow
Cybersecurity Triage Risk: safe

List Accounts with Login Shells

Login shells are the first account inventory to review.

awk -F: '$7 ~ /(bash|sh|zsh)$/ {printf "%s %s\n", $1, $7}' fixtures/user-access-audit/etc/passwd
Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:104-filesystems-permissions-fhs
  • lpic1:107-admin-tasks
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:security-hygiene
  • lfcs:users-groups
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • linuxplus:security
  • risk:read-only
  • risk:security-sensitive

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.