Cybersecurity Triage
Risk: safe
Review a Breakglass Account
You need to collect account, group, SSH key, and log evidence for a breakglass user from fixture-local files.
Command
grep -Rhn 'breakglass' fixtures/user-access-audit/etc fixtures/user-access-audit/home fixtures/user-access-audit/logs
Before you run this
Risk: safe. Do not delete emergency access from search results alone; verify business continuity requirements and approval policy.
Expected output
Line-numbered matches showing breakglass records across account files, keys, and logs.
System impact
Nothing changes. The command searches fixture-local account, access, and log stubs for the breakglass username.
Recovery / rollback: no state is changed.
When to use it
Use when auditing emergency accounts or checking whether exceptional access was used recently.
When not to use it
Do not delete emergency access from search results alone; verify business continuity requirements and approval policy.
Example output from a temporary Linux lab
This example uses disposable sample files and sanitized output so you can inspect the shape of the result before touching a real system.
$ grep -Rhn 'breakglass' sample-files/user-access-audit/etc sample-files/user-access-audit/users
7:breakglass:x:1003:1003:Break Glass:/srv/example/users/breakglass:/bin/bash
7:breakglass:x:1003:
9:sudo:x:27:alex,breakglass
7:breakglass:$y$j9T$demoHashOnlyBreakglass:20530:0:99999:7:::
1:ssh-ed25519 AAAAC3NzaDemoOnlyBreakglassVault breakglass@vault
$ grep -Rhn 'breakglass' sample-files/user-access-audit/etc sample-files/user-access-audit/users sample-files/user-access-audit/logs
7:breakglass:x:1003:1003:Break Glass:/srv/example/users/breakglass:/bin/bash
7:breakglass:x:1003:
9:sudo:x:27:alex,breakglass
7:breakglass:$y$j9T$demoHashOnlyBreakglass:20530:0:99999:7:::
1:ssh-ed25519 AAAAC3NzaDemoOnlyBreakglassVault breakglass@vault
2:Jun 25 10:15:14 host sshd[1722]: Accepted publickey for breakglass from 198.51.100.99 port 52001 ssh2
6:Jun 25 10:15:14 host sshd[1722]: Accepted publickey for breakglass from 198.51.100.99 port 52001 ssh2
7:Jun 25 10:16:02 host sudo: breakglass : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/passwd alex
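The search above uses -h, so each match is printed without the file it came from. The shell functions below are an added example, not part of the original page: they keep file attribution with -H and condense the evidence into one line per fact. The function names, the temporary fixture tree (etc, home, logs under one root), and its contents are constructed for illustration and modelled on the sample output.

```shell
#!/bin/sh
# Added example: attribute each breakglass match to its source file.
# All fixture contents are constructed sample data, not real accounts or keys.

make_fixture() {  # build a disposable fixture tree and print its path
  root=$(mktemp -d) || return 1
  mkdir -p "$root/etc" "$root/home/breakglass/.ssh" "$root/logs"
  printf '%s\n' 'alex:x:1001:1001:Alex:/home/alex:/bin/bash' \
    'breakglass:x:1003:1003:Break Glass:/home/breakglass:/bin/bash' > "$root/etc/passwd"
  printf '%s\n' 'sudo:x:27:alex,breakglass' 'breakglass:x:1003:' > "$root/etc/group"
  printf '%s\n' 'ssh-ed25519 AAAAC3NzaDemoOnlyBreakglassVault breakglass@vault' \
    > "$root/home/breakglass/.ssh/authorized_keys"
  printf '%s\n' \
    'Jun 25 10:15:14 host sshd[1722]: Accepted publickey for breakglass from 198.51.100.99 port 52001 ssh2' \
    'Jun 25 10:16:02 host sudo: breakglass : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/passwd alex' \
    'Jun 25 10:20:00 host sshd[1800]: Accepted publickey for alex from 198.51.100.10 port 40000 ssh2' \
    > "$root/logs/auth.log"
  printf '%s\n' "$root"
}

# Same search as the page's command, but -H keeps the file name on every match.
evidence() {  # usage: evidence ROOT USER
  (cd "$1" && grep -RHn -- "$2" etc home logs | sort)
}

# One line per fact a reviewer needs: account, sudo membership, keys, usage.
summary() {  # usage: summary ROOT USER
  root=$1 user=$2
  awk -F: -v u="$user" '$1==u {print "account shell=" $7}' "$root/etc/passwd"
  awk -F: -v u="$user" '$1=="sudo" {n=split($4,m,",")
    for (i=1;i<=n;i++) if (m[i]==u) print "sudo_group=yes"}' "$root/etc/group"
  # Count key lines, ignoring comments and blank lines; a missing file counts as 0.
  keys=$(grep -vcE '^[[:space:]]*(#|$)' "$root/home/$user/.ssh/authorized_keys" 2>/dev/null || true)
  echo "authorized_keys=${keys:-0}"
  echo "ssh_logins=$(grep -c "Accepted publickey for $user from" "$root/logs/auth.log")"
  grep "sudo: $user :" "$root/logs/auth.log" | sed 's/.*COMMAND=/sudo_command=/'
}

# Usage: r=$(make_fixture); evidence "$r" breakglass; summary "$r" breakglass; rm -rf "$r"
```

A summary that shows sudo_group=yes together with a recent ssh_logins count and a sudo_command line is the case to check against the approval record for that emergency use.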
This page shows the sanitized shell transcript and the setup steps needed to reproduce the example.
Lab setup steps
grep -Rhn 'breakglass' fixtures/user-access-audit/etc fixtures/user-access-audit/home
grep -Rhn 'breakglass' fixtures/user-access-audit/etc fixtures/user-access-audit/home fixtures/user-access-audit/logs
Next steps
Related commands
Find SSH Key Users with sudo
The highest-priority access review starts where SSH keys and sudo overlap.
comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)
Count authorized_keys by User
authorized_keys is the practical SSH access list.
find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -exec sh -c 'for f do user=$(basename "$(dirname "$(dirname "$f")")"); keys=$(grep -vc "^[[:space:]]*#" "$f"); printf "%s %s %s\n" "$user" "$keys" "$f"; done' sh {} + | sort
Find SSH Keys for nologin Users
A nologin shell does not automatically mean SSH keys are irrelevant.
comm -12 <(awk -F: '$7 !~ /(bash|sh|zsh)$/ {print $1}' fixtures/user-access-audit/etc/passwd | sort) <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort)
Review sudo Grants
Privilege paths should be visible before you remove or approve access.
awk -F: '$1=="sudo" {print "sudo group: " $4}' fixtures/user-access-audit/etc/group; grep -RhnE '^[^#].*ALL=' fixtures/user-access-audit/etc/sudoers fixtures/user-access-audit/etc/sudoers.d
Show Successful Logins and sudo Use
Access reviews need both who logged in and who elevated privileges.
grep -E 'Accepted publickey|sudo:' fixtures/user-access-audit/logs/auth.log
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Useful for
- LPIC-1 style command-line practice
- LFCS style performance tasks
- Linux+ style troubleshooting review
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.