
Cybersecurity Triage

Risk: safe

Summarize sudo Commands by User

You need to extract sudo users and command paths from auth log lines.

Command

sed -n 's/.*sudo: *\([^: ]*\).*COMMAND=\(.*\)$/\1 -> \2/p' fixtures/user-access-audit/logs/auth.log | sort

Before you run this

Risk: safe. The command only reads the log file and writes nothing. It prints every sudo line that carries COMMAND=, and sudo logs refused attempts ("3 incorrect password attempts", "user NOT in sudoers", "command not allowed") on that same one-line format, so read each line as an elevation request rather than proof that the command ran; check the original line for one of those phrases before treating it as executed.

Expected output

One line per sudo invocation in the form user -> command, sorted by user and then by command. Repeated invocations appear once each (sort does not deduplicate); add uniq -c after sort if you want counts.

System impact

Nothing changes. The command filters sudo log lines and extracts the acting user plus command.

Recovery / rollback: no state is changed.

When to use it

Use during access reviews, incident triage, or post-change checks when privilege use matters.

When not to use it

Do not assume this covers every privileged action. Rotated logs (auth.log.1, auth.log.*.gz), the systemd journal, and distributions that log to /var/log/secure instead of auth.log hold entries this command never reads. sudo -i, sudo su and sudo /bin/bash are logged only as the launch of the shell, so nothing typed inside that root shell appears here; direct root logins never pass through sudo at all. Treat the result as a starting list, not a complete record of privilege use.
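The two caveats above (refused attempts look like successes, and a sudo shell hides everything run inside it) are easiest to see on a log that contains them. The script below is an added example, not part of the original lesson or its fixtures: it builds a constructed auth.log with successful, refused and shell-launching sudo lines, runs the page's sed pipeline unchanged, then splits granted from denied elevations and flags root shells. Hostname, users, paths and timestamps are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): the page's sed extraction run
# over a constructed auth.log, beside two refinements an access review needs.
# Hostname, users and paths are placeholders.

# Constructed sample log. sudo writes refusals ("incorrect password attempts",
# "user NOT in sudoers", "command not allowed") on the same one-line format
# that carries COMMAND=, so the bare sed cannot tell them from successes.
make_sample_log() {
    cat <<'EOF'
Jun 25 08:12:19 host sudo:     alex : TTY=pts/0 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/systemctl reload nginx
Jun 25 08:12:19 host sudo: pam_unix(sudo:session): session opened for user root by alex(uid=1000)
Jun 25 08:12:20 host sudo: pam_unix(sudo:session): session closed for user root
Jun 25 09:04:02 host sudo:   deploy : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/journalctl -u app.service
Jun 25 09:30:11 host sudo:   deploy : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/passwd alex
Jun 25 09:41:55 host sudo:    guest : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/bash
Jun 25 10:16:02 host sudo: breakglass : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/bin/bash -i
Jun 25 10:22:40 host sudo:     alex : TTY=pts/0 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/systemctl reload nginx
EOF
}

# The page's sed expression, unchanged, and the phrases sudo uses for refusals.
SUDO_EXTRACT='s/.*sudo: *\([^: ]*\).*COMMAND=\(.*\)$/\1 -> \2/p'
DENIED_RE='incorrect password attempts|NOT in sudoers|command not allowed'

# The page's command: every sudo line carrying COMMAND=, granted or not.
all_sudo_commands() {
    sed -n "$SUDO_EXTRACT" "$1" | sort
}

# Refused elevations only: these are attempts, not actions, and belong at the
# top of a review.
denied_sudo_commands() {
    grep 'sudo:' "$1" | grep -E "$DENIED_RE" | sed -n "$SUDO_EXTRACT" | sort
}

# Granted elevations only, one line per invocation.
granted_sudo_commands() {
    grep 'sudo:' "$1" | grep -Ev "$DENIED_RE" | sed -n "$SUDO_EXTRACT" | sort
}

# Counted summary of granted use as "count user -> command", busiest first.
# The leading-space strip makes the output identical across uniq implementations.
summarize_granted() {
    granted_sudo_commands "$1" | uniq -c | sort -rn | sed 's/^ *//'
}

# Root shells reached through sudo. sudo records only the shell launch, so
# whatever was typed inside never reaches auth.log; these sessions need a
# second source (auditd, session recording, the shell's own history).
root_shells() {
    granted_sudo_commands "$1" | grep -E -- '-> (/usr)?/bin/(sh|bash|dash|zsh|su)( |$)'
}

# Stand-alone demo run over the constructed log.
LOG=$(mktemp)
make_sample_log > "$LOG"
echo "== all sudo lines (page's command) =="; all_sudo_commands "$LOG"
echo "== denied =="; denied_sudo_commands "$LOG"
echo "== granted, counted =="; summarize_granted "$LOG"
echo "== root shells =="; root_shells "$LOG" || true
rm -f "$LOG"
```

On the constructed log the page's command lists deploy -> /usr/bin/passwd alex and guest -> /bin/bash as if they had run; the split shows both were refused, and breakglass's /bin/bash -i is the one line that a complete review cannot close from auth.log alone.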

Watch this command run

Example output from a temporary Linux lab

This example uses disposable sample files and sanitized output so you can inspect the shape of the result before touching a real system.

demo@lab:~$

$ grep 'sudo:' sample-files/user-access-audit/logs/auth.log

Jun 25 08:12:19 host sudo:     alex : TTY=pts/0 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/systemctl reload nginx
Jun 25 09:04:02 host sudo:   deploy : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/journalctl -u app.service
Jun 25 10:16:02 host sudo: breakglass : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/passwd alex

$ sed -n 's/.*sudo: *\([^: ]*\).*COMMAND=\(.*\)$/\1 -> \2/p' sample-files/user-access-audit/logs/auth.log | sort

alex -> /usr/bin/systemctl reload nginx
breakglass -> /usr/bin/passwd alex
deploy -> /usr/bin/journalctl -u app.service

Reproducible demo details

This page shows the sanitized shell transcript and the setup steps needed to reproduce the example.

Lab setup steps

  1. grep 'sudo:' fixtures/user-access-audit/logs/auth.log
  2. sed -n 's/.*sudo: *\([^: ]*\).*COMMAND=\(.*\)$/\1 -> \2/p' fixtures/user-access-audit/logs/auth.log | sort

Next steps

Related commands

Show Successful Logins and sudo Use (Cybersecurity Triage, risk: safe)

Access reviews need both who logged in and who elevated privileges.

grep -E 'Accepted publickey|sudo:' fixtures/user-access-audit/logs/auth.log

Count Failed SSH Login Users (Cybersecurity Triage, risk: safe)

Failed SSH attempts are noisy; grouping users makes the pattern readable.

sed -n 's/.*Failed password for \(invalid user \)\?\([^ ]*\) from .*/\2/p' logs/auth.log | sort | uniq -c | sort -nr

Find SSH Key Users with sudo (Cybersecurity Triage, risk: safe)

The highest-priority access review starts where SSH keys and sudo overlap.

comm -12 <(find fixtures/user-access-audit/home -path '*/.ssh/authorized_keys' -printf '%h\n' | awk -F/ '{print $(NF-1)}' | sort) <(awk -F: '$1=="sudo" {gsub(",","\n",$4); print $4}' fixtures/user-access-audit/etc/group | sort)

Count Failed SSH Login IPs (Cybersecurity Triage, risk: safe)

The loudest SSH source is usually visible with one count.

sed -n 's/.*Failed password .* from \([0-9.]*\) port.*/\1/p' logs/auth.log | sort | uniq -c | sort -nr

Show Recent sudo Commands (Cybersecurity Triage, risk: safe)

Privilege use is one of the fastest first-response signals.

grep 'sudo:' logs/auth.log | tail -n 10

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lpic1:104-filesystems-permissions-fhs
  • lpic1:107-admin-tasks
  • lpic1:109-networking
  • lpic1:110-security
  • lfcs:essential-commands
  • lfcs:networking
  • lfcs:security-hygiene
  • lfcs:users-groups
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • linuxplus:security
  • risk:read-only
  • risk:security-sensitive

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.