Cybersecurity Triage
Show Recent sudo Commands
You need to see recent sudo commands from auth logs.
Command
grep 'sudo:' logs/auth.log | tail -n 10
What changed
Nothing changes. The command filters sudo lines and shows the newest matches in file order.
Danger
safe
When to use it
Use during incident triage or after unexpected service changes.
When not to use it
Do not assume all privileged actions use sudo; also inspect service logs and shell history where appropriate.
Undo or recovery
No undo needed because this command is read-only.
Expected output
Recent sudo log lines including user, working directory, target user, and command.
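The fields named above can be split into columns, which also separates real command records from PAM session lines and surfaces denied or failed attempts that the same grep returns. This is an added example, not part of the original page; the function names and the sample log (the page's two lines plus constructed PAM and failure lines) are assumptions, and it expects the traditional syslog timestamp used in the simulated output.

```shell
#!/bin/sh
# Added example (not from the original page): turn sudo auth-log records into
# tab-separated columns: time, invoking user, target user, status, command.
# Function names and the sample log below are constructed for illustration.

write_sample_log() {   # $1 = file to create
cat > "$1" <<'EOF'
Jun 25 12:03:12 vps sudo: alex : TTY=pts/0 ; PWD=/srv/www ; USER=root ; COMMAND=/usr/bin/systemctl reload nginx
Jun 25 12:03:12 vps sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alex(uid=1000)
Jun 25 12:04:33 vps sudo: deploy : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/journalctl -u app
Jun 25 12:06:01 vps sudo: guest : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/guest ; USER=root ; COMMAND=/usr/bin/systemctl restart app
Jun 25 12:07:40 vps sudo: deploy : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/systemctl stop app
EOF
}

sudo_summary() {       # $1 = auth log path, e.g. logs/auth.log
    grep 'sudo:' "$1" | awk '
    index($0, " ; COMMAND=") == 0 { next }      # skip PAM session lines etc.
    {
        ts   = $1 " " $2 " " $3                 # traditional syslog timestamp
        rest = substr($0, index($0, "sudo:") + 5)
        c    = index(rest, " ; COMMAND=")
        cmd  = substr(rest, c + 11)             # command may itself contain " ; "
        n    = split(substr(rest, 1, c - 1), f, / ; /)
        split(f[1], u, / : /)                   # "user : TTY=..." or "user : reason"
        user = u[1]; gsub(/^ +| +$/, "", user)
        # Successful records go straight to KEY=value; failures carry a reason.
        status = (u[2] ~ /^[A-Z_]+=/) ? "ok" : ("FAIL: " u[2])
        target = "?"
        for (i = 1; i <= n; i++) if (f[i] ~ /^USER=/) target = substr(f[i], 6)
        printf "%s\t%s\t%s\t%s\t%s\n", ts, user, target, status, cmd
    }'
}

sudo_failures() {      # only denied or failed attempts
    sudo_summary "$1" | awk -F '\t' '$4 != "ok"'
}

# Demo on the constructed sample log.
sample=$(mktemp)
write_sample_log "$sample"
sudo_summary "$sample"
echo "--- failed or denied ---"
sudo_failures "$sample"
rm -f "$sample"
```

Point `sudo_summary` at `logs/auth.log` and pipe it through `tail -n 10` to get the same window as the command above, one record per row.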
demo script
Disposable terminal steps
grep 'sudo:' logs/auth.log
grep 'sudo:' logs/auth.log | tail -n 10
simulated output
What it looks like
$ grep 'sudo:' logs/auth.log
Jun 25 12:03:12 vps sudo: alex : TTY=pts/0 ; PWD=/srv/www ; USER=root ; COMMAND=/usr/bin/systemctl reload nginx
Jun 25 12:04:33 vps sudo: deploy : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/journalctl -u app
$ grep 'sudo:' logs/auth.log | tail -n 10
Jun 25 12:03:12 vps sudo: alex : TTY=pts/0 ; PWD=/srv/www ; USER=root ; COMMAND=/usr/bin/systemctl reload nginx
Jun 25 12:04:33 vps sudo: deploy : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/journalctl -u app
YouTube Short
Review recent sudo use.
Filter sudo lines from auth logs to see recent privileged commands and who ran them.
LinkedIn hook
Privilege use is one of the fastest first-response signals.
Question: Do you check sudo logs when a VPS changes unexpectedly?
experiments
A/B tests to run
Metric: save_rate
A: Who used sudo?
B: Privilege timeline first.