Cybersecurity Triage

List Privileged Group Members

You need to review accounts listed in privileged groups such as sudo, adm, or docker.

Command

awk -F: '$1 ~ /^(sudo|adm|docker)$/ && $4 != "" {print $1 ": " $4}' fixtures/user-access-audit/etc/group

What changed

Nothing changes. The command reads a fixture-local group stub and prints populated privileged groups.
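The lesson's one-liner reads only the fourth field of the group file, so a user whose primary GID in /etc/passwd is a privileged group never appears in it. The script below is an added example (not part of the lesson and not its fixture): it writes constructed group and passwd stubs to a temp directory, reproduces the lesson's report as a function, adds a member count you can track between reviews, and adds the primary-GID check that the one-liner misses. The group regex defaults to sudo, adm, docker and wheel, which is an assumption; pass your own as the last argument.

```shell
#!/bin/sh
# Added example, not from the original lesson. Builds constructed
# /etc/group and /etc/passwd stubs and reviews privileged membership.

# Constructed group file in the same shape as the lesson's fixture.
make_group_fixture() {
  dir=$(mktemp -d)
  cat > "$dir/group" <<'EOF'
root:x:0:
daemon:x:1:
alex:x:1000:
deploy:x:1001:
breakglass:x:1003:
sudo:x:27:alex,breakglass
docker:x:998:deploy
adm:x:4:alex
wheel:x:10:
EOF
  printf '%s\n' "$dir/group"
}

# Constructed passwd file beside the group file. svc-ci is deliberately
# given primary GID 27 (sudo) without being listed in the group's member field.
make_passwd_fixture() {
  dir=$(dirname "$1")
  cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alex:x:1000:1000::/home/alex:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
svc-ci:x:1005:27::/var/lib/ci:/usr/sbin/nologin
EOF
  printf '%s\n' "$dir/passwd"
}

# list_privileged_members GROUP_FILE [GROUP_REGEX]
# Same report as the lesson: "group: members" for populated privileged groups.
list_privileged_members() {
  re=$2
  [ -n "$re" ] || re='^(sudo|adm|docker|wheel)$'
  awk -F: -v re="$re" '$1 ~ re && $4 != "" {print $1 ": " $4}' "$1"
}

# count_privileged_members GROUP_FILE: total member entries across privileged
# groups, a single number to compare between access reviews.
count_privileged_members() {
  list_privileged_members "$1" | awk -F': ' '{n += split($2, a, ",")} END {print n + 0}'
}

# primary_group_members GROUP_FILE PASSWD_FILE [GROUP_REGEX]
# Resolves privileged GIDs from the group file, then reports passwd users whose
# primary GID is one of them; these do not show up in the group member field.
primary_group_members() {
  re=$3
  [ -n "$re" ] || re='^(sudo|adm|docker|wheel)$'
  awk -F: -v re="$re" '
    NR == FNR { if ($1 ~ re) gid[$3] = $1; next }   # first file: group -> gid map
    ($4 in gid) { print gid[$4] ": " $1 " (primary gid)" }  # second file: passwd
  ' "$1" "$2"
}

# Stand-alone run: build the fixtures and print both reports.
GROUP_FILE=$(make_group_fixture)
PASSWD_FILE=$(make_passwd_fixture "$GROUP_FILE")
list_privileged_members "$GROUP_FILE"
primary_group_members "$GROUP_FILE" "$PASSWD_FILE"
```

Both reports are read-only, like the lesson's command. When the primary-GID report is non-empty, treat those accounts exactly as you would the listed members: confirm ownership and approval before changing anything.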

Danger

safe

When to use it

Use during access reviews when group membership may grant root (sudo), log access (adm), or container runtime control (docker).

When not to use it

Do not remove group members from this output alone; confirm role ownership, automation, and approval records first.

Undo or recovery

No undo needed because this command is read-only.

Expected output

Privileged group names followed by their listed members.

demo script

Disposable terminal steps

  1. cat fixtures/user-access-audit/etc/group
  2. awk -F: '$1 ~ /^(sudo|adm|docker)$/ && $4 != "" {print $1 ": " $4}' fixtures/user-access-audit/etc/group

simulated output

What it looks like

disposable vessel
::fixture-ready::
$ cat fixtures/user-access-audit/etc/group
root:x:0:
daemon:x:1:
www-data:x:33:
alex:x:1000:
deploy:x:1001:
reports:x:1002:
breakglass:x:1003:
backup:x:1004:
sudo:x:27:alex,breakglass
docker:x:998:deploy
adm:x:4:alex
::exit-code::0
$ awk -F: '$1 ~ /^(sudo|adm|docker)$/ && $4 != "" {print $1 ": " $4}' fixtures/user-access-audit/etc/group
sudo: alex,breakglass
docker: deploy
adm: alex
::exit-code::0

YouTube Short

Review privileged groups.

Sudo is not the only group that matters. Print privileged groups with members so hidden access paths are visible.

LinkedIn hook

Group membership can grant more access than the username suggests.

Question: Do you review docker and adm membership alongside sudo during access audits?

experiments

A/B tests to run

Metric: save_rate

A: Groups can be access paths.

B: Review sudo, adm, and docker together.