Cybersecurity Triage

Review a Breakglass Account

You need to collect account, group, SSH key, and log evidence for a breakglass user from fixture-local files.

Command

grep -Rhn 'breakglass' fixtures/user-access-audit/etc fixtures/user-access-audit/home fixtures/user-access-audit/logs

What changed

Nothing changes. The command searches fixture-local account, access, and log stubs for the breakglass username.

Danger

safe

When to use it

Use when auditing emergency accounts or checking whether exceptional access was used recently.

When not to use it

Do not delete emergency access based on search results alone; verify business continuity requirements and the approval policy first.

Undo or recovery

No undo needed because this command is read-only.

Expected output

Line-numbered matches showing breakglass records across account files, keys, and logs.

demo script

Disposable terminal steps

  1. grep -Rhn 'breakglass' fixtures/user-access-audit/etc fixtures/user-access-audit/home
  2. grep -Rhn 'breakglass' fixtures/user-access-audit/etc fixtures/user-access-audit/home fixtures/user-access-audit/logs

simulated output

What it looks like

disposable vessel
::fixture-ready::
$ grep -Rhn 'breakglass' fixtures/user-access-audit/etc fixtures/user-access-audit/home
7:breakglass:x:1003:1003:Break Glass:/home/breakglass:/bin/bash
7:breakglass:x:1003:
9:sudo:x:27:alex,breakglass
7:breakglass:$y$j9T$demoHashOnlyBreakglass:20530:0:99999:7:::
1:ssh-ed25519 AAAAC3NzaDemoOnlyBreakglassVault breakglass@vault
::exit-code::0
$ grep -Rhn 'breakglass' fixtures/user-access-audit/etc fixtures/user-access-audit/home fixtures/user-access-audit/logs
7:breakglass:x:1003:1003:Break Glass:/home/breakglass:/bin/bash
7:breakglass:x:1003:
9:sudo:x:27:alex,breakglass
7:breakglass:$y$j9T$demoHashOnlyBreakglass:20530:0:99999:7:::
1:ssh-ed25519 AAAAC3NzaDemoOnlyBreakglassVault breakglass@vault
2:Jun 25 10:15:14 host sshd[1722]: Accepted publickey for breakglass from 198.51.100.99 port 52001 ssh2
6:Jun 25 10:15:14 host sshd[1722]: Accepted publickey for breakglass from 198.51.100.99 port 52001 ssh2
7:Jun 25 10:16:02 host sudo: breakglass : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/passwd alex
::exit-code::0
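As an added example that is not part of the lesson's fixtures or scripts, the script below builds constructed stubs modelled on the simulated output above and collects the same evidence per source. It keeps file names (the lesson's -h flag drops them, so a bare hit cannot be attributed to passwd, group, shadow, a key file or a log) and adds the checks a reviewer wants before signing off: group membership, password state, key count, sudo use and last accepted login. The directory layout, file names and sample data are assumptions.

```shell
# Added example, not code from the lesson: constructed stubs that mirror the
# fixtures/user-access-audit layout, then per-source evidence for one user.
# grep -n keeps the file name (the lesson's -h drops it), so hits stay attributable.
set -eu

make_fixtures() {   # constructed sample data modelled on the lesson's simulated output
  mkdir -p "$1/etc" "$1/home/breakglass/.ssh" "$1/logs"
  printf 'alex:x:1000:1000:Alex:/home/alex:/bin/bash\nbreakglass:x:1003:1003:Break Glass:/home/breakglass:/bin/bash\n' > "$1/etc/passwd"
  printf 'sudo:x:27:alex,breakglass\nbreakglass:x:1003:\n' > "$1/etc/group"
  printf 'breakglass:$y$j9T$demoHashOnlyBreakglass:20530:0:99999:7:::\nalex:!:20530:0:99999:7:::\n' > "$1/etc/shadow"
  printf 'ssh-ed25519 AAAAC3NzaDemoOnlyBreakglassVault breakglass@vault\n' > "$1/home/breakglass/.ssh/authorized_keys"
  printf 'Jun 25 10:15:14 host sshd[1722]: Accepted publickey for breakglass from 198.51.100.99 port 52001 ssh2\n' > "$1/logs/auth.log"
  printf 'Jun 25 10:16:02 host sudo: breakglass : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/passwd alex\n' >> "$1/logs/auth.log"
}

# Every hit as file:line:text (args: root user); never fails on zero matches.
find_hits() { grep -Rn -- "$2" "$1/etc" "$1/home" "$1/logs" || true; }
# Number of distinct files that mention the user: the breadth of its footprint.
count_files() { grep -Rl -- "$2" "$1/etc" "$1/home" "$1/logs" | wc -l | tr -d ' '; }

# Groups the user is in: its own group plus any member list naming it.
user_groups() {
  awk -F: -v u="$2" '$1==u || ("," $4 ",") ~ ("," u ",") {g = g (g ? "," : "") $1} END {print g}' "$1/etc/group"
}
# Password state from the shadow stub: locked (! or *), empty, set, or absent.
pw_state() {
  awk -F: -v u="$2" '$1==u {s = ($2 ~ /^[!*]/) ? "locked" : ($2 == "" ? "empty" : "set")}
                     END {if (s == "") s = "absent"; print s}' "$1/etc/shadow"
}
# Authorized key lines in the user's home stub (0 when the file is absent).
key_count() {
  local f="$1/home/$2/.ssh/authorized_keys"
  if [ -f "$f" ]; then grep -c -E '^(ssh|ecdsa|sk)-' "$f" || true; else echo 0; fi
}
# sudo invocations and the most recent accepted SSH login recorded for the user.
sudo_count() { grep -Rh -E "sudo: +$2 :" "$1/logs" | wc -l | tr -d ' '; }
last_login() { grep -Rh -E "Accepted [a-z]+ for $2 from" "$1/logs" | tail -n 1; }

# One-line evidence summary a reviewer can compare against the approval record.
summary() {
  ip=$(last_login "$1" "$2" | sed -E 's/.* from ([0-9.]+) .*/\1/')
  printf '%s groups=%s pw=%s keys=%s sudo=%s last_ip=%s\n' "$2" "$(user_groups "$1" "$2")" \
    "$(pw_state "$1" "$2")" "$(key_count "$1" "$2")" "$(sudo_count "$1" "$2")" "${ip:-none}"
}

root=$(mktemp -d); make_fixtures "$root"
find_hits "$root" breakglass; summary "$root" breakglass; rm -rf "$root"
```

Point the functions at the real fixtures/user-access-audit root instead of the constructed temp directory to run the same checks against the lesson's files.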

YouTube Short

Review breakglass access.

Emergency access should not be mysterious. Search account files, SSH keys, and logs for the breakglass user in one pass.

LinkedIn hook

Emergency accounts should be easy to find and hard to ignore.

Question: Do you include recent log use when reviewing emergency accounts?

experiments

A/B tests to run

Metric: watch_time

A: Emergency accounts need evidence.

B: Find breakglass access everywhere.