
Cybersecurity Triage

Summarize sudo Commands by User

You need to extract sudo users and command paths from auth log lines.

Command

sed -n 's/.*sudo: *\([^: ]*\).*COMMAND=\(.*\)$/\1 -> \2/p' fixtures/user-access-audit/logs/auth.log | sort

What changed

Nothing on the system changes. The command only reads auth.log: sed selects the sudo lines, captures the acting user (the word after "sudo:") and everything after COMMAND=, and prints them as `user -> command`; sort then groups the lines by user.

Danger

safe

When to use it

Use during access reviews, incident triage, or post-change checks when privilege use matters.

When not to use it

Do not assume this covers every privileged action: rotated logs (auth.log.1, auth.log.*.gz), systemd journal entries, and direct root logins or su sessions are not included. The summary also drops the timestamp and the target account (USER=), and a denied attempt ("user NOT in sudoers") still carries a COMMAND= field, so it appears in the list indistinguishable from a command that actually ran. Check the raw line before acting on a single suspicious entry.
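The script below is an added example, not part of the lesson or its fixture. It writes a constructed auth.log excerpt to a temporary file (the log lines, the "guest" denied attempt and the "deploy" run as postgres are invented for illustration), runs the lesson's one-liner as-is, and then shows a second pass in awk that keeps what the one-liner throws away: whether sudo allowed the command, and which target account it ran as.

```shell
#!/bin/sh
# Constructed sample log (not real data) so the summary runs offline.
AUTH_LOG="$(mktemp)"
trap 'rm -f "$AUTH_LOG"' EXIT
cat > "$AUTH_LOG" <<'EOF'
Jun 25 08:12:19 host sudo:     alex : TTY=pts/0 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/systemctl reload nginx
Jun 25 08:12:19 host sudo: pam_unix(sudo:session): session opened for user root by alex(uid=1000)
Jun 25 09:04:02 host sudo:   deploy : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/journalctl -u app.service
Jun 25 09:30:11 host sudo:    guest : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/bash
Jun 25 10:16:02 host sudo: breakglass : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/passwd alex
Jun 25 10:20:45 host sudo:   deploy : TTY=pts/1 ; PWD=/srv/app ; USER=postgres ; COMMAND=/usr/bin/psql -c select 1
EOF

# The lesson's one-liner, unchanged: "user -> command", sorted by user.
# Note that the denied "guest" attempt shows up like any other line.
summarize_sudo() {
  sed -n 's/.*sudo: *\([^: ]*\).*COMMAND=\(.*\)$/\1 -> \2/p' "$1" | LC_ALL=C sort
}

# Extended pass: tab-separated "status user target command".
# status is DENIED when sudo refused the request, OK otherwise;
# target is the account named by USER= (the one the command ran as).
summarize_sudo_detailed() {
  awk '
    /sudo: .*COMMAND=/ {
      line = $0
      sub(/.*sudo: +/, "", line)                 # drop the syslog prefix
      user = line; sub(/ :.*/, "", user)         # acting user before " : "
      status = (line ~ /NOT in sudoers|command not allowed/) ? "DENIED" : "OK"
      target = "?"
      if (match(line, /USER=[^ ;]+/)) target = substr(line, RSTART + 5, RLENGTH - 5)
      cmd = line; sub(/.*COMMAND=/, "", cmd)     # everything after COMMAND=
      printf "%s\t%s\t%s\t%s\n", status, user, target, cmd
    }' "$1" | LC_ALL=C sort
}

# Invocation count per acting user, busiest first: a quick way to spot
# an account that suddenly starts using sudo far more than it used to.
count_sudo_by_user() {
  summarize_sudo "$1" | cut -d' ' -f1 | LC_ALL=C sort | uniq -c | LC_ALL=C sort -rn
}

summarize_sudo "$AUTH_LOG"
echo
summarize_sudo_detailed "$AUTH_LOG"
echo
count_sudo_by_user "$AUTH_LOG"
```

Run it against a real log by replacing the heredoc with the path to auth.log; the awk pass handles the same line shape as the sed one-liner, so both can be pointed at the same file. The LC_ALL=C on sort keeps the ordering byte-wise and identical across machines.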

Undo or recovery

No undo needed because this command is read-only.

Expected output

One line per sudo invocation in the form `user -> command`, sorted by user so each account's commands sit together.

demo script

Disposable terminal steps

  1. grep 'sudo:' fixtures/user-access-audit/logs/auth.log
  2. sed -n 's/.*sudo: *\([^: ]*\).*COMMAND=\(.*\)$/\1 -> \2/p' fixtures/user-access-audit/logs/auth.log | sort

simulated output

What it looks like

$ grep 'sudo:' fixtures/user-access-audit/logs/auth.log
Jun 25 08:12:19 host sudo:     alex : TTY=pts/0 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/systemctl reload nginx
Jun 25 09:04:02 host sudo:   deploy : TTY=pts/1 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/journalctl -u app.service
Jun 25 10:16:02 host sudo: breakglass : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/passwd alex
::exit-code::0
$ sed -n 's/.*sudo: *\([^: ]*\).*COMMAND=\(.*\)$/\1 -> \2/p' fixtures/user-access-audit/logs/auth.log | sort
alex -> /usr/bin/systemctl reload nginx
breakglass -> /usr/bin/passwd alex
deploy -> /usr/bin/journalctl -u app.service
::exit-code::0

YouTube Short

Summarize sudo history.

Extract the sudo user and command from auth logs so privilege use becomes a short review list instead of raw log noise.

LinkedIn hook

Privilege history is easier to review when users and commands are separated.

Question: Do you summarize sudo commands by user before reviewing the full auth log?

experiments

A/B tests to run

Metric: completion_rate

A: Privilege history should be readable.

B: Who ran which sudo command?