Parse and report structured account data using record-driven awk filters. Extract specific fields, apply conditions, and produce clean output without opening an editor.
You are validating user account data and need fast, repeatable parsing without opening an editor. Your source is /etc/passwd, and your job is to extract specific fields, filter records by conditions, and format clean output for review.
Use this workflow when you need quick evidence about account state during audits and troubleshooting. Keep output stable so it can be pasted into tickets and reviewed under time pressure.
/etc/passwd.
NR in an END block.
-F for structured input like /etc/passwd.
$N and whole-record access with $0.
$3 == 0).
-v.
NR and end-of-stream reporting using END{...}.
/etc/passwd.
awk -F: '{print $1}' /etc/passwd
-F: sets the input field separator to a colon. Printing $1 returns the username field only, which is the fastest way to establish the account list you are working with.
root
daemon
sys
...
awk -F: '$3 == 0 {print $0}' /etc/passwd
UID 0 is the effective superuser identity. This filter isolates records that should be treated as high-risk and reviewed for legitimacy.
root:x:0:0:root:/root:/bin/bash
awk -F: -v sep=' -> ' '{print $1 sep $7}' /etc/passwd
Passing a separator with -v keeps output consistent and easy to scan. The shell field ($7) is a fast proxy for whether an account is intended to be interactive.
root -> /bin/bash
daemon -> /usr/sbin/nologin
sys -> /usr/sbin/nologin
...
NR.
awk 'END{print NR}' /etc/passwd
NR is the current record number. When printed from END{...}, it becomes the total count of processed records.
42
awk -F: '$7 == "/bin/bash" {print $1}' /etc/passwd
Filtering by shell is a quick audit pattern when you need to identify accounts that may be able to obtain an interactive session. This is not a full security review, but it is a reliable starting point.
root
student
If you forget -F:, awk will treat the entire line as one field and $1 will return the full record. Confirm the delimiter matches your input format before troubleshooting filters.
UID 0 should normally map to root only. If multiple records match, investigate immediately and verify system provenance and account management history.
Some systems use /usr/bin/bash or other shells. Confirm the value in the seventh field before hardcoding filters, or adjust the condition to match your environment.
Piping through cat adds no value here and can hide file-related errors. Prefer passing the file directly to awk unless you are intentionally streaming transformed input.
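The filters above can be combined into a single pass that also covers the pitfalls just listed: extra UID 0 records and shell paths other than /bin/bash. This is an added example, not part of the original lab; the function names audit_passwd and sample_passwd, the output labels, and the sample records are constructed for illustration, and the script assumes any shell other than nologin or false is interactive.

```shell
#!/bin/sh
# Added example: audit_passwd and sample_passwd are illustrative names.

# audit_passwd FILE: one-pass review of a passwd-format file ("-" = stdin).
audit_passwd() {
    awk -F: -v sep=' -> ' '
        # Skip blank and comment lines so they do not skew the count.
        /^[ \t]*$/ || /^[ \t]*#/ { next }
        { total++ }
        # A passwd record has exactly seven colon-separated fields.
        NF != 7 { printf "MALFORMED line %d: %s\n", NR, $0; next }
        # UID 0 should map to root only; flag every other match.
        $3 == 0 && $1 != "root" { print "EXTRA_UID0 " $1 }
        {
            # Compare the shell basename so /bin/bash and /usr/bin/bash
            # both match. Assumption: anything other than nologin or
            # false is interactive (an empty field falls back to /bin/sh).
            n = split($7, part, "/")
            if (part[n] != "nologin" && part[n] != "false") {
                print "INTERACTIVE " $1 sep $7
                interactive++
            }
        }
        END { printf "TOTAL %d INTERACTIVE %d\n", total, interactive }
    ' "${1:-/etc/passwd}"
}

# Constructed sample records, not taken from a real system.
sample_passwd() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'student:x:1000:1000:Student:/home/student:/usr/bin/bash' \
        'svcadmin:x:0:0:Service:/home/svcadmin:/bin/sh' \
        'broken:x:1001'
}

sample_passwd | audit_passwd -
```

Run audit_passwd with no argument to review the live /etc/passwd; the fixed line prefixes keep the output stable for pasting into tickets.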
This lab is read-only. Your cleanup is verifying you did not modify system files and that any output you captured reflects the current state of /etc/passwd.
ls -l /etc/passwd
tail -n 5 /etc/passwd
/etc/passwd permissions and timestamps look normal, and your filters still produce consistent results.
awk -F: '{print $1}' /etc/passwd
: Prints the username field from a colon-delimited passwd file.
-F:
: Sets the input field separator to :.
$1
: First field (username).
awk -F: '$3 == 0 {print $0}' /etc/passwd
: Filters records where UID equals 0 and prints the full record.
$3
: Third field (UID).
$0
: Entire current record.
awk -F: -v sep=' -> ' '{print $1 sep $7}' /etc/passwd
: Formats a report of username and login shell.
-v sep='...'
: Defines a variable used during processing.
$7
: Seventh field (login shell).
awk 'END{print NR}' /etc/passwd
: Prints the total number of records processed.
NR
: Record number (total records when used in END).
END{...}
: Runs once after all input is processed.
awk -F: '$7 == "/bin/bash" {print $1}' /etc/passwd
: Prints usernames for accounts with a /bin/bash login shell.
$7 == "/bin/bash"
: Condition matching the shell field.
{print $1}
: Outputs username only.