Linux security essentials: use of AWK commands

Source: Internet
Author: User
Tags posix security essentials

  awk is a powerful text-analysis tool. Compared with the searching of grep and the editing of sed, awk is especially strong at analyzing data and generating reports. Put simply, awk reads a file line by line, splits each line into fields using whitespace as the default delimiter, and then performs the requested processing on those fields.
awk has 3 different versions: awk, nawk, and gawk. Unless stated otherwise, awk generally refers to gawk, the GNU version of awk.

1. Syntax

    awk '{pattern + action}' {filenames}

Although the operations can be complex, the syntax is always the same: pattern is what awk looks for in the data, and action is a series of commands that are executed when a match is found. Curly braces ({}) do not always have to appear in a program, but they are used to group a series of instructions under a particular pattern. A pattern that is a regular expression is enclosed in slashes.

The most basic function of the awk language is to browse and extract information from a file or string based on specified rules; once awk has extracted the information, other text operations can be performed on it. A complete awk script is typically used to format the information in a text file. Typically, awk treats one line of a file as its unit of processing: for each line it receives, awk executes the corresponding commands to process the text.

2. Command parameters

-F fs or --field-separator fs
    Specifies the input field delimiter; fs is a string or a regular expression, such as -F:.
-v var=value or --assign var=value
    Assigns a user-defined variable.
-f scriptfile or --file scriptfile
    Reads the awk commands from the script file.
-mf nnn and -mr nnn
    Set intrinsic limits to the value nnn. The -mf option limits the maximum number of blocks allocated to nnn; the -mr option limits the maximum number of records. These two features are extensions of the Bell Labs version of awk and are not available in standard awk.
-W compat or --compat, -W traditional or --traditional
    Runs awk in compatibility mode, so gawk behaves exactly like standard awk and all awk extensions are ignored.
-W copyleft or --copyleft, -W copyright or --copyright
    Prints short copyright information.
-W help or --help, -W usage or --usage
    Prints all awk options and a short description of each option.
-W lint or --lint
    Prints warnings for constructs that cannot be ported to traditional UNIX platforms.
-W lint-old or --lint-old
    Prints warnings about constructs that cannot be ported to traditional UNIX platforms.
-W posix
    Turns on compatibility mode, with the following restrictions. Not recognized: \x, the function keyword func, escape sequences, and the use of a newline as a field separator when FS is a single space; the operators ** and **= cannot replace ^ and ^=; fflush is not available.
-W re-interval or --re-interval
    Allows the use of interval regular expressions; see (POSIX character classes in grep), such as the bracket expression [[:alpha:]].
-W source program-text or --source program-text
    Uses program-text as source code; can be mixed with the -f option.
-W version or --version
    Prints the version and bug-report information.

3. Usage examples

Case 1: Assume that the output of last -n 5 is as follows:

    # last -n 5    <== show only the first five lines
    root     pts/1   192.168.1.100  Tue Feb 10 xx:xx   still logged in
    root     pts/1   192.168.1.100  Tue Feb 10 xx:xx - xx:xx  (xx:xx)
    root     pts/1   192.168.1.100  Mon Feb  9 xx:xx - xx:xx  (xx:xx)
    dmtsai   pts/1   192.168.1.100  Mon Feb  9 xx:xx - xx:xx  (xx:xx)
    root     tty1                   Fri Sep  5 xx:xx - xx:xx  (xx:xx)

Case 2: Show only the 5 most recently logged-in accounts

    # last -n 5 | awk '{print $1}'
    root
    root
    root
    dmtsai
    root
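An added example (not from the original article) that goes one step past Case 2: it counts logins per account and source, and handles two things a bare {print $1} does not, namely the blank line and "wtmp begins" trailer that last prints, and console rows such as tty1 that have no host column. The sample listing, its times, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout of the Case 1 listing; the times and the
# trailer date are made up for this example.
sample_last() {
cat <<'EOF'
root     pts/1   192.168.1.100  Tue Feb 10 11:21   still logged in
root     pts/1   192.168.1.100  Tue Feb 10 00:46 - 02:28  (01:41)
root     pts/1   192.168.1.100  Mon Feb  9 11:41 - 18:30  (06:48)
dmtsai   pts/1   192.168.1.100  Mon Feb  9 11:41 - 11:41  (00:00)
root     tty1                   Fri Sep  5 14:09 - 14:10  (00:01)

wtmp begins Fri Sep  5 14:09:12 2008
EOF
}

# Print "account,source,count" for each account/source pair.
summarize_logins() {
    awk '
        # last ends with a blank line and a "wtmp begins ..." trailer;
        # "reboot" rows are system events, not account logins.
        NF == 0 || $1 == "wtmp" || $1 == "reboot" { next }
        {
            # Console logins (tty1) have no host column, so field 3 is
            # already the weekday; treat those rows as local.
            src = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "local" : $3
            count[$1 "," src]++
        }
        END { for (k in count) print k "," count[k] }
    ' | LC_ALL=C sort    # for-in order is unspecified, so sort the result
}

sample_last | summarize_logins
```

On a live system the same function can be fed with last -n 50 | summarize_logins.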

Case 3: Display only the accounts in /etc/passwd

    # cat /etc/passwd | awk -F ':' '{print $1}'
    root
    daemon
    bin
    sys

-F specifies the field delimiter as ':'.

Case 4: Display only the accounts in /etc/passwd and each account's shell, with the account and the shell separated by a tab

    # cat /etc/passwd | awk -F ':' '{print $1"\t"$7}'
    root    /bin/bash
    daemon  /bin/sh
    bin     /bin/sh
    sys     /bin/sh

Case 5: Display only the accounts in /etc/passwd and each account's shell, with the account and the shell separated by a comma; add the column header Name,shell before all rows, and add "Blue,/bin/nosh" as the last line.

    # cat /etc/passwd | awk -F ':' 'BEGIN {print "Name,shell"} {print $1","$7} END {print "Blue,/bin/nosh"}'
    Name,shell
    root,/bin/bash
    daemon,/bin/sh
    bin,/bin/sh
    sys,/bin/sh
    ....
    Blue,/bin/nosh

Case 6: Search /etc/passwd for all lines containing the keyword root

    # awk '/root/' /etc/passwd
    root:x:0:0:root:/root:/bin/bash

Case 7: Search /etc/passwd for all lines containing the keyword root and display the corresponding shell

    # awk -F ':' '/root/{print $7}' /etc/passwd
    /bin/bash
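An added example (not from the original article) showing why an account audit should test a field rather than the whole line as Cases 6 and 7 do: /root/ also matches an account whose home directory is /root and misses a second UID 0 account with a different name. The sample file, the "operator" and "toor" rows, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed /etc/passwd-style sample; "operator" and "toor" are made-up rows.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
operator:x:11:0:operator:/root:/sbin/nologin
toor:x:0:0:backup admin:/home/toor:/bin/bash
EOF
}

# Case 6/7 style: /root/ is tested against the whole line, so it also hits
# any account whose home directory or comment contains "root".
regex_hits() { awk -F ':' '/root/ {print $1}'; }

# Field test: exactly the accounts whose UID (field 3) is 0.
uid0_accounts() { awk -F ':' '$3 == 0 {print $1}'; }

# Case 5 style report with BEGIN/END: accounts that have an interactive
# shell, counting and skipping lines that do not have exactly 7 fields.
shell_report() {
    awk -F ':' '
        BEGIN { print "name,uid,shell" }
        NF != 7 { bad++; next }
        $7 !~ /(nologin|false)$/ { print $1 "," $3 "," $7; n++ }
        END { print "accounts=" (n + 0) ",malformed=" (bad + 0) }
    '
}

echo "whole-line /root/ matches:"; sample_passwd | regex_hits
echo "accounts with UID 0:";       sample_passwd | uid0_accounts
sample_passwd | shell_report
```

On the sample, the whole-line match reports root and operator, while the field test reports root and toor.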
