User account management is one of the most critical security responsibilities on any Linux server. Orphaned accounts with active login shells, users with unnecessary sudo privileges, empty passwords, duplicate UIDs: each of these is a potential attack vector that can be exploited by malicious actors.
This guide walks you through a comprehensive Linux user account audit using dargslan-user-audit, a free Python tool that automates the most important checks every sysadmin should perform regularly.
Why Regular User Audits Are Essential
Linux user accounts accumulate over time like technical debt. Former employees retain access, test accounts created for debugging never get removed, and service accounts get more privileges than they need. Industry security frameworks like CIS Benchmarks, NIST, and SOC 2 all require regular user account audits.
- Principle of Least Privilege: Users should have only the access they need
- Account hygiene: Remove inactive and orphaned accounts
- Sudo oversight: Know exactly who has root-level access
- Password policy: Enforce strong password requirements
- Compliance: Meet audit requirements for security frameworks
Installing dargslan-user-audit
pip install dargslan-user-audit
# Or install the complete 15-tool toolkit
pip install dargslan-toolkit
CLI Usage
# Full user audit report
dargslan-users report
# List login users (non-system)
dargslan-users list
# Show sudo users
dargslan-users sudo
# Show root-level accounts (UID 0)
dargslan-users root
# Show security issues
dargslan-users issues
# JSON output
dargslan-users json
Python API for Automation
from dargslan_user_audit import UserAudit
ua = UserAudit()
# Full report
ua.print_report()
# Get login users (excludes system accounts)
for user in ua.get_login_users():
    print(f" {user['username']:20s} UID:{user['uid']} Shell:{user['shell']}")
# Check who has sudo access
sudo_users = ua.check_sudo_users()
print(f"Sudo users: {', '.join(sudo_users)}")
# Find root-level accounts
root_accounts = ua.check_root_accounts()
if len(root_accounts) > 1:
    print("WARNING: Multiple UID 0 accounts!")
# Run full audit
issues = ua.audit()
for issue in issues:
    print(f" [{issue['severity']}] {issue['message']}")
Understanding /etc/passwd and /etc/shadow
/etc/passwd Format
# username:x:UID:GID:GECOS:home:shell
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1001:1001:Deploy User:/home/deploy:/bin/bash
Key Fields to Audit
- UID 0: Only root should have UID 0. Multiple accounts = security risk
- Shell: Service accounts should have /usr/sbin/nologin or /bin/false
- Home directory: Should exist and be owned by the user
- GECOS: Should contain a meaningful description
Manual Audit Commands
# List all users with login shells
grep -v nologin /etc/passwd | grep -v /bin/false
# Find UID 0 accounts (should only be root)
awk -F: '$3==0' /etc/passwd
# Check for empty passwords
awk -F: '($2=="")' /etc/shadow 2>/dev/null
# List sudo/wheel group members
getent group sudo
getent group wheel
# Check last login times
lastlog | grep -v "Never"
# Currently logged in users
who
w
# Failed login attempts
lastb | head -20
# Check password aging
chage -l username
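The field checks and the manual commands above can be combined into one offline parser. This is an added example, not code from dargslan-user-audit; the function name audit_accounts, the UID_MIN threshold of 1000 and the sample entries are assumptions constructed for illustration.

```python
from collections import defaultdict

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
UID_MIN = 1000  # assumption: regular accounts start here (common login.defs default)
# Constructed sample data, not taken from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
deploy:x:1001:1001:Deploy User:/home/deploy:/bin/bash
toor:x:0:0::/root:/bin/bash
olddev:x:1001:1002::/home/olddev:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructed$hash:19700:0:99999:7:::
deploy::19700:0:99999:7:::
"""

def audit_accounts(passwd_text, shadow_text=""):
    """Return sorted (check, detail) findings for passwd/shadow content."""
    findings, by_uid = [], defaultdict(list)
    for line in filter(str.strip, passwd_text.splitlines()):
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdecimal():
            findings.append(("malformed-entry", line))
            continue
        name, uid, gecos, shell = fields[0], int(fields[2]), fields[4], fields[6]
        by_uid[uid].append(name)
        # Service accounts (0 < UID < UID_MIN) should not have a login shell.
        if 0 < uid < UID_MIN and shell not in NOLOGIN_SHELLS:
            findings.append(("system-login-shell", name))
        if not gecos:
            findings.append(("empty-gecos", name))
    for uid, names in by_uid.items():
        extra = [n for n in names if n != "root"]
        if uid == 0 and extra:
            findings.append(("extra-uid0", ",".join(extra)))
        elif uid != 0 and len(names) > 1:
            findings.append(("duplicate-uid", f"{uid}:{','.join(names)}"))
    for line in shadow_text.splitlines():
        fields = line.split(":")
        # An empty second field means the account has no password set.
        if len(fields) >= 2 and fields[1] == "":
            findings.append(("empty-password", fields[0]))
    return sorted(findings)

if __name__ == "__main__":
    for check, detail in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"[{check}] {detail}")
```

On a real host, pass the contents of /etc/passwd and /etc/shadow (the latter requires root) and treat system-login-shell hits as items to review, since some distributions ship system accounts with special-purpose shells.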
User Management Best Practices
Creating Users Securely
# Create user with home directory
useradd -m -s /bin/bash -c "John Doe" johndoe
# Set strong password
passwd johndoe
# Add to supplementary group
usermod -aG developers johndoe
# Set password expiry (90 days max)
chage -M 90 johndoe
# Set minimum password age (7 days)
chage -m 7 johndoe
Disabling Accounts
# Lock the account password (disables password login only; other login methods such as SSH keys can still work)
usermod -L username
# Change shell to nologin
usermod -s /usr/sbin/nologin username
# Set account expiry date
usermod -e 2026-06-01 username
# Remove user completely
userdel -r username
Sudo Configuration Security
# Edit sudoers safely
visudo
# Allow specific commands only
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/systemctl restart php-fpm
# Require password for sudo
%admin ALL=(ALL) ALL
# Log all sudo commands
Defaults logfile=/var/log/sudo.log
Defaults log_input, log_output
Home Directory Security
# Check home directory permissions
ls -la /home/
# Correct permissions (owner only)
chmod 700 /home/username
# Check for world-readable files
find /home -perm -o+r -type f 2>/dev/null
# Check .ssh permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/id_rsa
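The permission targets from the chmod commands above can also be verified programmatically. This is an added example, not part of dargslan-user-audit; audit_home and the EXPECTED table are hypothetical names, and the owner UID is assumed to come from the account's /etc/passwd entry.

```python
import os
import stat

# Maximum allowed mode per path, relative to the home directory ("" is the home itself).
EXPECTED = {"": 0o700, ".ssh": 0o700, ".ssh/authorized_keys": 0o600, ".ssh/id_rsa": 0o600}

def audit_home(home, owner_uid):
    """Return (check, detail) findings for one home directory."""
    findings = []
    for rel, max_mode in EXPECTED.items():
        path = os.path.join(home, rel) if rel else home
        try:
            st = os.lstat(path)  # lstat: inspect the entry itself, never a symlink target
        except FileNotFoundError:
            if not rel:
                return [("missing-home", home)]
            continue  # .ssh and key files are optional
        if stat.S_ISLNK(st.st_mode):
            findings.append(("symlink", path))  # needs manual review
            continue
        if st.st_uid != owner_uid:
            findings.append(("wrong-owner", path))
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~max_mode:  # any permission bit beyond the allowed maximum
            findings.append(("too-permissive", f"{path} {mode:04o}"))
    return findings
```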
Automated User Audit Script
#!/usr/bin/env python3
# /opt/scripts/user-audit.py
from dargslan_user_audit import UserAudit
ua = UserAudit()
issues = ua.audit()
critical = [i for i in issues if i['severity'] == 'critical']
if critical:
    print("CRITICAL USER AUDIT ISSUES:")
    for i in critical:
        print(f" ! {i['message']}")
# Check sudo user count
sudo_users = ua.check_sudo_users()
if len(sudo_users) > 5:
    print(f"WARNING: {len(sudo_users)} users have sudo access")
# List all login users for review
print(f"\nLogin users ({len(ua.get_login_users())}):")
for u in ua.get_login_users():
    sudo = "[SUDO]" if u['username'] in sudo_users else ""
    print(f" {u['username']:20s} {sudo}")
Regular user account audits are a cornerstone of Linux security. dargslan-user-audit automates the most important checks (sudo access, root-level accounts, home directory permissions, and duplicate UIDs) so you can identify issues before they become breaches.
Install now: pip install dargslan-user-audit, or get all 15 tools: pip install dargslan-toolkit