There is a requirement within Cyber Essentials for Linux users to also have account separation, not just using sudo.
You are required to have account separation (that is users' day-to-day accounts are not admin accounts) for all operating systems, and that includes Linux, where the user (day-to-day account) must not be a member of the sudoers and a separate sudoer (root) account must be used.
Please remember: It is not a problem for any or all users to have administrative access if you have a business need for that and a documented business case, however, separation of admin/users must exist within the device or directory solution.
You can check the users status with the following command:
sudo -nv
If this returned nothing, that is an issue, as that means the user has administrative (root/sudoers) permissions, however, if this returns "Sorry, user xxx may not run sudo on {device}" that is fine.
Other methods of checking users on the system include:
sudo -l -U {username}
This would return "User {username} is not allowed to run sudo on {device}"
If you receive the message "User {username} may run the following commands on {device} (ALL : ALL) ALL" that would be an issue, as they are a root/sudoer.
You can also use the getent command:
getent group sudo | cut -d: -f4
This will provide a response of who is a sudo user
You can also use grep:
grep '^sudo:.*$' /etc/group | cut -d: -f4
Finally, to get a list of all users within the system, you can use:
awk -F':' '{ print $1}' /etc/passwd
This will provide a list of all users on the Linux system.