Account separation: sudo / sudoers check in Linux

There is a requirement within Cyber Essentials for Linux users to also have account separation, not just using sudo.

You are required to have account separation (that is, users' day-to-day accounts are not admin accounts) for all operating systems, and that includes Linux, where the day-to-day user account must not be a member of the sudoers and a separate sudoer (root) account must be used for administration.

Please remember: it is not a problem for any or all users to have administrative access if you have a business need for it and a documented business case; however, separation of admin and user accounts must still exist within the device or directory solution.

You can check a user's status with the following command:

sudo -nv

If this returns nothing, that is an issue, as it means the user has administrative (root/sudoers) permissions; however, if it returns "Sorry, user xxx may not run sudo on {device}", that is fine.

Other methods of checking users on the system include:

sudo -l -U {username}

For a non-privileged user this returns "User {username} is not allowed to run sudo on {device}".

If you receive the message "User {username} may run the following commands on {device} (ALL : ALL) ALL", that is an issue, as the user is a root/sudoer.

You can also use the getent command:

getent group sudo | cut -d: -f4

This lists the members of the sudo group, i.e. who is a sudo user.

You can also use grep:

grep '^sudo:.*$' /etc/group | cut -d: -f4

Finally, to get a list of all users within the system, you can use:

awk -F':' '{ print $1}' /etc/passwd

This will provide a list of all users on the Linux system.
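The checks above can be combined into a single audit that lists every login account and flags the ones that sit in a privileged group. The script below is an added example written for this page; it is not part of the original guidance or of any tool it mentions. It assumes the common privileged group names (sudo on Debian/Ubuntu, wheel on RHEL/Fedora/SUSE, the legacy admin group) and treats UID 1000 and above as human accounts; the group and passwd file paths are parameters so the parsers can be run against copies taken from another host. Group membership alone is not the whole story, because /etc/sudoers and /etc/sudoers.d can grant rights to a user directly, so the sudo_rights function wraps the page's authoritative per-user check.

```shell
#!/bin/sh
# Account-separation audit for a Linux host (added example, POSIX sh + awk).
# Assumptions: privileged groups are sudo, wheel, admin; human accounts have
# UID >= 1000. File paths default to the live system but can be overridden.

# Print the members of one group, one per line.
# Usage: group_members GROUPNAME [GROUPFILE]
group_members() {
    awk -F: -v g="$1" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "${2:-/etc/group}"
}

# Print every account that is a member of any privileged group (sorted, unique).
# Usage: privileged_users [GROUPFILE]
privileged_users() {
    for g in sudo wheel admin; do
        group_members "$g" "${1:-/etc/group}"
    done | sort -u
}

# Print every human login account: UID >= 1000, excluding the nobody account.
# Usage: login_users [PASSWDFILE]
login_users() {
    awk -F: '$3 >= 1000 && $3 != 65534 && $1 != "nobody" { print $1 }' \
        "${1:-/etc/passwd}"
}

# Return 0 when USER is in no privileged group, 1 when it is.
# Usage: is_separated USER [GROUPFILE]
is_separated() {
    privileged_users "${2:-/etc/group}" | grep -qxF -- "$1" && return 1
    return 0
}

# Authoritative per-user check: ask sudo itself, which also covers entries in
# /etc/sudoers and /etc/sudoers.d. Listing another user's rights needs root.
# Usage: sudo_rights USER
sudo_rights() {
    sudo -n -l -U "$1" 2>&1
}

# Report on every login account; flagged accounts should match the
# documented business case for administrative access.
# Usage: audit_host [GROUPFILE] [PASSWDFILE]
audit_host() {
    groupfile="${1:-/etc/group}"
    passwdfile="${2:-/etc/passwd}"
    login_users "$passwdfile" | while read -r u; do
        if is_separated "$u" "$groupfile"; then
            printf '%-16s OK   (standard account)\n' "$u"
        else
            printf '%-16s FLAG (member of a privileged group)\n' "$u"
        fi
    done
}

# Run as:  sudo sh account_sep.sh audit    (no argument: define functions only)
case "${1:-}" in
    audit) audit_host ;;
esac
```

A FLAG line is only the group-membership view; follow it up with sudo_rights for that account, since the page's sudo -l -U output is what actually tells you whether the account can run commands as root. Note also that sudo -nv prints "sudo: a password is required" rather than nothing when a sudoer has no cached credentials; that output still means the account is privileged.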