Level
Script
Security
This script gives clear visibility over Linux privilege assignments by comparing the administrators detected on a host against an official roster of authorized administrators, so that any unauthorized account stands out and can be addressed promptly.
It works with two comma-separated lists: the currently detected admins (DetectedAdmins), which the script builds from the members of the sudo group after skipping expired and locked accounts, and the authorized admin list (AuthorizedAdmins), which is read from a custom field. Both lists are lowercased into arrays so the comparison is case-insensitive. Any username present in the detected list but absent from the authorized list is flagged as unauthorized, and the script exits with a non-zero code to trigger alerts or notifications in Level. Because it runs with root-level permissions, no manual elevation is needed, so it fits into day-to-day security and compliance routines.
#!/bin/bash
# This resource is provided as a convenience for Level users. We cannot
# guarantee it will work in all environments. Please test before deploying
# to your production environment. We welcome contributions to our community
# library
# Level Library
# https://level.io/library/script-linux-unauthorized-admins

# Define authorized admins (filled in from the Level custom field)
AUTHORIZED_ADMINS="{{cf_authorized_admins}}"

# Define detected admins
# Get all users in the 'sudo' group (local admins). Note: only the 'sudo'
# group is checked; members of 'wheel' or extra UID-0 accounts are not covered.
admins=$(getent group sudo | cut -d: -f4 | tr ',' '\n')
active_admins=()
for admin in $admins; do
    if [[ -n "$admin" ]]; then
        # Check if the account is expired ("never" or empty means not expired;
        # the label match depends on the English output of chage)
        exp_date=$(sudo chage -l "$admin" | grep "Account expires" | awk -F': ' '{print $2}')
        if [[ "$exp_date" == "never" || "$exp_date" == "" ]]; then
            # Check if the account is locked (second field of passwd -S is "L")
            status=$(sudo passwd -S "$admin" | awk '{print $2}')
            if [[ "$status" != "L" ]]; then
                active_admins+=("$admin")
            fi
        fi
    fi
done

# Convert array to comma-separated string
DETECTED_ADMINS=$(IFS=','; echo "${active_admins[*]}")

# Convert lists to arrays (lowercase for case-insensitive comparison;
# spaces following a comma are stripped)
IFS=',' read -r -a detectedArray <<< "$(echo "$DETECTED_ADMINS" | tr '[:upper:]' '[:lower:]' | sed 's/, */,/g')"
IFS=',' read -r -a authorizedArray <<< "$(echo "$AUTHORIZED_ADMINS" | tr '[:upper:]' '[:lower:]' | sed 's/, */,/g')"

# Find unauthorized admins: every detected name with no exact match
# in the authorized list
unauthorizedAdmins=()
for detected in "${detectedArray[@]}"; do
    found=false
    for authorized in "${authorizedArray[@]}"; do
        if [[ "$detected" == "$authorized" ]]; then
            found=true
            break
        fi
    done
    if [[ "$found" == false ]]; then
        unauthorizedAdmins+=("$detected")
    fi
done

# Join unauthorized admins into a comma-separated string
unauthorizedString=$(IFS=,; echo "${unauthorizedAdmins[*]}")

# Output unauthorized admins (non-zero exit triggers a Level alert)
# or a success message
if [[ ${#unauthorizedAdmins[@]} -gt 0 ]]; then
    echo "$unauthorizedString"
    exit 1
else
    echo "No unauthorized admins detected."
    exit 0
fi
Linux - Unauthorized Admins
This Bash script compares detected administrator accounts against a predefined list of authorized administrators, using Level's script variables and custom fields. It lowercases both lists into arrays so the comparison is case-insensitive, then iterates through the detected administrators to identify any that are not present in the authorized list. The script either outputs a comma-separated list of unauthorized administrators and exits with an error code, or confirms that no unauthorized admins were found and exits successfully.
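The same checks, as an added example that is not the Level library script above: the enumeration, the expired/locked test and the list comparison are split into functions that take command output as arguments, so the logic can be exercised offline without root against constructed getent/chage/passwd text. The function names, the sample group lines and the "LK" lock status are assumptions made for this example, not part of the original.

```shell
#!/bin/bash
# Added example (not the Level library script): the same checks as functions
# fed with command output, runnable offline and covering sudo and wheel groups.

# Lowercase a comma-separated list, trim whitespace around each entry and
# drop empty entries; prints one name per line.
normalize_list() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' || true
}

# Print the union of member names from one or more "getent group" lines.
members_of_groups() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | grep -v '^$' | sort -u
}

# Return 0 when an account is neither expired nor locked, given the text of
# "chage -l USER" and "passwd -S USER" for it (same parsing as the script).
is_active_account() {
    local exp_date status
    exp_date=$(printf '%s\n' "$1" | awk -F': *' '/^Account expires/ {print $2}')
    status=$(printf '%s\n' "$2" | awk '{print $2}')
    case "$status" in
        L|LK) return 1 ;;   # locked; "LK" is assumed for distributions using it
    esac
    [ -z "$exp_date" ] || [ "$exp_date" = "never" ]
}

# Print the detected names missing from the authorized list, comma-separated
# (empty when everyone is authorized). Exact, case-insensitive matching.
find_unauthorized() {
    local authorized_names result name
    authorized_names=$(normalize_list "$2")
    result=""
    for name in $(normalize_list "$1"); do
        if ! printf '%s\n' "$authorized_names" | grep -qxF -- "$name"; then
            result="${result:+$result,}$name"
        fi
    done
    printf '%s\n' "$result"
}

# Constructed sample data standing in for live getent output and a custom field.
SAMPLE_GROUPS='sudo:x:27:Alice,bob,carol
wheel:x:10:dave'
AUTHORIZED='alice, Carol ,'
if [ "${1:-}" = "demo" ]; then
    detected=$(members_of_groups "$SAMPLE_GROUPS" | paste -s -d ',' -)
    find_unauthorized "$detected" "$AUTHORIZED"   # prints: bob,dave
fi
```

Run with the argument `demo` to see the comparison over the constructed data; in a real check, replace the sample text with the output of `getent group sudo wheel`, `chage -l` and `passwd -S`.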
Bash
100
Local system