Linux Unauthorized Admins Script

Level Verified
Created by: Level
Type: Script
Category: Security
Platforms: Windows, Apple iOS, Linux

Problem Overview

This script addresses the need for clear visibility over Linux privilege assignments by instantly comparing the list of detected admins against an official roster of authorized administrators, ensuring that any unauthorized accounts stand out and can be promptly addressed.

Description

It takes two comma-separated lists, one of currently detected admins (DetectedAdmins) and one of authorized admins (AuthorizedAdmins), lowercases both and splits them into arrays so the comparison is case-insensitive. It then identifies any usernames present in the detected list that do not match an entry in the authorized list, flags them as unauthorized, and exits with a non-zero code to trigger alerts or notifications in Level. Because it runs with root-level permissions, there is no need for manual elevation, so it can be integrated directly into your day-to-day security and compliance routines.

Script

#!/bin/bash

# This resource is provided as a convenience for Level users. We cannot
# guarantee it will work in all environments. Please test before deploying
# to your production environment. We welcome contributions to our community
# library

# Level Library
# https://level.io/library/script-linux-unauthorized-admins

# Authorized admins, read from the Level custom field (replace with actual values)
AUTHORIZED_ADMINS="{{cf_authorized_admins}}"

# Detected admins, read from the Level script variable (replace with actual values)
DETECTED_ADMINS="{{DetectedAdmins}}"

# Convert lists to arrays: lowercase for case-insensitive comparison and strip
# whitespace around commas so "Root, Alice" and "root,alice" compare equal
IFS=',' read -r -a detectedArray <<< "$(echo "$DETECTED_ADMINS" | tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*,[[:space:]]*/,/g')"
IFS=',' read -r -a authorizedArray <<< "$(echo "$AUTHORIZED_ADMINS" | tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*,[[:space:]]*/,/g')"

# Find unauthorized admins: any detected name with no exact match in the authorized list
unauthorizedAdmins=()
for detected in "${detectedArray[@]}"; do
    [[ -z "$detected" ]] && continue   # skip empty items left by stray or trailing commas
    found=false
    for authorized in "${authorizedArray[@]}"; do
        if [[ "$detected" == "$authorized" ]]; then
            found=true
            break
        fi
    done
    if [[ "$found" == false ]]; then
        unauthorizedAdmins+=("$detected")
    fi
done

# Join unauthorized admins into a comma-separated string
unauthorizedString=$(IFS=,; echo "${unauthorizedAdmins[*]}")

# Output unauthorized admins (non-zero exit raises the Level alert) or a success message
if [[ ${#unauthorizedAdmins[@]} -gt 0 ]]; then
    echo "$unauthorizedString"
    exit 1
else
    echo "No unauthorized admins detected."
    exit 0
fi


Use Cases

  • Monitoring newly added Linux administrators that lack official authorization
  • Performing regular compliance audits of Linux privileged users
  • Enforcing least-privilege policies by detecting any unexpected admin accounts
  • Consolidating results into larger admin compliance workflows or reporting structures

Recommendations

  • Pair this script with a script-based monitor in Level to immediately alert on unauthorized admin additions
  • For scheduled checks, build a Level automation with a time-based trigger to run frequent compliance scans
  • Always update your custom “AuthorizedAdmins” field in Level to ensure accurate comparisons
  • Test the script in a non-production environment to verify it functions correctly with your specific distribution

FAQ

  • How does the script know which admins are detected?
    It retrieves a comma-separated string from the “DetectedAdmins” script variable, typically populated by a separate script that identifies Linux admins.
  • What happens if no unauthorized admins are found?
    The script outputs “No unauthorized admins detected.” and exits with a zero code, indicating normal operation.
  • Do I need special permissions to run this script?
    No, Level executes scripts with root permissions in Linux environments, so no manual elevation is required.
  • Can I customize the script for different privileged groups or naming conventions?
    Absolutely, you can adapt the script to pull from alternative groups or fields by modifying how it obtains the detected and authorized admins.
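The following is an added example, not the Level library script or its companion detection script. It covers both the comparison described above and the FAQ's "separate script that identifies Linux admins": it derives a DetectedAdmins-style value from constructed passwd/group text (assuming an admin is any UID-0 account or any member of the sudo or wheel group, which the page does not specify), then compares it against the authorized roster with whitespace trimming, empty-item skipping and a hash lookup in place of the nested loops.

```shell
#!/bin/bash
# Added example, not the Level library script: derive the DetectedAdmins value
# (UID-0 accounts plus sudo/wheel members) from constructed passwd/group text, then
# run the roster comparison with trimming, empty-item skipping and a hash lookup.

# Constructed sample data standing in for /etc/passwd and /etc/group.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/sh'
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice,Bob
wheel:x:10:carol
users:x:100:alice,bob,carol'

# Lowercase a comma-separated list and strip whitespace around each item.
normalize() {
    tr '[:upper:]' '[:lower:]' <<< "$1" | sed 's/[[:space:]]*,[[:space:]]*/,/g; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Comma-separated, deduplicated admins: UID-0 accounts in passwd text ($1) plus sudo/wheel members in group text ($2).
detect_admins() {
    {
        awk -F: '$3 == 0 { print $1 }' <<< "$1"
        awk -F: '$1 == "sudo" || $1 == "wheel" { n = split($4, m, ",")
                 for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' <<< "$2"
    } | tr '[:upper:]' '[:lower:]' | sort -u | paste -sd, -
}

# Compare detected ($1) with authorized ($2). Prints the unauthorized names
# comma-separated and returns 1 when any exist; prints nothing and returns 0 otherwise.
find_unauthorized() {
    local name IFS=','                 # IFS=',' splits the reads and joins the output
    local -A allowed=()
    local -a detected authorized unauthorized=()
    read -r -a authorized <<< "$(normalize "$2")"
    read -r -a detected <<< "$(normalize "$1")"
    for name in "${authorized[@]}"; do [[ -n "$name" ]] && allowed["$name"]=1; done
    for name in "${detected[@]}"; do
        [[ -z "$name" || -n "${allowed[$name]+set}" ]] && continue
        unauthorized+=("$name")
    done
    [[ ${#unauthorized[@]} -eq 0 ]] && return 0
    echo "${unauthorized[*]}"
    return 1
}

# Usage: a roster that authorizes only root and Alice flags bob, carol and toor.
found=$(find_unauthorized "$(detect_admins "$SAMPLE_PASSWD" "$SAMPLE_GROUP")" "root, Alice") \
    && echo "No unauthorized admins detected." || echo "Unauthorized admins: $found"
```

In Level the detect_admins output would become the DetectedAdmins script variable and the non-zero return of find_unauthorized is what the script-based monitor alerts on.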

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name: Linux - Unauthorized Admins

Description:

This Bash script compares detected administrator accounts against a predefined list of authorized administrators using Level's script variables and custom fields. It processes both lists into arrays with case-insensitive values, then iterates through the detected administrators to identify any that aren't present in the authorized list. The script outputs either a comma-separated list of unauthorized administrators and exits with an error code, or confirms no unauthorized admins were found and exits successfully.

Language: Bash

Timeout (in seconds): 100

Run As: Local system
