User Auditing - Beginner
Author(s): c-bass
Last Updated: 7-1-2025
Recommended Prerequisites
None! This is an introductory article.
Fundamental concepts
Users
A user on Linux is just like a user on other operating systems, such as macOS or Windows: it's an account that represents something (a person or a process) that can access the system. Every user gets a unique username, a password, a home folder (called a home directory on Linux), and a UID (User ID, a number the system uses to uniquely identify users).
Groups
Put simply, a group on Linux is a collection of users that share the same permissions. This makes access control significantly easier. Say you have a set of users that need access to a directory: you can put them all in a group and give the group itself, not the individual users, access to that directory. This is advantageous because if you need to give more users access in the future, you can simply add them to the group. Note that this is only one use of groups (there are many others), but it demonstrates how useful groups can be. Each group has a GID (Group ID), just like how each user has a UID.
Key files
The /etc/passwd file
The /etc/passwd file stores user info. Let's explore how it works:
ubuntu@ubuntu:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
...
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
There's one line per user. The first user listed is the root user, with a UID of 0. This should be the only user with this UID. The root user is an administration account with unrestricted access to the system. System users have UIDs below 1000 (like daemon in the output above), and normal users (like the ubuntu user above) have UIDs of 1000 or greater.
What is a system user?
Many of the users above are system users, meaning they're for system accounts and not meant for actual use. A user is a system user if it has a UID under 1000. System users exist because many programs/services need a user account to own their respective files. For instance, a webserver needs a system account to own files in /var/www.
Each line in /etc/passwd follows this format:
username:password:UID:GID:comment:home_directory:shell
There are some important things to note about this:
- Each user's password isn't stored in /etc/passwd; instead a placeholder takes the password field. Typically that placeholder is x, denoting that the password hash is stored in another file (/etc/shadow). The same goes for the /etc/group file!
- While normal users have loginable shells, like /bin/bash, system users by convention don't have loginable shells, usually /bin/false or /usr/sbin/nologin.
- A GID denotes a user's primary group. Secondary groups (often called supplementary groups) are denoted by entries in /etc/group. This'll be explained more below!
The /etc/group file
Like how /etc/passwd stores user info, the /etc/group file stores group info.
ubuntu@ubuntu:~$ cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
...
sudo:x:27:ubuntu
...
Each line follows this structure:
group:password:GID:users
A particularly important group is sudo: any user in the sudo group effectively has full access to the system.
What is a primary group? What is a supplementary group?
Every user has exactly one primary group that is assigned when the user account is created - this is the group that owns files when the user creates them. Users can also belong to multiple supplementary groups (also called secondary groups) which give them additional permissions beyond their primary group. For example, a user named "josh" might have "josh" as their primary group but also belong to supplementary groups like "sudo" and "docker" to access those specific services. Primary groups are denoted by a user's GID in /etc/passwd, and supplementary groups are denoted by entries in /etc/group.
The /etc/shadow file
The /etc/shadow file stores password hashes and other important information.
ubuntu@ubuntu:~$ sudo cat /etc/shadow
root:!:19827:0:99999:7:::
daemon:*:19790:0:99999:7:::
bin:*:19790:0:99999:7:::
sys:*:19790:0:99999:7:::
sync:*:19790:0:99999:7:::
...
ubuntu:<hash>:19827:0:99999:7:::
Why do we need sudo here, but not for /etc/passwd and /etc/group?
Password hashes are incredibly sensitive information. If someone has an insecure password, it's usually trivial to find it if you have their hash. For this reason, we need root permissions (granted through sudo) to view the /etc/shadow file. In contrast, the info in /etc/passwd and /etc/group is less critical.
It's beyond the scope of introductory user auditing to explain the structure of the /etc/shadow file; for now, just know that it exists and what its purpose is.
Hardening
User Auditing
Since users are stored in /etc/passwd, you can use this command to get a list of all users on the system with loginable shells (it matches any shell path that contains /bin/ and ends in sh, such as /bin/bash or /usr/bin/zsh, and skips /bin/false and /usr/sbin/nologin):
grep "/bin/.*sh$" /etc/passwd | cut -d: -f1
In a system hardening scenario, you're usually given a list of authorized users: compare that list to the actual users present.
For any users not supposed to be on the system, remove them:
sudo deluser <user>
To remove their home directory too, use:
sudo deluser --remove-home <user>
userdel also works if need be, but deluser is standard. Alternatively, simply remove the user's entry in /etc/passwd; note that editing /etc/passwd by hand leaves the user's /etc/shadow and /etc/group entries behind, which deluser cleans up for you.
If you need to add a user to the system, run:
sudo adduser <user>
useradd also works in case adduser isn't available.
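To tie the /etc/passwd field layout from earlier to the user-auditing steps above, here is an added example script (not part of the original article) that parses a file in /etc/passwd format and reports UID-0 accounts, system accounts with a login shell, and login-capable accounts missing from an authorized-user list. The account names, UIDs and the authorized list are constructed for the demo; on a real host you would pass /etc/passwd and the list you were given instead.

```shell
#!/bin/sh
# Added example, not from the original article: audit accounts in a file that
# follows the /etc/passwd layout (username:password:UID:GID:comment:home:shell).
# A constructed sample is used so the script runs anywhere; on a real host, call
# the functions with /etc/passwd and your authorized-user list instead.

# Constructed sample. It deliberately contains findings: "backdoor" has UID 0,
# "svc-web" is a system account (UID < 1000) that has a login shell, and
# "josh" uses /usr/bin/zsh, which a pattern like "/bin/.*sh$" would also catch.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svc-web:x:110:110:web service:/var/www:/bin/bash
backdoor:x:0:0:unexpected second UID 0:/home/backdoor:/bin/sh
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
josh:x:1001:1001:Josh:/home/josh:/usr/bin/zsh
guest:x:1002:1002:Guest:/home/guest:/bin/false
EOF

# Constructed authorized-user list, one username per line, as a hardening
# scenario would hand it to you.
AUTHORIZED_USERS=$(mktemp)
printf '%s\n' root ubuntu josh > "$AUTHORIZED_USERS"
trap 'rm -f "$SAMPLE_PASSWD" "$AUTHORIZED_USERS"' EXIT

# awk condition for "the shell field is not one of the usual non-login shells".
# Comparing the shell exactly, rather than by a /bin/...sh pattern, also
# catches shells installed elsewhere (e.g. /usr/bin/zsh).
LOGIN_SHELL='$7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false"'

# Accounts that can log in: one username per line, in file order.
login_users() {
    awk -F: "$LOGIN_SHELL { print \$1 }" "$1"
}

# Every account whose UID (field 3) is 0. Only root should ever appear here.
uid0_users() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# System accounts (UID between 1 and 999) that nevertheless have a login shell.
system_users_with_shell() {
    awk -F: "\$3 > 0 && \$3 < 1000 && $LOGIN_SHELL { print \$1 }" "$1"
}

# Login-capable accounts that are not on the authorized list.
# grep -v -x -F -f: drop lines that exactly match any line of the list file.
unauthorized_users() {
    login_users "$1" | grep -vxF -f "$2" || true
}

# Print the three findings a user audit is after.
audit_report() {
    echo "== accounts with UID 0 =="
    uid0_users "$1"
    echo "== system accounts with a login shell =="
    system_users_with_shell "$1"
    echo "== login-capable accounts not on the authorized list =="
    unauthorized_users "$1" "$2"
}

audit_report "$SAMPLE_PASSWD" "$AUTHORIZED_USERS"
```

On the sample above the report lists root and backdoor as UID-0 accounts, svc-web as a system account with a login shell, and svc-web and backdoor as login-capable accounts not on the authorized list. Anything in the last section is a candidate for deluser, and a second UID-0 account should always be treated as suspicious.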
Group Auditing
Check the members of the sudo group:
getent group sudo
Alternatively,
grep sudo /etc/group
In a system hardening scenario, compare this to known authorized admins. To remove an unauthorized admin (but keep them on the system), do:
sudo deluser username sudo
Alternatively, you can modify the /etc/group file and remove the user from the sudo group manually.
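The /etc/group line for sudo only lists supplementary members, so getent group sudo and grep sudo /etc/group miss a user whose primary GID (field 4 of /etc/passwd) is the sudo group's GID. The following added example script (not part of the original article) combines both files to get the full membership and compares it to an authorized-admin list. Group and account names, GIDs and the authorized list are constructed for the demo; on a real host pass /etc/group and /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original article: audit membership of an
# administrative group using a file in the /etc/group layout
# (group:password:GID:users) together with one in the /etc/passwd layout.
# Constructed samples are used so it runs anywhere.

# Constructed /etc/group sample.
SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
daemon:x:1:
sudo:x:27:ubuntu,josh
docker:x:999:josh
helper:x:1002:
EOF

# Constructed /etc/passwd sample. "helper" has primary GID 27 (sudo), so it is
# an admin even though the sudo line above does not list it.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
josh:x:1001:1001:Josh:/home/josh:/bin/bash
helper:x:1002:27:Helper:/home/helper:/bin/bash
EOF

# Constructed list of authorized admins, one per line.
AUTHORIZED_ADMINS=$(mktemp)
printf '%s\n' ubuntu josh > "$AUTHORIZED_ADMINS"
trap 'rm -f "$SAMPLE_GROUP" "$SAMPLE_PASSWD" "$AUTHORIZED_ADMINS"' EXIT

# GID of a named group (field 3 of the group file).
group_gid() {
    awk -F: -v g="$2" '$1 == g { print $3 }' "$1"
}

# Supplementary members listed on the group's line (field 4, comma separated),
# one per line. This is what getent group <name> shows.
supplementary_members() {
    awk -F: -v g="$2" '$1 == g && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i]
    }' "$1"
}

# Users whose primary group (field 4 of the passwd file) is the given GID.
primary_members() {
    awk -F: -v gid="$2" '$4 == gid { print $1 }' "$1"
}

# Full membership: supplementary members plus primary-group members, sorted
# and de-duplicated. Usage: all_members GROUPFILE PASSWDFILE GROUPNAME
all_members() {
    gid=$(group_gid "$1" "$3")
    {
        supplementary_members "$1" "$3"
        if [ -n "$gid" ]; then primary_members "$2" "$gid"; fi
    } | sort -u
}

# Members of the group that are not on the authorized list.
# Usage: unauthorized_admins GROUPFILE PASSWDFILE GROUPNAME AUTHORIZED_LIST
unauthorized_admins() {
    all_members "$1" "$2" "$3" | grep -vxF -f "$4" || true
}

echo "== all members of sudo =="
all_members "$SAMPLE_GROUP" "$SAMPLE_PASSWD" sudo
echo "== sudo members not on the authorized list =="
unauthorized_admins "$SAMPLE_GROUP" "$SAMPLE_PASSWD" sudo "$AUTHORIZED_ADMINS"
```

On the sample, all_members reports helper, josh and ubuntu, and unauthorized_admins reports helper, the account that grep sudo /etc/group would never have shown. Removing such a user from sudo needs a change to their primary GID (for example with usermod) rather than deluser username sudo, since they were never on the group's member list.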
Other Hardening
If a user has an insecure password, change it!
passwd <user>
It'll then prompt you for the user's new password. Changing another user's password requires root, so run the command with sudo.