User Accounts (sec-users)
Monitors local user accounts, privileges, and group memberships. Detects new accounts, inactive users, and unexpected administrator rights.
Configuration
| Parameter | Type | Default | Description |
|---|---|---|---|
| enabled | bool | true | Enable/disable module |
| inactive_days | int | 90 | Days without login before an account is considered inactive |
| check_authorized_keys | bool | true | Check SSH authorized_keys (Linux only) |
| allowed_uid0_users | list | ["root"] | Allowed users with UID 0 (Linux only) |
| allowed_sudo_users | list | [] | Allowed sudo/wheel members (Linux only) |
| shadow_check | bool | true | Check /etc/shadow for empty passwords (Linux only) |
YAML Example
```yaml
sec_users:
  enabled: true
  inactive_days: 60
  check_authorized_keys: true
  allowed_uid0_users:
    - "root"
  allowed_sudo_users:
    - "admin"
```
Diagnostic Codes
Linux
| Code | Severity | Meaning | Recommendation |
|---|---|---|---|
| 7000 | 0 | No user account issues detected | — |
| 7001 | 1 | New user created | Verify account |
| 7002 | 2 | User with UID 0 (root privileges) | Only root should have UID 0 |
| 7003 | 2 | Empty password in /etc/shadow | Set a password or lock the account |
| 7004 | 1 | Inactive user | Disable or delete the account |
| 7005 | 0 | authorized_keys found | Review SSH keys |
| 7006 | 1 | New member in sudo/wheel group | Verify authorization |
Windows
| Code | Severity | Meaning | Recommendation |
|---|---|---|---|
| 8000 | 0 | No user account issues detected | — |
| 8001 | 1 | New local user detected | Verify account |
| 8002 | 1 | Unexpected member in Administrators group | Review authorization |
| 8003 | 1 | Guest account is enabled | Disable guest account |
| 8004 | 1 | Inactive user | Disable or delete the account |
| 8005 | 1 | New member in Administrators group | Verify authorization |
- Linux: Reads `/etc/passwd`, `/etc/shadow`, `/etc/group`, and `authorized_keys`.
- Windows: Uses `net user`, `net localgroup`, and WMI queries.
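
The following sketch shows how the Linux checks behind codes 7002, 7003 and 7006 can be derived from the three account files. It is an added example, not the sec-users module's own code. The file contents are constructed samples, the function names are hypothetical, and treating an allow-list miss as the trigger for 7002 and 7006 is an assumption about how `allowed_uid0_users` and `allowed_sudo_users` are applied.

```python
# Added example: not the sec-users module's own code.
# The file contents below are constructed samples, not real system data.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
"""
SHADOW = """\
root:$6$constructed$hash:19700:0:99999:7:::
toor:!:19700:0:99999:7:::
admin:$6$constructed$hash:19700:0:99999:7:::
deploy::19700:0:99999:7:::
"""
GROUP = """\
sudo:x:27:admin,deploy
wheel:x:10:
"""

def rows(text, min_fields):
    """Split colon-delimited lines into fields; skip blanks, comments, short lines."""
    out = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.strip() and not line.startswith("#") and len(fields) >= min_fields:
            out.append(fields)
    return out

def audit(passwd, shadow, group, allowed_uid0=("root",), allowed_sudo=()):
    """Return (code, severity, user) tuples using the page's Linux diagnostic codes."""
    findings = []
    # 7002: UID is the third passwd field; any UID 0 account outside the allow-list
    for name, _pw, uid, *_ in rows(passwd, 3):
        if uid == "0" and name not in allowed_uid0:
            findings.append((7002, 2, name))
    # 7003: second shadow field empty means no password; "!" or "*" means locked
    for name, pw_hash, *_ in rows(shadow, 2):
        if pw_hash == "":
            findings.append((7003, 2, name))
    # 7006: fourth group field is the comma-separated member list
    for gname, _pw, _gid, members, *_ in rows(group, 4):
        if gname in ("sudo", "wheel"):
            for member in filter(None, members.split(",")):
                if member not in allowed_sudo:
                    findings.append((7006, 1, member))
    return findings or [(7000, 0, None)]

if __name__ == "__main__":
    for code, severity, user in audit(PASSWD, SHADOW, GROUP, allowed_sudo=("admin",)):
        print(code, severity, user)
```

The locked account `toor` is reported for UID 0 but not for an empty password, because a `!` in the shadow password field disables password login rather than leaving it open.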