
Account & Privilege Auditor

Surfaces the orphaned accounts, NOPASSWD sudo rules, and shared credentials assessors flag first.

Covered practices · NIST SP 800-171 Rev 2
  • 3.1.1 Limit system access to authorized users (Primary)
  • 3.1.5 Least privilege for security functions (Primary)
  • 3.1.6 Use non-privileged accounts for non-security functions
  • 3.1.8 Limit unsuccessful logon attempts
  • 3.5.7 Password complexity

7 NIST 800-171 access-control controls audited per host

The problem

Account hygiene is the most common finding in CMMC assessments and the most preventable. Contractors routinely have orphaned admin accounts from former employees, sudoers files granting NOPASSWD ALL=(ALL) ALL to entire groups, password policies that drift below the 15-character minimum, and authorized_keys files with five-year-old keys whose owners no one can identify on demand.

The failure mode is procedural drift. An admin adds a temporary sudo rule and forgets to remove it. An offboarded employee's account is disabled in the directory but their authorized_keys file is still deployed on three servers. A shared 'helpdesk' account persists for legacy tooling no one has used in two years. Each is a finding on its own; together they routinely cost contractors 15+ SPRS points across the 3.1 family alone.

The DoD 800-171 family for access control covers most of this in 3.1.x, and the audit logging family relies on individual accountability that shared accounts cannot satisfy. An assessor will sample accounts, ask who owns each, and check the sudo rules. This agent runs the same sample first, on a cadence, with the answer ready before the question is asked.

What CMMC requires

NIST SP 800-171 Rev 2 controls this agent verifies. Primary mappings drive the gap assessment; secondary mappings provide supporting evidence in the SSP.

Primary mapping

  • NIST 3.1.1 Limit system access to authorized users
    Audits account lifecycle directly: inactive accounts, accounts without passwords, shared accounts, and unexpected privileged accounts all map here.
  • NIST 3.1.5 Least privilege for security functions
    Enumerates every privileged path (UID 0 accounts, wheel/sudo/admin groups, sudo rules with shell escapes) and flags grants beyond the minimum necessary.

Secondary mapping

  • NIST 3.1.6 Use non-privileged accounts for non-security functions
    Detects routine work happening from privileged accounts: admin group membership for non-IT roles, etc.
  • NIST 3.1.8 Limit unsuccessful logon attempts
    Verifies that pam_faillock, pam_tally2, or Windows LockoutBadCount is configured to bound failed authentication attempts.
  • NIST 3.5.7 Password complexity
    Audits password length, complexity, history, and rotation policy against the CMMC minimums (15 chars, 24 history, 60-day rotation).

How it works

Per-platform detection logic. The agent runs unprivileged where possible and falls back gracefully when raw access is unavailable.

Linux

Reads /etc/passwd, /etc/group, /etc/shadow (when readable), /etc/sudoers and /etc/sudoers.d/, /etc/login.defs, and the PAM configuration tree. Parses sudoers with full handling of Cmnd_Alias, Runas_Alias, NOPASSWD, and shell-escape command lists. Cross-references getent passwd to include LDAP and SSSD-integrated accounts so directory-issued users do not slip through. Reads ~/.ssh/authorized_keys per user and pipes through ssh-keygen -l to extract key type and bit length.
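As an added illustration of the sudoers handling described above (example code, not the agent's own implementation): a small parser that resolves Cmnd_Alias and Runas_Alias names, honours `!` negation, and flags NOPASSWD ALL and shell-escape grants. The sudoers text and the SHELL_ESCAPES set are constructed for the example; `#include` directives and Defaults lines are skipped.

```python
import re
# Constructed sample sudoers (illustrative, not taken from any real host).
SAMPLE_SUDOERS = """\
Cmnd_Alias PAGERS = /usr/bin/less, /usr/bin/more
Runas_Alias OPS = root, postgres
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
alice   ALL=(OPS) NOPASSWD: /bin/bash
bob     ALL=(ALL) PAGERS, !/usr/bin/less
"""
SHELL_ESCAPES = {"/bin/bash", "/bin/sh", "/usr/bin/vim", "/usr/bin/less"}  # assumed shell-capable set
ALIAS_RE = re.compile(r"^(Cmnd_Alias|Runas_Alias)\s+(\w+)\s*=\s*(.+)$")
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")
def expand(items, aliases):
    # Resolve alias names recursively; each '!' toggles negation, so '!!cmd' is allowed again.
    for item in items:
        neg, name = (len(item) - len(item.lstrip("!"))) % 2 == 1, item.lstrip("!")
        if name in aliases:
            yield from ((neg != n, c) for n, c in expand(aliases[name], aliases))
        else:
            yield neg, name
def parse_sudoers(text):
    # Returns (cmnd_aliases, runas_aliases, rules); a rule is (who, runas_spec, nopasswd, cmd_items).
    cmnd, runas, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; '#include' directives are not followed
        if m := ALIAS_RE.match(line):
            kind, name, body = m.groups()
            (cmnd if kind == "Cmnd_Alias" else runas)[name] = [x.strip() for x in body.split(",")]
        elif not line.startswith("Defaults") and (m := RULE_RE.match(line)):
            who, _host, runas_spec, cmds = m.groups()
            nopasswd = cmds.startswith("NOPASSWD:")
            cmds = re.sub(r"^(NOPASSWD|PASSWD):\s*", "", cmds)  # an omitted (runas) list means root
            rules.append((who, runas_spec or "root", nopasswd, [x.strip() for x in cmds.split(",")]))
    return cmnd, runas, rules
def audit_sudoers(text):
    # Emits (severity, principal, description) for NOPASSWD ALL and shell-escape grants.
    cmnd, runas, rules = parse_sudoers(text)
    findings = []
    for who, runas_spec, nopasswd, items in rules:
        as_who = ",".join(c for _, c in expand([x.strip() for x in runas_spec.split(",")], runas))
        resolved = list(expand(items, cmnd))
        # A negated entry cancels the same command granted through an alias (bob loses less).
        allowed = [c for neg, c in resolved if not neg and (True, c) not in resolved]
        if nopasswd and "ALL" in allowed:
            findings.append(("HIGH", who, f"NOPASSWD ALL as {as_who}"))
        if esc := sorted(c for c in allowed if c in SHELL_ESCAPES):
            findings.append(("HIGH" if nopasswd else "MEDIUM", who, f"shell escape via {', '.join(esc)} as {as_who}"))
    return findings
```

On the sample, `%wheel` and `alice` produce findings while `bob` does not, because the `!/usr/bin/less` negation removes the only shell-capable entry his PAGERS alias granted.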

Windows

Uses WMI (Win32_UserAccount), net localgroup Administrators, and secedit /export to inventory accounts and policy. Reads Get-LocalGroupMember equivalents via PowerShell-free WMI to stay portable. Parses the [System Access] section of the secedit export for MinimumPasswordLength, MaximumPasswordAge, LockoutBadCount, and PasswordComplexity. Cross-checks Domain Admins, Enterprise Admins, and Schema Admins membership when domain-joined and reports each privileged group separately.

macOS

Uses dscl . list /Users and dscl . read /Users/<name> for account attributes across both local and MDM-managed accounts. Runs sudo -l -U per user for sudo privileges with the same shell-escape detection as Linux. Reads pwpolicy -getaccountpolicies for password policy and reports the parsed values inline with each account.

What it finds

Concrete findings written to the assessor's mental model, not abstract categories. Severity drives POA&M priority and SPRS deduction.

  • CRITICAL
    Account with empty password hash
    User account in /etc/shadow has an empty password field. Login is permitted with no credential at all.
  • CRITICAL
    UID 0 account other than root
    Linux account has UID 0 without being root. Direct root access without sudo logging: every action by this account bypasses privilege auditing.
  • HIGH
    Inactive account with last login > 90 days
    Active account has not logged in for over 90 days and is not classified as a service account. 3.1.1 requires removal or disabling.
  • HIGH
    Sudo rule with NOPASSWD ALL
    User can escalate to root with no re-authentication. Privilege escalation without re-auth fails 3.1.5 least-privilege requirements.
  • HIGH
    Password minimum length below 15
    PASS_MIN_LEN in /etc/login.defs or MinimumPasswordLength in secedit is below the CMMC minimum of 15 characters.
  • HIGH
    No account lockout policy configured
    PAM has no pam_faillock or pam_tally2 module loaded, so failed login attempts are not bounded. 3.1.8 violation.
  • MEDIUM
    Shared or generic account name
    Account named helpdesk, ops, sysadmin, or a similar shared identifier; fails individual accountability for 3.3.1 and 3.3.2.
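
To show how the CRITICAL, HIGH and MEDIUM rules above apply to raw account files, here is an added example (not the agent's code) that parses constructed /etc/passwd, /etc/shadow and /etc/login.defs content, classifies each account's hash prefix ($1$, $5$, $6$, $2b$), and emits findings for empty hashes, non-root UID 0 accounts, generic account names and PASS_MIN_LEN below 15. The SHARED_NAMES list is an assumption, and an unreadable shadow file (an unprivileged run) is handled by reporting the hash as unreadable instead of guessing.

```python
import re
# Constructed sample files (illustrative, not from any real host; hashes are not real).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
helpdesk:x:1002:1002::/home/helpdesk:/bin/bash
nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$c0nstructed$notarealhash:19700:0:99999:7:::
toor:$1$c0nstructed$notarealhash:19700:0:99999:7:::
alice::19700:0:99999:7:::
helpdesk:$2b$12$c0nstructednotarealhash:19700:0:99999:7:::
nobody:*:19700:0:99999:7:::
"""
LOGIN_DEFS = "PASS_MAX_DAYS 60\nPASS_MIN_LEN 8\n"
HASH_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$2b$": "bcrypt"}
SHARED_NAMES = {"helpdesk", "ops", "sysadmin", "admin"}  # assumed generic-name list
CMMC_MIN_LEN = 15
def hash_algorithm(field):
    # Classify a shadow password field: empty, locked ('*' or '!'), a known prefix, or unknown.
    if field == "":
        return "empty"
    if field.startswith(("*", "!")):
        return "locked"
    return next((name for p, name in HASH_PREFIXES.items() if field.startswith(p)), "unknown")
def audit_accounts(passwd, shadow=None, login_defs=""):
    # Returns (inventory, findings); shadow is None when the agent runs unprivileged and cannot read it.
    shadow_map = {l.split(":")[0]: l.split(":")[1] for l in (shadow or "").splitlines()}
    inventory, findings = [], []
    for line in passwd.splitlines():
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        algo = hash_algorithm(shadow_map[name]) if name in shadow_map else "unreadable"
        inventory.append({"user": name, "uid": int(uid), "shell": shell, "hash": algo})
        if algo == "empty":
            findings.append(("CRITICAL", name, "empty password hash in /etc/shadow"))
        if int(uid) == 0 and name != "root":
            findings.append(("CRITICAL", name, "UID 0 account other than root"))
        if name in SHARED_NAMES:
            findings.append(("MEDIUM", name, "shared or generic account name"))
    m = re.search(r"^\s*PASS_MIN_LEN\s+(\d+)", login_defs, re.M)
    if m and int(m.group(1)) < CMMC_MIN_LEN:
        findings.append(("HIGH", "login.defs", f"PASS_MIN_LEN {m.group(1)} below CMMC minimum of {CMMC_MIN_LEN}"))
    return inventory, findings
```

The inventory is returned even when no finding fires, matching the acceptance criterion that clean hosts still yield the full account table.
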
SPRS impact

Account findings span at least seven 800-171 controls. Inactive accounts and shared accounts hit 3.1.1 (5 points). NOPASSWD sudo and broad admin membership hit 3.1.5 (5 points). Missing lockout policy hits 3.1.8 (5 points). Weak password policy hits 3.5.7 (3 points). A typical first-scan report on a 50-FTE contractor reveals 12 to 18 SPRS points of exposure in this family alone, the majority of which can be remediated within a week of the report landing.

How it hooks into the platform

The platform sweeps every host and directory-integrated account source on its own cadence; account hygiene is one of the highest-cadence categories because it drifts fastest. You decide whether per-account metadata stays on-prem or syncs up. The accounts array populates the SSP's user account table directly, covering username, classification, last login, group memberships, sudo status, and password age. Findings cite the username and the rule that produced them, mapped across 3.1.1, 3.1.5, 3.1.8, and 3.5.7. POA&M items track per-account remediations. New privileged accounts and sudo rules surface between scans.

How we know it's working

Acceptance criteria from the engineering spec: what the agent must do to ship.

  • Runs unprivileged on Linux for the majority of account checks
  • Parses sudoers including Cmnd_Alias, Runas_Alias, NOPASSWD, and negation
  • Identifies $1$, $5$, $6$, and $2b$ hash prefixes per account correctly
  • Returns the full account inventory in structured output, even on clean hosts
  • Configurable inactive-account threshold, default 90 days per CMMC norms
  • Tags every finding with the specific username for unambiguous remediation
  • Reads SSH key bit length from ssh-keygen output, never inferred

Run this agent against your environment.

Book a 30-minute scoping call. We'll deploy the agent on your systems and walk through the findings together.
