Preventing Admin Abuse (Logging and Limited Flags)

December 17, 2025 Daemon666 9 min read 18 просмотров

The fastest way to kill a community is a power-tripping admin, and the second fastest is having no way to prove they didn't. AMX Mod X gives you granular access flags precisely so you can hand out limited power, plus activity visibility and logging so nothing happens in the dark. This shows how to build tiered admin roles and keep an audit trail.

1. Understand the access flags

An admin's power is a string of flags in addons/amxmodx/configs/users.ini. Each letter grants one capability:

FlagGrants
aImmunity (cannot be kicked/banned by others)
bReservation (reserved slot access)
camx_kick
damx_ban / amx_unban
eamx_slay / amx_slap
famx_map (change map)
gamx_cvar (change cvars)
hamx_cfg (exec configs)
iamx_chat / admin chat
jamx_vote
lamx_rcon (run RCON commands)
uMenu access

The lazy move is to give everyone abcdefghijklmnopqrstu — full admin. That is exactly how a trusted regular ends up able to amx_rcon your rcon_password out of the server. Grant roles instead.

2. Build tiered roles

The users.ini line format is <authid or name> <password> <access flags> <account flags>. Account flag c means the first field is a SteamID; d means an IP; e means name-only with no password. A sensible three-tier setup:

; Moderator: kick, slay/slap, chat, menu — no ban, no cvar, no rcon
"STEAM_0:1:1001" "" "ceiu" "ce"

; Admin: adds ban and map control, still no rcon/cvar
"STEAM_0:1:1002" "" "abcdefiju" "ce"

; Owner: everything, including rcon
"STEAM_0:1:1003" "" "abcdefghijlu" "ce"

Note the deliberate omissions: moderators get no d (ban), no g (cvar), no l (rcon). Reserve l for people you would trust with the server password, because that is effectively what it is.

3. Keep admin actions visible

Hidden admin actions breed accusations you cannot answer, so announce them:

amx_show_activity 2

At 2, players see both the action and the admin's name. This is covered in full in the amxx.cfg guide; the point here is that transparency is itself an abuse deterrent — an admin who knows the whole server sees their name on every slap behaves better.

4. Log every command

AMXX writes admin commands to its logs under addons/amxmodx/logs/ and to the game logs. Make sure logging is on (amx_logging 1 in amxx.cfg, log on in server.cfg), then audit periodically:

grep -iE 'amx_(ban|kick|slay|slap|map|cvar)' cstrike/logs/*.log

This is the record you produce when someone claims they were banned for no reason. The full technique is in parsing server logs — grep by the admin's SteamID to see everything they have done.

5. Protect the escalation paths

  • Immunity is not a toy — flag a means no one else can act on that admin. Give it only where it is needed, or a rogue admin becomes untouchable.
  • Never grant g (cvar) or l (rcon) casually — with amx_cvar an admin can change sv_cheats, rates, or gravity; with rcon they own the box.
  • Prefer SteamID auth (c) over name-only (e) — name-only admin is trivially impersonated by anyone who copies the nickname.

A useful mental model: treat flags the way you would treat filesystem permissions. Nobody runs as root for daily work, and nobody should hold l (rcon) or a (immunity) just because they are "senior." Start every new admin at the moderator tier, and promote only when a concrete need appears and the person has earned trust. Demotion should be just as routine — pull a flag the moment a role changes, and reload admins so the change is live immediately rather than at the next map.

Troubleshooting

  • An admin can do more than intended — too many flags, or they inherited access from amx_default_access in amxx.cfg (which must stay empty). Trim the flag string.
  • Everyone has admin — a flag was left in amx_default_access. Set it back to "".
  • Admin cannot authenticate — account flag mismatch: c for SteamID vs e for name-only, or a password field that does not match their setinfo.
  • No audit trailamx_logging 0 or log off. Turn both on; without them you cannot prove anything.
  • Cannot act on a misbehaving admin — they hold immunity (a). Remove it from users.ini and reload admins.

Verification

Reload the admin list and confirm the flags took:

amx_reloadadmins

Log in as the moderator account and confirm amx_ban is refused (You have no access to that command) while amx_kick works. Perform a slap and confirm the on-screen message names you at amx_show_activity 2. Finally grep the log and confirm your test action was recorded. When all three hold — limited flags, visible activity, logged commands — your admin team is accountable.

Участники: Daemon666 ✦
Поделиться: