Detections
Analytics

1.24 APPL-14-000100

Information

The macOS system must disable root logon.

GROUP ID: V-259444RULE ID: SV-259444r1009580

To ensure individual accountability and prevent unauthorized access, logging in as root at the login window must be disabled.

The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users must never log in directly as root.

Satisfies: SRG-OS-000104-GPOS-00051,SRG-OS-000109-GPOS-00056,SRG-OS-000364-GPOS-00151

Solution

Configure the macOS system to disable root login with the following command:

/usr/bin/dscl . -create /Users/root UserShell /usr/bin/false

See Also

https://workbench.cisecurity.org/benchmarks/24070

Item Details

Category: CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|CM-5(1), 800-53|IA-2, 800-53|IA-2(5), CAT|II, CCI|CCI-000764, CCI|CCI-000770, CCI|CCI-001813, CCI|CCI-004045, Rule-ID|SV-259444r1009580_rule, STIG-ID|APPL-14-000100, Vuln-ID|V-259444

Plugin: Unix

Control ID: 806ac803d7fb6edf5da3f82206ae4c568d9c69d48c2f3fd05e8ace6b2e9d6823