The root account must be the only account having a UID of 0.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-59721 | AOSX-10-001065 | SV-74151r1_rule | Medium |
| Description |
|---|
| The built-in root account is disabled by default and administrator users are required to use sudo to run a process with the UID '0'. If another account with UID '0' exists, this is a sign of a network intrusion or a malicious user that is attempting to circumvent security controls. |
| STIG | Date |
|---|---|
| Apple OS X 10.10 (Yosemite) Workstation Security Technical Implementation Guide | 2017-04-06 |
Details
| Check Text ( C-60491r1_chk ) |
|---|
| To list all of the accounts with a UID of '0', run this command: sudo dscl . -list /Users UniqueID | grep -w 0 | wc -l If the result is not '1', this is a finding. |
| Fix Text (F-65131r1_fix) |
|---|
| Investigate as to why any additional accounts were set up with a UID of '0'. Remove any invalid accounts. |