
The macOS system must not have a root account.


Overview

Finding ID: V-81613
Version: AOSX-13-000553
Rule ID: SV-96327r1_rule
IA Controls: none listed
Severity: Medium
Description
To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated.
STIG: Apple OS X 10.13 Security Technical Implementation Guide
Date: 2019-07-01

Details

Check Text ( C-81389r1_chk )
To check if the root account is disabled, run the following command:

defaults read /var/db/dslocal/nodes/Default/users/root.plist passwd
(
"*"
)

The output should be a single asterisk in quotes, as seen above. If the output is as follows, this is a finding:

(
"********"
)
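
The check above as a script, added here as an example and not part of the STIG: it parses the array printed by the defaults command and classifies the result. The function names, the REVIEW result for unparseable output, and the sample strings are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the STIG): classify the passwd value of the
# local root record the way the check text describes.
ROOT_PLIST="/var/db/dslocal/nodes/Default/users/root.plist"

# Print each quoted element of the array that `defaults read` emits,
# one per line, without the surrounding quotes or a trailing comma.
extract_passwd_values() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*"\(.*\)",\{0,1\}[[:space:]]*$/\1/p'
}

# NOT_A_FINDING: exactly one element, a single asterisk.
# FINDING:       any other value, e.g. the "********" case in the check text.
# REVIEW:        nothing parseable (command failed or was not run as root).
classify_root_passwd() {
    parsed=$(extract_passwd_values "$1")
    if [ -z "$parsed" ]; then
        echo "REVIEW"
    elif [ "$parsed" = "*" ]; then
        echo "NOT_A_FINDING"
    else
        echo "FINDING"
    fi
}

# Constructed sample outputs matching the two cases in the check text.
SAMPLE_DISABLED='(
    "*"
)'
SAMPLE_ENABLED='(
    "********"
)'

echo "sample, single asterisk: $(classify_root_passwd "$SAMPLE_DISABLED")"
echo "sample, eight asterisks: $(classify_root_passwd "$SAMPLE_ENABLED")"

# On a Mac, also classify the live record (reading the plist needs root).
if command -v defaults >/dev/null 2>&1; then
    live=$(defaults read "$ROOT_PLIST" passwd 2>/dev/null || true)
    echo "live system: $(classify_root_passwd "$live")"
fi
```

A REVIEW result means the value could not be read, so rerun the script with root privileges before recording a status.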
Fix Text (F-88461r1_fix)
Disable the root account with the following command:

/usr/sbin/dsenableroot -d