The macOS system must not have a root account.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-214867 | AOSX-13-000553 | SV-214867r609363_rule | Medium |
| Description |
|---|
| To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. |
| STIG | Date |
|---|---|
| Apple OS X 10.13 Security Technical Implementation Guide | 2021-11-19 |
Details
| Check Text ( C-16067r397173_chk ) |
|---|
| To check if the root account is disabled, run the following command: defaults read /var/db/dslocal/nodes/Default/users/root.plist passwd ( "*" ) The output should be a single asterisk in quotes, as seen above. If the output is as follow, this is a finding: ( "********" ) |
| Fix Text (F-16065r397174_fix) |
|---|
| Disable the root account with the following command: /usr/sbin/dsenableroot -d |