The macOS system must disable root logon.

STIG ID: APPL-14-000100  |  SRG: SRG-OS-000104-GPOS-00051 |  Severity: medium |  CCI: CCI-000764,CCI-000770,CCI-001813 |  Vulnerability Id: V-259444 | 

Vulnerability Discussion

To ensure individual accountability and prevent unauthorized access,
logging in as root at the login window must be disabled.

The macOS system must require individuals to be authenticated with an individual authenticator prior to
using a group authenticator, and administrator users must never log in directly as root.

Satisfies: SRG-OS-000104-GPOS-00051,SRG-OS-000109-GPOS-00056,SRG-OS-000364-GPOS-00151

Check

Verify the macOS system is configured to disable root login with the following command:

/usr/bin/dscl . -read /Users/root UserShell 2>&1 | /usr/bin/grep -c "/usr/bin/false"

If the result is not "1", this is a finding.

Fix

Configure the macOS system to disable root login with the following
command:

/usr/bin/dscl . -create /Users/root UserShell /usr/bin/false
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.