Vulnerability Discussion
To ensure individual accountability and prevent unauthorized access, logging in as root at the login window must be disabled.
The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users must never log in directly as root.
Satisfies: SRG-OS-000104-GPOS-00051,SRG-OS-000109-GPOS-00056,SRG-OS-000364-GPOS-00151
Check
Verify the macOS system is configured to disable root login with the following command:
/usr/bin/dscl . -read /Users/root UserShell 2>&1 | /usr/bin/grep -c "/usr/bin/false"
If the result is not "1", this is a finding.
Fix
Configure the macOS system to disable root login with the following command:
/usr/bin/dscl . -create /Users/root UserShell /usr/bin/false