The macOS system must disable root logon.

STIG ID: APPL-14-000100  |  SRG: SRG-OS-000104-GPOS-00051 | Severity: medium |  CCI: CCI-000764,CCI-000770,CCI-001813

Vulnerability Discussion

To ensure individual accountability and prevent unauthorized access, logging in as root at the login window must be disabled.

The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users must never log in directly as root.

Satisfies: SRG-OS-000104-GPOS-00051,SRG-OS-000109-GPOS-00056,SRG-OS-000364-GPOS-00151

Check

Verify the macOS system is configured to disable root login with the following command:

/usr/bin/dscl . -read /Users/root UserShell 2>&1 | /usr/bin/grep -c "/usr/bin/false"

If the result is not "1", this is a finding.

Fix

Configure the macOS system to disable root login with the following command:

/usr/bin/dscl . -create /Users/root UserShell /usr/bin/false
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.