This is not the latest version of the STIG. This is provided for archival purposes. See the latest STIG.

The macOS system must disable root logon.

STIG ID: APPL-14-000100  |  SRG: SRG-OS-000104-GPOS-00051 |  Severity: medium (CAT II)  |  CCI: CCI-000764,CCI-000770,CCI-001813 |  Vulnerability Id: V-259444

Vulnerability Discussion

To ensure individual accountability and prevent unauthorized access, logging in as root at the login window must be disabled.

The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users must never log in directly as root.

Satisfies: SRG-OS-000104-GPOS-00051,SRG-OS-000109-GPOS-00056,SRG-OS-000364-GPOS-00151

Check

Verify the macOS system is configured to disable root login with the following command:

/usr/bin/dscl . -read /Users/root UserShell 2>&1 | /usr/bin/grep -c "/usr/bin/false"

If the result is not "1", this is a finding.

Fix

Configure the macOS system to disable root login with the following command:

/usr/bin/dscl . -create /Users/root UserShell /usr/bin/false
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.