Check: APPL-14-000100
Apple macOS 14 (Sonoma) STIG:
APPL-14-000100
(in versions v1 r1 through v1 r2)
Title
The macOS system must disable root logon. (Cat II impact)
Discussion
To ensure individual accountability and prevent unauthorized access, logging in as root at the login window must be disabled. The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users must never log in directly as root.

Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000109-GPOS-00056, SRG-OS-000364-GPOS-00151
Check Content
Verify the macOS system is configured to disable root login with the following command:

/usr/bin/dscl . -read /Users/root UserShell 2>&1 | /usr/bin/grep -c "/usr/bin/false"

If the result is not "1", this is a finding.
Fix Text
Configure the macOS system to disable root login with the following command:

/usr/bin/dscl . -create /Users/root UserShell /usr/bin/false
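The check above counts lines containing the substring "/usr/bin/false" in whatever dscl prints, with stderr merged in, so a dscl error yields 0 and is correctly reported as a finding, but any shell path that merely contains "/usr/bin/false" would also count as compliant. The script below is an added example, not DISA's check text or Apple's tooling: it parses the UserShell value out of the dscl output and requires an exact match, wraps the live query and the fix text in functions, and carries constructed sample outputs (not captured from a real Mac) so the evaluation logic can be exercised on any POSIX shell. Note that the fix only replaces root's login shell; it does not remove root's password, and administrators keep using sudo as before.

```shell
#!/bin/sh
# Added example for APPL-14-000100 (not the STIG's own check or fix text).
# Evaluates the output of `dscl . -read /Users/root UserShell` with an
# exact-match test on the shell path instead of grep's substring count.

# evaluate_root_shell OUTPUT
# OUTPUT is the text dscl printed (stdout and stderr merged, as in the STIG
# command). Prints "pass" or "finding (...)"; returns 0 on pass, 1 on finding.
evaluate_root_shell() {
    shell=$(printf '%s\n' "$1" | sed -n 's/^UserShell: *//p' | head -n 1)
    if [ "$shell" = "/usr/bin/false" ]; then
        echo pass
        return 0
    fi
    # Empty $shell means dscl printed no UserShell line (e.g. an error).
    echo "finding (UserShell='${shell:-<unreadable>}')"
    return 1
}

# check_root_login: run the real dscl query (macOS only) and evaluate it.
check_root_login() {
    if [ ! -x /usr/bin/dscl ]; then
        echo "dscl not found; this check applies to macOS only" >&2
        return 2
    fi
    out=$(/usr/bin/dscl . -read /Users/root UserShell 2>&1)
    evaluate_root_shell "$out"
}

# fix_root_login: apply the STIG fix text (needs admin rights, e.g. via sudo).
fix_root_login() {
    /usr/bin/dscl . -create /Users/root UserShell /usr/bin/false
}

# Constructed sample outputs for offline evaluation; not real captures.
SAMPLE_COMPLIANT='UserShell: /usr/bin/false'
SAMPLE_INTERACTIVE='UserShell: /bin/sh'
# grep -c "/usr/bin/false" would count this line and report compliance;
# the exact-match evaluation flags it.
SAMPLE_LOOKALIKE='UserShell: /usr/bin/false-wrapper'

if [ "${1:-}" = "--live" ]; then
    check_root_login
fi
```

Run it as `sh check_root.sh --live` on the Mac being assessed; without `--live` it only defines the functions and samples. The check keys on UserShell alone, so a root account that has had its password disabled by other means but still has an interactive shell remains a finding under this rule.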
Additional Identifiers
Rule ID: SV-259444r940954_rule
Vulnerability ID: V-259444
Group Title: SRG-OS-000104-GPOS-00051
Expert Comments
CCIs
Number | Definition
---|---
CCI-000764 | The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
CCI-000770 | The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
CCI-001813 | The information system enforces access restrictions.