Check: APPL-14-000100
Apple macOS 14 (Sonoma) STIG:
APPL-14-000100
(in versions v2 r2 through v1 r1)
Title
The macOS system must disable root logon. (Cat II impact)
Discussion
To ensure individual accountability and prevent unauthorized access, logging in as root at the login window must be disabled. The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator, and administrator users must never log in directly as root.
Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000109-GPOS-00056, SRG-OS-000364-GPOS-00151
Check Content
Verify the macOS system is configured to disable root login with the following command:
/usr/bin/dscl . -read /Users/root UserShell 2>&1 | /usr/bin/grep -c "/usr/bin/false"
If the result is not "1", this is a finding.
Fix Text
Configure the macOS system to disable root login with the following command:
/usr/bin/dscl . -create /Users/root UserShell /usr/bin/false
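The check and fix above, written as a small script so the pass/fail decision can be exercised offline. This is an added example, not text from the STIG: the function names, the constructed sample dscl outputs, and the assumed shape of dscl's "No such key" message are all the editor's assumptions. On a macOS host the live value comes from the same dscl command the Check Content uses; the fix function is defined but never invoked here, because it changes the root record and needs administrator privileges.

```shell
#!/bin/sh
# Added example for APPL-14-000100 (not part of the STIG text).
# Evaluates the root record's UserShell value exactly the way the Check Content
# does: merged stdout+stderr from dscl, then `grep -c "/usr/bin/false"` must be 1.

# stig_root_shell_check OUTPUT
#   OUTPUT is what `/usr/bin/dscl . -read /Users/root UserShell 2>&1` printed.
#   Returns 0 (not a finding) when exactly one line contains /usr/bin/false,
#   1 (finding) otherwise. `|| :` keeps a zero count from tripping `set -e`.
stig_root_shell_check() {
    count=$(printf '%s\n' "$1" | grep -c "/usr/bin/false" || :)
    [ "$count" -eq 1 ]
}

# stig_root_shell_verdict OUTPUT -> prints "compliant" or "finding"
stig_root_shell_verdict() {
    if stig_root_shell_check "$1"; then
        echo compliant
    else
        echo finding
    fi
}

# Remediation from the Fix Text. Only meaningful on macOS, as an administrator;
# it is defined here for completeness and deliberately not called.
stig_root_shell_fix() {
    /usr/bin/dscl . -create /Users/root UserShell /usr/bin/false
}

# Constructed sample outputs (assumed shapes of what dscl prints in each state).
SAMPLE_DISABLED='UserShell: /usr/bin/false'       # expected after the fix
SAMPLE_ENABLED='UserShell: /bin/sh'               # root can log in: finding
SAMPLE_MISSING='No such key: UserShell'           # attribute absent: finding

# On a real macOS host, evaluate the live record (read-only) as well.
if [ -x /usr/bin/dscl ]; then
    live=$(/usr/bin/dscl . -read /Users/root UserShell 2>&1)
    echo "live root UserShell -> $(stig_root_shell_verdict "$live")"
fi

# Walk the constructed samples so the script demonstrates both outcomes offline.
for s in "$SAMPLE_DISABLED" "$SAMPLE_ENABLED" "$SAMPLE_MISSING"; do
    echo "$s -> $(stig_root_shell_verdict "$s")"
done
```

Two things the literal check implies, worth knowing before you automate it: the test is a line count, so any value other than /usr/bin/false (for example a shell of /sbin/nologin, which also refuses an interactive login) is reported as a finding, and an unexpected second matching line also fails because the count must be exactly 1, not at least 1. The check reads only the UserShell attribute of the root record and nothing else about it.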
Additional Identifiers
Rule ID: SV-259444r1009580_rule
Vulnerability ID: V-259444
Group Title: SRG-OS-000104-GPOS-00051
CCIs
Number | Definition |
---|---|
CCI-000764 | Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. |
CCI-000770 | The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. |
CCI-001813 | Enforce access restrictions using organization-defined mechanisms. |
CCI-004045 | Require users to be individually authenticated before granting access to the shared accounts or resources. |