Check: AOSX-10-001065
Apple OS X 10-10 Workstation STIG: AOSX-10-001065
(in versions v1 r5 through v1 r4)
Title
The root account must be the only account having a UID of 0. (Cat II impact)
Discussion
The built-in root account is disabled by default, and administrator users are required to use sudo to run a process with the UID '0'. If another account with UID '0' exists, this is a sign of a network intrusion or of a malicious user who is attempting to circumvent security controls.
Check Content
To list all of the accounts with a UID of '0', run this command:

sudo dscl . -list /Users UniqueID | grep -w 0 | wc -l

If the result is not '1', this is a finding.
Fix Text
Investigate why any additional accounts were set up with a UID of '0'. Remove any invalid accounts.
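
The check command reports only a count, so it cannot say which accounts to investigate, and `grep -w 0` also matches a short name such as `lab-0`. The script below is an added example, not part of the STIG text: it names every account whose UniqueID field is exactly 0 and treats anything other than a single `root` entry as a finding. The function names and the sample account lists are constructed for illustration.

```shell
#!/bin/sh
# Added example (not STIG text). Input format assumed: "name UniqueID" per
# line, as printed by: dscl . -list /Users UniqueID

# Constructed sample data; lab-0 and svc_backup are hypothetical accounts.
SAMPLE_CLEAN='_www 70
daemon 1
lab-0 503
nobody -2
root 0
user10 501'
SAMPLE_EXTRA='daemon 1
root 0
svc_backup 0'

# stig_count: the count produced by the check command's grep/wc stage.
stig_count() {
    grep -w 0 | wc -l | tr -d ' '
}

# check_uid0: compare only the last field (the UID) against "0", so digits
# inside account names are ignored. Returns 0 only when the single UID 0
# account is root; otherwise prints the names to investigate and returns 1.
check_uid0() {
    accounts=$(awk '$NF == "0" { print $1 }')
    if [ "$accounts" = "root" ]; then
        echo "OK: root is the only account with UID 0"
        return 0
    fi
    if [ -z "$accounts" ]; then
        echo "FINDING: no account has UID 0 (count is not 1)"
        return 1
    fi
    # Unquoted on purpose: joins the newline-separated names with spaces.
    echo "FINDING: accounts with UID 0:" $accounts
    return 1
}

# On a Mac, run the script under sudo (as the check does) to test the live
# directory. On other systems this step is skipped.
if command -v dscl >/dev/null 2>&1; then
    dscl . -list /Users UniqueID | check_uid0
fi
```

On `SAMPLE_CLEAN` the grep-based count is 2 because of `lab-0`, while `check_uid0` reports compliance. A single UID 0 account that is not named root gives a count of 1 but is still reported by `check_uid0`.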
Additional Identifiers
Rule ID: SV-74151r1_rule
Vulnerability ID: V-59721
Group Title:
CCIs
| Number | Definition |
|---|---|
| CCI-000366 | Implement the security configuration settings. |
Controls
| Number | Title |
|---|---|
| CM-6 | Configuration Settings |