Check: AOSX-09-000565
Apple OS X 10.9 Workstation STIG: AOSX-09-000565 (in version v1 r2)
Title
The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator. (Cat II impact)
Discussion
Administrator users must never log in directly as root. To assure individual accountability and prevent unauthorized access, logging in as root over a remote connection must be disabled. Administrators should only run commands as root after first authenticating with their individual user names and passwords.
Check Content
To check if SSH has root logins enabled, run the following command:

    sudo grep ^PermitRootLogin /etc/sshd_config

If there is no result, or the result is set to 'yes', this is a finding.
Fix Text
In order to make sure that PermitRootLogin is disabled by sshd, run the following command:

    sudo sed -i.bak 's/^[\#]*PermitRootLogin.*/PermitRootLogin no/' /etc/sshd_config
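
The check and fix above, exercised against constructed sample files instead of the live /etc/sshd_config (an added example, not part of the STIG; the function names and sample file contents are assumptions). It shows that the sed fix rewrites an existing or commented-out directive, while a file with no PermitRootLogin line at all is left unchanged and still fails the check.

```shell
#!/bin/sh
# Added example (not part of the STIG text). Files passed in are constructed samples.

# Evaluate the check: return 0 if not a finding, 1 if a finding.
check_root_login() {
    conf=$1
    # Same pattern as the check text; sshd uses the first value it obtains for a keyword.
    result=$(grep '^PermitRootLogin' "$conf" | head -n 1)
    if [ -z "$result" ]; then
        echo "FINDING: no uncommented PermitRootLogin line in $conf"
        return 1
    fi
    # First argument after the keyword (separated by whitespace or '='), lowercased.
    value=$(printf '%s\n' "$result" |
        awk '{ sub(/^PermitRootLogin[ \t=]*/, ""); print tolower($1) }')
    if [ "$value" = "yes" ]; then
        echo "FINDING: $result"
        return 1
    fi
    echo "OK: $result"
    return 0
}

# Run the page's fix command against the given file (keeps a .bak copy).
apply_fix() {
    sed -i.bak 's/^[\#]*PermitRootLogin.*/PermitRootLogin no/' "$1"
}

# Constructed sample configs: commented default, explicit yes, directive absent.
demo() {
    dir=$(mktemp -d)
    printf '#PermitRootLogin yes\nPort 22\n' > "$dir/commented"
    printf 'PermitRootLogin yes\n'           > "$dir/explicit_yes"
    printf 'Port 22\n'                       > "$dir/absent"
    for f in commented explicit_yes absent; do
        echo "== $f"
        check_root_login "$dir/$f"   # before the fix
        apply_fix "$dir/$f"
        check_root_login "$dir/$f"   # after the fix
    done
    rm -rf "$dir"
}
demo
```

Re-running the check after the fix, as the demo does, is what catches the case where the directive was never present in the file.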
Additional Identifiers
Rule ID: SV-72791r1_rule
Vulnerability ID: V-58361
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000770 | The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. |
Controls
Number | Title |
---|---|
IA-2 (5) | Group Authentication |