Check: GEN001020
Solaris 10 X86 STIG:
GEN001020
(in versions v2 r4 through v1 r17)
Title
The root account must not be used for direct logins. (Cat II impact)
Discussion
Direct login with the root account prevents individual user accountability. Acceptable non-routine uses of the root account for direct login are limited to emergency maintenance, the use of single-user mode for maintenance, and situations where individual administrator accounts are not available.
Check Content
Check if the root is used for direct logins. Procedure: # last root | grep -v reboot If any direct login records for root exist, this is a finding. Verify the root user is configured as a role, rather than a normal user. Procedure: # egrep '^root:' /etc/user_attr If the returned line does not include "type=role", this is a finding.
Fix Text
Convert the root user into a role. # usermod -K type=role root Add the root role to authorized users' logins. # usermod -R root <userid>
Additional Identifiers
Rule ID: SV-227605r603266_rule
Vulnerability ID: V-227605
Group Title: SRG-OS-000109
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000770 |
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. |
Controls
Number | Title |
---|---|
IA-2 (5) |
Group Authentication |