The root account must be disabled.

From MAC OSX 10.6 Workstation Security Technical Implementation Guide

Part of OSX00655-Securing the System Admin Account

Associated with IA controls: IAAC-1

SV-38568r1_rule The root account must be disabled.

Vulnerability discussion

The most powerful user account in Mac OS X is the system administrator or root account. By default, the root account on Mac OS X is disabled, and enabling it is not recommended. The root account is primarily used for performing UNIX commands. Generally, actions involving critical system files require performing those actions as root.

Check content

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Lock and enter the password to unlock the options. Click the Edit menu (Directory Utility bar on top) and verify that "Enable Root User" appears. If the "Disable Root User" option is visible, this is a finding.
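A command-line form of the same check, as an added example that is not part of the STIG text. It assumes that `dscl . -read /Users/root AuthenticationAuthority` reports `No such key: AuthenticationAuthority` when root is disabled and prints the attribute when root is enabled; the function names and the `--check` argument are made up for this example.

```shell
#!/bin/sh
# Added example: scripted equivalent of the Directory Utility check.
# Assumption: a disabled root account has no AuthenticationAuthority
# attribute, so dscl answers "No such key: AuthenticationAuthority".

# classify_root_state: reads the output of
#   dscl . -read /Users/root AuthenticationAuthority
# on stdin and prints "disabled", "enabled" or "unknown".
classify_root_state() {
    out=$(cat)
    case "$out" in
        *"No such key: AuthenticationAuthority"*) echo "disabled" ;;
        *"AuthenticationAuthority:"*)             echo "enabled" ;;
        *)                                        echo "unknown" ;;
    esac
}

# check_root_account: runs dscl on the local directory node and maps
# the result to the rule's outcome. Returns 0 = not a finding,
# 1 = finding, 2 = could not determine (fall back to the GUI check).
check_root_account() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found; run this on the Mac being assessed" >&2
        return 2
    fi
    state=$(dscl . -read /Users/root AuthenticationAuthority 2>&1 \
            | classify_root_state)
    case "$state" in
        disabled) echo "PASS: root account is disabled"; return 0 ;;
        enabled)  echo "FINDING: root account is enabled (SV-38568r1_rule)"
                  return 1 ;;
        *)        echo "UNKNOWN: verify manually in Directory Utility" >&2
                  return 2 ;;
    esac
}

# Only touch the system when asked to: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    check_root_account
    exit $?
fi
```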

Fix text

Open Finder. Click the Hard Drive icon. Double Click System. Double Click Library. Double Click CoreServices. Double Click Directory Utility. Click the Lock and enter the password to unlock the options. Click the Edit menu (Directory Utility bar on top). Click Disable Root User.
