5.7 Do not enable the 'root' account

Information

Enabling the root account puts the system at risk since any exploit would have unlimited
access privileges within the system. Using the sudo command allows users to perform
functions as a root user while limiting and password protecting the access privileges. By
default the root account is not enabled on a Mac OS X client computer. It is enabled on Mac
OS X Server. An administrator can escalate privileges using the sudo command (use -s or -i to get a root shell).

Solution

Open System Preferences, Users & Groups. Click the lock icon to unlock it. In the Network Account Server section, click Join or Edit. Click Open Directory Utility. Click the lock icon to unlock it. Select the Edit menu > Disable Root User.

See Also

https://workbench.cisecurity.org/files/300

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: Unix

Control ID: 85c639d3575a2f47174597a2a00dd2a5090ca22700b7684056708e4d564ac01f