highaccess-controlverified ✓
Ensure root account access is controlled
root-access-controlled · RHEL ≥ 8 · 1 impl
Description
Access to the root account should be controlled by limiting the methods by which root can login (e.g., only via su from wheel group).
Rationale
Controlling root access reduces the risk of unauthorized root logins and ensures accountability for privileged actions.
Check → Remediate
Checkcommand
# CIS 5.4.2.4: the root account must have a usable password (P) or be
# locked (L) per `passwd -S root` — an account with no password (NP) is
# a finding. (SSH root-login restriction is a separate sshd control.)
status=$(passwd -S root 2>/dev/null | awk '{print $2}')
case "$status" in
P|L|LK|PS)
echo "OK: root account access controlled (passwd -S: $status)"
exit 0
;;
"")
echo "FAIL: could not determine root account status (passwd -S root)"
exit 1
;;
*)
echo "FAIL: root account status '$status' (must be P/password-set or L/locked, not NP)"
exit 1
;;
esac
- expected_exit:
- 0
Remediatemanual
- note:
- Set a password for root (passwd root) or lock the account (passwd -l root) per site policy; an account with no password (NP) is a finding.
Framework references
CIS
rhel9 5.4.2.4rhel10 5.4.2.4rhel8 5.4.2.4
NIST 800-53
AC-6IA-2
Live verification
rhel10:checkrhel9:check
#root#access-control#security#privilege