← Rules Catalog
highaccess-controlverified

Ensure root account access is controlled

root-access-controlled · RHEL ≥ 8 · 1 impl

Description

Access to the root account should be controlled by limiting the methods by which root can login (e.g., only via su from wheel group).

Rationale

Controlling root access reduces the risk of unauthorized root logins and ensures accountability for privileged actions.

Check → Remediate

Checkcommand
# CIS 5.4.2.4: the root account must have a usable password (P) or be
# locked (L) per `passwd -S root` — an account with no password (NP) is
# a finding. (SSH root-login restriction is a separate sshd control.)
status=$(passwd -S root 2>/dev/null | awk '{print $2}')
case "$status" in
  P|L|LK|PS)
    echo "OK: root account access controlled (passwd -S: $status)"
    exit 0
    ;;
  "")
    echo "FAIL: could not determine root account status (passwd -S root)"
    exit 1
    ;;
  *)
    echo "FAIL: root account status '$status' (must be P/password-set or L/locked, not NP)"
    exit 1
    ;;
esac
expected_exit:
0
Remediatemanual
note:
Set a password for root (passwd root) or lock the account (passwd -l root) per site policy; an account with no password (NP) is a finding.

Framework references

CIS

rhel9 5.4.2.4rhel10 5.4.2.4rhel8 5.4.2.4

NIST 800-53

AC-6IA-2

Live verification

rhel10:checkrhel9:check
#root#access-control#security#privilege