mediumaccess-controlverified ✓
Lock the root account password
root-account-locked · UBUNTU ≥ 22 · 1 impl
Description
The root account password must be locked to prevent direct password authentication as root. Administrative access is obtained by authenticating as an individual user and escalating privileges via sudo.
Rationale
A locked root password removes the highest-privilege account as a direct authentication target and enforces individual accountability: administrators must log in as themselves and escalate via sudo, so every privileged action is attributable. A password-authenticable root account is a single high-value credential exposed to brute force and shared use.
Check → Remediate
Checkcommand
passwd -S root 2>/dev/null | grep -q '^root L'
- expected_exit:
- 0
Remediatecommand_exec
passwd -l root
- unless:
- passwd -S root 2>/dev/null | grep -q '^root L'
Framework references
STIG
V-270724 / UBTU-24-400110V-260542 / UBTU-22-411010
NIST 800-53
AC-6IA-2
Live verification
ubuntu22:checkubuntu24:check
#root#authentication#account-lock#privileged-access