← Rules Catalog
mediumaccess-controlverified

Lock the root account password

root-account-locked · UBUNTU ≥ 22 · 1 impl

Description

The root account password must be locked to prevent direct password authentication as root. Administrative access is obtained by authenticating as an individual user and escalating privileges via sudo.

Rationale

A locked root password removes the highest-privilege account as a direct authentication target and enforces individual accountability: administrators must log in as themselves and escalate via sudo, so every privileged action is attributable. A password-authenticable root account is a single high-value credential exposed to brute force and shared use.

Check → Remediate

Checkcommand
passwd -S root 2>/dev/null | grep -q '^root L'
expected_exit:
0
Remediatecommand_exec
passwd -l root
unless:
passwd -S root 2>/dev/null | grep -q '^root L'

Framework references

STIG

V-270724 / UBTU-24-400110V-260542 / UBTU-22-411010

NIST 800-53

AC-6IA-2

Live verification

ubuntu22:checkubuntu24:check
#root#authentication#account-lock#privileged-access