highaccess-controlverified ✓
Ensure root is the only GID 0 account
root-only-gid0 · RHEL ≥ 8 · 1 impl
Description
Only the root account should have GID 0 as its primary group. Other accounts with GID 0 have root group privileges.
Rationale
Having multiple accounts with GID 0 complicates accountability and may grant unintended root group access to files and resources.
Check → Remediate
Checkcommand
# Find accounts with GID 0 that are not root
gid0_users=$(awk -F: '$4 == 0 && $1 != "root" { print $1 }' /etc/passwd)
if [ -n "$gid0_users" ]; then
echo "FAIL: Non-root accounts with GID 0: $gid0_users"
exit 1
fi
echo "OK: Only root has GID 0"
exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Change primary GID for non-root accounts with GID 0
Framework references
CIS
rhel9 5.4.2.2rhel8 5.4.2.2rhel10 5.4.2.2
NIST 800-53
AC-6
Live verification
rhel10:checkrhel8:checkrhel9:check
#root#gid#accounts#privilege