Skip to content

Verify Only Root Has UID 0

An XCCDF Rule

Description

If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.

Rationale

An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.

ID
xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
Severity
High
References
Updated



Remediation - Ansible

- name: Get all /etc/passwd file entries
  getent:
    database: passwd
    split: ':'
  tags:
  - DISA-STIG-RHEL-08-040200

Remediation - Shell Script

awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs --no-run-if-empty --max-lines=1 passwd -l