So I disabled root by changing the shell they log into. Works well, they can enable it all they want, but they can't login. The downside is that some of their developer apps that they use install and update via script that calls root. This is as designed by the vendor of the apps. Anybody have any suggestions how to keep them happy while addressing our security dept concerns of having it enabled?
Solved
Disabled Root now devs having problems
+23Best answer by Josh_S
Apologies, that was a code snippet for the whole EA. You need to echo out your result in brackets as @mm2270 points out. Let me see if I can clean this up a bit more for you and make it a little more useful.
If your management account is not 'mgmtaccount', you will need to change the text that it searches for.
#!/bin/bash
# Determine if the 'root' account is enabled for login.
if [ "$(dscl . -read /Users/root Password | grep -c '**')" -gt '0' ]; then
result=',root-enabled,'
else
result=','
fi
# Grab array of all non-service accounts.
userArray=()
while read line; do
userArray+=("${line}")
done <<< "$(/usr/sbin/jamf listUsers | awk -F '[<>]' '/<name>/ { print $3 }')"
# Loop through all the accounts gathered.
for i in "${userArray[@]}"; do
# Ignore case.
i="$(tr '[:upper:]' '[:lower:]' <<< "${i}")"
# Flag mgmtaccount as the management account
if [ "${i}" == 'mgmtaccount' ]; then
result="${result}${i}-management"
else
# Check to see if it is a domain/mobile account.
if [ "$(dscl . -read /Users/${i} AuthenticationAuthority | grep -ic 'LocalCachedUser')" -gt '0' ]; then
result="${result}${i}-mobile"
else
result="${result}${i}-local"
fi
fi
# Check to see if the account is a member of the admin group.
if [ "$(dscl . -read /Groups/admin GroupMembership | tr ' ' '
' | grep -ic "^${i}$")" -gt "0" ]; then
result="${result}-admin"
fi
# Use a comma to separate accounts.
result="${result},"
done
printf "<result>%s</result>" "${result}"
+11We have an Ext. Attribute that inventories the user accounts and various attributes of the account, whether they are local or mobile or if they are admins for example, and one of the things it checks for is if root is enabled:
if [ "$(dscl . -read /Users/root Password | grep -c '**')" -gt '0' ]; then
result=',root-enabled,'
else
result=','
fiWe then have a policy with a one-liner which disables root, scoped to every machine that the previously mentioned EA has a match like ',root-enabled,':
dscl . -passwd /Users/root 'randomstring'; dsenableroot -d -u root -p 'randomstring''randomstring' is a randomly generated string of characters. It has to be the same in both commands, and I guess it doesn't technically have to be the secure since you're disabling the root account that uses that password for - but that line of thinking makes me nervous so I use an actual long string of randomly generated characters.
+23would that still allow root to work then I assume?
+11Yep. The root account still works and still exists, and has a shell that can be used. But it disables it in the sense that it removes any password that could be used to log into it directly.
Admin users will need to use sudo in order to elevate their privileges to root.
+23so i set it up a while ago, but none of the information is populating, i set it up as a script and added bin/sh
+24No echo line with <result> </result> tags
+11Apologies, that was a code snippet for the whole EA. You need to echo out your result in brackets as @mm2270 points out. Let me see if I can clean this up a bit more for you and make it a little more useful.
If your management account is not 'mgmtaccount', you will need to change the text that it searches for.
#!/bin/bash
# Determine if the 'root' account is enabled for login.
if [ "$(dscl . -read /Users/root Password | grep -c '**')" -gt '0' ]; then
result=',root-enabled,'
else
result=','
fi
# Grab array of all non-service accounts.
userArray=()
while read line; do
userArray+=("${line}")
done <<< "$(/usr/sbin/jamf listUsers | awk -F '[<>]' '/<name>/ { print $3 }')"
# Loop through all the accounts gathered.
for i in "${userArray[@]}"; do
# Ignore case.
i="$(tr '[:upper:]' '[:lower:]' <<< "${i}")"
# Flag mgmtaccount as the management account
if [ "${i}" == 'mgmtaccount' ]; then
result="${result}${i}-management"
else
# Check to see if it is a domain/mobile account.
if [ "$(dscl . -read /Users/${i} AuthenticationAuthority | grep -ic 'LocalCachedUser')" -gt '0' ]; then
result="${result}${i}-mobile"
else
result="${result}${i}-local"
fi
fi
# Check to see if the account is a member of the admin group.
if [ "$(dscl . -read /Groups/admin GroupMembership | tr ' ' '
' | grep -ic "^${i}$")" -gt "0" ]; then
result="${result}-admin"
fi
# Use a comma to separate accounts.
result="${result},"
done
printf "<result>%s</result>" "${result}"thank you for this... real quick, we have 2 management account, one for the JSS that only me and a couple other people have (but it's on every box), and then the local admin that the IT staff has.
how would I modify the magmtaccount info to allow for either this or that?
+11Sure. Simple change to allow "match this" or "match that".
if [ "${i}" == 'mgmtaccount' ] || [ "${i}" == 'otheraccount' ]; thenYou might find this useful, I know I did: http://www.tldp.org/LDP/abs/html/
+23thank you, I will take a look at that link and see if I can learn something.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.