Posted on 07-22-2021 10:20 AM
In my fleet there are a small handful of users that enabled the root account.
This is the EA i use to determine it from someone on this forum
#!/bin/bash
# Root is considered enabled when its record carries an AuthenticationAuthority.
# Capture grep's exit status: 0 = attribute found, 1 = not found.
# Redirect stdout first, then stderr, so neither leaks into the EA result.
rootCheck=$(dscl . read /Users/root | grep AuthenticationAuthority > /dev/null 2>&1; echo $?)
if [ "${rootCheck}" -eq 1 ]; then
    echo "<result>Disabled</result>"
else
    echo "<result>Enabled</result>"
fi
My questions are:
Thanks!
Posted on 07-22-2021 12:31 PM
It looks like it might not be possible to disable root without knowing the password of the account it was enabled for, according to what I can see in the dsenableroot command. I'm not quite sure how best to handle this, outside of contacting those users and explaining to them that enabling root is a security risk and against company policy (I assume it's against policy), and asking them to disable it.
As for preventing it? Short of removing their admin rights, it sounds like something where you will need to publish to all users as policy that will be enforced and then just monitor for violations as you're already doing. As the saying goes, once someone is admin, all bets are off.
Posted on 07-26-2021 07:45 PM
#!/bin/bash
# Must run as root (scripts run from a Jamf policy already do).
# Remove the AuthenticationAuthority from the root account
dscl . -delete /Users/root AuthenticationAuthority
# Put a single asterisk in the password entry, thus locking the account.
dscl . -create /Users/root Password '*'
# Disable root login by setting root's shell to /usr/bin/false
dscl . -create /Users/root UserShell /usr/bin/false
exit 0
I agree with @mm2270 that once a user is Admin, all bets are off. But if you are worried about the default 'root' user being used for any exploits, the above script should help you disable 'root' on a recurring basis.
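The EA at the top of the thread only looks for AuthenticationAuthority, while the script above disables root through three attributes (authority, password, shell). The following is an added example, not code from either poster: a classifier that reads the output of `dscl . -read /Users/root AuthenticationAuthority UserShell Password` and reports root as enabled only when all three attributes say so. The sample dscl output is constructed, and the exact text dscl prints for a missing key is assumed.

```shell
#!/bin/bash
# Hypothetical helper: reads dscl output for the root record on stdin and
# prints the EA-style result. dscl prints one "Key: value" line per attribute;
# a multi-value attribute prints "Key:" followed by indented value lines.
classify_root_record() {
    local has_authority=0 shell_false=0 pw_locked=0 line
    while IFS= read -r line; do
        case "$line" in
            AuthenticationAuthority:*) has_authority=1 ;;   # root has a way to authenticate
            "UserShell: /usr/bin/false") shell_false=1 ;;   # shell disabled by the remediation
            "Password: *") pw_locked=1 ;;                    # password slot locked with '*'
        esac
    done
    # Root is usable only with an authority, a real shell and an unlocked password;
    # a partially remediated record (authority present, shell disabled) is Disabled.
    if [ "$has_authority" -eq 1 ] && [ "$shell_false" -eq 0 ] && [ "$pw_locked" -eq 0 ]; then
        echo "<result>Enabled</result>"
    else
        echo "<result>Disabled</result>"
    fi
}

# Constructed samples of dscl output (not captured from a real Mac).
ENABLED_SAMPLE='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
Password: ********
UserShell: /bin/sh'

DISABLED_SAMPLE='No such key: AuthenticationAuthority
Password: *
UserShell: /usr/bin/false'

# On a Mac, replace the sample with:
#   dscl . -read /Users/root AuthenticationAuthority UserShell Password 2>&1 | classify_root_record
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$ENABLED_SAMPLE" | classify_root_record
    printf '%s\n' "$DISABLED_SAMPLE" | classify_root_record
fi
```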
Posted on 07-27-2021 07:48 AM
I'm wondering why those particular users are setting up the root account. Are they developers/engineers? There has to be a reason why they are doing this. The fact that you are concerned that other users may do this tells me it's not allowed. I would take this to your reporting manager and, if you have one, an information security team about this issue. Have them set the policy of what users are and are not allowed to do on the company computer. Then you or they can notify the users of their actions and tell them to delete those root accounts.
Posted on 08-23-2021 10:25 AM
Sure, I can do that, but it's not entirely feasible for the users who are noncompliant.
Just like forcing an app update, I feel like JSS needs to be able to prevent or reverse this.
If there was a config profile that could be set as a preventative measure that'd be awesome, but aside from having a user do it themselves, which may or may not be possible, it'd be nice to force it from an admin perspective.
Posted on 08-23-2021 11:38 AM
I think you're asking for Jamf to do something that I'm not sure is doable.
We haven't had issues with anyone enabling root other than people on my own team forgetting to disable it when it was needed. I have a smart group that recognizes when root is enabled and then runs a script via a policy set to ongoing to disable it automatically. It's not a prevention technique but does what I need it to do. If someone else unofficially insisted that they had to enable root, I would imagine this would get very irritating for them.
I'd say the right direction at this point is to make sure that there's a company/institution policy of this not being enabled and then you can use Jamf for reporting if/when it does occur. Let administration deal with possible discipline.
Posted on 08-23-2021 01:17 PM
What was your solution to disable it? Same as listed by another user above?
Posted on 08-23-2021 01:24 PM
I'm just using dsenableroot.