Jamf Nation Community

AJPinto · ‎09-05-2023

Does anyone have a working Extension Attribute to read if the Root account is enabled? The one I was using does not appear to work anymore, and none of the commands I am seeing on the internet are working either.

This is what I was using.

#!/bin/bash

rootCheck=$(dscl . read /Users/root | grep AuthenticationAuthority > /dev/null 2>&1 ; echo $?)
if [ "${rootCheck}" == 1 ]; then
    echo "<result>Disabled</result>"
else
    echo "<result>Enabled</result>"\
fi

obi-k · ‎09-05-2023

The command below is from the CIS Ventura guide. Could you hash it up and re-fit for your EA?

Terminal Method:

Run the following command to verify the the root user has not been enabled:

$ /usr/bin/sudo /usr/bin/dscl . -read /Users/root AuthenticationAuthority

No such key: AuthenticationAuthority

View solution in original post

obi-k · ‎09-05-2023

The command below is from the CIS Ventura guide. Could you hash it up and re-fit for your EA?

Terminal Method:

Run the following command to verify the the root user has not been enabled:

$ /usr/bin/sudo /usr/bin/dscl . -read /Users/root AuthenticationAuthority

No such key: AuthenticationAuthority

AJPinto · ‎09-05-2023

I did not think to check the CIS benchmarks, ill give that a try. thanks.

AJPinto · ‎09-05-2023

@obi-k that got what I needed, thank you much.

If anyone else needs it, here is the EA.

#!/bin/bash
rootCheck=`/usr/bin/sudo /usr/bin/dscl . -read /Users/root AuthenticationAuthority`
if [ "${rootCheck}" == dsenableroot ]; then
	echo "Disabled"
        exit 0
else
	echo "Enabled"
fi

obi-k · ‎09-05-2023

Cool. Thanks for sharing your EA.

Jamf Nation Community

Root Account Enabled Extension Attribute