passwd_zero_uid

This built-in function ensures that only one account has a UID of “0” in /etc/passwd. This is intended to be reserved for the “root” account but it is possible to add additional accounts with UID 0 that would have the same privileged access. This test succeeds if only one account has a UID of zero and fails otherwise.

A UID of “0” grants root privileges on the system. A root user can do anything they want to on the system, which typically includes snooping on the memory of other processes (or of the kernel), reading and writing any file on the system, and so on. Because this account is so powerful, its use must be restricted to the bare minimum and it must be well protected.

Good administrative practices dictate that each UID be unique (hence the “U” in UID). Having two (or more) accounts with “root” privileges negates the accountability a system administrator may have towards the system. In addition, many systems restrict direct root login to the console only so that administrative use can be tracked. Typically, system administrators have to first log in to their own account and use the su command to become root. An additional UID 0 account evades this restriction.

If “root” access needs to be shared among users, use a tool like sudo or calife instead (or RBAC on Solaris). There should only be one account with a UID of “0”.

Usage

<item>
  name: "passwd_zero_uid"
  description: "This check makes sure that only ONE account has a uid of 0."
</item>
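The following portable shell script is an added example and not part of the Nessus check itself or its documentation; it reimplements the same logic (count the accounts whose third field in /etc/passwd is 0 and pass only when exactly one exists) so the test can be reproduced outside a compliance scan. The sample passwd content, the PASSWD_FILE variable and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the Nessus documentation): a shell re-implementation
# of the passwd_zero_uid logic. Set PASSWD_FILE=/etc/passwd to audit a real
# system; the sample data below is constructed for illustration only.

# Print the login name of every account whose UID field (3rd field) is 0.
# The numeric comparison treats "00" the same as "0", as the kernel would,
# while skipping comment lines and entries with too few fields.
uid_zero_accounts() {
    awk -F: '$0 !~ /^#/ && NF >= 3 && $3 == 0 { print $1 }' "$1"
}

# Return 0 (pass) when exactly one UID 0 account exists, 1 (fail) otherwise,
# and report which accounts were found so an administrator can act on it.
passwd_zero_uid_check() {
    count=$(uid_zero_accounts "$1" | wc -l | tr -d ' ')
    if [ "$count" -eq 1 ]; then
        echo "PASS: one UID 0 account: $(uid_zero_accounts "$1")"
        return 0
    fi
    echo "FAIL: $count accounts with UID 0: $(uid_zero_accounts "$1" | tr '\n' ' ')"
    return 1
}

# Constructed sample passwd file: a normal layout plus a second UID 0 account
# ("toor") of the kind this check is meant to surface.
make_sample_passwd() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second UID 0 account:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# Audit a real file when asked to; otherwise demonstrate on the sample.
if [ -n "${PASSWD_FILE:-}" ]; then
    passwd_zero_uid_check "$PASSWD_FILE"
else
    sample=$(mktemp)
    make_sample_passwd "$sample"
    passwd_zero_uid_check "$sample"   # prints FAIL: 2 accounts with UID 0: root toor
    rm -f "$sample"
fi
```

Running it with `PASSWD_FILE=/etc/passwd sh passwd_zero_uid.sh` reports the UID 0 account(s) and exits non-zero when more than one exists, which makes it easy to wire into a cron job or a configuration-management compliance step.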