9.1 Non-Root Execution

Description

Agents MUST NOT run with root or administrator privileges.

Rationale

Running as root provides unrestricted access. A compromised agent running as root means total system compromise.

Audit Procedure

1. Check process owner
2. Verify not running as root/Administrator
3. Check service account permissions

Remediation

1. Create dedicated service account
2. Use systemd/launchd with User= directive
3. Remove sudo access

Framework Mappings