Auditors in general audit against a set of specific rules, guidelines or baselines. If you don’t produce a reasonable baseline yourself, they will use their own baselines, and then you get requirements like this.
The principle of least privilege (PoLP) refers to an information security concept in which a user is given the minimum levels of access – or permissions – needed to perform his/her job functions.
That means that if you can explain why root access is necessary for developers on their own laptops, then you can give them the root access. But you need to explain why it is necessary (and acceptable), and document that, with appropriate signatures.
You may also want to describe what security measures you have taken to minimize the risks. A possible set would be:
- put them on their own network
- firewall-off that network
- any further separation between test, development and production
- an awareness campaign (users only get root after a talk with the Security guy)
things like that.
Running a VM with admin access only moves the problem. You will get the same requirement/discussion of least privilege on the VM as well.