2.3 Lock the BIND User Account

Information

The user account under which BIND runs should not have a valid password, but should be locked.

Rationale:

As a defense-in-depth measure the named user account should be locked to prevent logins, and to prevent a user from su'ing to named using a password. In general, there should be no need for anyone to su to named; when there is such a need, sudo should be used instead, which does not require the account password.

Solution

To remediate, lock the named account using the passwd command with the lock option (-l) as shown below.

# passwd -l named
Locking password for user named.
passwd: Success
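An audit helper for this control, added here as an example and not part of the benchmark: it parses shadow-format lines to decide whether an account's password field is locked (prefixed with "!" by passwd -l, or "*" for no usable password), and on a live system reads /etc/shadow and applies passwd -l only when needed. The sample shadow lines are constructed, and the function names are this example's own; the account name is assumed to be named as in the text (some distributions use bind).

```shell
#!/bin/sh
# Constructed sample shadow lines for an offline check (not from a real system).
SAMPLE_SHADOW='root:$6$abc...:19000:0:99999:7:::
named:!!:19000:0:99999:7:::
bind:$6$xyz...:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::'

# shadow_password_field USER SHADOW_TEXT
# Prints the password field of USER's line; exits 1 if USER is absent.
shadow_password_field() {
    printf '%s\n' "$2" | awk -F: -v u="$1" \
        '$1 == u { print $2; found = 1 } END { exit found ? 0 : 1 }'
}

# is_locked USER SHADOW_TEXT
# Returns 0 if the password field is locked ("!" prefix or "*"),
# 1 if a usable password hash is present, 2 if the user is not found.
is_locked() {
    pw=$(shadow_password_field "$1" "$2") || return 2
    case "$pw" in
        '!'*|'*') return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_and_lock USER
# Live check (root required): report status and lock the account if needed.
audit_and_lock() {
    user=$1
    shadow=$(cat /etc/shadow) || return 2
    if is_locked "$user" "$shadow"; then
        echo "$user: password is locked"
    else
        echo "$user: password NOT locked, remediating"
        passwd -l "$user"
    fi
}
```

After remediation, `passwd -S named` should show `L` (locked) in its second column, which is a quick manual confirmation of the same state.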

Default Value:

Account is locked by default.

See Also

https://workbench.cisecurity.org/files/2997