2.3 Lock the BIND User Account

Information

The user account under which BIND runs (normally named) should not have a valid password; it should be locked and given a non-interactive login shell.

Rationale:

As a defense-in-depth measure, the named user account should be locked to prevent direct logins and to prevent any user from su'ing to named with a password. In general there should be no need for anyone to su to named; when there is, sudo should be used instead, which does not require the account password and leaves an audit record.

Solution

Change the named account to use the nologin shell as shown below. Note that changing the shell only blocks interactive logins and su; it does not by itself invalidate a password that is set, so the account should also be locked (passwd -l named, or usermod -L named), which prefixes the hash in /etc/shadow with "!" so that it can never match.

# chsh -s /sbin/nologin named
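To verify the recommendation, here is an added audit script that is not part of the CIS benchmark text. It checks both conditions a locked service account must satisfy: a non-interactive shell in the passwd entry and a locked hash in the shadow entry. The account name named, the sample passwd and shadow lines, and the function names are assumptions; the sample data is constructed so the script runs offline, and on a real host it would be pointed at /etc/passwd and /etc/shadow as root.

```shell
#!/bin/sh
# Added audit example (not from the CIS benchmark or the BIND project).
# Checks that a service account cannot be logged into or su'd to with a password.

# Return 0 if USER's login shell in PASSWD_FILE is a non-interactive one.
shell_is_nologin() {
    user=$1; passwd_file=$2
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd_file")
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if USER's password field in SHADOW_FILE is locked: passwd -l and
# usermod -L prefix the hash with "!", and "*" or "!!" can never match a password.
password_is_locked() {
    user=$1; shadow_file=$2
    hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow_file")
    case "$hash" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a verdict per check and return 0 only when both pass.
# Real-host usage (as root): audit_account named /etc/passwd /etc/shadow
audit_account() {
    user=$1; passwd_file=$2; shadow_file=$3
    status=0
    if shell_is_nologin "$user" "$passwd_file"; then
        echo "PASS: $user has a non-interactive shell"
    else
        echo "FAIL: $user has an interactive shell (fix: chsh -s /sbin/nologin $user)"
        status=1
    fi
    if password_is_locked "$user" "$shadow_file"; then
        echo "PASS: $user password is locked"
    else
        echo "FAIL: $user password is not locked (fix: passwd -l $user)"
        status=1
    fi
    return $status
}

# Constructed sample data (hypothetical, not taken from a real host) showing the
# named account before and after remediation. The hash is a placeholder.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/passwd.before" <<'EOF'
root:x:0:0:root:/root:/bin/bash
named:x:25:25:Named:/var/named:/bin/bash
EOF
cat > "$TMP/shadow.before" <<'EOF'
root:!:19000:0:99999:7:::
named:$6$saltsalt$placeholderhashonly:19000:0:99999:7:::
EOF
cat > "$TMP/passwd.after" <<'EOF'
root:x:0:0:root:/root:/bin/bash
named:x:25:25:Named:/var/named:/sbin/nologin
EOF
cat > "$TMP/shadow.after" <<'EOF'
root:!:19000:0:99999:7:::
named:!$6$saltsalt$placeholderhashonly:19000:0:99999:7:::
EOF

echo "--- before remediation ---"
audit_account named "$TMP/passwd.before" "$TMP/shadow.before" || true
echo "--- after remediation (chsh -s /sbin/nologin named; passwd -l named) ---"
audit_account named "$TMP/passwd.after" "$TMP/shadow.after" || true
```

Both fixes can also be applied in one step with usermod -L -s /sbin/nologin named. The "before" data fails both checks, which is the state the rationale above warns about: a shell that allows login and a hash that su would accept.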

Default Value:
Account is locked by default.

See Also

https://workbench.cisecurity.org/files/1735