2.7 Lock Out Accounts if Not Currently in Use

Information

If users with accounts will not be using their account for some time, to reduce the risk of attacks or inappropriate account usage or if suspicions exist that an account might be under attack, disabling the account will secure it and once it's ready to resume use it can easily be re-enabled.

Rationale:

Only have active accounts that will be used.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To lock accounts - example:

ALTER USER 'jeffrey'@'localhost' ACCOUNT LOCK;

To unlock accounts - example

ALTER USER 'jeffrey'@'localhost' ACCOUNT UNLOCK;

Note: Works for CREATE as well. It is good practice to LOCK an account if created ahead of time.

Default Value:

Accounts are unlocked by default.

See Also

https://workbench.cisecurity.org/benchmarks/16527

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(3), CSCv7|16.9

Plugin: Unix

Control ID: 0dcb514c0416e87de63fa06cd26dd6b6d35eb49c1d9f01fefc31c0f300123ad3