Information
If users with database accounts will not be using the database for some time, disabling the account will reduce the risk of attacks or inappropriate account usage.
Rationale:
Only actively used database accounts should be allowed to login to the database.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
To lock accounts, as a superuser, run:
ALTER ROLE <account> NOLOGIN;
To unlock accounts, as a superuser, runL
ALTER ROLE <account> LOGIN;
Default Value:
Accounts created by CREATE ROLE are NOLOGIN by default. Accounts created by CREATE USER are LOGIN by default.
Additional Information:
It is possible to specify NOLOGIN when using both CREATE ROLE and CREATE USER:
CREATE ROLE <account> NOLOGIN;
CREATE USER <account> NOLOGIN;