4.4 Lock Out Accounts if Not Currently in Use

Information

If users with database accounts will not be using the database for some time, disabling the account will reduce the risk of attacks or inappropriate account usage.

Rationale:

Only actively used database accounts should be allowed to login to the database.


NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To lock accounts, as a superuser, run:

ALTER ROLE <account> NOLOGIN;

To unlock accounts, as a superuser, runL

ALTER ROLE <account> LOGIN;

Default Value:

Accounts created by CREATE ROLE are NOLOGIN by default. Accounts created by CREATE USER are LOGIN by default.

Additional Information:

It is possible to specify NOLOGIN when using both CREATE ROLE and CREATE USER:

CREATE ROLE <account> NOLOGIN;

CREATE USER <account> NOLOGIN;

See Also

https://workbench.cisecurity.org/benchmarks/17004

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(3)

Plugin: PostgreSQLDB

Control ID: ddd0e6d0975021f5f51d3bac075c53f9407c7b854bc12e20edb9e84670ede0d2