2.3 Lock the BIND User Account

Information

The user account under which BIND runs should not have a valid password, but should be locked.

Rationale:

As a defense-in-depth measure the named user account should be locked to prevent logins, and to prevent a user from su'ing to named using a password. In general, there shouldn't be a need for anyone to have to su as named, and when there is a need, then sudo should be used instead, which would not require the account password.

Solution

Change the named account to use the nologin shell as shown:

# chsh -s /sbin/nologin named

Default Value:
Account is locked by default.

See Also

https://benchmarks.cisecurity.org/downloads/show-single/?file=bind.300

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2

Plugin: Unix

Control ID: 8e79f1f7326b4e0afdbe1ea0ae1db23a3097383a21c91efed14faf10ccd23d3d