Information
The user account under which BIND runs should not have a valid password; it should be locked.
As a defense-in-depth measure, the named user account should be locked to prevent logins and to prevent a user from using su with a password to become named. In general, nobody should need to su to named; when there is a need, sudo should be used instead, which does not require the account password.
Solution
To remediate, lock the named account using the passwd command with the lock option (-l), as shown below.
# passwd -l named
Locking password for user named.
Account is locked by default.
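One way to verify the result is to inspect the account's password field in shadow(5) format. This is an added example, not part of the original benchmark text; the function names shadow_lock_state, audit_account_locked and sample_shadow are hypothetical, and the sample entries are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Classify the password field of one account in a shadow(5)-format file.
# Usage: shadow_lock_state USER [FILE]  (FILE defaults to /etc/shadow; reading it needs root)
# Prints one of: locked, empty, password-set, missing
shadow_lock_state() {
    user=$1
    file=${2:-/etc/shadow}
    awk -F: -v u="$user" '
        $1 == u {
            found = 1
            if ($2 == "")           print "empty"         # no password needed at all
            else if ($2 ~ /^[!*]/)  print "locked"        # "!" is the prefix passwd -l adds;
                                                          # "*" also matches no valid hash
            else                    print "password-set"  # usable hash: su with password works
            exit
        }
        END { if (!found) print "missing" }
    ' "$file"
}

# Pass/fail wrapper. The account defaults to "named", the name used on this page.
# Usage: audit_account_locked [USER] [FILE]
audit_account_locked() {
    acct=${1:-named}
    state=$(shadow_lock_state "$acct" "${2:-}")
    if [ "$state" = "locked" ]; then
        echo "PASS: $acct has no valid password (locked)"
        return 0
    fi
    echo "FAIL: $acct password state is '$state'"
    return 1
}

# Constructed sample entries for trying the check without touching /etc/shadow.
sample_shadow() {
    cat <<'EOF'
named:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
unlocked:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::
neverset:!!:19000::::::
nopw::19000:0:99999:7:::
EOF
}
```

On a live system, run audit_account_locked as root with no arguments; an "empty" result is worse than "password-set", since the account then needs no password at all.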