2.3 Lock the BIND User Account

The user account under which BIND runs should not have a valid password; it should be locked.

As a defense-in-depth measure, the named user account should be locked to prevent direct logins and to prevent a user from switching to named with su by supplying a password. In general, nobody should need to su to named; when that access is required, sudo should be used instead, which does not require the account's password.

To remediate, lock the named account with the passwd command and its lock option (-l), as shown below.

# passwd -l named
Locking password for user named.
passwd: Success
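An audit helper added here (not part of the benchmark text) that classifies the password field of an account's /etc/shadow entry, so an auditor can confirm that named is actually locked rather than merely passwordless. It assumes a Linux shadow file layout; reading the real /etc/shadow requires root, and the sample file below is constructed with placeholder hashes.

```shell
#!/bin/sh
# Added example, not from the benchmark. Classifies the second (password) field of a
# user's shadow entry. Reading the real /etc/shadow requires root. The sample shadow
# file below is constructed for demonstration; its hashes are placeholders.

# Print the password state of USER from SHADOW_FILE (default /etc/shadow):
#   locked    field starts with "!" (what passwd -l and usermod -L write)
#   nopasswd  field is "*" (no valid password, but not explicitly locked)
#   empty     field is blank: no password is required at all
#   hashed    a hash is present, so the account accepts a password
#   missing   no entry for USER
shadow_state() {
    user="$1"
    file="${2:-/etc/shadow}"
    # ":" cannot occur inside a field, so it is a safe "not found" sentinel.
    pw=$(awk -F: -v u="$user" 'BEGIN { s = ":" } $1 == u { s = $2; exit } END { print s }' "$file")
    case "$pw" in
        ':')  echo missing ;;
        '!'*) echo locked ;;
        '*')  echo nopasswd ;;
        '')   echo empty ;;
        *)    echo hashed ;;
    esac
}

# Return 0 only when USER is locked; otherwise print the benchmark's remediation
# and return 1, so the function can drive a pass/fail check.
audit_locked() {
    state=$(shadow_state "$1" "$2")
    if [ "$state" = locked ]; then
        echo "$1: locked (pass)"
        return 0
    fi
    echo "$1: $state (fail) - remediate with: passwd -l $1"
    return 1
}

# Constructed sample shadow file (placeholder hashes, not from a real system).
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$PLACEHOLDER$notarealhash:19000:0:99999:7:::
named:!!:19000:0:99999:7:::
bind:$6$PLACEHOLDER$alsonotreal:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
nopw::19000:0:99999:7:::
EOF

audit_locked named "$SAMPLE_SHADOW"            # named: locked (pass)
audit_locked bind "$SAMPLE_SHADOW" || true     # bind: hashed (fail) - remediate with: passwd -l bind
```

Run it as root against the real file with `audit_locked named` (no second argument) to check a live system.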

Default Value:

Account is locked by default.

See Also