Disabling Accounts
OS
If you need to disable an OS user account, you can expire the account using usermod --expiredate 1. For example, to disable the account for user tom:
sudo usermod --expiredate 1 tom
For more information, please see man passwd and man usermod.
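To confirm the change took effect, check the account-expiry field of the user's shadow entry (the eighth colon-separated field, in days since 1970-01-01), which --expiredate 1 sets to 1. The script below is an added example, not part of the Security Onion documentation; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify accounts by the expiry field (field 8) of
# shadow-format lines. Function names and sample data are constructed.

# expiry_status LINE [TODAY_DAYS]
# Prints "<user> <state>", where state is expired, active, no-expiry,
# ambiguous or invalid.
expiry_status() {
    line=$1
    today=${2:-$(( $(date +%s) / 86400 ))}    # days since 1970-01-01
    user=$(printf '%s\n' "$line" | cut -d: -f1)
    expire=$(printf '%s\n' "$line" | cut -d: -f8)
    case $expire in
        '')       state=no-expiry ;;          # empty field: account never expires
        0)        state=ambiguous ;;          # shadow(5) advises against using 0
        *[!0-9]*) state=invalid ;;            # not a day count
        *)  if [ "$today" -ge "$expire" ]; then
                state=expired                 # expiry day reached: logins refused
            else
                state=active
            fi ;;
    esac
    printf '%s %s\n' "$user" "$state"
}

# audit TODAY_DAYS: read shadow-format lines on stdin, one status per line.
audit() {
    while IFS= read -r entry; do
        expiry_status "$entry" "$1"
    done
}

# Constructed sample entries (placeholder hashes, not real accounts).
sample_shadow() {
cat <<'EOF'
tom:$6$constructed$hash:19700:0:99999:7::1:
alice:$6$constructed$hash:19700:0:99999:7:::
bob:$6$constructed$hash:19700:0:99999:7::99999:
EOF
}

# Day 20000 is a constructed "today"; tom was disabled with --expiredate 1.
sample_shadow | audit 20000
```

On a live system the same function can be fed the output of sudo getent shadow tom, or the expiry can be read with sudo chage -l tom. Expiring an account blocks new logins but does not end sessions that are already open.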
SOC
If you need to disable an account in Security Onion Console (SOC) and FleetDM, you can use the so-user-disable command and specify the user’s email address. For example, to disable the account for tom@example.com:
sudo so-user-disable tom@example.com
After disabling a user account, the Security Onion Console (SOC) Administration page will show the disabled user account with a disabled icon in the Status column.