Change the security settings on Exadata with the script host_access_control

About three months ago I found a script named host_access_control.

The script provides a command-line interface for managing several host access and security settings. It is available on Compute Nodes and Storage Cells since Exadata Software Version 11.2.3.3.0 and is located at /opt/oracle.cellos/host_access_control. The script is not documented in the Exadata documentation, but it is in the SuperCluster documentation.

Calling the script with the option "-h" displays the help:

<pre class="wp-block-syntaxhighlighter-code brush: plain; notranslate">
/opt/oracle.cellos/host_access_control -h

Usage: [-q|--quiet] command [argument]
     command is one of:
     access           - User access from hosts, networks, etc.
     access-ilomweb   - Control overall access from the ILOM Web Remote Console device (tty1)
     access-export    - Export access rules to a file
     access-import    - Import access rules via a supplied file
     audit-rules      - Import audit rules via a supplied file
     banner           - Login banner management
     fips-mode        - FIPS mode for openSSH
     grub-password    - GRUB password control
     idle-timeout     - Shell and SSH client idle timeout control
     ilom-configure   - ILOM settings control
     ilom-password    - ILOM root user password control
     kernel-dump      - kdump (kernel dump file creation) control
     maint-password   - Diagnostic ISO shell and Rescue password control
     pam-auth         - PAM authentication settings: pam_tally2 deny and lock_time, passwdqc, and password history values
     password-aging   - Adjust current users' password aging
     password-policy  - Adjust the system's password age policies
     rootssh          - Root user SSH access control
     sshciphers       - SSH cipher support control
     ssh-listen       - Control the SSHD service optional ListenAddress entries
     ssh-service      - Control the SSHD service and active connections
     sudo             - User privilege control through sudo
     sudodeny         - Manage the Exadata sudo users deny list
     get-runtime      - Maintenance command: import system configuration settings, storing them in host_access_control parameter settings files.
     restore          - Maintenance command: reapply settings previously set by this utility, as in after an upgrade
</pre>

I used the script for changing the pam-auth settings.

<pre class="wp-block-syntaxhighlighter-code brush: plain; notranslate">
/opt/oracle.cellos/host_access_control pam-auth -h

    Usage: host_access_control  pam-auth [options] [arguments] [arguments]
    --deny {integer}
    --lock {integer}
    --passwdqc {comma-separated values}
    --remember {integer}
    --defaults
    --secdefaults
    --status
    --deny, --lock, --passwdqc, and --remember maybe be combined options
</pre>

We can change settings for:

  • Number of allowed unsuccessful logins (default: 5): --deny (-d)
  • Lock time (default: 600 seconds, i.e. 10 minutes) after the number of allowed unsuccessful logins is reached: --lock (-l)
  • Password complexity: --passwdqc
  • and more…

I changed the default settings for number of allowed unsuccessful logins and lock time.

Show the current settings:

<pre class="wp-block-syntaxhighlighter-code brush: plain; notranslate">
/opt/oracle.cellos/host_access_control pam-auth -s

[2018-10-08 15:10:54 +0200] [INFO] [IMG-SEC-0801] Deny on login failure count is deny=5
[2018-10-08 15:10:54 +0200] [INFO] [IMG-SEC-0802] Account lock-out time is lock_time=600
[2018-10-08 15:10:54 +0200] [INFO] [IMG-SEC-0803] Password strength, passwdqc setting is min=5,5,5,5,5
[2018-10-08 15:10:54 +0200] [INFO] [IMG-SEC-0804] Password history depth setting is remember=10
</pre>

To change the settings, run:

<pre class="wp-block-syntaxhighlighter-code brush: plain; notranslate">
/opt/oracle.cellos/host_access_control pam-auth -d 10 -l 0
</pre>

and check again:

<pre class="wp-block-syntaxhighlighter-code brush: plain; notranslate">
/opt/oracle.cellos/host_access_control pam-auth -s

[2018-10-08 15:10:54 +0200] [INFO] [IMG-SEC-0801] Deny on login failure count is deny=10
[2018-10-08 15:10:54 +0200] [INFO] [IMG-SEC-0802] Account lock-out time is lock_time=0
[2018-10-08 15:10:54 +0200] [INFO] [IMG-SEC-0803] Password strength, passwdqc setting is min=5,5,5,5,5
[2018-10-08 15:10:54 +0200] [INFO] [IMG-SEC-0804] Password history depth setting is remember=10
</pre>
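As an added example (not from the original post and not part of the utility), a small POSIX shell check that parses the status lines printed by pam-auth -s and compares them with a site baseline, so that drift after an upgrade or a manual change shows up. The sample status text is constructed from the lines above; the threshold values passed to the function are assumed baseline values.

```shell
#!/bin/sh
# Added example: compare "host_access_control pam-auth -s" output with a baseline.
# SAMPLE_STATUS is constructed from the status lines shown in the post.
SAMPLE_STATUS='[2018-10-08 15:10:54 +0200] [INFO] [IMG-SEC-0801] Deny on login failure count is deny=10
[2018-10-08 15:10:54 +0200] [INFO] [IMG-SEC-0802] Account lock-out time is lock_time=0
[2018-10-08 15:10:54 +0200] [INFO] [IMG-SEC-0803] Password strength, passwdqc setting is min=5,5,5,5,5
[2018-10-08 15:10:54 +0200] [INFO] [IMG-SEC-0804] Password history depth setting is remember=10'

# get_setting KEY: read status text on stdin, print the value of "KEY=value".
get_setting() {
    sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p" | head -n 1
}

# check_pam_status MAX_DENY MIN_LOCK MIN_REMEMBER: read status text on stdin,
# print one FAIL line per setting outside the baseline, return 0 only if all pass.
check_pam_status() {
    max_deny=$1; min_lock=$2; min_remember=$3
    status=$(cat)
    deny=$(printf '%s\n' "$status" | get_setting deny)
    lock=$(printf '%s\n' "$status" | get_setting lock_time)
    remember=$(printf '%s\n' "$status" | get_setting remember)
    rc=0
    [ -n "$deny" ] && [ "$deny" -le "$max_deny" ] \
        || { echo "FAIL deny=$deny (baseline max $max_deny)"; rc=1; }
    [ -n "$lock" ] && [ "$lock" -ge "$min_lock" ] \
        || { echo "FAIL lock_time=$lock (baseline min $min_lock)"; rc=1; }
    [ -n "$remember" ] && [ "$remember" -ge "$min_remember" ] \
        || { echo "FAIL remember=$remember (baseline min $min_remember)"; rc=1; }
    return $rc
}

# Demonstration against the constructed sample with an assumed baseline of
# deny<=5, lock_time>=600, remember>=10: reports the two changed settings.
printf '%s\n' "$SAMPLE_STATUS" | check_pam_status 5 600 10 || echo "drift detected"
# On a node (as root) pipe the live output in instead:
#   /opt/oracle.cellos/host_access_control pam-auth -s | check_pam_status 5 600 10
```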

Author: Neselovskyi, Borys

Borys Neselovskyi is a leading Infrastructure Architect at OPITZ CONSULTING, a German Oracle Platinum Partner. Since February 2019 he has been an Oracle ACE. Borys's field of work includes the conceptual design and implementation of infrastructure solutions based on Oracle Database/Middleware/Engineered Systems/Virtualization. He is also a frequent speaker at conferences (with live demos about Oracle software, sessions, panels, etc.).
