Exam accounts are set up so that they are blocked for 10 minutes after the first wrong password entered. This brings a lot of inconvenience to users.
/sbin/pam_tally2
The pam_tally2 is login enabler utility.For example i will connect to oracle user with wrong password and flush the blocker.
[root@z01dbadm01 ~]# pam_tally2
<--- emply output here, so no locked account
[root@z01dbadm01 ~]# ssh z01dbadm01 -l oracle
oracle@z01dbadm01's password: <--- wrong password here
Permission denied, please try again.
After unsuccessful attempt to login you'll see:
[root@z01dbadm01 ~]# pam_tally2
Login Failures Latest failure From
oracle 1 08/14/18 17:17:02 z01dbadm01.distr.fors.ru
Remove the lock:
[root@z01dbadm01 ~]# pam_tally2 -u oracle -r
Login Failures Latest failure From
oracle 1 08/14/18 17:17:02 z01dbadm01.distr.fors.ru
[root@z01dbadm01 ~]# pam_tally2
Empty output = the login is allowed.
[root@z01dbadm01 ~]# chage -l oracle
Last password change : Jun 05, 2018
Password expires : Sep 03, 2018
Password inactive : never
Account expires : never
Minimum number of days between password change : 1
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
[root@z01dbadm01 ~]# chage -I -1 -m 0 -M 99999 -E -1 oracle
[root@z01dbadm01 ~]# chage -l oracle
Last password change : Jun 05, 2018
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
HOST_ACCESS_CONTROL
Here is extract from host_access_control.log (one of Exadata installation log files ).
I edited this file and left lines related to Linux config files. You can see security changes the host_access_control make inside Linux :
/opt/oracle.cellos/host_access_control
The host_access_control (undocumented utility), is the only permitted and supported method to implement security configuration changes on the Oracle Exadata Storage Servers.
Customers are not permitted to make manual changes to the configuration of these devices per Oracle Support notice 1068804.1.
Further, before using this tool, customers must first obtain explicit approval from Oracle Product Development to change the security configuration of their Oracle Exadata Storage Servers.
To request this approval, customers must open a service request with Oracle Support.
/opt/oracle.cellos/host_access_control --help
Usage: [-q|--quiet] command [argument]
command is one of:
access - User access from hosts, networks, etc.
access-ilomweb - Control overall access from the ILOM Web Remote Console device (tty1)
access-export - Export access rules to a file
access-import - Import access rules via a supplied file
audit-rules - Import audit rules via a supplied file
banner - Login banner management
fips-mode - FIPS mode for openSSH
grub-password - GRUB password control
idle-timeout - Shell and SSH client idle timeout control
ilom-configure - ILOM settings control
ilom-password - ILOM root user password control
kernel-dump - kdump (kernel dump file creation) control
maint-password - Diagnostic ISO shell and Rescue password control
pam-auth - PAM authentication settings: pam_tally2 deny and lock_time, passwdqc, and password history values
password-aging - Adjust current users' password aging
password-policy - Adjust the system's password age policies
rootssh - Root user SSH access control
sshciphers - SSH cipher support control
ssh-listen - Control the SSHD service optional ListenAddress entries
ssh-service - Control the SSHD service and active connections
sudo - User privilege control through sudo
sudodeny - Manage the Exadata sudo users deny list
get-runtime - Maintenance command: import system configuration settings, storing them in host_access_control parameter settings files.
restore - Maintenance command: reapply settings previously set by this utility, as in after an upgrade
(command help by using --help after command (no help with restore command))
The optional -q|--quiet option is used for silent/noprompting for use with cellcli and must be the first arg.
--------------------------------------------------------------
[root@ed04dbadm01 ~]# /opt/oracle.cellos/host_access_control pam-auth --status
[2018-04-20 16:55:22 +0300] [INFO] [IMG-SEC-0801] Deny on login failure count is deny=5
[2018-04-20 16:55:22 +0300] [INFO] [IMG-SEC-0802] Account lock-out time is lock_time=600
[2018-04-20 16:55:22 +0300] [INFO] [IMG-SEC-0803] Password strength, passwdqc setting is min=5,5,5,5,5
[2018-04-20 16:55:22 +0300] [INFO] [IMG-SEC-0804] Password history depth setting is remember=10
[root@ed04dbadm01 ~]# /opt/oracle.cellos/host_access_control pam-auth -d 10
[2018-04-20 16:56:43 +0300] [INFO] [IMG-SEC-0805] Deny on login failure count set to 10
[root@ed04dbadm01 ~]# /opt/oracle.cellos/host_access_control pam-auth -d 20
[2018-04-20 16:56:51 +0300] [WARNING] [IMG-SEC-0023] Incorrect value for option Integer value for deny option must be between 1 and 10
[root@ed04dbadm01 ~]# /opt/oracle.cellos/host_access_control pam-auth --lock 0
[2018-04-20 16:57:16 +0300] [INFO] [IMG-SEC-0806] Account lock_time after one failed login attempt set to 0
[root@ed04dbadm01 ~]# /opt/oracle.cellos/host_access_control pam-auth --status
[2018-04-20 16:57:33 +0300] [INFO] [IMG-SEC-0801] Deny on login failure count is deny=10
[2018-04-20 16:57:33 +0300] [INFO] [IMG-SEC-0802] Account lock-out time is lock_time=0
[2018-04-20 16:57:33 +0300] [INFO] [IMG-SEC-0803] Password strength, passwdqc setting is min=5,5,5,5,5
[2018-04-20 16:57:33 +0300] [INFO] [IMG-SEC-0804] Password history depth setting is remember=10
/sbin/pam_tally2
The pam_tally2 is login enabler utility.For example i will connect to oracle user with wrong password and flush the blocker.
[root@z01dbadm01 ~]# pam_tally2
<--- emply output here, so no locked account
[root@z01dbadm01 ~]# ssh z01dbadm01 -l oracle
oracle@z01dbadm01's password: <--- wrong password here
Permission denied, please try again.
After unsuccessful attempt to login you'll see:
[root@z01dbadm01 ~]# pam_tally2
Login Failures Latest failure From
oracle 1 08/14/18 17:17:02 z01dbadm01.distr.fors.ru
Remove the lock:
[root@z01dbadm01 ~]# pam_tally2 -u oracle -r
Login Failures Latest failure From
oracle 1 08/14/18 17:17:02 z01dbadm01.distr.fors.ru
[root@z01dbadm01 ~]# pam_tally2
Empty output = the login is allowed.
[root@z01dbadm01 ~]# chage -l oracle
Last password change : Jun 05, 2018
Password expires : Sep 03, 2018
Password inactive : never
Account expires : never
Minimum number of days between password change : 1
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
[root@z01dbadm01 ~]# chage -I -1 -m 0 -M 99999 -E -1 oracle
[root@z01dbadm01 ~]# chage -l oracle
Last password change : Jun 05, 2018
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
HOST_ACCESS_CONTROL
Here is extract from host_access_control.log (one of Exadata installation log files ).
I edited this file and left lines related to Linux config files. You can see security changes the host_access_control make inside Linux :
Restored Exadata Host Access Control rules to /etc/exadata/security/exadata-access.conf
Setting the SSH Server supported ciphers to arcfour,aes128-ctr,aes192-ctr,aes256-ctr
Setting Ciphers arcfour,aes128-ctr,aes192-ctr,aes256-ctr in /etc/ssh/sshd_config
Setting the SSH Client supported ciphers to arcfour,aes128-ctr,aes192-ctr,aes256-ctr
Setting Ciphers arcfour,aes128-ctr,aes192-ctr,aes256-ctr in /etc/ssh/ssh_config
Shell timeout (TMOUT) set to 14400 in /etc/profile
ClientAliveCountMax set to 0 in /etc/ssh/sshd_config
ClientAliveInterval set to 86400 in /etc/ssh/sshd_config
Restored ILOM CLI TIMEOUT to 15
Restored Exadata Host Access Control rules to /etc/exadata/security/exadata-access.conf
pam_tally2 deny set to 5 in /etc/pam.d/login
pam_tally2 deny set to 5 in /etc/pam.d/sshd
pam_tally2 lock_time set to 600 in /etc/pam.d/login
pam_tally2 lock_time set to 600 in /etc/pam.d/sshd
pam_passwdqc.so min set to 5,5,5,5,5 in /etc/pam.d/password-auth and /etc/pam.d/system-auth
pam_unix.so remember set to 10 in /etc/pam.d/password-auth and /etc/pam.d/system-auth
Restored aging parameters [ -M 99999, -m 0, -W 7 ] for user root
Restored aging parameters [ -M 99999, -m 0, -W 7 ] for user dbmsvc
Restored aging parameters [ -M 99999, -m 0, -W 7 ] for user dbmadmin
Restored aging parameters [ -M 99999, -m 0, -W 7 ] for user dbmmonitor
Setting PASS_MAX_DAYS 90 in /etc/login.defs
Setting PASS_MIN_DAYS 1 in /etc/login.defs
Setting PASS_MIN_LEN 8 in /etc/login.defs
Setting PASS_WARN_AGE 7 in /etc/login.defs
Setting PermitRootLogin yes in /etc/ssh/sshd_config
Setting PasswordAuthentication yes in /etc/ssh/sshd_config
/opt/oracle.cellos/host_access_control
The host_access_control (undocumented utility), is the only permitted and supported method to implement security configuration changes on the Oracle Exadata Storage Servers.
Customers are not permitted to make manual changes to the configuration of these devices per Oracle Support notice 1068804.1.
Further, before using this tool, customers must first obtain explicit approval from Oracle Product Development to change the security configuration of their Oracle Exadata Storage Servers.
To request this approval, customers must open a service request with Oracle Support.
/opt/oracle.cellos/host_access_control --help
Usage: [-q|--quiet] command [argument]
command is one of:
access - User access from hosts, networks, etc.
access-ilomweb - Control overall access from the ILOM Web Remote Console device (tty1)
access-export - Export access rules to a file
access-import - Import access rules via a supplied file
audit-rules - Import audit rules via a supplied file
banner - Login banner management
fips-mode - FIPS mode for openSSH
grub-password - GRUB password control
idle-timeout - Shell and SSH client idle timeout control
ilom-configure - ILOM settings control
ilom-password - ILOM root user password control
kernel-dump - kdump (kernel dump file creation) control
maint-password - Diagnostic ISO shell and Rescue password control
pam-auth - PAM authentication settings: pam_tally2 deny and lock_time, passwdqc, and password history values
password-aging - Adjust current users' password aging
password-policy - Adjust the system's password age policies
rootssh - Root user SSH access control
sshciphers - SSH cipher support control
ssh-listen - Control the SSHD service optional ListenAddress entries
ssh-service - Control the SSHD service and active connections
sudo - User privilege control through sudo
sudodeny - Manage the Exadata sudo users deny list
get-runtime - Maintenance command: import system configuration settings, storing them in host_access_control parameter settings files.
restore - Maintenance command: reapply settings previously set by this utility, as in after an upgrade
(command help by using --help after command (no help with restore command))
The optional -q|--quiet option is used for silent/noprompting for use with cellcli and must be the first arg.
--------------------------------------------------------------
[root@ed04dbadm01 ~]# /opt/oracle.cellos/host_access_control pam-auth --status
[2018-04-20 16:55:22 +0300] [INFO] [IMG-SEC-0801] Deny on login failure count is deny=5
[2018-04-20 16:55:22 +0300] [INFO] [IMG-SEC-0802] Account lock-out time is lock_time=600
[2018-04-20 16:55:22 +0300] [INFO] [IMG-SEC-0803] Password strength, passwdqc setting is min=5,5,5,5,5
[2018-04-20 16:55:22 +0300] [INFO] [IMG-SEC-0804] Password history depth setting is remember=10
[root@ed04dbadm01 ~]# /opt/oracle.cellos/host_access_control pam-auth -d 10
[2018-04-20 16:56:43 +0300] [INFO] [IMG-SEC-0805] Deny on login failure count set to 10
[root@ed04dbadm01 ~]# /opt/oracle.cellos/host_access_control pam-auth -d 20
[2018-04-20 16:56:51 +0300] [WARNING] [IMG-SEC-0023] Incorrect value for option Integer value for deny option must be between 1 and 10
[root@ed04dbadm01 ~]# /opt/oracle.cellos/host_access_control pam-auth --lock 0
[2018-04-20 16:57:16 +0300] [INFO] [IMG-SEC-0806] Account lock_time after one failed login attempt set to 0
[root@ed04dbadm01 ~]# /opt/oracle.cellos/host_access_control pam-auth --status
[2018-04-20 16:57:33 +0300] [INFO] [IMG-SEC-0801] Deny on login failure count is deny=10
[2018-04-20 16:57:33 +0300] [INFO] [IMG-SEC-0802] Account lock-out time is lock_time=0
[2018-04-20 16:57:33 +0300] [INFO] [IMG-SEC-0803] Password strength, passwdqc setting is min=5,5,5,5,5
[2018-04-20 16:57:33 +0300] [INFO] [IMG-SEC-0804] Password history depth setting is remember=10
