Tuesday, August 14, 2018

Exadata account locked, pam_tally2 and host_access_control

Exadata accounts are set up so that they are blocked for 10 minutes after the first wrong password is entered. This causes a lot of inconvenience for users.

/sbin/pam_tally2
pam_tally2 is the utility that shows and resets the failed-login counter behind this lock. For example, I will connect as the oracle user with a wrong password and then clear the lock.

[root@z01dbadm01 ~]# pam_tally2 
                                                   <--- empty output here, so no locked account

[root@z01dbadm01 ~]# ssh z01dbadm01 -l oracle
oracle@z01dbadm01's password:    <--- wrong password here
Permission denied, please try again.


After the unsuccessful login attempt you'll see:

[root@z01dbadm01 ~]# pam_tally2
Login           Failures Latest failure     From
oracle              1    08/14/18 17:17:02  z01dbadm01.distr.fors.ru
 

Remove the lock:
[root@z01dbadm01 ~]# pam_tally2 -u oracle -r
Login           Failures Latest failure     From
oracle              1    08/14/18 17:17:02  z01dbadm01.distr.fors.ru
 

[root@z01dbadm01 ~]# pam_tally2 

Empty output = the login is allowed.
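As an added example (not from the original post), here is a small Python script that parses the table pam_tally2 prints and works out why a user is currently refused, using the module's lock_time and deny semantics with the deny=5 / lock_time=600 values that the host_access_control.log extract later in the post reports. The sample output and the clock time are constructed; only the oracle row is the one shown above.

```python
from datetime import datetime

# Constructed sample of `pam_tally2` output. The header and the oracle row are
# the ones shown in the post; the grid and dbmadmin rows are made up here.
SAMPLE_TALLY = """\
Login           Failures Latest failure     From
oracle              1    08/14/18 17:17:02  z01dbadm01.distr.fors.ru
grid                5    08/14/18 17:05:30  10.0.0.25
dbmadmin            2    08/14/18 16:30:00  z01dbadm02.example.invalid
"""

# Assumed wall-clock time at which the sample was taken (constructed).
SAMPLE_NOW = datetime(2018, 8, 14, 17, 20, 0)


def parse_pam_tally2(text):
    """Parse the table printed by `pam_tally2` into a list of records.

    Empty output (the "login is allowed" case in the post) yields an empty
    list. The From column can be blank for console logins, so it is optional.
    """
    records = []
    rows = [line for line in text.splitlines() if line.strip()]
    for row in rows[1:]:  # rows[0] is the header line
        parts = row.split()
        if len(parts) < 4:
            continue  # not a data row we understand
        user, failures, date, clock = parts[0], int(parts[1]), parts[2], parts[3]
        latest = datetime.strptime(date + " " + clock, "%m/%d/%y %H:%M:%S")
        records.append({
            "user": user,
            "failures": failures,
            "latest": latest,
            "from": parts[4] if len(parts) > 4 else "",
        })
    return records


def lock_state(failures, latest, now, deny=5, lock_time=600, unlock_time=None):
    """Reproduce pam_tally2's decision for one user (semantics per its man page).

    lock_time=N   denies every login for N seconds after the latest failure,
                  whatever the tally; the 10-minute block the post describes
                  comes from lock_time=600, not from deny.
    deny=N        once the tally reaches N the user stays denied until the
                  tally is reset with `pam_tally2 -u USER -r` ...
    unlock_time=N ... unless unlock_time lets the user back in N seconds
                  after the latest failure.
    root is only subject to deny with even_deny_root; not modelled here.
    Returns "ok", "lock_time" or "deny".
    """
    elapsed = (now - latest).total_seconds()
    if lock_time and elapsed < lock_time:
        return "lock_time"
    if failures >= deny:
        if unlock_time is not None and elapsed >= unlock_time:
            return "ok"
        return "deny"
    return "ok"


def report(text, now, deny=5, lock_time=600, unlock_time=None):
    """Map each tallied user to its lock state at time `now`."""
    return {
        rec["user"]: lock_state(rec["failures"], rec["latest"], now,
                                deny, lock_time, unlock_time)
        for rec in parse_pam_tally2(text)
    }


def sample_report(**kwargs):
    """Run the report over the constructed sample at SAMPLE_NOW."""
    return report(SAMPLE_TALLY, SAMPLE_NOW, **kwargs)


if __name__ == "__main__":
    for user, state in sample_report().items():
        print(f"{user:12s} {state}")
```

Run against the sample, oracle is refused only because of the lock_time window (one failure, 178 seconds ago), grid has hit deny=5 and will stay locked until its tally is reset, and dbmadmin can log in. Passing lock_time=0, the value the post sets later with `pam-auth --lock 0`, makes oracle's single failure harmless again while grid remains locked.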

Password aging for the same user can be checked with chage:

[root@z01dbadm01 ~]# chage -l oracle
Last password change                              : Jun 05, 2018
Password expires                                  : Sep 03, 2018
Password inactive                                 : never
Account expires                                   : never
Minimum number of days between password change    : 1
Maximum number of days between password change    : 90
Number of days of warning before password expires : 7
To switch off expiry for this user (password inactive: never, minimum age 0 days, maximum age 99999 days, account expiry: never):

[root@z01dbadm01 ~]# chage -I -1 -m 0 -M 99999 -E -1 oracle
[root@z01dbadm01 ~]# chage -l oracle
Last password change                              : Jun 05, 2018
Password expires                                  : never
Password inactive                                 : never
Account expires                                   : never
Minimum number of days between password change    : 0
Maximum number of days between password change    : 99999
Number of days of warning before password expires : 7

HOST_ACCESS_CONTROL
Here is an extract from host_access_control.log (one of the Exadata installation log files).
I edited this file and left only the lines related to Linux config files. You can see the security changes host_access_control makes inside Linux:

Restored Exadata Host Access Control rules to /etc/exadata/security/exadata-access.conf

Setting the SSH Server supported ciphers to arcfour,aes128-ctr,aes192-ctr,aes256-ctr
Setting Ciphers arcfour,aes128-ctr,aes192-ctr,aes256-ctr in /etc/ssh/sshd_config

Setting the SSH Client supported ciphers to arcfour,aes128-ctr,aes192-ctr,aes256-ctr
Setting Ciphers arcfour,aes128-ctr,aes192-ctr,aes256-ctr in /etc/ssh/ssh_config

Shell timeout (TMOUT) set to 14400 in /etc/profile
ClientAliveCountMax set to 0 in /etc/ssh/sshd_config
ClientAliveInterval set to 86400 in /etc/ssh/sshd_config
Restored ILOM CLI TIMEOUT to 15
Restored Exadata Host Access Control rules to /etc/exadata/security/exadata-access.conf
pam_tally2 deny set to 5 in /etc/pam.d/login
pam_tally2 deny set to 5 in /etc/pam.d/sshd
pam_tally2 lock_time set to 600 in /etc/pam.d/login
pam_tally2 lock_time set to 600 in /etc/pam.d/sshd
pam_passwdqc.so min set to 5,5,5,5,5 in /etc/pam.d/password-auth and /etc/pam.d/system-auth
pam_unix.so remember set to 10 in /etc/pam.d/password-auth and /etc/pam.d/system-auth
Restored aging parameters [ -M 99999, -m 0, -W 7 ] for user root
Restored aging parameters [ -M 99999, -m 0, -W 7 ] for user dbmsvc
Restored aging parameters [ -M 99999, -m 0, -W 7 ] for user dbmadmin
Restored aging parameters [ -M 99999, -m 0, -W 7 ] for user dbmmonitor
Setting PASS_MAX_DAYS 90 in /etc/login.defs
Setting PASS_MIN_DAYS 1 in /etc/login.defs
Setting PASS_MIN_LEN 8 in /etc/login.defs
Setting PASS_WARN_AGE 7 in /etc/login.defs
Setting PermitRootLogin yes in /etc/ssh/sshd_config
Setting PasswordAuthentication yes in /etc/ssh/sshd_config
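Added example, not from the post or from Oracle's tooling: a parser for the log lines above that collects what host_access_control set in which file, checks that a setting written to several files (for instance pam_tally2 deny in /etc/pam.d/login and /etc/pam.d/sshd) carries the same value everywhere, and flags the entries a hardening review would question. The checks are my own; the sample log is assembled from the lines quoted above.

```python
import re

# Constructed sample assembled from the host_access_control.log lines quoted in the post.
SAMPLE_LOG = """\
Restored Exadata Host Access Control rules to /etc/exadata/security/exadata-access.conf
Setting the SSH Server supported ciphers to arcfour,aes128-ctr,aes192-ctr,aes256-ctr
Setting Ciphers arcfour,aes128-ctr,aes192-ctr,aes256-ctr in /etc/ssh/sshd_config
Setting Ciphers arcfour,aes128-ctr,aes192-ctr,aes256-ctr in /etc/ssh/ssh_config
Shell timeout (TMOUT) set to 14400 in /etc/profile
ClientAliveCountMax set to 0 in /etc/ssh/sshd_config
ClientAliveInterval set to 86400 in /etc/ssh/sshd_config
pam_tally2 deny set to 5 in /etc/pam.d/login
pam_tally2 deny set to 5 in /etc/pam.d/sshd
pam_tally2 lock_time set to 600 in /etc/pam.d/login
pam_tally2 lock_time set to 600 in /etc/pam.d/sshd
pam_passwdqc.so min set to 5,5,5,5,5 in /etc/pam.d/password-auth and /etc/pam.d/system-auth
pam_unix.so remember set to 10 in /etc/pam.d/password-auth and /etc/pam.d/system-auth
Restored aging parameters [ -M 99999, -m 0, -W 7 ] for user root
Setting PASS_MAX_DAYS 90 in /etc/login.defs
Setting PASS_MIN_LEN 8 in /etc/login.defs
Setting PermitRootLogin yes in /etc/ssh/sshd_config
Setting PasswordAuthentication yes in /etc/ssh/sshd_config
"""

# The three line shapes seen in the extract: "<key> set to <value> in <file(s)>",
# "Setting <key> <value> in <file(s)>" and the per-user aging restore line.
SET_TO = re.compile(r"^(?P<key>.+?) set to (?P<value>\S+) in (?P<files>.+)$")
SETTING = re.compile(r"^Setting (?P<key>\S+) (?P<value>\S+) in (?P<files>.+)$")
AGING = re.compile(r"^Restored aging parameters \[ (?P<params>.+) \] for user (?P<user>\S+)$")


def parse_log(text):
    """Return ({(key, file): value}, {user: aging params}) from the log text.

    A line naming several files ("... in A and B") is recorded once per file.
    Lines that match none of the shapes (e.g. "Restored ... rules to ...") are ignored.
    """
    settings, aging = {}, {}
    for line in text.splitlines():
        m = SET_TO.match(line) or SETTING.match(line)
        if m:
            for path in m.group("files").split(" and "):
                settings[(m.group("key"), path)] = m.group("value")
            continue
        m = AGING.match(line)
        if m:
            aging[m.group("user")] = m.group("params")
    return settings, aging


def inconsistent(settings):
    """Keys whose value differs between the files it was written to."""
    by_key = {}
    for (key, path), value in settings.items():
        by_key.setdefault(key, {})[path] = value
    return sorted(key for key, per_file in by_key.items()
                  if len(set(per_file.values())) > 1)


def audit(settings):
    """Flag settings a hardening review would question (checks are my own)."""
    findings = []
    for (key, path), value in sorted(settings.items()):
        if key == "Ciphers" and "arcfour" in value.split(","):
            findings.append(f"{path}: Ciphers includes arcfour (RC4), which current OpenSSH disables by default")
        if key == "PermitRootLogin" and value == "yes":
            findings.append(f"{path}: PermitRootLogin yes allows direct root logins over SSH")
        if key == "PasswordAuthentication" and value == "yes":
            findings.append(f"{path}: PasswordAuthentication yes keeps password logins enabled, so the pam_tally2 limits carry the brute-force risk")
    return findings


if __name__ == "__main__":
    settings, aging = parse_log(SAMPLE_LOG)
    for (key, path), value in sorted(settings.items()):
        print(f"{path:40s} {key} = {value}")
    print("aging:", aging)
    print("inconsistent:", inconsistent(settings))
    for finding in audit(settings):
        print("FINDING:", finding)
```

On the sample the parser yields the PAM, SSH and login.defs values shown in the extract, no setting disagrees between files, and four findings come back: the arcfour cipher in both sshd_config and ssh_config, PermitRootLogin yes, and PasswordAuthentication yes. Running the same audit over the real log after an upgrade (when host_access_control restore reapplies settings) is a quick way to confirm the hardening state matches what was approved.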

/opt/oracle.cellos/host_access_control

host_access_control (an undocumented utility) is the only permitted and supported method to implement security configuration changes on the Oracle Exadata Storage Servers.
Customers are not permitted to make manual changes to the configuration of these devices per Oracle Support notice 1068804.1.
Further, before using this tool, customers must first obtain explicit approval from Oracle Product Development to change the security configuration of their Oracle Exadata Storage Servers.
To request this approval, customers must open a service request with Oracle Support.


/opt/oracle.cellos/host_access_control --help
Usage: [-q|--quiet] command [argument]
     command is one of:
     access           - User access from hosts, networks, etc.
     access-ilomweb   - Control overall access from the ILOM Web Remote Console device (tty1)
     access-export    - Export access rules to a file
     access-import    - Import access rules via a supplied file
     audit-rules      - Import audit rules via a supplied file
     banner           - Login banner management
     fips-mode        - FIPS mode for openSSH
     grub-password    - GRUB password control
     idle-timeout     - Shell and SSH client idle timeout control
     ilom-configure   - ILOM settings control
     ilom-password    - ILOM root user password control
     kernel-dump      - kdump (kernel dump file creation) control
     maint-password   - Diagnostic ISO shell and Rescue password control
     pam-auth         - PAM authentication settings: pam_tally2 deny and lock_time, passwdqc, and password history values
     password-aging   - Adjust current users' password aging
     password-policy  - Adjust the system's password age policies
     rootssh          - Root user SSH access control
     sshciphers       - SSH cipher support control
     ssh-listen       - Control the SSHD service optional ListenAddress entries
     ssh-service      - Control the SSHD service and active connections
     sudo             - User privilege control through sudo
     sudodeny         - Manage the Exadata sudo users deny list
     get-runtime      - Maintenance command: import system configuration settings, storing them in host_access_control parameter settings files.
     restore          - Maintenance command: reapply settings previously set by this utility, as in after an upgrade
     (command help by using --help after command (no help with restore command))
     The optional -q|--quiet option is used for silent/noprompting for use with cellcli and must be the first arg.
--------------------------------------------------------------


[root@ed04dbadm01 ~]# /opt/oracle.cellos/host_access_control pam-auth --status

[2018-04-20 16:55:22 +0300] [INFO] [IMG-SEC-0801] Deny on login failure count is deny=5
[2018-04-20 16:55:22 +0300] [INFO] [IMG-SEC-0802] Account lock-out time is lock_time=600
[2018-04-20 16:55:22 +0300] [INFO] [IMG-SEC-0803] Password strength, passwdqc setting is min=5,5,5,5,5
[2018-04-20 16:55:22 +0300] [INFO] [IMG-SEC-0804] Password history depth setting is remember=10

[root@ed04dbadm01 ~]# /opt/oracle.cellos/host_access_control pam-auth -d 10
[2018-04-20 16:56:43 +0300] [INFO] [IMG-SEC-0805] Deny on login failure count set to 10

[root@ed04dbadm01 ~]# /opt/oracle.cellos/host_access_control pam-auth -d 20
[2018-04-20 16:56:51 +0300] [WARNING] [IMG-SEC-0023] Incorrect value for option Integer value for deny option must be between 1 and 10

[root@ed04dbadm01 ~]# /opt/oracle.cellos/host_access_control pam-auth --lock 0
[2018-04-20 16:57:16 +0300] [INFO] [IMG-SEC-0806] Account lock_time after one failed login attempt set to 0

[root@ed04dbadm01 ~]# /opt/oracle.cellos/host_access_control pam-auth --status
[2018-04-20 16:57:33 +0300] [INFO] [IMG-SEC-0801] Deny on login failure count is deny=10
[2018-04-20 16:57:33 +0300] [INFO] [IMG-SEC-0802] Account lock-out time is lock_time=0
[2018-04-20 16:57:33 +0300] [INFO] [IMG-SEC-0803] Password strength, passwdqc setting is min=5,5,5,5,5
[2018-04-20 16:57:33 +0300] [INFO] [IMG-SEC-0804] Password history depth setting is remember=10
