Although we have quite a wide Oracle Linux stack, I had not come across pam_tally2 before we got Exadata. If you haven't read about it, it's a PAM module that keeps a tally of failed logins per user and locks the account once the tally exceeds a configured number of attempts.
Every now and then, especially after the password change we do every three months, we ran into the issue that the account got locked because somebody tried to log in with the old password.
If the account gets locked you can see the current state (the tally, the time of the latest failure and the source address) by running:
[root@exa1dbadm01] pam_tally2 --user=oracle
Login           Failures Latest failure     From
oracle              5    02/03/2017 09:17:01  192.168.1.250
And to reset the account you just run:
[root@exa1dbadm01]# pam_tally2 --user=oracle --reset
At UKOUG Tech'16 Andy Colvin mentioned this in his presentation and showed that there is a script called host_access_control on Exadata which handles the security settings:
[root@ex1dbadm01 ~]# /opt/oracle.cellos/host_access_control
Usage: [-q|--quiet] command [argument]
command is one of:
  access           - User access from hosts, networks, etc.
  access-ilomweb   - Control overall access from the ILOM Web Remote Console device (tty1)
  access-export    - Export access rules to a file
  access-import    - Import access rules via a supplied file
  audit-rules      - Import audit rules via a supplied file
  banner           - Login banner management
  fips-mode        - FIPS mode for openSSH
  grub-password    - GRUB password control
  idle-timeout     - Shell and SSH client idle timeout control
  ilom-configure   - ILOM settings control
  ilom-password    - ILOM root user password control
  kernel-dump      - kdump (kernel dump file creation) control
  maint-password   - Diagnostic ISO shell and Rescue password control
  pam-auth         - PAM authentication settings: pam_tally2 deny and lock_time, passwdqc, and password history values
  password-aging   - Adjust current users' password aging
  password-policy  - Adjust the system's password age policies
  rootssh          - Root user SSH access control
  sshciphers       - SSH cipher support control
  ssh-service      - Control the SSH service and active connections
  sudo             - User privilege control through sudo
  sudodeny         - Manage the Exadata sudo users deny list
  get-runtime      - Maintenance command: import system configuration settings, storing them in host_access_control parameter settings files.
  restore          - Maintenance command: reapply settings previously set by this utility, as in after an upgrade
(command help by using --help after command (no help with restore command))
The optional -q|--quiet option is used for silent/noprompting for use with cellcli and must be the first arg.
So you can actually manage quite a lot of different things with this script. The two things I want to do now are to remove the pam_tally2 lock time after a failed attempt and to change the password aging from 90 days to 180 days. Note that in pam_tally2 the lock_time is the forced wait after each failed attempt; the deny threshold is a separate option, so after this change the account is still locked once the tally exceeds deny and still has to be cleared with --reset.
[root@exa1dbadm01 ~]# /opt/oracle.cellos/host_access_control pam-auth -l 0
[2017-02-03 09:25:05 +0100] [INFO] [IMG-SEC-0806] Account lock_time after one failed login attempt set to 0
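To make visible what the pam-auth change above does and does not alter, here is a small shell parser for the pam_tally2 options in a PAM auth stack. It is an added example, not code from the original post and not part of Oracle's host_access_control; the PAM text it parses is constructed to resemble an /etc/pam.d auth stack and the option values (deny=5, lock_time=600, unlock_time=1800) are illustrative, not read from an Exadata node.

```bash
#!/bin/bash
# Added example (not from the original post or from host_access_control):
# parse the pam_tally2 options out of a PAM auth stack and report whether a
# locked account will ever clear without "pam_tally2 --reset".
# The PAM stacks below are constructed for illustration.

PAM_BEFORE='#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5 lock_time=600 onerr=fail
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_tally2.so'

# Same stack after lock_time has been set to 0 (the point of "pam-auth -l 0").
PAM_AFTER='#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5 lock_time=0 onerr=fail
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_tally2.so'

# Constructed variant with unlock_time, only to exercise the parser.
PAM_SELFHEAL='auth        required      pam_tally2.so deny=5 unlock_time=1800 onerr=fail'

# pam_tally2_settings PAM_TEXT
# Prints "deny lock_time unlock_time" taken from the first "auth ... pam_tally2.so"
# line. Unset options are reported as 0, which is how pam_tally2 treats them:
# deny=0 means no count-based lockout, lock_time=0 means no forced wait after a
# failure, unlock_time=0 means an exceeded tally never expires on its own.
pam_tally2_settings() {
    local pam_text="$1" line opt deny=0 lock_time=0 unlock_time=0
    line=$(printf '%s\n' "$pam_text" | grep -E '^auth[[:space:]].*pam_tally2\.so' | head -n 1)
    if [ -z "$line" ]; then
        echo "no pam_tally2 auth line found" >&2
        return 1
    fi
    for opt in $line; do
        case "$opt" in
            deny=*)        deny=${opt#deny=} ;;
            lock_time=*)   lock_time=${opt#lock_time=} ;;
            unlock_time=*) unlock_time=${opt#unlock_time=} ;;
        esac
    done
    echo "$deny $lock_time $unlock_time"
}

# needs_manual_reset PAM_TEXT
# Exit 0 when the stack can lock an account (deny > 0) and never unlocks it by
# itself (no unlock_time), i.e. the case where somebody has to run
# "pam_tally2 --user=<user> --reset". Lowering lock_time to 0 removes the
# per-failure wait but leaves this condition exactly as it was.
needs_manual_reset() {
    local fields
    fields=$(pam_tally2_settings "$1") || return 2
    set -- $fields
    if [ "$1" -gt 0 ] && [ "$3" -eq 0 ]; then
        return 0
    fi
    return 1
}

# report NAME PAM_TEXT: one summary line per stack.
report() {
    printf '%-9s deny/lock_time/unlock_time = %s;' "$1" "$(pam_tally2_settings "$2")"
    if needs_manual_reset "$2"; then
        echo " a locked account stays locked until pam_tally2 --reset"
    else
        echo " a locked account clears on its own"
    fi
}

report BEFORE   "$PAM_BEFORE"
report AFTER    "$PAM_AFTER"
report SELFHEAL "$PAM_SELFHEAL"
```

Run it against the real stack with something like pam_tally2_settings "$(cat /etc/pam.d/system-auth)" on a node; the exact file pam_tally2 lives in on Exadata is not shown on this page, so check /etc/pam.d before trusting the result. On Exadata the settings should be changed through host_access_control rather than by editing the PAM files, as the utility's restore command reapplies its own saved settings after an upgrade. To push the change to every database server at once, dcli -g dbs_group -l root /opt/oracle.cellos/host_access_control pam-auth -l 0 is the usual form, where dbs_group is assumed to be your file listing the database node names.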
And now to change the password aging I can use the password-aging command. From the help text above, password-aging adjusts the aging of existing users (here the oracle account), while password-policy changes the system-wide age policy that new accounts inherit; changing one does not change the other.
[root@exa1dbadm01 ~]# /opt/oracle.cellos/host_access_control password-aging -s
user: oracle
================================================================
Minimum number of days between password change : 1
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
[root@exa1dbadm01 ~]# /opt/oracle.cellos/host_access_control password-aging -u oracle -M 180
[2017-02-03 10:04:22 +0100] [INFO] [IMG-SEC-0F02] Password aging applied, [ -M 180, -m None, -W None ] for oracle)
[root@exa1dbadm01 ~]# /opt/oracle.cellos/host_access_control password-aging -s
[2017-02-03 10:04:27 +0100] [INFO] [IMG-SEC-0F01] Password aging settings:
user: oracle
================================================================
Minimum number of days between password change : 1
Maximum number of days between password change : 180
Number of days of warning before password expires : 7
All changed now!
If you want to do this quickly, use dcli to make the change on all nodes at once instead of logging in to each one.