Exadata & host_access_control

Although we have quite wide Oracle Linux stack I had not come across with pam_tally2 before we got Exadata. If you haven’t read about it it’s module which takes care of failed logins and locks account after certain number of tries.

Every now and then specially after changing the password every three months we ran into issue that the account got locked because somebody tried to login with old password.

If the account gets locked you can see current state by running:

[root@exa1dbadm01] pam_tally2 --user=oracle
Login Failures Latest failure From
oracle 5    02/03/2017 09:17:01 192.168.1.250

And to reset the account you just run:

[root@exa1dbadm01]# pam_tally2 --user=oracle --reset

At the UKOUG Tech’16 Andy Colvin mentioned this on his presentation and showed there is script called host_access_control in Exadata which handles security settings:

[root@ex1dbadm01 ~]# /opt/oracle.cellos/host_access_control
Usage: [-q|--quiet] command [argument]
 command is one of:
 access - User access from hosts, networks, etc.
 access-ilomweb - Control overall access from the ILOM Web Remote Console device 
(tty1)
 access-export - Export access rules to a file
 access-import - Import access rules via a supplied file
 audit-rules - Import audit rules via a supplied file
 banner - Login banner management
 fips-mode - FIPS mode for openSSH
 grub-password - GRUB password control
 idle-timeout - Shell and SSH client idle timeout control
 ilom-configure - ILOM settings control
 ilom-password - ILOM root user password control
 kernel-dump - kdump (kernel dump file creation) control
 maint-password - Diagnostic ISO shell and Rescue password control
 pam-auth - PAM authentication settings: pam_tally2 deny and lock_time, passwdqc, 
 and password history values
 password-aging - Adjust current users' password aging
 password-policy - Adjust the system's password age policies
 rootssh - Root user SSH access control
 sshciphers - SSH cipher support control
 ssh-service - Control the SSH service and active connections
 sudo - User privilege control through sudo
 sudodeny - Manage the Exadata sudo users deny list
 get-runtime - Maintenance command: import system configuration settings, 
 storing them in host_access_control parameter settings files.
 restore - Maintenance command: reapply settings previously set by this utility, 
 as in after an upgrade
 (command help by using --help after command (no help with restore command))
 The optional -q|--quiet option is used for silent/noprompting for use with 
 cellcli and must be the first arg.

So you can actually manage quite lot of different things with this script. Two things I want to do now is to remove pam_tally2 lock time after failed attempt and change password aging from 90 days to 180 days.

[root@exa1dbadm01 ~]# /opt/oracle.cellos/host_access_control pam-auth -l 0
[2017-02-03 09:25:05 +0100] [INFO] [IMG-SEC-0806] Account lock_time after one 
failed login attempt set to 0

And now to change the password aging I can use password-aging parameter.

[root@exa1dbadm01 ~]# /opt/oracle.cellos/host_access_control password-aging -s

user: oracle
================================================================
Minimum number of days between password change : 1
Maximum number of days between password change : 90
Number of days of warning before password expires : 7


[root@exa1dbadm01 ~]# /opt/oracle.cellos/host_access_control password-aging -u oracle -M 180
[2017-02-03 10:04:22 +0100] [INFO] [IMG-SEC-0F02] Password aging applied, [ -M 180, -m None, -W None ] for oracle)
[root@exa1dbadm01 ~]# /opt/oracle.cellos/host_access_control password-aging -s
[2017-02-03 10:04:27 +0100] [INFO] [IMG-SEC-0F01] Password aging settings:


user: oracle
================================================================
Minimum number of days between password change : 1
Maximum number of days between password change : 180
Number of days of warning before password expires : 7

All changed now!

If you want to do this quickly then just use dcli to do change on all nodes.