Go to main content

Oracle® ILOM Security Guide For Firmware Releases 3.x and 4.x

Exit Print View

Updated: May 2019
 
 

Avoid Unauthenticated Host KCS Device Access

Oracle servers supports a standard, low-speed connection between the host and Oracle ILOM called a Keyboard Controller Style (KCS) interface. This supported KCS interface is fully compliant with the Intelligent Platform Management Interface (IPMI) and likewise cannot be disabled.

While KCS device access might be a convenient way to configure Oracle ILOM from the host, this type of access can also presents security risks since any operating system user who has kernel or driver access to the physical KCS device can modify the Oracle ILOM settings without authentication. Typically, only root or Administrator users can access the KCS device. However, it is possible to configure most operating systems to provide wider access to the KCS device.

For instance, an operating system user with KCS access can do the following:

  • Add or create Oracle ILOM users.

  • Change user passwords.

  • Access the Oracle ILOM CLI as an ILOM Administrator.

  • Access logs and hardware information.

Typically, the device is called /dev/kcs0 or /dev/bmc on Linux or Oracle Solaris and ipmidrv.sys or imbdrv.sys on Microsoft Windows. Access to this device, also referred to as a Baseboard Management Controller (BMC) driver or an IPMI driver, must be carefully controlled using the appropriate access control mechanisms that are part of the host operating system.

As an alternative to using the host IPMI KCS device to configure Oracle ILOM settings, consider using the Oracle ILOM Interconnect interface. For further details, see Preferred Authenticated Host Interconnect Access.

For additional information on how to control or protect access to hardware devices such as the KCS device, see the documentation provided with the host operating system.