Oracle® ILOM Security Guide For Firmware Releases 3.x and 4.x

Updated: May 2019

Protect Against Host Serial Console Shared Access

The host console for most operating systems is also available using a text-based, serial console. This console is available by running the start /HOST/console command at the command-line of the Oracle ILOM CLI. Similar to the graphical console, there is only a single serial console available to all Oracle ILOM users. Therefore, it is considered a shared resource. If one user logs in to the host operating system from the serial console and then terminates the console redirection without logging out, a second user of the serial console could access the previously authenticated operating system session.

Oracle ILOM sends a Data Transfer Request (DTR) signal to the host operating system when a console redirection session is terminated. Many operating systems automatically log out a user when this signal is received. However, not all operating systems have support for this feature:

  • Oracle Linux 5 has DTR signal support that works by default.

  • Oracle Linux 6 has DTR support, but it must be enabled manually.

  • Oracle Solaris has no support for the DTR signal. To reduce security risk, users can configure a session time-out in the host operating system.

For guidelines on protecting against authenticated operating system sessions that are left open after a host serial redirection session is terminated, see the following:

  • Determine if the DTR signal feature in the host operating system is supported, and if it is, ensure that this feature is enabled by default.

    For information about the DTR signal, refer to the user documentation for your host operating system.

  • Configure a session time-out interval in the host operating system.

    For information about how to set a session time-out interval in the host operating system, refer to the user documentation for your host operating system.

  • Implement a security policy to ensure that users never leave a remote serial host console unattended. Users should always log out of all remote host console sessions when the sessions are not in use.
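As an added example, not part of the Oracle guide, the following audit script checks a Linux host for the two host-side mitigations listed above: an idle time-out (a read-only bash TMOUT) and a serial line that honours carrier loss (stty shows -clocal), which is what allows the host to hang up the session when Oracle ILOM signals that console redirection has ended. The device path, profile file path and sample inputs are assumptions.

```shell
#!/bin/sh
# Added audit helpers, not from the Oracle ILOM guide. Checks a Linux host for
# the two host-side mitigations: an idle time-out and a serial line that hangs
# up on carrier loss. Paths below are assumptions for a typical Linux host.
SERIAL_DEV="${SERIAL_DEV:-/dev/ttyS0}"          # assumed host console line
PROFILE_FILE="${PROFILE_FILE:-/etc/profile.d/tmout.sh}"   # assumed profile file

# Return 0 if the profile text sets a non-zero TMOUT and marks it read-only.
# A plain "TMOUT=900" can be unset by the user; "readonly" prevents that.
tmout_configured() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*(readonly[[:space:]]+|export[[:space:]]+)?TMOUT=[1-9][0-9]*' &&
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*readonly[[:space:]]+TMOUT'
}

# Return 0 if "stty -a" output shows -clocal: the tty honours modem control,
# so a carrier drop raises SIGHUP and the login session is torn down.
# "clocal" (no dash) means the line ignores carrier and the session survives.
line_honours_carrier() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])-clocal([[:space:]]|$)'
}

# Run both checks against the live host; exit status 1 if either fails.
audit_host() {
    rc=0
    if [ -r "$PROFILE_FILE" ] && tmout_configured "$(cat "$PROFILE_FILE")"; then
        echo "OK   idle time-out: read-only TMOUT set in $PROFILE_FILE"
    else
        echo "WARN idle time-out: no read-only, non-zero TMOUT in $PROFILE_FILE"; rc=1
    fi
    if [ -c "$SERIAL_DEV" ] && line_honours_carrier "$(stty -F "$SERIAL_DEV" -a 2>/dev/null)"; then
        echo "OK   $SERIAL_DEV: -clocal, carrier loss hangs up the session"
    else
        echo "WARN $SERIAL_DEV: clocal set or device missing; carrier loss will not log out"; rc=1
    fi
    return $rc
}

# Constructed sample inputs so the checks can be exercised offline.
SAMPLE_PROFILE='readonly TMOUT=900
export TMOUT'
SAMPLE_PROFILE_WEAK='TMOUT=900
export TMOUT'
SAMPLE_STTY_OK='speed 9600 baud; line = 0;
-parenb -parodd cs8 hupcl -cstopb cread -clocal -crtscts'
SAMPLE_STTY_BAD='speed 9600 baud; line = 0;
-parenb -parodd cs8 hupcl -cstopb cread clocal -crtscts'

# Invoke as "sh audit.sh audit" to check the live host.
case "${1:-}" in audit) audit_host ;; esac
```

Oracle Solaris has no DTR handling to check, so on that platform only the time-out part of the audit applies.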