6 Other Optional Configurations

The features explained in this section do not provide a GUI. The following features require the administrator to issue the Linux commands provided in the instructions.

6.1 Authentication for Single User Mode

This section describes the procedure to require authentication for single user mode.

Perform the following steps for each and every server in the topology:
  1. Log in as admusr on the server.
    login: admusr
    Password: <current admin user password>
  2. Run the following commands to check out the file init and grep for the SINGLE variable in the file:
    $ sudo rcstool co /etc/sysconfig/init
    $ grep ^SINGLE /etc/sysconfig/init
    
  3. If no result is returned, run the following command:
    $ echo "SINGLE=/sbin/sulogin" | sudo tee -a /etc/sysconfig/init

    If some result is returned after performing Step 2, then run the following command:

    $ sudo sed -i "s/SINGLE.*/SINGLE=\/sbin\/sulogin/g" /etc/sysconfig/init
  4. Run the following command to check in the file init:
    $ sudo rcstool ci /etc/sysconfig/init
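The check-and-set logic of steps 2 and 3 can be rehearsed on a copy of the file before it is applied to /etc/sysconfig/init. The shell functions below are an added example and are not part of the original procedure; the file path is a parameter (an assumption made here) so the same logic runs against a constructed temporary copy, and the demonstration at the bottom uses such a copy rather than the live file.

```sh
#!/bin/sh
# Added example: enforce SINGLE=/sbin/sulogin in an /etc/sysconfig/init style file.
# FILE is a parameter (assumption) so the logic can be tried on a temporary copy.

# Set SINGLE=/sbin/sulogin, replacing an existing SINGLE= line or appending one.
# Safe to run repeatedly: the file ends up with exactly one SINGLE= line.
set_sulogin() {
    file="$1"
    if grep -q '^SINGLE=' "$file"; then
        # Same substitution as the procedure, anchored at line start so a
        # commented-out "#SINGLE=..." line is left alone.
        sed -i 's/^SINGLE.*/SINGLE=\/sbin\/sulogin/' "$file"
    else
        # The >> redirection is performed by the calling shell, not by sudo,
        # so on the real file this step must run as root or via sudo tee -a.
        printf 'SINGLE=/sbin/sulogin\n' >> "$file"
    fi
}

# Return 0 when single user mode requires authentication, 1 otherwise.
check_sulogin() {
    grep -qx 'SINGLE=/sbin/sulogin' "$1"
}

# Print the number of active SINGLE= lines (1 after a successful set_sulogin).
count_single() {
    grep -c '^SINGLE=' "$1" || true
}

# Demonstration on a constructed copy (not the live system file).
demo=$(mktemp)
printf 'BOOTUP=color\nSINGLE=/sbin/sushell\n' > "$demo"
set_sulogin "$demo"
if check_sulogin "$demo"; then
    echo "single user mode now requires authentication ($(count_single "$demo") SINGLE= line)"
fi
rm -f "$demo"
```

On the real server the functions would be called with /etc/sysconfig/init as the argument from a root shell, between the rcstool co and rcstool ci steps, and check_sulogin serves as the verification that the procedure itself does not include.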

6.2 Changing OS User Account Default Passwords

This section describes the procedure to change the default passwords of the OS accounts that still use them.

Perform the following steps to change the default passwords:
  1. Log in as admusr on the server.
    login: admusr
    Password: <current admin user password>
  2. Run the following command to change the passwords for each of the accounts being changed:
    $ sudo passwd <user account>
    Changing password for user <user account>.
    New UNIX password: <new password - will not display>
    Retype new UNIX password: <new password - will not display>
    passwd: all authentication tokens updated successfully.
    
  3. Repeat steps 1 and 2 for all servers.

6.3 Changing Login Display Message

This section describes the procedure to change the login display message.

Perform the following steps to change the login display message:
  1. Log in as admusr on the server.
    login: admusr
    Password: <current admin user password>
  2. Run the following commands to create a backup copy of sshd_config:
    $ cd /etc/ssh
    $ sudo cp sshd_config sshd_config.bak
  3. Perform the following steps to edit the sshd configuration file:
    1. Edit the sshd configuration file.
      $ sudo rcstool co sshd_config
      $ sudo vi sshd_config
    2. Uncomment the Banner /some/path line and change it to Banner /etc/ssh/sshd-banner.
    3. Save and exit the vi session.
  4. Perform the following steps to edit the banner file.
    1. Edit the banner file.
      $ sudo vi sshd-banner
    2. Add and format the desired text.
    3. Save and exit the vi session.
  5. Run the following command to restart the sshd service:
    $ sudo service sshd restart
  6. Perform the following steps to verify the changes:
    1. Test the change. Repeat steps 4 and 5 until the message is formatted correctly.
      $ sudo ssh <current server name>
    2. Verify message line feeds are formatted correctly.
      $ exit
  7. Run the following command to check the files into rcs to preserve changes during upgrades:
    $ sudo rcstool init /etc/ssh/sshd-banner
    $ sudo rcstool ci sshd_config
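Steps 3, 4 and 6 (pointing sshd at the banner file and checking that the message displays cleanly) can be scripted and verified rather than iterated by hand. The functions below are an added example, not part of the original procedure; the configuration and banner paths are parameters (an assumption) so they can be run against constructed copies before touching /etc/ssh/sshd_config.

```sh
#!/bin/sh
# Added example: point sshd at a banner file and sanity-check the banner text.
# Paths are parameters (assumption) so this runs against constructed copies,
# not the live /etc/ssh/sshd_config.

# Uncomment/replace any existing Banner line, or append one if none exists.
set_sshd_banner() {
    cfg="$1"; banner="$2"
    if grep -q '^#*[[:space:]]*Banner[[:space:]]' "$cfg"; then
        sed -i "s|^#*[[:space:]]*Banner[[:space:]].*|Banner $banner|" "$cfg"
    else
        printf 'Banner %s\n' "$banner" >> "$cfg"
    fi
}

# Print the banner path sshd will use (empty if there is no active Banner line).
active_banner() {
    awk '$1 == "Banner" {print $2}' "$1"
}

# Return 0 if the banner text will display cleanly: non-empty, LF-only line
# endings (stray CRs show up as ^M on clients), and a final newline so the
# login prompt starts on its own line. This is the check step 6 does by eye.
check_banner_file() {
    f="$1"
    [ -s "$f" ] || return 1
    if grep -q "$(printf '\r')" "$f"; then return 1; fi
    [ -z "$(tail -c 1 "$f")" ] || return 1
    return 0
}

# Demonstration on constructed copies (not the live files).
cfg=$(mktemp); ban=$(mktemp)
printf 'Port 22\n#Banner none\n' > "$cfg"
printf 'Authorized use only. Activity is monitored.\n' > "$ban"
set_sshd_banner "$cfg" /etc/ssh/sshd-banner
echo "sshd will show: $(active_banner "$cfg")"
if check_banner_file "$ban"; then echo "banner text is well formed"; fi
rm -f "$cfg" "$ban"
```

On the server, run set_sshd_banner against /etc/ssh/sshd_config from a root shell, run check_banner_file against /etc/ssh/sshd-banner after editing it, and only then restart sshd (step 5); the ssh login test of step 6 remains the final confirmation.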

6.4 Forcing iLO to Use Strong Encryption

This section describes the procedure for an administrator to force iLO to use strong encryption.

Log in as an administrator to the iLO and perform the following steps:
  1. On the Administration menu, click Security.

    Figure 6-1 iLO Security Menu

  2. Select Encryption tab, and under Encryption Enforcement Settings, set the Enforce AES/3DES Encryption to Enabled.

    Figure 6-2 iLO Security Encryption Settings

  3. Click Apply.
  4. Log out and wait 30 seconds before logging back in.

6.5 Setting Up rsyslog for External Logging

This section describes the procedure to set up rsyslog for external logging to a central server from NOAMs and SOAMs.

Perform the following steps to set up rsyslog for external logging to a central server from NOAMs and SOAMs:
  1. Log in as admusr on the source server.
    login: admusr
    Password: <current admin user password>
  2. Run the following command to enable remote logging:
    $ sudo syslog_config --remote=<IP of remote host to log to>
  3. Repeat the steps on all necessary NOAMs and SOAMs.

    Note:

    The following restrictions exist:
    • Only OS level log events are forwarded, such as /var/log/messages and /var/log/secure content.
    • Application level logging is not included and should be accessed through the Main Menu -> Administration -> Remote Servers -> Data Export GUI screen.
    • Remote logging is over a non-secure communication channel that is not encrypted.

6.6 Adding sudo Users

This section describes how new OS users can perform privileged operations through configuration of the "sudo" capability.

The “sudo” configuration supports very granular authorization to an individual OS user for certain desired commands.

Perform the following procedure for the admusr to enter a password in order to run the commands using sudo access:
  1. Log in as admusr on the source server.
    login: admusr
    Password: <current admin user password>
  2. Run the following command to check out the plat.admusr.sudo file:
    $ sudo rcstool co /usr/TKLC/plat/etc/sudoers.d/plat.admusr.sudo
  3. Run the following command to suppress the NOPASSWD line:
    $ sudo sed -i '/^%admgrp ALL = NOPASSWD: ALL$/ s/^/#/' \
    /usr/TKLC/plat/etc/sudoers.d/plat.admusr.sudo
    
  4. Run the following command to check in the plat.admusr.sudo file:
    $ sudo rcstool ci /usr/TKLC/plat/etc/sudoers.d/plat.admusr.sudo "require password"

After making this change, all activities through sudo by the admusr require the admusr password. Existing documentation does not and will not indicate this.

The sudo configuration file is constructed from piece parts; the syntax is complex, and editing mistakes could leave a system without the required access. For this reason, details of the configuration rules are available through Oracle Help Center (OHC) or by opening a ticket with My Oracle Support.
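Because an editing mistake in this file can leave admusr without sudo access, the substitution of step 3 is worth rehearsing on a copy and checking afterwards. The functions below are an added example and not part of the procedure or the product; the fragment path is a parameter (an assumption), and the admgrp rules in the demonstration are constructed, not the real contents of plat.admusr.sudo.

```sh
#!/bin/sh
# Added example: comment out the passwordless admgrp rule in a sudoers fragment
# and confirm the group is still granted access afterwards. The fragment path is
# a parameter (assumption) so this can be rehearsed on a constructed copy of
# plat.admusr.sudo between the rcstool co and rcstool ci steps.

# Same substitution as step 3: prefix the exact NOPASSWD line with '#'.
require_sudo_password() {
    sed -i '/^%admgrp ALL = NOPASSWD: ALL$/ s/^/#/' "$1"
}

# Return 0 when no active (uncommented) NOPASSWD rule remains for admgrp.
nopasswd_disabled() {
    ! grep -q '^%admgrp[[:space:]].*NOPASSWD' "$1"
}

# Return 0 when some active rule still grants admgrp sudo access. If this
# fails after the edit, the fragment would leave admusr without sudo.
admgrp_rule_present() {
    grep -q '^%admgrp[[:space:]]' "$1"
}

# Parse-check the fragment with visudo when it is installed; otherwise skip.
sudoers_syntax_ok() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" >/dev/null 2>&1
    else
        return 0
    fi
}

# Constructed fragment (not the real plat.admusr.sudo content): a password
# rule plus the passwordless rule that the procedure removes.
demo=$(mktemp)
printf '%%admgrp ALL = (ALL) ALL\n%%admgrp ALL = NOPASSWD: ALL\n' > "$demo"
require_sudo_password "$demo"
if nopasswd_disabled "$demo" && admgrp_rule_present "$demo"; then
    echo "admgrp now needs a password and still has sudo access"
else
    echo "WARNING: edit would remove admgrp sudo access; do not check in"
fi
rm -f "$demo"
```

The second check matters more than the first: if the fragment on a given server contains only the NOPASSWD rule, commenting it out removes admgrp's access entirely, which is exactly the outcome the paragraph above warns about. Keep an open root session until admgrp_rule_present (and, where visudo exists, sudoers_syntax_ok) pass on the real file.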

6.7 Reporting and Disabling Expired OS User Accounts

This section describes the procedure to report and disable expired user accounts.

Perform the following steps to report and disable expired user accounts:
  1. Log in as admusr on the source server.
    login: admusr
    Password: <current admin user password>
  2. Run the following command to run the report of expired users:
    $ sudo lastlog -b <N>

    Note:

    This command displays the users who have not logged in for more than N days. It also shows users who have never logged in. To filter those users out of the display, use the following command:
    $ sudo lastlog -b <N> | grep -v Never
  3. Run the following command to disable the user accounts identified by the lastlog report:
    $ sudo passwd -l <user acct>

    Note:

    Repeat this step for each user account you want to disable.
  4. Run the following command to re-enable an account:
    $ sudo passwd -u <user acct>

    Note:

    Repeat this step for each user account you want to re-enable.
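Steps 2 and 3 can be chained so the lastlog report feeds the passwd -l commands directly, with a dry run before anything is locked. The script below is an added example, not part of the procedure; the report text in it is constructed in the layout lastlog prints (on a server the input would be the output of sudo lastlog -b <N>), and the exclusion of admusr is an assumption made here so the account used to run the procedure is never locked out.

```sh
#!/bin/sh
# Added example: turn a lastlog -b N report into a list of accounts to lock.
# The report below is constructed for the demonstration; on a server the input
# would be "sudo lastlog -b <N>". Excluding admusr is an assumption so the
# account running the procedure cannot lock itself out.

# Read lastlog output on stdin; print one username per line, dropping the
# header, the "**Never logged in**" entries (as grep -v Never does in the
# procedure note), and any account named in the space-separated $1.
stale_users() {
    excl="${1-admusr}"
    awk -v excl="$excl" '
        BEGIN { n = split(excl, e, " "); for (i = 1; i <= n; i++) skip[e[i]] = 1 }
        NR == 1 { next }                 # header line
        /Never logged in/ { next }       # accounts with no login record
        !($1 in skip) { print $1 }
    '
}

# Lock each account named on stdin. $1 is the command to run per account;
# it defaults to the procedure's "sudo passwd -l", and "echo passwd -l"
# gives a dry run that only prints what would happen.
lock_accounts() {
    cmd="${1:-sudo passwd -l}"
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        $cmd "$user"
    done
}

# Constructed report in the layout lastlog prints (not real server data).
SAMPLE_REPORT='Username         Port     From             Latest
admusr           pts/0    10.0.0.5         Mon Jan  8 09:12:01 +0000 2024
backupop                                   **Never logged in**
auditor          pts/1    10.0.0.7         Tue Nov 14 17:45:10 +0000 2023
opsuser          tty1                      Fri Oct 20 08:00:43 +0000 2023'

# Dry run: show what would be locked without changing any account.
printf '%s\n' "$SAMPLE_REPORT" | stale_users | lock_accounts "echo would run: passwd -l"
```

On a server the pipeline becomes sudo lastlog -b <N> | stale_users | lock_accounts, run first with the echo dry run and then without it; re-enabling an account locked by mistake is step 4's sudo passwd -u.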