3.7 Enhanced Default Security Settings for Storage Server Operating System Users

Enhanced default security measures prevent storage server OS users from performing unnecessary and potentially damaging OS commands, either accidentally or maliciously.

Starting with Oracle Exadata System Software release 26.1.0, the Exadata storage server built-in operating system (OS) user accounts, celladmin and cellmonitor, are restricted to only run specific Cell Command Line Interface (CellCLI) and Exascale Command Line Interface (ESCLI) commands, along with a limited set of read-only Linux OS commands.

Additionally, for Exascale environments, each OS user now uses a separate Exascale keystore (wallet) with appropriate corresponding credentials. By default, the wallet associated with celladmin provides Exascale administrator privileges, while the cellmonitor wallet provides read-only access to Exascale objects and metadata.

These changes limit the ability to perform malicious operations using the celladmin and cellmonitor accounts if their credentials are compromised. They also reduce the possibility of accidental damage through mistakes by legitimate users.

All of these changes are configured and enabled by default on newly deployed systems using Oracle Exadata System Software release 26.1.0 or later. On systems updated from an earlier release, you must create the cellmonitor Exascale wallet. On each storage server, the wallet must be located at /opt/oracle/cell/cellsrv/deploy/config/cellmonitor_wallet and must be linked to an Exascale user account with the cl_monitor privilege.