3 User Security on Oracle Exadata Database Machine

Increase the security of your data and system by limiting user access and developing strong password security policies.

3.1 Understanding User Accounts

Several user accounts are used to manage the components of Oracle Exadata Database Machine.

In addition to the root user, Oracle Exadata Storage Servers have two administrative users, celladmin and cellmonitor. The celladmin user runs all services on the cell. The cellmonitor user is for monitoring only; it cannot run services on the cell. Other Oracle Exadata Database Machine components have their own users for managing the component.

Note:

After Oracle Exadata Database Machine has been deployed, the installation process disables all root SSH keys and expires all user passwords as a security measure for your system. If you do not want the SSH keys disabled or the passwords expired, advise the installation engineer before the deployment.

Starting with Oracle Exadata System Software release 19.1.0, two additional users are created so that specific actions no longer run as root. The cellofl user runs query offload processes on the storage servers as a non-root user. The exawatch user collects and archives system statistics on both the database servers and the storage servers.

The following table lists the default users and passwords for the Oracle Exadata Database Machine components. All default passwords should be changed after installation of Oracle Exadata Database Machine. Refer to My Oracle Support note 1291766.1 for information about changing the default user accounts passwords.

Table 3-1 Default Users and Passwords

Columns: User name and password | User type | Component

root/welcome1 | Operating system user | Oracle Exadata Database Servers; Oracle Exadata Storage Servers; InfiniBand Network Fabric switches (systems with an InfiniBand Network Fabric); RoCE Network Fabric switches (systems with a RoCE Network Fabric); database server ILOMs; Oracle Exadata Storage Server ILOMs; InfiniBand Network Fabric switch ILOMs (systems with an InfiniBand Network Fabric)

oracle/We1come$ | Operating system user | Oracle Exadata Database Servers

grid/We1come$ | Operating system user | Oracle Exadata Database Servers
    Note: This user exists only if role separation is chosen during deployment.

celladmin/welcome | Operating system user | Oracle Exadata Storage Servers

CELLDIAG/Welcome12345 | Oracle Exadata System Software user | Oracle Exadata Storage Servers
    Note: The password of the CELLDIAG user is reset to a random password during the "Apply Security Fixes" step of Oracle Exadata Deployment Assistant (OEDA).

cellmonitor/welcome | Operating system user | Oracle Exadata Storage Servers

cellofl (release 19.1.0 and later; no logon privileges) | Operating system user | Oracle Exadata Storage Servers

dbmadmin/welcome | Operating system user | Oracle Exadata Database Servers

dbmmonitor/welcome | Operating system user | Oracle Exadata Database Servers

exawatch (release 19.1.0 and later; no logon privileges) | Operating system user | Oracle Exadata Database Servers; Oracle Exadata Storage Servers

SYS/We1come$ | Oracle Database user | Oracle Exadata Database Servers

SYSTEM/We1come$ | Oracle Database user | Oracle Exadata Database Servers

grub boot loader password: sos1Exadata | Operating system user | Oracle Exadata Database Servers; Oracle Exadata Storage Servers

nm2user/changeme | Firmware user | InfiniBand Network Fabric switches

ilom-admin/ilom-admin | ILOM user | InfiniBand Network Fabric switches

ilom-operator/ilom-operator | ILOM user | InfiniBand Network Fabric switches

admin/welcome1 | Firmware user | Ethernet switches
    Note: You should secure the enable mode password and secret values for the admin user.

admin/welcome1 | Firmware user | Power distribution units (PDUs); Keyboard, video, mouse (KVM)
    Note: The password for the admin user is adm1n if you reset the PDU to factory default settings.

MSUser (password not persisted) | ILOM user | Database server ILOMs; Oracle Exadata Storage Server ILOMs
    Note: Management Server (MS) uses this account to manage ILOM and reset it if it detects a hang. The MSUser password is not persisted anywhere: each time MS starts up, it deletes the previous MSUser account and re-creates the account with a randomly generated password. Do not modify this account; it is to be used by MS only.

3.2 Default Password Requirements

Oracle Exadata Deployment Assistant (OEDA) implements a default password policy on Oracle Exadata Database Machine.

The last step of OEDA, "Secure Oracle Exadata Database Machine", implements the following password requirements:

  • Dictionary words are not valid or accepted.
  • Character classes for passwords are uppercase letters, lowercase letters, digits, and special characters.
  • Passwords must contain characters from all four character classes. Passwords using only one, two, or three character classes are not allowed.
  • The minimum length of a password is eight characters.
  • Pass-phrases are allowed. A pass-phrase should contain at least three words, be 16 to 40 characters in length, and contain different character classes.
  • A new password cannot be similar to old passwords. There must be at least eight characters in the new password that were not present in the old password.
  • A maximum of three consecutive characters of the same value can be used in a password.
  • A maximum of four consecutive characters of the same character class can be used in a password. For example, abcde1#6B cannot be used as a password because it uses five consecutive lower case letters.
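The checker below is an added example, not part of the Oracle documentation or of OEDA, that encodes the rules listed above so you can see exactly which candidates they reject and why. Its names (check_password, char_class, longest_run, is_passphrase) are invented here; the dictionary is a constructed stand-in, and two readings of the text are assumptions: a passphrase must contain at least two character classes and is exempt from the consecutive-class rule (a single word already exceeds four consecutive lower-case letters), and "similar" is measured as the number of characters of the new password that do not occur anywhere in the old one.

```python
from typing import List, Optional

# Constructed stand-in for the dictionary that the real policy consults.
DICTIONARY = {"welcome", "password", "exadata", "oracle"}


def char_class(c: str) -> str:
    """Map a character to one of the four classes named in the policy.
    Assumption of this example: anything that is not a letter or a digit,
    including a space, counts as a special character."""
    if c.isupper():
        return "upper"
    if c.islower():
        return "lower"
    if c.isdigit():
        return "digit"
    return "special"


def longest_run(items) -> int:
    """Length of the longest run of equal adjacent items."""
    best = run = 0
    prev = object()  # sentinel that compares equal to nothing
    for item in items:
        run = run + 1 if item == prev else 1
        prev = item
        best = max(best, run)
    return best


def is_passphrase(pw: str) -> bool:
    """Passphrase rule from the policy: at least three words, 16 to 40 characters."""
    return len(pw.split()) >= 3 and 16 <= len(pw) <= 40


def check_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the policy violations for a candidate password; an empty list means accepted."""
    problems = []
    classes = {char_class(c) for c in new}

    # Dictionary words are not accepted (checked as a case-insensitive substring here).
    if any(word in new.lower() for word in DICTIONARY):
        problems.append("dictionary word")

    if is_passphrase(new):
        # "Contain different character classes" is read as at least two classes (assumption).
        if len(classes) < 2:
            problems.append("passphrase needs more than one character class")
    else:
        if len(new) < 8:
            problems.append("shorter than 8 characters")
        if len(classes) < 4:
            problems.append("needs upper, lower, digit and special characters")
        # At most four consecutive characters of the same class: abcde1#6B fails here.
        if longest_run(char_class(c) for c in new) > 4:
            problems.append("more than 4 consecutive characters of one class")

    # At most three consecutive characters of the same value.
    if longest_run(new) > 3:
        problems.append("more than 3 consecutive identical characters")

    # Similarity rule: at least eight characters of the new password must not
    # occur in the old one (assumed reading of "similar").
    if old is not None:
        old_chars = set(old)
        if sum(1 for c in new if c not in old_chars) < 8:
            problems.append("too similar to previous password")
    return problems
```

Run check_password("abcde1#6B") to reproduce the example in the last bullet: the only violation reported is the run of five lower-case letters. A password such as Tr0ub4dor&3 passes, but passes no longer when the previous password was Tr0ub4dor&4, because only one of its characters is new.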

3.3 Default Security Settings Enacted by OEDA

Oracle Exadata Deployment Assistant (OEDA) includes a step to increase hardware security on Oracle Exadata Database Machine.

The last step of OEDA, Secure Oracle Exadata Database Machine, implements the following security policies:

  • For all newly created operating system users on the database servers and storage servers, the following password-aging values are set:
    • The maximum password age is 90 days. Starting with Oracle Exadata System Software release 19.1.0, this value is reduced to 60 days.
    • The minimum time between password changes is 24 hours.
    • Users are warned seven days before their password expires.
    • All non-root users must change their password at their next login.
  • An operating system user account is temporarily locked for 10 minutes after one failed login attempt.
  • An operating system user account is locked after five failed login attempts.
  • A login session terminates after 14400 seconds without input.
  • An SSH session terminates after 7200 seconds of inactivity. With Oracle Exadata System Software release 19.1.0 or later, the SSH session terminates after 600 seconds of inactivity.
  • For the root user, SSH equivalency is removed for all database servers and Oracle Exadata Storage Servers.

  • The following permissions are set by OEDA:

    • The Automatic Diagnostic Repository (ADR) base directory, $ADR_BASE, has SUID (Set owner User ID) on the diag directory and its sub-directories.
    • The celladmin user group has read and write permissions on the $ADR_BASE.

3.4 Modifying Password Policies on the Database Servers

Operating system password policies can be modified only on the database servers.

  1. On the database server, modify the settings in the /etc/login.defs file to change the aging policies, for example:
    PASS_MAX_DAYS 90
    PASS_MIN_DAYS 1
    PASS_MIN_LEN 8
    PASS_WARN_AGE 7
    
  2. Modify the character class restrictions by changing the values of the min parameter on the pam_passwdqc line in the /etc/pam.d/system-auth file.
    The parameter takes five values, min=N0,N1,N2,N3,N4: the minimum length for passwords built from one character class (N0), from two classes (N1), for passphrases (N2), and for passwords built from three (N3) and four (N4) classes. The value disabled rejects that kind of password outright. The Exadata factory default setting is min=5,5,5,5,5, which allows passwords as short as five characters of any single class, so it effectively removes the character class restrictions. If you run the /opt/oracle.SupportTools/harden_passwords_reset_root_ssh script, the setting becomes min=disabled,disabled,16,12,8: one- and two-class passwords are rejected, passphrases must be at least 16 characters, three-class passwords at least 12, and four-class passwords at least 8.
  3. Restart the database servers.
    # shutdown -r now
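Before rebooting, it is worth confirming that the edited files say what you intend. The audit below is an added example, not an Oracle tool: it parses the aging keys from a login.defs file and the min= parameter from the pam_passwdqc line, and reports any value weaker than the defaults described in this chapter. The file contents, the function names (parse_login_defs, audit_aging, parse_passwdqc_min, audit_passwdqc) and the BASELINE table are constructed for the example; the meaning of the five min= fields is pam_passwdqc's documented semantics.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of /etc/login.defs after the edit in step 1.
LOGIN_DEFS = """\
# Password aging controls
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    8
PASS_WARN_AGE   7
UID_MIN         1000   # unrelated setting, ignored by the audit
"""

# Constructed pam_passwdqc lines from /etc/pam.d/system-auth: the factory default
# and the value set by harden_passwords_reset_root_ssh.
FACTORY_PAM_LINE = "password requisite pam_passwdqc.so min=5,5,5,5,5 max=40"
HARDENED_PAM_LINE = "password requisite pam_passwdqc.so min=disabled,disabled,16,12,8 max=40 passphrase=3"

# Aging baseline from 3.3 (90 days; use 60 for release 19.1.0 and later) plus the
# 8-character minimum from 3.2. The relation says whether a compliant value must be
# at most ("<=") or at least (">=") the baseline.
BASELINE = {
    "PASS_MAX_DAYS": (90, "<="),
    "PASS_MIN_DAYS": (1, ">="),
    "PASS_MIN_LEN": (8, ">="),
    "PASS_WARN_AGE": (7, ">="),
}

# pam_passwdqc min=N0,N1,N2,N3,N4 covers, in order, these kinds of password.
PASSWDQC_CATEGORIES = ("one class", "two classes", "passphrase", "three classes", "four classes")


def parse_login_defs(text: str) -> Dict[str, str]:
    """Parse KEY VALUE lines of login.defs, ignoring blank lines and # comments."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            values[parts[0]] = parts[1].strip()
    return values


def audit_aging(values: Dict[str, str], baseline=BASELINE) -> List[str]:
    """Report every aging setting that is missing or weaker than the baseline."""
    findings = []
    for key, (limit, relation) in baseline.items():
        if key not in values:
            findings.append(f"{key} not set")
            continue
        actual = int(values[key])
        compliant = actual <= limit if relation == "<=" else actual >= limit
        if not compliant:
            findings.append(f"{key}={actual} is weaker than baseline {relation} {limit}")
    return findings


def parse_passwdqc_min(pam_line: str) -> Dict[str, Optional[int]]:
    """Return the per-category minimum length from a pam_passwdqc min= setting.
    None means passwords of that kind are disabled."""
    match = re.search(r"\bmin=(\S+)", pam_line)
    if not match:
        raise ValueError("no min= parameter on the pam_passwdqc line")
    fields = match.group(1).split(",")
    if len(fields) != 5:
        raise ValueError("min= must carry exactly five values")
    return {cat: None if f == "disabled" else int(f)
            for cat, f in zip(PASSWDQC_CATEGORIES, fields)}


def audit_passwdqc(policy: Dict[str, Optional[int]], min_len: int = 8) -> List[str]:
    """Flag one- and two-class passwords being accepted at all, and any enabled
    category whose minimum length is below min_len."""
    findings = []
    for cat, n in policy.items():
        if n is None:
            continue
        if cat in ("one class", "two classes"):
            findings.append(f"{cat} passwords are accepted (minimum {n})")
        elif n < min_len:
            findings.append(f"{cat} minimum {n} is below {min_len}")
    return findings
```

With the factory line, audit_passwdqc reports five findings (one- and two-class passwords accepted, and every minimum below 8); with the hardened line it reports none. On a release 19.1.0 or later system, set the PASS_MAX_DAYS baseline to 60 before running audit_aging.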

See Also:

Refer to the login.defs and passwdqc.conf man pages for additional information.

3.5 Creating Oracle Exadata System Software Users and Roles

You can control which Oracle Exadata System Software commands users can run by granting privileges to roles, and granting roles to users.

For example, you can specify that a user can run the LIST GRIDDISK command but not ALTER GRIDDISK. This level of control is useful in Oracle Cloud environments, where you might want to allow full access to the system to only a few users.

3.5.1 Overview of Creating Exadata System Software Users

To set up users and roles, you execute a series of commands.

Oracle Exadata System Software users are required when running ExaCLI in on-premise or Oracle Cloud environments. ExaCLI enables you to manage cells remotely from compute nodes. When you run ExaCLI on a compute node, you need to specify a user name to use to connect to the cell node. The Management Server (MS) authenticates the user credentials, then performs authorization checks on the commands issued by the user. If the user does not have the proper privileges to run a command, MS returns an error.

Stored user password material is protected with a key derived using Password-Based Key Derivation Function 2 (PBKDF2) with HMAC-SHA1.

The high-level steps for creating users and roles for use with Oracle Exadata System Software are:

  1. Create roles using the CREATE ROLE command.
  2. Grant privileges to roles using the GRANT PRIVILEGE command.
  3. Create users using the CREATE USER command.
  4. Grant roles to users using the GRANT ROLE command.

You can also revoke privileges from roles using the REVOKE PRIVILEGE command. To revoke roles from users, use the REVOKE ROLE command.

3.5.2 Creating Roles and Getting Information about Roles

Use the CREATE ROLE command to create roles for Oracle Exadata System Software users.

For example, to create a role for administrators, you could use the following command:

CellCLI> CREATE ROLE admin

After you have created a role, you can then grant privileges to the role using the GRANT PRIVILEGE command. You can also grant the role to users, for example:

CellCLI> GRANT PRIVILEGE ALL ACTIONS ON ALL OBJECTS TO ROLE admin

CellCLI> GRANT ROLE admin TO USER username

To get detailed information about a role, use the LIST ROLE command. The following command returns all the attributes for the admin role.

CellCLI> LIST ROLE admin DETAIL
         name:                   admin
         privileges:             object=all objects, verb=all actions, attributes=all attributes, options=all options

3.5.3 Granting and Revoking Privileges

Use the GRANT PRIVILEGE command to grant privileges to roles for Oracle Exadata System Software users.

  • Grant privileges to roles using the GRANT PRIVILEGE command.
    • The following example grants all privileges to Oracle Exadata System Software users with the admin role.

      CellCLI> GRANT PRIVILEGE ALL ACTIONS ON ALL OBJECTS TO ROLE admin

    • You can also grant individual command privileges to a role.

      CellCLI> GRANT PRIVILEGE list ON griddisk TO ROLE diskmonitor

    • You can also grant all command privileges for specific objects to a role.

      CellCLI> GRANT PRIVILEGE ALL ON griddisk TO ROLE diskadmin

  • You can revoke privileges from roles using the REVOKE PRIVILEGE command.

      CellCLI> REVOKE PRIVILEGE ALL ON griddisk FROM ROLE diskadmin

3.5.4 Creating Users

Use the CREATE USER command to create Oracle Exadata System Software users.

A newly created user does not have any privileges. An Oracle Exadata System Software user is granted privileges only through the roles granted to the user.

  1. Use the CREATE USER command to create a user and assign an initial password.

    The following command creates a user called fred with password uq==A*2D$_18.

    CellCLI> CREATE USER fred PASSWORD = "uq==A*2D$_18"
  2. To grant privileges to the new user fred, use the GRANT ROLE command for a role that has already been configured.

3.5.5 Configuring Password Expiration for Users Accessing the Server Remotely

You can configure CELL attributes to expire user passwords.

In Oracle Exadata System Software release 19.1.0, there are new CELL attributes for configuring password security for users that access Oracle Exadata System Software servers remotely, such as with REST API or ExaCLI. These attributes determine if the user is able to change the password remotely, the amount of time before a user password expires, and the number of days prior to password expiration that the user receives warning messages. In the default configuration, user passwords do not expire.

Note:

The CELL attributes for password expiration apply only to users created with Oracle Exadata System Software. Password expiration applies only to users that are displayed with the LIST USER command and does not apply to operating system users like celladmin or oracle.
  • To allow the user to change the password remotely, use the ALTER CELL command to set the remotePwdChangeAllowed attribute to true.
    If you set the value to false, then the user receives a message indicating that they must contact the server administrator to have their password changed.
    CellCLI> ALTER CELL remotePwdChangeAllowed=true
  • To change the length of time before a user password expires, use the ALTER CELL command to modify the pwdExpInDays attribute.
    Set the value n to the number of days before the password expires. If pwdExpInDays is set to 0 (the default value), then the user password does not expire.
    CellCLI> ALTER CELL pwdExpInDays=n
  • To configure the length of the warning period before the password expires, use the ALTER CELL command to modify the pwdExpWarnInDays attribute.
    Set the value n to the number of days to warn the user before the password expires. The default user account password expiration warning time is 7 days.
    CellCLI> ALTER CELL pwdExpWarnInDays=n
  • To specify the length of time before a user account is locked after the user password expires, use the ALTER CELL command to modify the accountLockInDays attribute.
    Set the value n to the number of days before the user account is locked. The default user account lock time is 7 days.
    CellCLI> ALTER CELL accountLockInDays=n

3.5.6 Granting and Revoking Roles

Use the GRANT ROLE command to grant roles to Oracle Exadata System Software users.

Command privileges are granted to roles, and then the roles are granted to users. You do not grant command privileges directly to the Oracle Exadata System Software users.
  • Use the GRANT ROLE command to grant roles to users.

    The following example grants the admin role to the user fred.

    CellCLI> GRANT ROLE admin TO USER fred
    
  • You can revoke roles from users using the REVOKE ROLE command.
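To make the authorization model of sections 3.5.1 through 3.5.6 concrete, the following is an added example that mirrors what MS does with the commands shown above: roles hold (verb, object) privileges, users hold roles, a command is allowed only if some granted role carries a matching privilege, and a user's password is verified against a PBKDF2-HMAC-SHA1 derived key as section 3.5.1 states. It also evaluates the pwdExpInDays, pwdExpWarnInDays and accountLockInDays attributes from section 3.5.5. This is illustration code, not Oracle Exadata System Software: the class and function names (CellUserStore, demo, expiry_demo), the PBKDF2 iteration count, the salt length and the in-memory storage layout are assumptions of the example.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import Dict, Optional, Set, Tuple

ALL = "all"  # wildcard standing for ALL, ALL ACTIONS and ALL OBJECTS


def _norm(term: str) -> str:
    """Lower-case a verb or object name; every spelling of ALL becomes the wildcard."""
    term = term.strip().lower()
    return ALL if term == ALL or term.startswith("all ") else term


class CellUserStore:
    def __init__(self, pbkdf2_iterations: int = 100_000):
        self.roles: Dict[str, Set[Tuple[str, str]]] = {}
        self.users: Dict[str, dict] = {}
        self.iterations = pbkdf2_iterations  # assumed; the page gives no iteration count
        # CELL attributes from 3.5.5 with their defaults; 0 means passwords never expire.
        self.pwdExpInDays = 0
        self.pwdExpWarnInDays = 7
        self.accountLockInDays = 7

    def _derive(self, password: str, salt: bytes) -> bytes:
        # PBKDF2 with HMAC-SHA1, as stated for Oracle Exadata System Software users.
        return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, self.iterations)

    def create_role(self, name: str) -> None:  # CREATE ROLE name
        self.roles.setdefault(name, set())

    def grant_privilege(self, verb: str, obj: str, role: str) -> None:  # GRANT PRIVILEGE verb ON obj TO ROLE role
        self.roles[role].add((_norm(verb), _norm(obj)))

    def revoke_privilege(self, verb: str, obj: str, role: str) -> None:  # REVOKE PRIVILEGE verb ON obj FROM ROLE role
        self.roles[role].discard((_norm(verb), _norm(obj)))

    def create_user(self, name: str, password: str, today: Optional[date] = None) -> None:
        # CREATE USER name PASSWORD = "..."; the user has no privileges until a role is granted.
        salt = os.urandom(16)  # salt length is an assumption of this example
        self.users[name] = {"salt": salt, "hash": self._derive(password, salt),
                            "roles": set(), "pwd_set": today or date.today()}

    def grant_role(self, role: str, user: str) -> None:  # GRANT ROLE role TO USER user
        if role not in self.roles:
            raise KeyError(f"role {role} does not exist")
        self.users[user]["roles"].add(role)

    def revoke_role(self, role: str, user: str) -> None:  # REVOKE ROLE role FROM USER user
        self.users[user]["roles"].discard(role)

    def authenticate(self, name: str, password: str) -> bool:
        """Constant-time comparison of the derived key; MS authenticates before it authorizes."""
        user = self.users.get(name)
        if user is None:
            return False
        return hmac.compare_digest(user["hash"], self._derive(password, user["salt"]))

    def authorize(self, name: str, verb: str, obj: str) -> bool:
        """True when a role granted to the user carries a privilege matching verb and object."""
        verb, obj = _norm(verb), _norm(obj)
        return any(pv in (ALL, verb) and po in (ALL, obj)
                   for role in self.users[name]["roles"]
                   for pv, po in self.roles[role])

    def password_status(self, name: str, today: date) -> str:
        """'ok', 'warn', 'expired' or 'locked' according to the three expiration attributes."""
        if self.pwdExpInDays == 0:
            return "ok"
        expires = self.users[name]["pwd_set"] + timedelta(days=self.pwdExpInDays)
        if today >= expires + timedelta(days=self.accountLockInDays):
            return "locked"
        if today >= expires:
            return "expired"
        if today >= expires - timedelta(days=self.pwdExpWarnInDays):
            return "warn"
        return "ok"


def demo() -> Dict[str, bool]:
    """Replay this section's commands: admin and diskmonitor roles, then user fred."""
    store = CellUserStore()
    store.create_role("admin")
    store.grant_privilege("ALL ACTIONS", "ALL OBJECTS", "admin")
    store.create_role("diskmonitor")
    store.grant_privilege("list", "griddisk", "diskmonitor")
    store.create_user("fred", "uq==A*2D$_18")
    store.grant_role("diskmonitor", "fred")
    result = {
        "login_ok": store.authenticate("fred", "uq==A*2D$_18"),
        "login_bad": store.authenticate("fred", "welcome"),
        "fred_list_griddisk": store.authorize("fred", "LIST", "GRIDDISK"),
        "fred_alter_griddisk": store.authorize("fred", "ALTER", "GRIDDISK"),
    }
    store.revoke_role("diskmonitor", "fred")
    result["fred_list_after_revoke"] = store.authorize("fred", "LIST", "GRIDDISK")
    return result


def expiry_demo() -> Dict[str, str]:
    """Password lifecycle with pwdExpInDays=30 and the default warning and lock windows."""
    store = CellUserStore(pbkdf2_iterations=1000)
    store.pwdExpInDays = 30
    store.create_user("alice", "uq==A*2D$_18", today=date(2024, 1, 1))
    checks = (date(2024, 1, 20), date(2024, 1, 25), date(2024, 2, 1), date(2024, 2, 7))
    return {d.isoformat(): store.password_status("alice", d) for d in checks}
```

demo() shows the point made at the start of section 3.5: with only the diskmonitor role, fred can run LIST GRIDDISK but not ALTER GRIDDISK, and loses even LIST once the role is revoked. expiry_demo() walks one password through ok, warn, expired and locked for a password set on 1 January with a 30-day expiry.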

3.6 Security Policies for Oracle Exadata Storage Server Operating System Users

User access to the operating system can be secured by the use of secure, hardened passwords.

The passwords for operating system users who administer Oracle Exadata System Software adhere to the security guidelines enacted by Oracle Exadata Deployment Assistant (OEDA). See Default Security Settings Enacted by OEDA for more information.

3.6.1 Changing a Password

Use the operating system command passwd to change user passwords.

Operating system users are notified of the need to change their passwords 7 days before the expiration date.

  • To change a password, use the passwd command, where username is the user name for which you want to change the password.
    passwd username
    

3.6.2 Enabling the Security Policies for Operating System Users

The /opt/oracle.cellos/RESECURED_NODE file enables the security policies.

If the file does not exist, then you can reset the security policies for all operating system users by performing the following steps:

  1. Shut down the Oracle Grid Infrastructure services on all database servers.
  2. Shut down the cell services on the storage servers.
    cellcli -e alter cell shutdown services all
    
  3. Use the harden_passwords_reset_root_ssh script to reset the security policies.

    /opt/oracle.SupportTools/harden_passwords_reset_root_ssh

    Note:

    The harden_passwords_reset_root_ssh script restarts the cell.
    
  4. All operating system users must set a new password the next time they log in.

3.6.3 Viewing Failed Operating System Password Attempts

Use the pam_tally2 operating system utility to view login attempts with incorrect passwords.

  • View failed password attempts using the /sbin/pam_tally2 utility.
    # /sbin/pam_tally2
    Login           Failures Latest failure     From
    celladmin           1    09/18/18 11:17:18  dhcp-10-154-xxx-xxx.example.com
    

3.6.4 Resetting a Locked Operating System User Account

If an operating system user account has 5 failed login attempts, then the account is locked.

  • To reset an account, use the following command, where username is the name of the user that has the locked account:
    /sbin/pam_tally2 --user username --reset