User Security on Exadata Database Machine

3 User Security on Exadata Database Machine

Increase the security of your data and system by limiting user access and developing strong password security policies.

Default User Accounts for Oracle Exadata
Several user accounts regularly manage the components of Oracle Exadata.
Default Password Requirements
Oracle Exadata Deployment Assistant (OEDA) implements a default password policy on Oracle Exadata Database Machine.
Default Security Settings Enacted by OEDA
Oracle Exadata Deployment Assistant (OEDA) includes a step to increase hardware security on Exadata Database Machine.
Modifying Password Policies on the Database Servers
The password policies can be modified for only database servers.
Creating Oracle Exadata System Software Users and Roles
You can control which Oracle Exadata System Software commands users can run by granting privileges to roles, and granting roles to users.
Security Policies for Oracle Exadata Storage Server Operating System Users
User access to the operating system can be secured by the use of secure, hardened passwords.

3.1 Default User Accounts for Oracle Exadata

Several user accounts regularly manage the components of Oracle Exadata.

In addition to the root user, Oracle Exadata Storage Servers have two users, celladmin and cellmonitor. The celladmin user is used to run all services on the cell. The cellmonitor user is used for monitoring purposes. The cellmonitor user cannot run services on the cell. Other Oracle Exadata components have users for the management of the component.

Note:

After Oracle Exadata has been deployed, the installation process disables all root SSH keys and expires all user passwords as a security measure for your system. If you do not want the SSH keys disabled or the passwords expired, advise the installation engineer before the deployment.

Starting with Oracle Exadata System Software release 19.1.0, two new users are created, to improve security of specific actions. The cellofl user runs query offload processes on the storage servers as a non-root user. The exawatch user is responsible for collecting and archiving system statistics on both the database servers and the storage servers.

The following table lists the default users and passwords for the Oracle Exadata components. All default passwords should be changed after installation of Oracle Exadata. Refer to My Oracle Support note 1291766.1 for information about changing the default user accounts passwords.

Table 3-1 Default Oracle Exadata Users and Passwords

Account	Default Password	Account Type	Component(s)
`root`	`welcome1`	Operating system user	Oracle Exadata Database Servers Oracle Exadata Storage Servers RDMA Network Fabric switches Database server ILOMs Oracle Exadata Storage Server ILOMs RDMA Network Fabric ILOMs
`oracle`	`We1come$`	Operating system user	Oracle Exadata Database Servers
`grid` Note: This account exists only if role separation is chosen during deployment.	`We1come$`	Operating system user	Oracle Exadata Database Servers
`celladmin`	`welcome` Note: Commencing with the Oracle Exadata Deployment Assistant (OEDA) November 2019 release, the password of the `celladmin` user is set to a random string during deployment, which you must change on first use.	Operating system user	Oracle Exadata Storage Servers
`CELLDIAG`	`Welcome12345` Note: The password of the `CELLDIAG` user is reset to a random password during the "Apply Security Fixes" step of OEDA.	Oracle Exadata System Software user	Oracle Exadata Storage Servers
`cellmonitor`	`welcome` Note: Commencing with the OEDA November 2019 release, the password of the `cellmonitor` user is set to a random string during deployment, which you must change on first use.	Operating system user	Oracle Exadata Storage Servers
`cellofl` Note: This account has no login privileges and exists only in release 19.1.0 and later.		Operating system user	Oracle Exadata Storage Servers
`dbmadmin`	`welcome` Note: Commencing with the OEDA November 2019 release, the password of the `dbmadmin` user is set to a random string during deployment, which you must change on first use.	Operating system user	Oracle Exadata Database Servers
`dbmmonitor`	`welcome` Note: Commencing with the OEDA November 2019 release, the password of the `dbmmonitor` user is set to a random string during deployment, which you must change on first use.	Operating system user	Oracle Exadata Database Servers
`dbmsvc` Note: This account has no login privileges and exists only in release 12.1.2.1.0 and later.		Operating system user	Oracle Exadata Database Servers
`exawatch` Note: This account has no login privileges and exists only in release 19.1.0 and later.		Operating system user	Oracle Exadata Database Servers Oracle Exadata Storage Servers
`SYS`	`We1come$`	Oracle Database user	Oracle Exadata Database Servers
`SYSTEM`	`We1come$`	Oracle Database user	Oracle Exadata Database Servers
Grub boot loader	`sos1Exadata`	Operating system user	Oracle Exadata Database Servers Oracle Exadata Storage Servers
`nm2user`	`changeme`	Firmware user	InfiniBand Network Fabric switches
`ilom-admin`	`ilom-admin`	ILOM user	InfiniBand Network Fabric switches
`ilom-operator`	`ilom-operator`	ILOM user	InfiniBand Network Fabric switches
`admin`	`welcome1`	Firmware/switch administrator	RoCE Network Fabric switches
`admin`	`welcome1` Note: You should secure the `enable mode password` and `secret` values for the `admin` user.	Firmware user	Ethernet switches
`admin`	`welcome1` Note: The password for the `admin` user is `adm1n` if you reset the PDU to factory default settings.	Firmware user	Power distribution units (PDUs) Keyboard, video, mouse (KVM)
`MSUser` Note: Management Server (MS) uses this account to manage ILOM and reset it if it detects a hang. Do not modify this account. This account is to be used by MS only.	The `MSUser` password is not persisted anywhere. Each time MS starts up, it deletes the previous `MSUser` account and re-creates the account with a randomly generated password.	ILOM user	Database server ILOMs Oracle Exadata Storage Server ILOMs
`LocalMSV3user` Note: Management Server (MS) uses this account for hardware monitoring and failure handling using an automatic ILOM SNMP notification rule. Do not modify this account or the associated ILOM SNMP notification rule. This account is to be used by MS only.	The `LocalMSV3user` password is not persisted anywhere. Each time MS starts up, it deletes the previous `LocalMSV3user` account and re-creates the account with a randomly generated password.	ILOM SNMP version 3 user	Database server ILOMs Oracle Exadata Storage Server ILOMs
`rocedisc` Note: By default, this account is disabled and cannot be used to log in to the RoCE Network Fabric switch. Do not delete this account. Otherwise, verification of the switch configuration will fail.		RoCE Network Fabric switch user	RoCE Network Fabric switches

Related Topics

Parent topic: User Security on Exadata Database Machine

3.2 Default Password Requirements

Oracle Exadata Deployment Assistant (OEDA) implements a default password policy on Oracle Exadata Database Machine.

The last step of OEDA, "Secure Oracle Exadata Database Machine", implements the following password requirements:

Dictionary words are not valid or accepted.
Character classes for passwords are uppercase letters, lowercase letters, digits, and special characters.
Passwords must contain characters from all four character classes. Passwords using only one, two, or three character classes are not allowed.
The minimum length of a password is eight characters.
Pass-phrases are allowed. A pass-phrase should contain at least three words, be 16 to 40 characters in length, and contain different character classes.
A new password cannot be similar to old passwords. There must be at least eight characters in the new password that were not present in the old password.
A maximum of three consecutive characters of the same value can be used in a password.
A maximum of four consecutive characters of the same character class can be used in a password. For example, abcde1#6B cannot be used as a password because it uses five consecutive lower case letters.

Parent topic: User Security on Exadata Database Machine

3.3 Default Security Settings Enacted by OEDA

Oracle Exadata Deployment Assistant (OEDA) includes a step to increase hardware security on Exadata Database Machine.

The last step of OEDA, Secure Oracle Exadata Database Machine, implements the following security policies:

For all newly created operating system users on the database servers and storage servers, the following password-aging values are set:
- The maximum number of days for a password is 60 days. Starting with Oracle Exadata System Software release 19.1.0, this value was reduced from 90 days to 60 days.
- The minimum amount of time between password changes is 24 hours.
- The number of days of alerts before a password change is seven days.
- All non-root users must change their password at their next log in.
An operating system user account is temporarily locked for 10 minutes after one failed log in attempt.
An operating system user account is locked after five failed attempts.
A log-in session terminates after 14400 seconds of no input.
With Oracle Exadata System Software release 19.1.0 or later, SSH sessions automatically terminate after 600 seconds of inactivity. With older releases, SSH sessions automatically end after 7200 seconds of inactivity.
For the root user, SSH equivalency is removed for all database servers and Oracle Exadata Storage Servers.
The following permissions are set by OEDA:
- The Automatic Diagnostic Repository (ADR) base directory, $ADR_BASE, has SUID (Set owner User ID) on the diag directory and its sub-directories.
- The celladmin user group has read and write permissions on the $ADR_BASE.

Parent topic: User Security on Exadata Database Machine

3.4 Modifying Password Policies on the Database Servers

The password policies can be modified for only database servers.

On the database server, modify the settings in the /etc/login.defs file to change the aging policies, for example:
```
PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
PASS_MIN_LEN 8
PASS_WARN_AGE 7
```
Modify the character class restrictions by changing the values for the min parameter in the /etc/pam.d/system-auth file.
The Exadata factory default settings are 5,5,5,5,5. A setting of 5,5,5,5,5 allows passwords to be as short as five characters, and removes character class restrictions. If you run the /opt/oracle.SupportTools/harden_passwords_reset_root_ssh script, then the default settings are min=disabled,disabled,16,12,8.
Restart the database servers.
```
# shutdown -r now
```

Related Topics

Default Security Setting Enacted by OEDA

3.5 Creating Oracle Exadata System Software Users and Roles

You can control which Oracle Exadata System Software commands users can run by granting privileges to roles, and granting roles to users.

For example, you can specify that a user can run the LIST GRIDDISK command but not ALTER GRIDDISK. This level of control is useful in Oracle Cloud environments, where you might want to allow full access to the system to only a few users.

Overview of Creating Exadata System Software Users
To set up users and roles, you execute a series of commands.
Creating Roles and Getting Information about Roles
Use the CREATE ROLE command to create roles for Oracle Exadata System Software users.
Granting and Revoking Privileges
Use the GRANT PRIVILEGE command to grant privileges to roles for Oracle Exadata System Software users.
Creating Users
Use the CREATE USER command to create Oracle Exadata System Software users.
Configuring Password Expiration for Users Accessing the Server Remotely
You can configure CELL attributes to expire user passwords.
Granting and Revoking Roles
Use the GRANT ROLE command to create roles to Oracle Exadata System Software users.

Related Topics

Using the ExaCLI Utility

Parent topic: User Security on Exadata Database Machine

3.5.1 Overview of Creating Exadata System Software Users

To set up users and roles, you execute a series of commands.

Oracle Exadata System Software users are required when running ExaCLI in on-premise or Oracle Cloud environments. ExaCLI enables you to manage cells remotely from compute nodes. When you run ExaCLI on a compute node, you need to specify a user name to use to connect to the cell node. The Management Server (MS) authenticates the user credentials, then performs authorization checks on the commands issued by the user. If the user does not have the proper privileges to run a command, MS returns an error.

The password security key is encrypted using Password-Based Key Derivation Function 2 (PBKDF2) with HMAC-SHA1.

The high-level steps for creating users and roles for use with Oracle Exadata System Software are:

Create roles using the CREATE ROLE command.
Grant privileges to roles using the GRANT PRIVILEGE command.
Create users using the CREATE USER command.
Grant roles to users using the GRANT ROLE command.

You can also revoke privileges from roles using the REVOKE PRIVILEGE command. To revoke roles from users, use the REVOKE ROLE command.

Parent topic: Creating Oracle Exadata System Software Users and Roles

3.5.2 Creating Roles and Getting Information about Roles

Use the CREATE ROLE command to create roles for Oracle Exadata System Software users.

For example, to create a role for administrators, you could use the following command:

CellCLI> CREATE ROLE admin

After you have created a role, you can then grant privileges to the role using the GRANT PRIVILEGE command. You can also grant the role to users, for example:

CellCLI> GRANT PRIVILEGE ALL ACTIONS ON ALL OBJECTS TO ROLE admin

CellCLI> GRANT ROLE admin TO USER username

To get detailed information about a role, use the LIST ROLE command. The following command returns all the attributes for the admin role.

CellCLI> LIST ROLE admin DETAIL
         name:                   admin
         privileges:             object=all objects, verb=all actions, 
attributes=all attributes, options=all options

3.5.3 Granting and Revoking Privileges

Use the GRANT PRIVILEGE command to grant privileges to roles for Oracle Exadata System Software users.

Grant privileges to roles using the GRANT PRIVILEGE command.
- The following example grants all privileges to Oracle Exadata System Software users with the admin role.
```
CellCLI> GRANT PRIVILEGE ALL ACTIONS ON ALL OBJECTS TO ROLE admin
```
- You can also grant individual command privileges to a role.
```
CellCLI> GRANT PRIVILEGE list ON griddisk TO ROLE diskmonitor

CellCLI> GRANT PRIVILEGE list ON griddisk TO ROLE diskmonitor
```
- You can also grant all command privileges for specific objects to a role.
```
GRANT PRIVILEGE ALL ON griddisk TO ROLE diskadmin
```
You can revoke privileges from roles using the REVOKE PRIVILEGE command.
```
CellCLI> REVOKE PRIVILEGE ALL ON griddisk FROM ROLE diskadmin
```

3.5.4 Creating Users

Use the CREATE USER command to create Oracle Exadata System Software users.

A newly created user does not have any privileges. The Oracle Exadata System Software user is granted privileges through roles granted to the user.

Use the CREATE USER command to create a user and assign an initial password.
The following command creates a user called fred with password uq==A*2D$_18.
```
CellCLI> CREATE USER fred PASSWORD = "uq==A*2D$_18"
```
To grant privileges to the new user fred, use the GRANT ROLE command for a role that has already been configured.

3.5.5 Configuring Password Expiration for Users Accessing the Server Remotely

You can configure CELL attributes to expire user passwords.

In Oracle Exadata System Software release 19.1.0, there are new CELL attributes for configuring password security for users that access Oracle Exadata System Software servers remotely, such as with REST API or ExaCLI. These attributes determine if the user is able to change the password remotely, the amount of time before a user password expires, and the number of days prior to password expiration that the user receives warning messages. In the default configuration, user passwords do not expire.

Note:

The CELL attributes for password expiration apply only to users created with Oracle Exadata System Software. Password expiration applies only to users that are displayed with the LIST USER command and does not apply to operating system users like celladmin or oracle.

To allow the user to change the password remotely, use the ALTER CELL command to set the remotePwdChangeAllowed attribute to true.
If you set the value to false, then the user receives a message indicating that they must contact the server administrator to have their password changed.
```
CellCLI> ALTER CELL remotePwdChangeAllowed=true
```
To change the length of time before a user password expires, use the ALTER CELL command to modify the pwdExpInDays attribute.
Set the value n to the number of days before the password expires. If pwdExpInDays is set to 0 (the default value), then the user password does not expire.
```
CellCLI> ALTER CELL pwdExpInDays=n
```
To configure the length of the warning period before the password expires, use the ALTER CELL command to modify the pwdExpWarnInDays attribute.
Set the value n to the number of days to warn the user before the password expires. The default user account password expiration warning time is 7 days.
```
CellCLI> ALTER CELL pwdExpWarnInDays=n
```
To specify the length of time before a user account is locked after the user password expires, use the ALTER CELL command to modify the accountLockInDays attribute.
Set the value n to the number of days before the user account is locked. The default user account lock time is 7 days.
```
CellCLI> ALTER CELL accountLockInDays=n
```

Parent topic: Creating Oracle Exadata System Software Users and Roles

3.5.6 Granting and Revoking Roles

Use the GRANT ROLE command to create roles to Oracle Exadata System Software users.

Command privileges are granted to roles, and then the roles are granted to users. You do not grant command privileges directly to the Oracle Exadata System Software users.

Use the GRANT ROLE command to grant roles to users.
The following example grants the admin role to the user fred.
```
CellCLI> GRANT ROLE admin TO USER fred
```
You can revoke roles from users using the REVOKE ROLE command.

3.6 Security Policies for Oracle Exadata Storage Server Operating System Users

User access to the operating system can be secured by the use of secure, hardened passwords.

The passwords for operating system users who administer Oracle Exadata System Software adhere to the security guidelines enacted by Oracle Exadata Deployment Assistant (OEDA). See Default Security Setting Enacted by OEDA for more information.

Changing a Password
Use the operating system command passwd to change user passwords.
Enabling the Security Policies for Operating System Users
The /opt/oracle.cellos/RESECURED_NODE file enables the security policies.
Viewing Failed Operating System Password Attempts
Use the pam_tally2 operating system utility to view log in attempts with incorrect passwords.
Resetting a Locked Operating System User Account
If an operating system user account has 5 failed log in attempts, then the account is locked.

Parent topic: User Security on Exadata Database Machine

3.6.1 Changing a Password

Use the operating system command passwd to change user passwords.

Operating system users are notified of the need to change their passwords 7 days before the expiration date.

To change a password, use the passwd command, where username is the user name for which you want to change the password.
```
passwd username
```

Parent topic: Security Policies for Oracle Exadata Storage Server Operating System Users

3.6.2 Enabling the Security Policies for Operating System Users

The /opt/oracle.cellos/RESECURED_NODE file enables the security policies.

If the file does not exist, then you can reset the security policies for all operating system users by performing the following steps:

Shut down the Oracle Grid Infrastructure services on all database servers.
Shut down the cell services on the storage servers.
```
cellcli -e alter cell shutdown services all
```
Use the harden_passwords_reset_root_ssh script to reset the security policies.
Note:
The harden_passwords_reset_root_ssh script restarts the cell.
```
/opt/oracle.SupportTools/harden_passwords_reset_root_ssh
```
All operating system users must set a new password the next time they log in.

Parent topic: Security Policies for Oracle Exadata Storage Server Operating System Users

3.6.3 Viewing Failed Operating System Password Attempts

Use the pam_tally2 operating system utility to view log in attempts with incorrect passwords.

View failed password attempts using the /sbin/pam_tally2 utility.

# /sbin/pam_tally2
Login           Failures Latest failure     From
celladmin           1    09/18/18 11:17:18  dhcp-10-154-xxx-xxx.example.com

Parent topic: Security Policies for Oracle Exadata Storage Server Operating System Users

3.6.4 Resetting a Locked Operating System User Account

If an operating system user account has 5 failed log in attempts, then the account is locked.

To reset an account, use the following command, where username is the name of the user that has the locked account:
```
/sbin/pam_tally2 --user username --reset
```

Parent topic: Security Policies for Oracle Exadata Storage Server Operating System Users