1. Administrative Security Guide
  2. Access
  3. Login Policy

Login Policy

The Login Policy controls concurrent system access to a specified number of users, sets the maximum number of unsuccessful login attempts, specifies the response to login failure, and specifies the login mode (single-factor or two-factor).

Note:

If user authentication fails or a user is locked out of the system, the OCSBC will not display the reason why the login failed.

The single instance login-config configuration element defines login policy.

  1. From admin mode, use the following command path to access the login-config configuration element: 
    ORACLE# configure terminal
ORACLE(configure)# security 
ORACLE(security)# admin-security
ORACLE(admin-security)# login-config
ORACLE(login-config)#

    login-config configuration element properties are shown below with their default values 

    concurrent-session-limit         2
max-login-attempts               3
login-attempt-interval           4
lockout-interval                 60
send-alarm                       enabled
login-auth-mode                  single-factor
enable-login-banner              enabled
  2. concurrent-session-limit—specifies the maximum number of simultaneous connections allowed per user name

    Allowable values are integers within the range 1 through 10, with a default of 2 (simultaneous connections).

    Retain the default value, or specify a new connection limit. 

    ORACLE(login-config)# concurrent-session limit 4
ORACLE(login-config)#
  3. max-login-attempts—specifies the number of consecutive unsuccessful login attempts that trigger disconnection of a console, SSH, or SFTP session.

    Allowable values are integers within the range 2 through 100, with a default of 3 (sessions).

    Retain the default value, or specify a new threshold value. 

    ORACLE(login-config)# max-login-attempts 5
ORACLE(login-config)#
  4. login-attempt-interval—specifies an idle interval in seconds imposed after an unsuccessful login attempt.

    Allowable values are integers within the range 4 through 60, with a default value of 4 seconds.

    Retain the default value, or specify a new login interval. 

    ORACLE(login-config)# login-attempt-interval 6
ORACLE(login-config)#
  5. lockout-interval—specifies the number of seconds that logins from an interface are not allowed after the max-login-attempts threshold has been reached
    Allowable values are integers within the range of 15 through 300. The default value is 60 seconds.

    Note:

    The minimum lockout-interval is 15 when the JITC feature is enabled, but remains 30 when only the Admin Security feature is provisioned.

    Retain the default value, or specify a new lockout interval. 

    ORACLE(login-config)# lockout-interval 30
ORACLE(login-config)#
  6. send-alarm—enables the generation and transmission of alarms in the event of an interface lockout

    Allowable values are enabled (the default) or disabled.

    Retain the default value, or select disabled to squelch alarm generation. 

    ORACLE(login-config)# send-alarm disabled
ORACLE(login-config)#
  7. login-auth-mode—specifies the local login authentication mode

    Allowable values are single-factor (the default) or two-factor.

    single-factor authentication requires the service requester to present a single authentication credential, a password.

    two-factor authentication requires the service requester to present two authentication credentials, a password and a passcode.

    Retain the default value, or specify two-factor authentication. 

    ORACLE(login-config)# login-auth-mode two-factor
ORACLE(login-config)#
  8. enable-login-banner—enables or disables display of the login banner

    Allowable values are enable (the default) or disable.

    Retain the default value, or disable login banner display. 

    ORACLE(login-config)# enable-login-banner disable
ORACLE(login-config)#

    A sample login policy configuration appears below: 

    ORACLE(login-config)# concurrent-session limit 4 
ORACLE(login-config)# max-login-attempts 5 
ORACLE(login-config)# login-attempt-interval 6 
ORACLE(login-config)# lockout-interval 30 
ORACLE(login-config)# done 
ORACLE(login-config)# exit 
ORACLE(admin-security)#

    Defines a login-config configuration element that allows four simultaneous connections per user name. An idle interval of 6 seconds is imposed after an unsuccessful login attempt. Five consecutive unsuccessful login attempts trigger a 30-second lockout of the interface over which the unsuccessful logins were received. By default, single-factor authentication, alarm generation, and login banner display are enable.