3 User Security on Oracle Exadata

Increase the security of your data and system by limiting user access and developing strong password security policies.

3.1 Default User Accounts for Oracle Exadata

Several user accounts regularly manage the components of Oracle Exadata.

In addition to the root user, Oracle Exadata Storage Servers have two users, celladmin and cellmonitor. The celladmin user is used to run all services on the cell. The cellmonitor user is used for monitoring purposes. The cellmonitor user cannot run services on the cell. Other Oracle Exadata components have users for the management of the component.

Note:

After Oracle Exadata has been deployed, the installation process disables all root SSH keys and expires all user passwords as a security measure for your system. If you do not want the SSH keys disabled or the passwords expired, advise the installation engineer before the deployment.

Starting with Oracle Exadata System Software release 19.1.0, two new users are created to improve the security of specific actions. The cellofl user runs query offload processes on the storage servers as a non-root user. The exawatch user is responsible for collecting and archiving system statistics on both the database servers and the storage servers.

The following table lists the default users and passwords for the Oracle Exadata components. All default passwords should be changed after installation of Oracle Exadata. Refer to My Oracle Support note 1291766.1 for information about changing the default user accounts passwords.

Table 3-1 Default Oracle Exadata Users and Passwords

Account | Default Password | Account Type | Component(s)
------- | ---------------- | ------------ | ------------
root | welcome1 | Operating system user | Oracle Exadata Database Servers; Oracle Exadata Storage Servers; RDMA Network Fabric switches; Database server ILOMs; Oracle Exadata Storage Server ILOMs; RDMA Network Fabric ILOMs
oracle | We1come$ | Operating system user | Oracle Exadata Database Servers
grid (Note: This account exists only if role separation is chosen during deployment.) | We1come$ | Operating system user | Oracle Exadata Database Servers
celladmin | welcome (Note: Commencing with the Oracle Exadata Deployment Assistant (OEDA) November 2019 release, the password of the celladmin user is set to a random string during deployment, which you must change on first use.) | Operating system user | Oracle Exadata Storage Servers
CELLDIAG | Welcome12345 (Note: The password of the CELLDIAG user is reset to a random password during the "Apply Security Fixes" step of OEDA.) | Oracle Exadata System Software user | Oracle Exadata Storage Servers
cellmonitor | welcome (Note: Commencing with the OEDA November 2019 release, the password of the cellmonitor user is set to a random string during deployment, which you must change on first use.) | Operating system user | Oracle Exadata Storage Servers
cellofl (Note: This account has no login privileges and exists only in release 19.1.0 and later.) | | Operating system user | Oracle Exadata Storage Servers
dbmadmin | welcome (Note: Commencing with the OEDA November 2019 release, the password of the dbmadmin user is set to a random string during deployment, which you must change on first use.) | Operating system user | Oracle Exadata Database Servers
dbmmonitor | welcome (Note: Commencing with the OEDA November 2019 release, the password of the dbmmonitor user is set to a random string during deployment, which you must change on first use.) | Operating system user | Oracle Exadata Database Servers
dbmsvc (Note: This account has no login privileges and exists only in release 12.1.2.1.0 and later.) | | Operating system user | Oracle Exadata Database Servers
exawatch (Note: This account has no login privileges and exists only in release 19.1.0 and later.) | | Operating system user | Oracle Exadata Database Servers; Oracle Exadata Storage Servers
SYS | We1come$ | Oracle Database user | Oracle Exadata Database Servers
SYSTEM | We1come$ | Oracle Database user | Oracle Exadata Database Servers
Grub boot loader | sos1Exadata | Operating system user | Oracle Exadata Database Servers; Oracle Exadata Storage Servers
nm2user | changeme | Firmware user | InfiniBand Network Fabric switches
ilom-admin | ilom-admin | ILOM user | InfiniBand Network Fabric switches
ilom-operator | ilom-operator | ILOM user | InfiniBand Network Fabric switches
admin | welcome1 | Firmware/switch administrator | RoCE Network Fabric switches
admin | welcome1 (Note: You should secure the enable mode password and secret values for the admin user.) | Firmware user | Ethernet switches
admin | welcome1 (Note: The password for the admin user is adm1n if you reset the PDU to factory default settings.) | Firmware user | Power distribution units (PDUs); Keyboard, video, mouse (KVM)
MSUser | Note: Management Server (MS) uses this account to reset the ILOM interface if it stops responding. Do not modify this account. This account is to be used by MS only. The MSUser password is not persisted anywhere. Each time MS starts up, it deletes the previous MSUser account and re-creates the account with a randomly generated password. | ILOM user | Database server ILOMs; Oracle Exadata Storage Server ILOMs
LocalMSV3user | Note: Management Server (MS) uses this account for hardware monitoring and failure handling using an automatic ILOM SNMP notification rule. Do not modify this account or the associated ILOM SNMP notification rule. This account is to be used by MS only. The LocalMSV3user password is not persisted anywhere. Each time MS starts up, it deletes the previous LocalMSV3user account and re-creates the account with a randomly generated password. | ILOM SNMP version 3 user | Database server ILOMs; Oracle Exadata Storage Server ILOMs
rocedisc (Note: By default, this account is disabled and cannot be used to log in to the RoCE Network Fabric switch. Do not delete this account. Otherwise, verification of the switch configuration will fail.) | | RoCE Network Fabric switch user | RoCE Network Fabric switches

3.2 Default Password Requirements

Oracle Exadata Deployment Assistant (OEDA) implements a default password policy on Oracle Exadata Database Machine.

The last step of OEDA, "Secure Oracle Exadata Database Machine", implements the following password requirements:

  • Dictionary words are not valid or accepted.
  • Character classes for passwords are uppercase letters, lowercase letters, digits, and special characters.
  • Passwords must contain characters from all four character classes. Passwords using only one, two, or three character classes are not allowed.
  • The minimum length of a password is eight characters.
  • Pass-phrases are allowed. A pass-phrase should contain at least three words, be 16 to 40 characters in length, and contain different character classes.
  • A new password cannot be similar to old passwords. There must be at least eight characters in the new password that were not present in the old password.
  • A maximum of three consecutive characters of the same value can be used in a password.
  • A maximum of four consecutive characters of the same character class can be used in a password. For example, abcde1#6B cannot be used as a password because it uses five consecutive lowercase letters.
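To make the rules above concrete, the following checker is an added example written for this page; it is not OEDA's or Oracle's code. It applies each listed requirement to a candidate password and reports every rule it breaks. The dictionary is a constructed stand-in for the system word list, and two readings are assumptions: "different character classes" in a pass-phrase is taken to mean at least two classes, the consecutive-character limits are applied on the regular-password path, and the "eight characters not present in the old password" rule counts characters of the new password whose value does not occur anywhere in the old one. The same complexity values (length 8, all four classes, no more than 3 identical and 4 same-class consecutive characters, 8 changed characters) reappear as the Oracle Linux 7 defaults later in this chapter.

```python
# Added example for this page: a checker for the OEDA password requirements listed
# above. It is not OEDA's or Oracle's code; the dictionary below and the pass-phrase
# and character-difference interpretations are assumptions.

UPPER, LOWER, DIGIT, OTHER = "upper", "lower", "digit", "other"

# Constructed stand-in for the system dictionary (a real check uses the full word list).
DICTIONARY_WORDS = {"welcome", "password", "oracle", "exadata", "admin"}


def char_class(ch):
    """Map one character to one of the four classes the policy counts."""
    if ch.isupper():
        return UPPER
    if ch.islower():
        return LOWER
    if ch.isdigit():
        return DIGIT
    return OTHER          # punctuation, space and everything else


def longest_run(seq):
    """Length of the longest run of equal consecutive items in seq."""
    best = run = 0
    prev = object()
    for item in seq:
        run = run + 1 if item == prev else 1
        prev = item
        best = max(best, run)
    return best


def check_password(new, old=None):
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    lowered = new.lower()
    classes = [char_class(c) for c in new]

    # Rule: dictionary words are not accepted (substring match is a simplification).
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("dictionary word")

    if len(new.split()) >= 3:
        # Pass-phrase path: at least three words, 16 to 40 characters, mixed classes
        # (assumption: "different character classes" means at least two of them).
        if not 16 <= len(new) <= 40:
            problems.append("pass-phrase must be 16 to 40 characters")
        if len(set(classes)) < 2:
            problems.append("pass-phrase must mix character classes")
    else:
        # Regular password path: minimum length, all four classes, and run limits.
        if len(new) < 8:
            problems.append("shorter than 8 characters")
        if len(set(classes)) < 4:
            problems.append("must use all four character classes")
        if longest_run(new) > 3:
            problems.append("more than 3 consecutive identical characters")
        if longest_run(classes) > 4:
            problems.append("more than 4 consecutive characters of the same class")

    # Rule: at least eight characters of the new password must not occur in the old one.
    if old is not None:
        fresh = sum(1 for c in new if c not in old)
        if fresh < 8:
            problems.append("fewer than 8 characters not present in the old password")
    return problems
```

Running check_password("abcde1#6B") reproduces the document's own rejection (five consecutive lowercase letters), while a mixed eight-character value such as "Xq7$mZ2!" passes; supplying old= additionally enforces the eight-changed-characters rule.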

3.3 Default Security Settings Implemented by OEDA

Oracle Exadata Deployment Assistant (OEDA) includes a step to implement default security settings on Oracle Exadata.

The last OEDA configuration step, Secure Oracle Exadata Database Machine, implements the following security settings:

  • The following password rules apply by default for all operating system users on the database servers and storage servers:

    • Non-root users must change their password during first login.

    • The password complexity rules depend on the Oracle Linux version in use.

      For systems with Oracle Linux 7 or later:

      • The minimum password length is 8 characters.

      • The password must contain at least one digit, one uppercase character, one lowercase character, and one other character.

      • The password must not contain the same character consecutively more than 3 times.

      • The password must not contain more than 4 consecutive characters from the same class (digits, lowercase letters, uppercase letters, or other characters).

      • For password changes, the new password must contain a minimum of 8 character changes.

      For systems with Oracle Linux 6 or earlier, the minimum password length is 5 characters with no additional complexity requirements.

    • The maximum password age is 60 days.

    • The minimum amount of time between password changes is 1 day.

    • Warning alerts are generated 7 days before password expiry.

    • When changing a user password, the new password cannot match any of the 10 previous passwords.

  • An operating system user account is locked for 15 minutes after three failed login attempts within a 15-minute period.

  • Login sessions automatically terminate after 14400 seconds of no input.

  • SSH sessions automatically terminate after 600 seconds of inactivity.

  • For the root user, SSH equivalency is removed for all database servers and storage servers.

3.4 Managing Password and Authentication Policies

Each Oracle Exadata server contains the host_access_control utility (/opt/oracle.cellos/host_access_control), which provides simple interfaces to view and modify the password and authentication policies.

Oracle recommends using the host_access_control utility to view and modify the password and authentication policies. You may perform customizations outside the scope of the host_access_control utility at your own cost and risk.

  • To manage the password aging policy settings for new account creation, use the host_access_control command with the password-policy option.

    • For a complete description of the available options and settings, use:

      # /opt/oracle.cellos/host_access_control password-policy --help
    • To view the current policy settings, use:

      # /opt/oracle.cellos/host_access_control password-policy --status
    • To reset the policy to the factory default settings, use:

      # /opt/oracle.cellos/host_access_control password-policy --defaults

      Under the factory default password aging policy:

      • The maximum password age is 60 days.

      • The minimum period allowed between password changes is 1 day.

      • The minimum password length is 8 characters.

      • The password expiry warning period is 7 days.

    • To modify specific policy settings, specify one or more of the following:

      • --PASS_MAX_DAYS: Specifies the maximum password age (in days).

      • --PASS_MIN_DAYS: Specifies the minimum number of days allowed between password changes.

      • --PASS_MIN_LEN: Specifies the minimum password length.

      • --PASS_WARN_AGE: Specifies the password expiry warning period (in days).

      For example, use the following command to set the maximum password age to 100 days and the minimum password length to 12 characters:

      # /opt/oracle.cellos/host_access_control password-policy --PASS_MAX_DAYS 100 --PASS_MIN_LEN 12
  • To manage the password aging policy for existing interactive user accounts, use the host_access_control command with the password-aging option.

    • For a complete description of the available options and settings, use:

      # /opt/oracle.cellos/host_access_control password-aging --help
    • To view the current policy settings, use:

      # /opt/oracle.cellos/host_access_control password-aging --status
    • To reset the password aging policy to the factory default settings, use:

      # /opt/oracle.cellos/host_access_control password-aging --defaults

      Under the factory default password aging policy:

      • The maximum password age is 60 days.

      • The minimum period allowed between password changes is 1 day.

      • The minimum password length is 8 characters.

      • The password expiry warning period is 7 days.

    • To reset the password aging policy to the Exadata secure default settings, use:

      # /opt/oracle.cellos/host_access_control password-aging --secdefaults

      Under the Exadata secure default settings, the minimum password length is 15 characters. All other settings match the factory default policy.

    • To modify existing users to use the policy settings for new account creation, which are the settings defined by using host_access_control with the password-policy option, use:

      # /opt/oracle.cellos/host_access_control password-aging --policy
    • To modify specific policy settings for a user, specify the user and one or more of the following attributes:

      • --maxdays: Specifies the maximum password age (in days).

      • --mindays: Specifies the minimum number of days allowed between password changes.

      • --warndays: Specifies the password expiry warning period (in days).

      For example, use the following command to set the maximum password age to 80 days for the oracle OS user:

      # /opt/oracle.cellos/host_access_control password-aging --maxdays 80 --user oracle
  • To manage the system authentication policy settings, use the host_access_control command with the pam-auth option. The system authentication settings include the password complexity and password history rules that apply to all users.

    Commencing with Oracle Exadata System Software 23.1.0 and Oracle Linux 8, the security settings managed by the pam-auth option are encapsulated in a custom Exadata security profile using the Linux authselect utility.

    • For a complete description of the available options and settings, use:

      # /opt/oracle.cellos/host_access_control pam-auth --help
    • To view the current authentication settings, use:

      # /opt/oracle.cellos/host_access_control pam-auth --status
    • To reset the authentication settings to the factory default settings, use:

      # /opt/oracle.cellos/host_access_control pam-auth --defaults

      Under the factory default authentication settings:

      • A user account is locked for 15 minutes after three failed login attempts within a 15-minute period.

      • When changing a user password, the new password cannot match any of the 10 previous passwords.

      • The password complexity rules depend on the Oracle Linux version in use.

        For systems with Oracle Linux 7 or later:

        • The minimum password length is 8 characters.

        • The password must contain at least one digit, one uppercase character, one lowercase character, and one other character.

        • The password must not contain the same character consecutively more than 3 times.

        • The password must not contain more than 4 consecutive characters from the same class (digits, lowercase letters, uppercase letters, or other characters).

        • For password changes, the new password must contain a minimum of 8 character changes.

        For systems with Oracle Linux 6 or earlier, the minimum password length is 5 characters with no additional complexity requirements.

    • To reset the authentication settings to the Exadata secure default settings, use:

      # /opt/oracle.cellos/host_access_control pam-auth --secdefaults

      Under the Exadata secure default settings:

      • A user account is locked for 15 minutes after three failed login attempts within a 15-minute period.

      • When changing a user password, the new password cannot match any of the 10 previous passwords.

      • The password complexity rules depend on the Oracle Linux version in use.

        For systems with Oracle Linux 7 or later:

        • The minimum password length is 15 characters.

        • The password must contain at least one digit, one uppercase character, one lowercase character, and one other character.

        • The password must not contain the same character consecutively more than 3 times.

        • The password must not contain more than 4 consecutive characters from the same class (digits, lowercase letters, uppercase letters, or other characters).

        • For password changes, the new password must contain a minimum of 8 character changes.

        For systems with earlier Oracle Linux versions, the minimum password length is 8 characters and the password must contain at least one digit, one uppercase character, one lowercase character, and one other character. Alternatively, you can use a password with at least 12 characters that contains at least 3 out of the 4 character classes (digits, lowercase letters, uppercase letters, or other characters).

    • To modify specific authentication settings, specify one or more of the following:

      • --deny: Specifies the required number of consecutive failed login attempts within the interval (specified by --interval) to trigger an account lockout.

      • --interval: Specifies the number of seconds during which the consecutive failed login attempts must happen to trigger an account lockout.

      • --lock: Specifies the duration (in seconds) of an account lockout.

      • --passwdqc: This setting applies only to systems with Oracle Linux 6 or earlier. The value is a comma-separated list defining the minimum allowed length for different types of passwords or passphrases. See the pam_passwdqc Linux man page for details about this setting.

      • --pwquality: This setting applies only to systems with Oracle Linux 7 or later. The value is either an integer that defines the minimum password length or a comma-separated list that defines the password complexity rules using the following attributes: minlen, dcredit, ucredit, lcredit, ocredit, difok, maxrepeat, maxclassrepeat, minclass, maxsequence, and gecoscheck. See the pam_pwquality Linux man page for details about the password complexity attributes.

      • --remember: Specifies the size of the password history list for each user. For password changes, the new password cannot match any of previous passwords in the password history list.

      For example, use the following command to set the lockout period to 20 minutes after two failed login attempts within a 10-minute period:

      # /opt/oracle.cellos/host_access_control pam-auth --lock 1200 --deny 2 --interval 600

3.5 Creating Oracle Exadata System Software Users and Roles

You can control which Oracle Exadata System Software commands users can run by granting privileges to roles, and granting roles to users.

For example, you can specify that a user can run the LIST GRIDDISK command but not ALTER GRIDDISK. This level of control is useful in Oracle Cloud environments, where you might want to allow full access to the system to only a few users.

3.5.1 Overview of Creating Exadata System Software Users

Oracle Exadata System Software users are required when running ExaCLI in on-premise or Oracle Cloud environments. ExaCLI enables you to manage cells remotely from compute nodes. When you run ExaCLI on a compute node, you need to specify a user name to use to connect to the cell node. The Management Server (MS) authenticates the user credentials, then performs authorization checks on the commands issued by the user. If the user does not have the proper privileges to run a command, MS returns an error.

The password security key is encrypted using Password-Based Key Derivation Function 2 (PBKDF2) with HMAC-SHA1.

The high-level steps for creating users and roles for use with Oracle Exadata System Software are:

  1. Create roles using the CREATE ROLE command.
  2. Grant privileges to roles using the GRANT PRIVILEGE command.
  3. Create users using the CREATE USER command.
  4. Grant roles to users using the GRANT ROLE command.

You can also revoke privileges from roles using the REVOKE PRIVILEGE command. To revoke roles from users, use the REVOKE ROLE command.

3.5.2 Creating Roles and Getting Information about Roles

Use the CREATE ROLE command to create roles for Oracle Exadata System Software users.

For example, to create a role for administrators, you could use the following command:

CellCLI> CREATE ROLE admin

After you have created a role, you can then grant privileges to the role using the GRANT PRIVILEGE command. You can also grant the role to users, for example:

CellCLI> GRANT PRIVILEGE ALL ACTIONS ON ALL OBJECTS TO ROLE admin

CellCLI> GRANT ROLE admin TO USER username

To get detailed information about a role, use the LIST ROLE command. The following command returns all the attributes for the admin role.

CellCLI> LIST ROLE admin DETAIL
         name:                   admin
         privileges:             object=all objects, verb=all actions, attributes=all attributes, options=all options

3.5.3 Granting and Revoking Privileges

Use the GRANT PRIVILEGE command to grant privileges to roles for Oracle Exadata System Software users.

  • Grant privileges to roles using the GRANT PRIVILEGE command.
    • The following example grants all privileges to Oracle Exadata System Software users with the admin role.

      CellCLI> GRANT PRIVILEGE ALL ACTIONS ON ALL OBJECTS TO ROLE admin
    • You can also grant individual command privileges to a role.

      CellCLI> GRANT PRIVILEGE list ON griddisk TO ROLE diskmonitor
    • You can also grant all command privileges for specific objects to a role.

      CellCLI> GRANT PRIVILEGE ALL ACTIONS ON griddisk TO ROLE diskadmin
  • You can revoke privileges from roles using the REVOKE PRIVILEGE command.
    CellCLI> REVOKE PRIVILEGE ALL ACTIONS ON griddisk FROM ROLE diskadmin

3.5.4 Creating Users

Use the CREATE USER command to create Oracle Exadata System Software users.

A newly created user does not have any privileges. The Oracle Exadata System Software user is granted privileges through roles granted to the user.

  1. Use the CREATE USER command to create a user and assign an initial password.

    The following command creates a user called fred with password uq==A*2D$_18.

    CellCLI> CREATE USER fred PASSWORD = "uq==A*2D$_18"
  2. To grant privileges to the new user fred, use the GRANT ROLE command for a role that has already been configured.

3.5.5 Configuring Password Expiration for Users Accessing the Server Remotely

You can configure CELL attributes to expire user passwords.

In Oracle Exadata System Software release 19.1.0, there are new CELL attributes for configuring password security for users that access Oracle Exadata System Software servers remotely, such as with REST API or ExaCLI. These attributes determine if the user is able to change the password remotely, the amount of time before a user password expires, and the number of days prior to password expiration that the user receives warning messages. In the default configuration, user passwords do not expire.

Note:

The CELL attributes for password expiration apply only to users created with Oracle Exadata System Software. Password expiration applies only to users that are displayed with the LIST USER command and does not apply to operating system users like celladmin or oracle.
  • To allow the user to change the password remotely, use the ALTER CELL command to set the remotePwdChangeAllowed attribute to true.
    If you set the value to false, then the user receives a message indicating that they must contact the server administrator to have their password changed.
    CellCLI> ALTER CELL remotePwdChangeAllowed=true
  • To change the length of time before a user password expires, use the ALTER CELL command to modify the pwdExpInDays attribute.
    Set the value n to the number of days before the password expires. If pwdExpInDays is set to 0 (the default value), then the user password does not expire.
    CellCLI> ALTER CELL pwdExpInDays=n
  • To configure the length of the warning period before the password expires, use the ALTER CELL command to modify the pwdExpWarnInDays attribute.
    Set the value n to the number of days to warn the user before the password expires. The default user account password expiration warning time is 7 days.
    CellCLI> ALTER CELL pwdExpWarnInDays=n
  • To specify the length of time before a user account is locked after the user password expires, use the ALTER CELL command to modify the accountLockInDays attribute.
    Set the value n to the number of days before the user account is locked. The default user account lock time is 7 days.
    CellCLI> ALTER CELL accountLockInDays=n

3.5.6 Granting and Revoking Roles

Use the GRANT ROLE command to grant roles to Oracle Exadata System Software users.

Command privileges are granted to roles, and then the roles are granted to users. You do not grant command privileges directly to the Oracle Exadata System Software users.
  • Use the GRANT ROLE command to grant roles to users.

    The following example grants the admin role to the user fred.

    CellCLI> GRANT ROLE admin TO USER fred
    
  • You can revoke roles from users using the REVOKE ROLE command.
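The following is an added example for sections 3.5.1 through 3.5.6, not the Management Server's implementation or any Oracle code: a hypothetical in-memory model of what the CREATE ROLE, GRANT PRIVILEGE, CREATE USER, GRANT ROLE and REVOKE commands above manage, with the two-step check described in 3.5.1 (authenticate the credentials, then authorize the command against the user's roles) and a helper that applies the pwdExpInDays, pwdExpWarnInDays and accountLockInDays attributes from 3.5.5. Password verifiers are derived with PBKDF2-HMAC-SHA1 as named in 3.5.1; the iteration count, salt size, wildcard handling of "ALL ACTIONS" / "ALL OBJECTS", and the exact day on which the account lock takes effect are assumptions.

```python
import hashlib
import hmac
import os
from datetime import date

# Added example for this page: a hypothetical in-memory model of the users, roles and
# privileges that the CellCLI commands in this section manage, with authentication by
# PBKDF2-HMAC-SHA1 as named in section 3.5.1. This is not the Management Server's
# implementation; the iteration count and salt size are assumptions.

PBKDF2_ITERATIONS = 100_000   # assumption: the page does not state MS's iteration count
SALT_BYTES = 16               # assumption


def hash_password(password, salt=None):
    """Derive the stored verifier with PBKDF2-HMAC-SHA1 and a random per-user salt."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password, salt, key):
    """Recompute the verifier and compare it in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, key)


class Cell:
    """Privileges are granted to roles, roles to users; users never hold privileges directly."""

    def __init__(self):
        self.roles = {}   # role name -> set of (verb, object); "all actions"/"all objects" are wildcards
        self.users = {}   # user name -> {"salt", "key", "roles"}

    def create_role(self, name):                    # CREATE ROLE name
        self.roles[name] = set()

    def grant_privilege(self, verb, obj, role):     # GRANT PRIVILEGE verb ON obj TO ROLE role
        self.roles[role].add((verb.lower(), obj.lower()))

    def revoke_privilege(self, verb, obj, role):    # REVOKE PRIVILEGE verb ON obj FROM ROLE role
        self.roles[role].discard((verb.lower(), obj.lower()))

    def create_user(self, name, password):          # CREATE USER name PASSWORD = "..."
        salt, key = hash_password(password)
        self.users[name] = {"salt": salt, "key": key, "roles": set()}

    def grant_role(self, role, user):               # GRANT ROLE role TO USER user
        self.users[user]["roles"].add(role)

    def revoke_role(self, role, user):              # REVOKE ROLE role FROM USER user
        self.users[user]["roles"].discard(role)

    def authenticate(self, user, password):
        """Step one of what MS does for an ExaCLI/REST request: check the credentials."""
        rec = self.users.get(user)
        if rec is None:
            hash_password(password, b"\x00" * SALT_BYTES)   # same cost for unknown users
            return False
        return verify_password(password, rec["salt"], rec["key"])

    def authorized(self, user, verb, obj):
        """Step two: some granted role must hold a privilege matching verb and object."""
        rec = self.users.get(user)
        if rec is None:
            return False
        verb, obj = verb.lower(), obj.lower()
        for role in rec["roles"]:
            for v, o in self.roles.get(role, ()):
                if v in (verb, "all actions") and o in (obj, "all objects"):
                    return True
        return False


def password_state(set_on, today, pwd_exp_in_days=0, pwd_exp_warn_in_days=7, account_lock_in_days=7):
    """Apply the CELL attributes pwdExpInDays, pwdExpWarnInDays and accountLockInDays
    (section 3.5.5) to a password set on `set_on`; both dates are ISO strings.
    0 for pwdExpInDays keeps the default behaviour: the password never expires."""
    if pwd_exp_in_days == 0:
        return "ok"
    age = (date.fromisoformat(today) - date.fromisoformat(set_on)).days
    if age >= pwd_exp_in_days + account_lock_in_days:
        return "locked"       # assumption: the lock starts accountLockInDays after expiry
    if age >= pwd_exp_in_days:
        return "expired"
    if age >= pwd_exp_in_days - pwd_exp_warn_in_days:
        return "warn"
    return "ok"


def demo():
    """Replay the commands shown in this section: admin and diskmonitor roles, user fred."""
    cell = Cell()
    cell.create_role("admin")
    cell.grant_privilege("ALL ACTIONS", "ALL OBJECTS", "admin")
    cell.create_role("diskmonitor")
    cell.grant_privilege("list", "griddisk", "diskmonitor")
    cell.create_user("fred", "uq==A*2D$_18")
    cell.grant_role("diskmonitor", "fred")
    return cell
```

With the demo() state, fred can run LIST on griddisk but not ALTER, which is exactly the distinction 3.5 motivates; granting the admin role turns ALTER on, and revoking either the role or the diskmonitor privilege turns the corresponding access off again. The constant-time comparison and the dummy derivation for unknown users keep the authentication step from leaking which user names exist.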

3.6 Security Policies for Oracle Exadata Storage Server Operating System Users

User access to the operating system can be secured by the use of secure, hardened passwords.

The passwords for operating system users who administer Oracle Exadata System Software adhere to the security guidelines enacted by Oracle Exadata Deployment Assistant (OEDA). See Default Security Settings Implemented by OEDA for more information.

3.6.1 Changing a Password

Use the operating system command passwd to change user passwords.

Operating system users are notified of the need to change their passwords 7 days before the expiration date.

  • To change a password, use the passwd command, where username is the user name for which you want to change the password.
    passwd username
    

3.6.2 Enabling the Security Policies for Operating System Users

The /opt/oracle.cellos/RESECURED_NODE file enables the security policies.

If the file does not exist, then you can reset the security policies for all operating system users by performing the following steps:

  1. Shut down the Oracle Grid Infrastructure services on all database servers.
  2. Shut down the cell services on the storage servers.
    cellcli -e alter cell shutdown services all
    
  3. Use the harden_passwords_reset_root_ssh script to reset the security policies.

    Note:

    The harden_passwords_reset_root_ssh script restarts the cell.
    /opt/oracle.SupportTools/harden_passwords_reset_root_ssh
    
  4. All operating system users must set a new password the next time they log in.

3.6.3 Viewing Failed Operating System Password Attempts

Use the faillock operating system utility to view failed login attempts.

For example, to see the failed login attempts for the celladmin user:

# faillock --user celladmin
celladmin:
When                Type  Source                                           Valid
2022-11-06 18:23:18 RHOST xxx.xxx.xxx.xxx                                      V
2022-11-06 18:23:23 RHOST xxx.xxx.xxx.xxx                                      V
2022-11-06 18:23:27 RHOST xxx.xxx.xxx.xxx                                      V

In the example output, xxx.xxx.xxx.xxx represents the IP address that is the source of the login failure.
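The following is an added example, not an Oracle tool: it parses output in the faillock layout shown above and evaluates it against the lockout policy that the pam-auth --deny, --interval and --lock settings from 3.4 control, using the factory values from 3.3 (three failures within 15 minutes lock the account for 15 minutes) as defaults. The sample output is constructed, with made-up timestamps and the 192.0.2.10 documentation address in place of xxx.xxx.xxx.xxx, and the sliding-window model is a simplification of pam_faillock's behaviour.

```python
from datetime import datetime, timedelta

# Added example for this page (not an Oracle tool): parse faillock-style output and
# evaluate it against the deny / interval / lock policy that pam-auth manages.
# Policy defaults below are the factory values stated in this chapter:
# three failures within 15 minutes lock the account for 15 minutes.
DENY = 3
INTERVAL_SECONDS = 900
LOCK_SECONDS = 900

# Constructed sample in the layout of `faillock --user celladmin` output; the
# timestamps and the 192.0.2.10 documentation address are made up for this example.
SAMPLE_OUTPUT = """\
celladmin:
When                Type  Source                                           Valid
2022-11-06 18:23:18 RHOST 192.0.2.10                                           V
2022-11-06 18:23:23 RHOST 192.0.2.10                                           V
2022-11-06 18:23:27 RHOST 192.0.2.10                                           V
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_faillock(text):
    """Return (user, records); each record is (timestamp, type, source, valid)."""
    lines = [line for line in text.splitlines() if line.strip()]
    user = lines[0].rstrip(":")
    records = []
    for line in lines[2:]:                       # skip "user:" and the column header
        when_date, when_time, kind, source, valid = line.split()
        when = datetime.strptime(f"{when_date} {when_time}", TIME_FMT)
        records.append((when, kind, source, valid == "V"))   # "V" = counted, "I" = invalidated
    return user, records


def lockout_state(records, now, deny=DENY, interval_seconds=INTERVAL_SECONDS, lock_seconds=LOCK_SECONDS):
    """Simplified pam_faillock model: count valid failures within `interval` of the most
    recent one; reaching `deny` locks the account for `lock` seconds from that failure.
    Returns (locked_now, lock_end_or_None, failures_counted)."""
    valid = sorted(when for when, _, _, ok in records if ok)
    if not valid:
        return False, None, 0
    latest = valid[-1]
    window = [t for t in valid if latest - t <= timedelta(seconds=interval_seconds)]
    if len(window) < deny:
        return False, None, len(window)
    lock_end = latest + timedelta(seconds=lock_seconds)
    return now < lock_end, lock_end, len(window)


def check_output(text, now_str, **policy):
    """Parse faillock output and evaluate it at time `now_str`; strings in, strings out."""
    _, records = parse_faillock(text)
    locked, lock_end, count = lockout_state(records, datetime.strptime(now_str, TIME_FMT), **policy)
    return locked, lock_end.strftime(TIME_FMT) if lock_end else None, count
```

Evaluated at 18:30 the sample account is locked until 18:38:27; by 18:40 the factory lock has lapsed, but under the policy set by the example command in 3.4 (--lock 1200 --deny 2 --interval 600) the same three records keep it locked until 18:43:27. Records marked I, or failures older than the interval, are not counted, which is why two of the three lines alone do not trigger a lock.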

3.6.4 Resetting a Locked Operating System User Account

The operating system user account is locked when the number of login failures exceeds the threshold in the security policy.

To reset a locked account, use the following command, where username is the name of the locked user:

# faillock --user username --reset