Use this object to manage account- and password-related configuration. For password rules configuration, refer to Password Rules - CLI.
To minimize the possibility of an unauthorized user compromising an inactive OS user account, configure this parameter to specify the number of days of OS account inactivity (OSAccountAgingPeriod) before the account is automatically disabled.
The following users are exempt from OS account aging: root, linuxadmin, cnxipmadmin and postgres.
% set system admin <SYSTEM NAME> accountManagement OSAccountAging OSAccountAgingPeriod <7-712 days> state <disabled | enabled>
OS Account Aging Parameters
Parameter | Length/Range | Description |
---|---|---|
OSAccountAgingPeriod | 7-712 days | <period> (default = 30) – The number of days of inactivity before the OS user is disabled. |
state | N/A | Enable this flag to apply the account aging period to OS users. |
% set system admin <SYSTEM NAME> accountManagement accountAging accountAgingPeriod <30-180 days> state <disabled | enabled>
Account Aging Parameters
Parameter | Length/Range | Description |
---|---|---|
accountAgingPeriod | 30-180 days | <period> – The number of days of inactivity before account aging is applied to a user account. |
state | N/A | Set this flag to "enabled" to enable account aging system-wide. |
Use this parameter to configure the account removal period.
% set system admin <SYSTEM NAME> accountManagement accountRemoval accountRemovalPeriod <60-360 days> state <disabled | enabled>
Account Removal Parameters
Parameter | Length/Range | Description |
---|---|---|
accountRemovalPeriod | 60-360 days | <period> – The number of days an unused user account may remain before it is automatically removed (default = 270 days). |
state | N/A | Administrative state of this feature. NOTE: Refer to Local Authentication - CLI to enable/disable this feature for a specific user. |
Configuration for defense against brute force OAM password guessing attempts.
% set system admin <SYSTEM NAME> accountManagement bruteForceAttack allowAutoUnlock <disabled | enabled> consecutiveFailedAttemptAllowed <1-10> state <disabled | enabled> unlockTime <30-3600 seconds>
Brute Force Attack Parameters
Parameter | Length/Range | Description |
---|---|---|
allowAutoUnlock | N/A | Enable automatic unlocking of an account that was blocked due to consecutive wrong password attempts. |
consecutiveFailedAttemptAllowed | 1-10 | The number of consecutive failed password attempts allowed before the account is blocked. |
state | N/A | Enable/disable defense against brute force OAM password guessing attempts. |
unlockTime | 30-3600 seconds | The number of seconds after which a blocked account is automatically unlocked. NOTE: You must first set allowAutoUnlock to enabled. |
Use this configuration to defend the Linux OS against brute force attacks.
% set system admin <SYSTEM NAME> accountManagement bruteForceAttackOS OSstate <disabled | enabled> allowOSAutoUnlock <disabled | enabled> consecutiveFailedOSAttemptAllowed <1-10> unlockOSTime <30-5400 seconds>
Brute Force Attack OS Parameters
Parameter | Length/Range | Description |
---|---|---|
OSstate | N/A | Enable this flag to defend the Linux OS against brute force attacks. |
allowOSAutoUnlock | N/A | Enable this flag to automatically unlock the Linux OS account after the configurable number of seconds set by unlockOSTime. |
consecutiveFailedOSAttemptAllowed | 1-10 | The number of consecutive failed Linux OS login attempts allowed before the OS account is locked. |
unlockOSTime | 30-5400 seconds | The number of seconds after which a locked Linux OS account is automatically unlocked when allowOSAutoUnlock is enabled. |
% set system admin <SYSTEM NAME> accountManagement maxSessions <1-5>
Max Sessions Parameters
Parameter | Length/Range | Description |
---|---|---|
maxSessions | 1-5 | Maximum number of simultaneous sessions allowed per user (default = 2). |
Password expiration related configuration.
% set system admin <SYSTEM NAME> accountManagement passwordAging OSstate <disabled | enabled> passwordAgingPeriod <1-365 days> passwordExpiryWarningPeriod <3-14 days> passwordMinimumAge <1-365 days> state <disabled | enabled>
Password Aging Parameters
Parameter | Length/Range | Description |
---|---|---|
OSstate | N/A | Enable/disable password aging for OS users. |
passwordAgingPeriod | 1-365 days | The number of days a password remains valid before it expires and must be changed. |
passwordExpiryWarningPeriod | 3-14 days | The number of days before password expiry during which the user is warned. |
passwordMinimumAge | 1-365 days | <number of days> (default = 1) – Specify the number of days to elapse before a password is changeable by a non-Administrator user. |
state | N/A | Use this flag to enable/disable password aging. |
Session idle timeout related configuration.
% set system admin <SYSTEM NAME> accountManagement sessionIdleTimeout idleTimeout <1-120> state <disabled | enabled>
Session Idle Timeout
Parameter | Length/Range | Description |
---|---|---|
idleTimeout | 1-120 minutes | The number of minutes a session may remain idle before it is terminated. |
state | N/A | To use this feature, set this flag to "enabled". |
The sftpadmin account was removed in release 7.1 for user account security purposes.
If only keys (no password) are injected for the admin CLI user, then passwordLoginSupport is disabled by default. If standalone EMA access is required, then enable passwordLoginSupport and use the generated password to invoke the EMA. You are not required to enable passwordLoginSupport if the EMA is accessed via RAMP.
With the removal of sftpadmin, the RAMP uses an alternate CLI account in its Administrator group (e.g., admin) for SBC registration. This does not impact SBC cloud networks because RAMP uses emssftp by default. Refer to the Security Best Practices sections in the current RAMP documentation.
The following example uses the Account Management feature to enable brute force attack defense with automatic unlock, allowing three consecutive failed attempts before an account is blocked and unlocking it after 300 seconds, and then verifies the configuration:
% set system admin MYSBC accountManagement bruteForceAttack state enabled allowAutoUnlock enabled consecutiveFailedAttemptAllowed 3 unlockTime 300
% show system admin MYSBC accountManagement bruteForceAttack
state enabled;
consecutiveFailedAttemptAllowed 3;
allowAutoUnlock enabled;
unlockTime 300;
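As an added example (not part of this documentation or the SBC software), a small Python audit that parses the "key value;" show output shown above and checks the bruteForceAttack settings against the documented ranges and an assumed hardening baseline (MAX_ATTEMPTS and MIN_UNLOCK are assumptions, not values from the page):

```python
"""Audit 'show system admin <NAME> accountManagement bruteForceAttack' output.

Added example. The 'key value;' output format and the 1-10 / 30-3600
ranges come from the CLI reference; the baseline thresholds are assumptions.
"""
import re

# Documented Length/Range values for the numeric parameters.
RANGES = {
    "consecutiveFailedAttemptAllowed": (1, 10),
    "unlockTime": (30, 3600),
}
MAX_ATTEMPTS = 5    # assumed baseline: allow at most 5 failed attempts
MIN_UNLOCK = 300    # assumed baseline: auto-unlock no sooner than 5 minutes

# Constructed sample outputs: the first mirrors the example in the text,
# the second is a deliberately weak configuration.
GOOD = "state enabled; consecutiveFailedAttemptAllowed 3; allowAutoUnlock enabled; unlockTime 300;"
WEAK = "state disabled; consecutiveFailedAttemptAllowed 10; allowAutoUnlock enabled; unlockTime 30;"


def parse_show_output(text):
    """Turn 'key value;' pairs into a dict of strings."""
    return dict(re.findall(r"(\w+)\s+(\S+?);", text))


def audit(cfg):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    if cfg.get("state") != "enabled":
        findings.append("bruteForceAttack state is not enabled")
    for key, (lo, hi) in RANGES.items():
        val = cfg.get(key, "")
        if not val.isdigit() or not lo <= int(val) <= hi:
            findings.append(f"{key}={val!r} outside documented range {lo}-{hi}")
    attempts = cfg.get("consecutiveFailedAttemptAllowed", "")
    if attempts.isdigit() and int(attempts) > MAX_ATTEMPTS:
        findings.append(f"consecutiveFailedAttemptAllowed {attempts} exceeds baseline {MAX_ATTEMPTS}")
    unlock = cfg.get("unlockTime", "")
    # unlockTime only matters when auto unlock is on (the NOTE in the table).
    if cfg.get("allowAutoUnlock") == "enabled" and unlock.isdigit() and int(unlock) < MIN_UNLOCK:
        findings.append(f"unlockTime {unlock}s is below baseline {MIN_UNLOCK}s")
    return findings


if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit(parse_show_output(text)) or "OK")
```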