Page History

Add_workflow_for_techpubsAUTH1JIRAIDAUTHSBX-60956REV5REV6REV3REV1REV2

Panel

In this section:

Table of Contents

maxLevel	2

Use this object to manage account and password-related configurations. For password rules configuration, refer to Password Rules - CLI.

OS Account Aging

To minimize the possibility of an unauthorized user compromising inactive OS user accounts (root/linuxadmin/sftpadmin/rss)account, configure this parameter to specify the number of days of OS account inactivity (OSAccountAgingPeriod) before the account is automatically disabled.

Info

title	Note

These users are exempted from OS account aging: root, linuxadmin, cnxipmadmin and postgres.

Command Syntax

Code Block

title	OS Account Aging

% set system admin <SYSTEM NAME> accountManagement OSAccountAging
	OSAccountAgingPeriod <7-712 days>
	state <disabled | enabled>

Command Parameters

Caption

0	Table
1	OS Account Aging Parameters
3	OS Account Aging Parameters

Parameter

Length/Range

Description

OSAccountAgingPeriod 7-712 days <period> (default = 30) – The number of days of inactivity before the OS user is disabled.

state

N/A

Enable this flag to apply the account aging period to OS users.

disabled
enabled

(default)

Account Aging

Command Syntax

Code Block

title	Account Aging

% set system admin <SYSTEM NAME> accountManagement accountAging
	accountAgingPeriod <30-180 days>
	state <disabled | enabled>

Command Parameters

Caption

0	Table
1	Account Aging Parameters
3	Account Aging Parameters

Parameter	Length/Range	Description
`accountAgingPeriod`	30-180 days	`<period>` (default = 30) – Use this parameter to specify the number of days to elapse, after which the account is locked if left unused

ount expiration duration, in days,

for accounts other than OS management users.

state

N/A

Set flag to "enabled" to enable account aging system-wide.

disabled
enabled (default)

Account Removal

Use this parameter to configure the account removal period.

Command Syntax

Code Block

title	Account Removal

% set system admin <SYSTEM NAME> accountManagement accountRemoval
	accountRemovalPeriod <60-360 days>
	state <disabled | enabled>

Command Parameters

Caption

0	Table
1	Brute Force Attack Parameters
3	Brute Force Attack Parameters

Parameter

Length/Range

Description

accountRemovalPeriod 60-360 days <period> – The number of days to elapse for an unused user account before it is automatically (default = 270 days).

state

N/A

Administrative state of this feature.

disabled (default)
enabled

NOTE: Refer to Local Authentication - CLI to enable/disable this feature for a specific user.

Brute Force Attack

Configuration for defense against brute force OAM password guessing attempts.

Command Syntax

Code Block

title	Brute Force Attack

% set system admin <SYSTEM NAME> accountManagement bruteForceAttack
	allowAutoUnlock <disabled | enabled>
	consecutiveFailedAttemptAllowed <1-10>
	state <disabled | enabled>
	unlockTime <30-3600 seconds>

Command Parameters

Caption

0	Table
1	Brute Force Attack Parameters
3	Brute Force Attack Parameters

Parameter

Length/Range

Description

allowAutoUnlock

N/A

Enable Auto Unlock of an account blocked due to consecutive wrong password attempts.

disabled
enabled (default)

enabled

consecutiveFailedAttemptAllowed

1-10

<number of attempts> (default = 3) – Number of consecutive failed login attempts allowed before account is locked. As a safety measure, the system will not lock out the last/only active Administrator user on

Spacevars

0	product

platform.

state

N/A

Enable/disable defense against brute force OAM password guessing attempts.

disabled
enabled (default)

enabled

unlockTime

30-3600 seconds

<unlock time> (default = 30) – If allowAutoUnlock flag is enabled, this parameter specifies the time (in seconds) to elapse before a locked account automatically unlocks.

NOTE: You must first set state to 'disabled' before changing the value of consecutiveFailedAttemptAllowed.

Brute Force Attack OS

Use this configuration to defend against brute force attacks to Linux OS.

Command Syntax

Code Block

title	Brute Force Attack OS

% set system admin <SYSTEM NAME> accountManagement bruteForceAttackOS
	OSstate <disabled | enabled>
	allowOSAutoUnlock <disabled | enabled>
	consecutiveFailedOSAttemptAllowed <1-10>
	unlockOSTime <30-5400 seconds>

Command Parameters

Caption

0	Table
1	Brute Force Attack Parameters
3	Brute Force Attack Parameters

Parameter

Length/Range

Description

OSstate

N/A

Enable this flag to defend the Linux OS against brute force attacks.

disabled
enabled

disabled

(default)

allowOSAutoUnlock

N/A

Enable this flag to automatically unlock the Linux OS account after a configurable number of seconds set by unlockOSTime parameter.

disabled
enabled

disabled

(default)
`consecutiveFailedOSAttemptAllowed`	1-10	`<Number of failed attempts>` (default = 3) – Number of consecutive failed login attempts allowed before account is locked.
`unlockOSTime`	30-5400 seconds	`< time interval>` (default = 30 seconds) – Time interval after which the disabled Linux OS account will automatically unlock.

Max Sessions

Command Syntax

Code Block

title	Max Sessions

% set system admin <SYSTEM NAME> accountManagement maxSessions <1-5>

Command Parameters

Caption

0	Table
1	Max Sessions Parameters
3	Max Sessions Parameters

Parameter	Length/Range	Description
`maxSessions`	1-5	Maximum number of simultaneous sessions allowed per user (default = 2).

Password Aging

Password expiration related configuration.

Command Syntax

Code Block

title	Password Aging

% set system admin <SYSTEM NAME> accountManagement passwordAging
	OSstate <disabled | enabled>
	passwordAgingPeriod <1-365 days>
	passwordExpiryWarningPeriod <3-14 days>
	passwordMinimumAge <1-365 days> 
	state <disabled | enabled>

Command Parameters

Caption

0	Table
1	Password Aging Parameters
3	Password Aging Parameters

Parameter	Length/Range	Description
`OSstate`	N/A	Enable/disable password aging for OS users. `disabled` `enabled` (default)
`passwordAgingPeriod`	1-365 days	`<number of days>` (default = 90)`– The number of days to elapse, after which a password expires.`
`passwordExpiryWarningPeriod`	3-14 days	`<number of days>` (default = 12) – The number of days prior to the password expiry date on which the user receives a warning to change the password.
`passwordMinimumAge`	1-365 days	`<number of days>` (default = 1) – Specify the number of days to elapse before a password is changeable by a non-Administrator user.
`state`	N/A	Use this flag to enable/disable `passwordAging` feature. `disabled` `enabled` (default)

Session Idle Timeout

Session idle timeout related configuration.

Command Syntax

Code Block

title	Session Idle Timeout

% set system admin <SYSTEM NAME> accountManagement sessionIdleTimeout
	idleTimeout <1-120>
	state <disabled | enabled>

Command Parameters

Caption

0	Table
1	Session Idle Timeout
3	Session Idle Timeout

Parameter

Length/Range

Description

idleTimeout

1-120 minutes

<number of minutes> (default = 10) – The amount of idle time, in minutes, to elapse before ending a session due to inactivity.

state

N/A

To use this feature, set this flag to "enabled".

disabled
enabled (default)

SFTP Admin

Login Enabled

Removed

The SFTP Admin account has been removed.

Related EMA Note

Info

title	Note Regarding EMA

If only keys (no password) are injected for the admin CLI user, then passwordLoginSupport is disabled by default. If standalone EMA access is required then enable it and use the generated password to invoke the EMA. There is no need to enable passwordLoginSupport if the EMA is accessed via the EMS.

Related EMS Note

Info
As sftpadmin is removed, the EMS uses an alternate CLI account in its Administrator group (like admin) for the SBC registration. There is no Cloud SBC impact because it uses emssftp. Refer to the Security and Security Best Practices sections in the current EMS documentation.

Command Example

This

Use this flag to enable/disable the sftpadmin login. The default value is "true" (enabled).

Command Syntax

Code Block
% set system admin <admin-name> accountManagement sftpadminLoginEnabled <false \| true>

Command Parameters

Caption

0	Table
1	SFTP Admin Login Enabled Parameter
3	SFTP Admin Login Enabled Parameter

Parameter

Description

sftpadminLoginEnabled

Use this flag to enable/disable sftpadmin login.

false – sftpadmin login is disabled.
true (default) – sftpadmin login is enabled.

Command Example

The following example uses the Account Management feature to accomplish the following actions:

Allows a locked account to unlock after five minutes
Enables
Spacevars
0 product
to defend against brute force attacks
Sets the number of consecutive failed attempts to "3"

Code Block

language	none

% set system admin MYSBC accountManagement bruteForceAttack state enabled allowAutoUnlock enabled consecutiveFailedAttemptAllowed 3 unlockTime 300

% show system admin MYSBC accountManagement bruteForceAttack
state                           enabled;
consecutiveFailedAttemptAllowed 3;
allowAutoUnlock                 enabled;
unlockTime                      300;

Pagebreak

Space shortcuts

Page tree

Versions Compared

Old Version 4

New Version Current

Key

OS Account Aging

Command Syntax

Command Parameters

Account Aging

Command Syntax

Command Parameters

Account Removal

Command Syntax

Command Parameters

Brute Force Attack

Command Syntax

Command Parameters

Brute Force Attack OS

Command Syntax

Command Parameters

Max Sessions

Command Syntax

Command Parameters

Password Aging

Command Syntax

Command Parameters

Session Idle Timeout

Command Syntax

Command Parameters

SFTP Admin

Removed

Related EMA Note

Related EMS Note

Command Example

Command Syntax

Command Parameters

Command Example