Use this object to manage account and password-related configurations. For password rules configuration, refer to Password Rules - CLI.
OS Account Aging
To minimize the possibility of an unauthorized user compromising an inactive OS user account (root/linuxadmin/sftpadmin/rss), configure this parameter to specify the number of days of OS account inactivity (OSAccountAgingPeriod) before the account is automatically disabled.
Info: These users are exempted from OS account aging: root, linuxadmin, cnxipmadmin and postgres.
Command Syntax
```
% set system admin <SYSTEM NAME> accountManagement OSAccountAging
    OSAccountAgingPeriod <7-712 days>
    state <disabled | enabled>
```
Command Parameters
| Parameter | Length/Range | Description |
|---|---|---|
| OSAccountAgingPeriod | 7-712 days | `<period>` (default = 30) – The number of days of inactivity before the OS user is disabled. |
| state | N/A | Enable this flag to apply the account aging period to OS users. |
Account Aging
Command Syntax
```
% set system admin <SYSTEM NAME> accountManagement accountAging
    accountAgingPeriod <30-180 days>
    state <disabled | enabled>
```
Command Parameters
| Parameter | Length/Range | Description |
|---|---|---|
| accountAgingPeriod | 30-180 days | `<period>` (default = 30) – Use this parameter to specify the number of days to elapse, after which the account is locked if left unused. Account expiration duration, in days, for accounts other than OS management users. |
| state | N/A | Set this flag to "enabled" to enable account aging system-wide. Values: disabled, enabled (default). |
Account Removal
Use this parameter to configure the account removal period.
Command Syntax
```
% set system admin <SYSTEM NAME> accountManagement accountRemoval
    accountRemovalPeriod <60-360 days>
    state <disabled | enabled>
```
Command Parameters
| Parameter | Length/Range | Description |
|---|---|---|
| accountRemovalPeriod | 60-360 days | `<period>` – The number of days to elapse for an unused user account before it is automatically removed (default = 270 days). |
| state | N/A | Administrative state of this feature. Values: disabled (default), enabled. |

NOTE: Refer to Local Authentication - CLI to enable/disable this feature for a specific user.
Brute Force Attack
Configuration for defense against brute force OAM password guessing attempts.
Command Syntax
```
% set system admin <SYSTEM NAME> accountManagement bruteForceAttack
    allowAutoUnlock <disabled | enabled>
    consecutiveFailedAttemptAllowed <1-10>
    state <disabled | enabled>
    unlockTime <30-3600 seconds>
```
Command Parameters
| Parameter | Length/Range | Description |
|---|---|---|
| allowAutoUnlock | N/A | Enable Auto Unlock of an account blocked due to consecutive wrong password attempts. Values: disabled, enabled (default). |
| consecutiveFailedAttemptAllowed | 1-10 | `<number of attempts>` (default = 3) – Number of consecutive failed login attempts allowed before the account is locked. As a safety measure, the system will not lock out the last/only active Administrator user on the platform. |
| state | N/A | Enable/disable defense against brute force OAM password guessing attempts. Values: disabled, enabled (default). |
| unlockTime | 30-3600 seconds | `<unlock time>` (default = 30) – If the allowAutoUnlock flag is enabled, this parameter specifies the time (in seconds) to elapse before a locked account automatically unlocks. |

NOTE: You must first set state to 'disabled' before changing the value of consecutiveFailedAttemptAllowed.
Brute Force Attack OS
Use this configuration to defend against brute force attacks to Linux OS.
Command Syntax
```
% set system admin <SYSTEM NAME> accountManagement bruteForceAttackOS
    OSstate <disabled | enabled>
    allowOSAutoUnlock <disabled | enabled>
    consecutiveFailedOSAttemptAllowed <1-10>
    unlockOSTime <30-5400 seconds>
```
Command Parameters
| Parameter | Length/Range | Description |
|---|---|---|
| OSstate | N/A | Enable this flag to defend the Linux OS against brute force attacks. Values: disabled, enabled. |
| allowOSAutoUnlock | N/A | Enable this flag to automatically unlock the Linux OS account after a configurable number of seconds set by the unlockOSTime parameter. Values: disabled, enabled. |
| consecutiveFailedOSAttemptAllowed | 1-10 | `<number of failed attempts>` (default = 3) – Number of consecutive failed login attempts allowed before the account is locked. |
| unlockOSTime | 30-5400 seconds | `<time interval>` (default = 30 seconds) – Time interval after which the disabled Linux OS account will automatically unlock. |
Max Sessions
Command Syntax
```
% set system admin <SYSTEM NAME> accountManagement maxSessions <1-5>
```
Command Parameters
| Parameter | Length/Range | Description |
|---|---|---|
| maxSessions | 1-5 | Maximum number of simultaneous sessions allowed per user (default = 2). |
Password Aging
Password expiration related configuration.
Command Syntax
```
% set system admin <SYSTEM NAME> accountManagement passwordAging
    OSstate <disabled | enabled>
    passwordAgingPeriod <1-365 days>
    passwordExpiryWarningPeriod <3-14 days>
    passwordMinimumAge <1-365 days>
    state <disabled | enabled>
```
Command Parameters
| Parameter | Length/Range | Description |
|---|---|---|
| OSstate | N/A | Enable/disable password aging for OS users. Values: disabled, enabled (default). |
| passwordAgingPeriod | 1-365 days | `<number of days>` (default = 90) – The number of days to elapse, after which a password expires. |
| passwordExpiryWarningPeriod | 3-14 days | `<number of days>` (default = 12) – The number of days prior to the password expiry date on which the user receives a warning to change the password. |
| passwordMinimumAge | 1-365 days | `<number of days>` (default = 1) – Specify the number of days to elapse before a password is changeable by a non-Administrator user. |
| state | N/A | Use this flag to enable/disable the passwordAging feature. Values: disabled, enabled (default). |
Session Idle Timeout
Session idle timeout related configuration.
Command Syntax
```
% set system admin <SYSTEM NAME> accountManagement sessionIdleTimeout
    idleTimeout <1-120>
    state <disabled | enabled>
```
Command Parameters
| Parameter | Length/Range | Description |
|---|---|---|
| idleTimeout | 1-120 minutes | `<number of minutes>` (default = 10) – The amount of idle time, in minutes, to elapse before ending a session due to inactivity. |
| state | N/A | To use this feature, set this flag to "enabled". Values: disabled, enabled (default). |
SFTP Admin Login Enabled (Removed)
The SFTP Admin account has been removed.
Info: If only keys (no password) are injected for the admin CLI user, then passwordLoginSupport is disabled by default. If standalone EMA access is required, then enable it and use the generated password to invoke the EMA. There is no need to enable passwordLoginSupport if the EMA is accessed via the EMS.

Info: As sftpadmin is removed, the EMS uses an alternate CLI account in its Administrator group (like admin) for the SBC registration. There is no Cloud SBC impact because it uses emssftp. Refer to the Security and Security Best Practices sections in the current .
Use this flag to enable/disable the sftpadmin login. The default value is "true" (enabled).
Command Syntax
```
% set system admin <admin-name> accountManagement sftpadminLoginEnabled <false | true>
```
Command Parameters
| Parameter | Description |
|---|---|
| sftpadminLoginEnabled | Use this flag to enable/disable sftpadmin login. false – sftpadmin login is disabled. true (default) – sftpadmin login is enabled. |
Command Example
The following example uses the Account Management feature to accomplish the following actions:
- Allows a locked account to unlock after five minutes
- Enables defense against brute force attacks
- Sets the number of consecutive failed attempts to "3"
```
% set system admin MYSBC accountManagement bruteForceAttack state enabled allowAutoUnlock enabled consecutiveFailedAttemptAllowed 3 unlockTime 300
% show system admin MYSBC accountManagement bruteForceAttack
state enabled;
consecutiveFailedAttemptAllowed 3;
allowAutoUnlock enabled;
unlockTime 300;
```
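The following is an added example; it is not part of this documentation and not the SBC's own code. It parses `show system admin <SYSTEM NAME> accountManagement <object>` output in the `name value;` form shown above and checks every value against the Length/Range columns and defaults documented on this page for the accountManagement objects (OS account aging, account aging, account removal, brute force attack, brute force attack OS, password aging and session idle timeout), flagging values outside the documented range and protective state flags that are disabled. It also builds the ordered commands for changing consecutiveFailedAttemptAllowed, honouring the NOTE that state must be set to disabled first. The function names, the SCHEMA table and the second (weak) sample output are assumptions constructed for the example; the first sample output is the one from the command example above.

```python
"""Added example (not the documentation's or the SBC's own code): audit
`show ... accountManagement <object>` output against the documented
ranges and defaults, and plan a safe consecutiveFailedAttemptAllowed change."""
import re

ON_OFF = frozenset({"disabled", "enabled"})

# Documented Length/Range and defaults transcribed from the tables above:
# value = (allowed, default); allowed is a (low, high) integer range or an
# enumeration. default None means the page states no default.
SCHEMA = {
    "OSAccountAging": {"OSAccountAgingPeriod": ((7, 712), 30), "state": (ON_OFF, None)},
    "accountAging": {"accountAgingPeriod": ((30, 180), 30), "state": (ON_OFF, "enabled")},
    "accountRemoval": {"accountRemovalPeriod": ((60, 360), 270), "state": (ON_OFF, "disabled")},
    "bruteForceAttack": {
        "state": (ON_OFF, "enabled"), "allowAutoUnlock": (ON_OFF, "enabled"),
        "consecutiveFailedAttemptAllowed": ((1, 10), 3), "unlockTime": ((30, 3600), 30),
    },
    "bruteForceAttackOS": {
        "OSstate": (ON_OFF, None), "allowOSAutoUnlock": (ON_OFF, None),
        "consecutiveFailedOSAttemptAllowed": ((1, 10), 3), "unlockOSTime": ((30, 5400), 30),
    },
    "passwordAging": {
        "OSstate": (ON_OFF, "enabled"), "passwordAgingPeriod": ((1, 365), 90),
        "passwordExpiryWarningPeriod": ((3, 14), 12), "passwordMinimumAge": ((1, 365), 1),
        "state": (ON_OFF, "enabled"),
    },
    "sessionIdleTimeout": {"idleTimeout": ((1, 120), 10), "state": (ON_OFF, "enabled")},
}

# One `name value;` line of show output, e.g. `unlockTime 300;`
LINE_RE = re.compile(r"^\s*(\w+)\s+(\S+);\s*$")


def parse_show_output(text):
    """Return {parameter: value} from the `name value;` lines; prompt and
    command lines (no trailing semicolon) are skipped, integers converted."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, raw = m.groups()
            values[name] = int(raw) if raw.isdigit() else raw
    return values


def check_config(obj, values):
    """Return findings for one accountManagement object; an empty list means
    every documented parameter is present, in range, and no state flag is off."""
    findings, schema = [], SCHEMA[obj]
    for name, (allowed, default) in schema.items():
        if name not in values:
            findings.append(f"{obj}.{name}: not reported (documented default = {default})")
            continue
        value = values[name]
        if isinstance(allowed, frozenset):
            if value not in allowed:
                findings.append(f"{obj}.{name}: '{value}' is not one of {sorted(allowed)}")
            elif name.endswith("state") and value == "disabled":
                findings.append(f"{obj}.{name}: protection is disabled")
        else:
            low, high = allowed
            if not isinstance(value, int) or not low <= value <= high:
                findings.append(f"{obj}.{name}: {value} is outside the documented range {low}-{high}")
    for name in values:
        if name not in schema:
            findings.append(f"{obj}.{name}: not a documented parameter")
    return findings


def plan_failed_attempt_change(system_name, attempts):
    """Ordered set commands (without the `%` prompt) to change
    consecutiveFailedAttemptAllowed: disable state first, as the NOTE requires."""
    low, high = SCHEMA["bruteForceAttack"]["consecutiveFailedAttemptAllowed"][0]
    if not low <= attempts <= high:
        raise ValueError(f"consecutiveFailedAttemptAllowed must be {low}-{high}")
    base = f"set system admin {system_name} accountManagement bruteForceAttack"
    return [f"{base} state disabled",
            f"{base} consecutiveFailedAttemptAllowed {attempts}",
            f"{base} state enabled"]


# Show output from the command example on this page.
PAGE_EXAMPLE = """\
% show system admin MYSBC accountManagement bruteForceAttack
state enabled;
consecutiveFailedAttemptAllowed 3;
allowAutoUnlock enabled;
unlockTime 300;
"""

# Constructed sample (not from the page): defense off, unlockTime below the 30 s minimum.
WEAK_EXAMPLE = "state disabled;\nconsecutiveFailedAttemptAllowed 3;\nallowAutoUnlock enabled;\nunlockTime 10;\n"

if __name__ == "__main__":
    for label, text in (("page example", PAGE_EXAMPLE), ("weak example", WEAK_EXAMPLE)):
        print(label, check_config("bruteForceAttack", parse_show_output(text)) or "OK")
    print("\n".join(plan_failed_attempt_change("MYSBC", 5)))
```

Running it reports the page's example as clean and flags the constructed one twice (state disabled, unlockTime 10 out of range). The same `check_config` call works for any object in SCHEMA, so one `show` per object is enough to audit the whole accountManagement tree against this page.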