You are viewing an old version of this page. View the current version.
Compare with Current
View Page History
« Previous
Version 5
Next »
Use this object to manage account and password-related configurations. For password rules configuration, refer to Password Rules - CLI.
OS Account Aging
To minimize the possibility of an unauthorized user compromising inactive OS user accounts (root / linuxadmin / rss), configure this parameter to specify the number of days of OS account inactivity (OSAccountAgingPeriod
) before the account is automatically disabled.
Command Syntax
% set system admin <SYSTEM NAME> accountManagement OSAccountAging
OSAccountAgingPeriod <7-712 days>
state <disabled | enabled>
Command Parameters
OS Account Aging Parameters
Parameter | Length/Range | Description |
---|
OSAccountAgingPeriod | 7-712 days | <period> (default = 30) – The number of days of inactivity before the OS user is disabled. |
state | N/A | Enable this flag to apply the account aging period to OS users. |
Account Aging
Command Syntax
% set system admin <SYSTEM NAME> accountManagement accountAging
accountAgingPeriod <30-180 days>
state <disabled | enabled>
Command Parameters
Parameter | Length/Range | Description |
---|
accountAgingPeriod | 30-180 days | <period> (default = 30) – Use this parameter to specify the number of days to elapse, after which the account is locked if left unused ount expiration duration, in days, for accounts other than OS management users.
|
state | N/A | Set flag to "enabled" to enable account aging system-wide. disabled enabled (default)
|
Account Removal
Use this parameter to configure the account removal period.
Command Syntax
% set system admin <SYSTEM NAME> accountManagement accountRemoval
accountRemovalPeriod <60-360 days>
state <disabled | enabled>
Command Parameters
Brute Force Attack Parameters
Parameter | Length/Range | Description |
---|
accountRemovalPeriod | 60-360 days | <period> – The number of days to elapse for an unused user account before it is automatically (default = 270 days). |
state | N/A | Administrative state of this feature. disabled (default)enabled
NOTE: Refer to Local Authentication - CLI to enable/disable this feature for a specific user. |
Brute Force Attack
Configuration for defense against brute force OAM password guessing attempts.
Command Syntax
% set system admin <SYSTEM NAME> accountManagement bruteForceAttack
allowAutoUnlock <disabled | enabled>
consecutiveFailedAttemptAllowed <1-10>
state <disabled | enabled>
unlockTime <30-3600 seconds>
Command Parameters
Brute Force Attack Parameters
Parameter | Length/Range | Description |
---|
allowAutoUnlock | N/A | Enable Auto Unlock of an account blocked due to consecutive wrong password attempts. disabled (default)enabled
|
consecutiveFailedAttemptAllowed | 1-10 | <number of attempts> (default = 3) – Number of consecutive failed login attempts allowed before account is locked. As a safety measure, the system will not lock out the last/only active Administrator user on
Unable to show "metadata-from": No such page "_space_variables" platform. |
state | N/A | Enable/disable defense against brute force OAM password guessing attempts. disabled (default) enabled
|
unlockTime | 30-3600 seconds | <unlock time> (default = 30) – If allowAutoUnlock flag is enabled, this parameter specifies the time (in seconds) to elapse before a locked account automatically unlocks.
NOTE: You must first set state to 'disabled ' before changing the value of consecutiveFailedAttemptAllowed . |
Brute Force Attack OS
Use this configuration to defend against brute force attacks to Linux OS.
Command Syntax
% set system admin <SYSTEM NAME> accountManagement bruteForceAttackOS
OSstate <disabled | enabled>
allowOSAutoUnlock <disabled | enabled>
consecutiveFailedOSAttemptAllowed <1-10>
unlockOSTime <30-5400 seconds>
Command Parameters
Brute Force Attack Parameters
Parameter | Length/Range | Description |
---|
OSstate | N/A | Enable this flag to defend the Linux OS against brute force attacks. enabled disabled (default)
|
allowOSAutoUnlock | N/A | Enable this flag to automatically unlock the Linux OS account after a configurable number of seconds set by unlockOSTime parameter. enabled disabled (default)
|
consecutiveFailedOSAttemptAllowed | 1-10 | <Number of failed attempts> (default = 3) – Number of consecutive failed login attempts allowed before account is locked.
|
unlockOSTime | 30-5400 seconds | < time interval> (default = 30 seconds) – Time interval after which the disabled Linux OS account will automatically unlock.
|
Max Sessions
Command Syntax
% set system admin <SYSTEM NAME> accountManagement maxSessions <1-5>
Command Parameters
Parameter | Length/Range | Description |
---|
maxSessions | 1-5 | Maximum number of simultaneous sessions allowed per user (default = 2). |
Password Aging
Password expiration related configuration.
Command Syntax
% set system admin <SYSTEM NAME> accountManagement passwordAging
OSstate <disabled | enabled>
passwordAgingPeriod <1-365 days>
passwordExpiryWarningPeriod <3-14 days>
passwordMinimumAge <1-365 days>
state <disabled | enabled>
Command Parameters
Password Aging Parameters
Parameter | Length/Range | Description |
---|
OSstate | N/A | Enable/disable password aging for OS users. disabled enabled (default)
|
| 1-365 days | <number of days> (default = 90) – The number of days to elapse, after which a password expires.
|
passwordExpiryWarningPeriod | 3-14 days | <number of days> (default = 12) – The number of days prior to the password expiry date on which the user receives a warning to change the password.
|
passwordMinimumAge | 1-365 days | <number of days> (default = 1) – Specify the number of days to elapse before a password is changeable by a non-Administrator user. |
state | N/A | Use this flag to enable/disable passwordAging feature. disabled enabled (default)
|
Session Idle Timeout
Session idle timeout related configuration.
Command Syntax
% set system admin <SYSTEM NAME> accountManagement sessionIdleTimeout
idleTimeout <1-120>
state <disabled | enabled>
Command Parameters
Parameter | Length/Range | Description |
---|
idleTimeout | 1-120 minutes | <number of minutes> (default = 10) – The amount of idle time, in minutes, to elapse before ending a session due to inactivity.
|
state | N/A | To use this feature, set this flag to "enabled". disabled enabled (default)
|
SFTP Admin Removed
The SFTP Admin account has been removed.
Command Example
The following example uses the Account Management feature to accomplish the following actions:
% set system admin MYSBC accountManagement bruteForceAttack state enabled allowAutoUnlock enabled consecutiveFailedAttemptAllowed 3 unlockTime 300
% show system admin MYSBC accountManagement bruteForceAttack
state enabled;
consecutiveFailedAttemptAllowed 3;
allowAutoUnlock enabled;
unlockTime 300;