For Exadata servers, Oracle recommends using the host_access_control tool to change the password and authentication policies and to make other security settings.
Exadata Database Machine Security Guide for Oracle Exadata - https://docs.oracle.com/en/engineered-systems/exadata-databasemachine/dbmsq/managing-password-and-authentication-policies.html
. . .
3.4 Managing Password and Authentication Policies
Each Oracle Exadata server contains the host_access_control utility (/opt/oracle.cellos/host_access_control), which provides simple interfaces to view and modify the password and authentication policies.
Oracle recommends using the host_access_control utility to view and modify the password and authentication policies. You may perform customizations outside the scope of the host_access_control utility at your own cost and risk.
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control
Usage: [-q|--quiet] command [argument]
command is one of:
access - User access from hosts, networks, etc.
access-ilomweb - Control overall access from the ILOM Web Remote Console device (tty1)
access-export - Export access rules to a file
access-import - Import access rules via a supplied file
account-disable - Account disable days after password expiration
apply-defaults - Apply either secure or factory defaults for some settings
audit-rules - Import audit rules via a supplied file
auditd-options - Options for auditd
banner - Login banner management
fips-mode - Kernel FIPS mode control
grub-password - GRUB password control
idle-timeout - Shell and SSH client idle timeout control
ilom-configure - ILOM settings control
ilom-password - ILOM root user password control
kernel-dump - kdump (kernel dump file creation) control
maint-password - Diagnostic ISO shell and Rescue password control
nfs-server - Control the nfs-server and rpcbind services and sockets
pam-auth - PAM authentication settings: pam_faillock deny and unlock_time, password strength, and password history values
password-aging - Adjust current users' password aging
password-policy - Adjust the system's password age policies
rootssh - Root user SSH access control
selinux - Configuration for SELinux
session-limit - Limit the number of allowed concurrent sessions
ssh-access - Allow or deny user and group SSH access
sshciphers - SSH cipher support control
ssh-hostkeys - SSH server HostKey control
ssh-kexalgos - SSHD server KexAlgorithms
ssh-listen - Control the SSHD service optional ListenAddress entries
ssh-macs - SSH supported MACs
ssh-maxsessions - SSH MaxSessions control
ssh-moduli - Trim out short SSH moduli
ssh-pwauth - Control the sshd PawwordAuthentication setting
ssh-service - Control the SSHD service and active connections
ssh-x11forward - Control the SSHD X11Forwarding setting
sudo - User privilege control through sudo
sudodeny - Manage the Exadata sudo users deny list
capture-service - Maintenance command: capture the configured state of the given service, storing the setting in persistent storage.
get-runtime - Maintenance command: import system configuration settings, storing them in host_access_control parameter settings files.
restore - Maintenance command: reapply settings previously set by this utility, as in after an upgrade
(command help by using --help after command (no help with restore command))
The optional -q|--quiet option is used for silent/noprompting for use with cellcli and must be the first arg.
=========================================================================
Since the documentation only covers it briefly, I went through every sub-option of host_access_control, Exadata's built-in access-management tool, one by one.
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control access
usage: host_access_control [-h] [-s] [-a] [-r] [-u username] [-o list]
[--close] [--open]
User/Host Access Control
optional arguments:
-h, --help show this help message and exit
-s, --status Display current access rules
-a, --add Add (or replace) an allow rule for a user at origins
-r, --remove Remove an allow rule for a user
-u username, --user username
user for access. Must be a valid username to the local
system
-o list, --origins list
Comma separated list (no spaces) of origins for access
from. hostnames, networks, domains, etc. ALL for
unrestricted. Console and ILOM devices (ttyS0, tty1)
already included. Valid IPV4 and IPV6 host and network
formats are supported Examples: IPV4 host ip addr:
10.100.200.3 IPV4 network-cidr: 10.0.0.0/8 IPV4
network-bitmask: 10.0.0.0/255.0.0.0 IPV6 host ip addr:
fe80::0202:b3ff:fe1e:8329 IPV6 network addr:
2001:cdba:9abc::5678 IPV6 network-cidr:
2001:db8:a0b:12f0::1/64 hostname: foo.bar.org dns
domain: .foo.bar.org (See access.conf manpage)
--close Set or reset all access rules to a mostly closed
access ruleset
--open Set or reset all access rules to an open access
ruleset
=========================================================================
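The `--origins` value for the `access` command is a comma-separated list mixing IPv4/IPv6 hosts, CIDR and dotted-mask networks, hostnames and leading-dot DNS domains, and the help says nothing about what happens when a token is malformed. The script below is an added example (my own code, not part of the Exadata utility) that classifies each token into the categories the help text lists before the list is handed to the real tool; the category names and the rejection of unrecognised tokens are this script's choices, and a bare IPv6 address (the help's "IPV6 network addr" example) is reported as a single address.

```python
"""Pre-check for the list given to `host_access_control access --origins`.

Added example, not Oracle code: classifies each comma-separated origin into
the categories named in the access help text and rejects anything else, so a
typo is caught before the allow rule is written.
"""
import ipaddress
import re

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def classify_origin(token: str) -> str:
    """Return the origin category for one token, or raise ValueError."""
    if not token:
        raise ValueError("empty origin (check for a doubled or trailing comma)")
    if token == "ALL":
        return "all"  # unrestricted, as in the help text
    if token.startswith("."):
        # DNS domain suffix, e.g. .foo.bar.org
        if _HOSTNAME_RE.match(token[1:]):
            return "dns-domain"
        raise ValueError(f"bad dns domain: {token!r}")
    if "/" in token:
        # Network forms: IPv4 cidr, IPv4 dotted bitmask, IPv6 cidr.
        # strict=False because the help's own example (2001:db8:a0b:12f0::1/64)
        # has host bits set and access.conf accepts that.
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError as exc:
            raise ValueError(f"bad network: {token!r}") from exc
        if net.version == 6:
            return "ipv6-network-cidr"
        mask = token.split("/", 1)[1]
        return "ipv4-network-bitmask" if "." in mask else "ipv4-network-cidr"
    try:
        addr = ipaddress.ip_address(token)
        return f"ipv{addr.version}-host"  # bare address, IPv4 or IPv6
    except ValueError:
        pass
    if _HOSTNAME_RE.match(token):
        return "hostname"
    raise ValueError(f"unrecognised origin: {token!r}")


def check_origins(origins: str) -> dict:
    """Split a --origins value (comma separated, no spaces) and classify every token."""
    if " " in origins:
        raise ValueError("origins list must not contain spaces")
    return {tok: classify_origin(tok) for tok in origins.split(",")}


if __name__ == "__main__":
    # Constructed input built from the examples in the help text.
    sample = "10.100.200.3,10.0.0.0/8,10.0.0.0/255.0.0.0,fe80::0202:b3ff:fe1e:8329," \
             "2001:db8:a0b:12f0::1/64,foo.bar.org,.foo.bar.org"
    for tok, kind in check_origins(sample).items():
        print(f"{kind:22} {tok}")
```

Run it against the list you intend to pass to `--origins -u <user>`; a ValueError names the offending token, which is easier to spot here than in a rejected or, worse, silently over-broad access rule.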
[root@db01 oracle.cellos]# ./host_access_control access-ilomweb
usage: host_access_control [-h] [-s] [-l] [-u]
ILOM Web Console Access Control
optional arguments:
-h, --help show this help message and exit
-s, --status Disable ILOM Web console access
-l, --lock Disable ILOM Web console access
-u, --unlock Do not disable the ILOM Web Console access
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control access-export
usage: host_access_control [-h] [-f EXPORT_FILE]
Export Exadata Host Access Rules to a file.
optional arguments:
-h, --help show this help message and exit
-f EXPORT_FILE, --file EXPORT_FILE
Export Exadata Host Access Rules to the specified
file. (Specify the full, absolute file path)
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control access-import
usage: host_access_control [-h] [-f IMPORT_FILE]
Import a file into the Exadata Host Access Rules.
optional arguments:
-h, --help show this help message and exit
-f IMPORT_FILE, --file IMPORT_FILE
Import the given file into Exadata Host Access Rules.
(Specify the full, absolute file path)
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control account-disable
usage: host_access_control [-h] [-d DAYS] [--defaults] [--secdefaults] [-s]
Description - Inactive Account Disable Days Control:
Sets or gets the INACTIVE parameter in /etc/default/useradd,
which is the number of days after a password expires until
the account is permanently disabled. A value of 0 (**)
disables the account as soon as the password has expired,
and a value of -1 disables the feature.
(**Exadata secure default)
optional arguments:
-h, --help show this help message and exit
-d DAYS, --days DAYS The number of days before expiring an account. Input
limited to -1 or from 0 to 36500, -1 disables, 0
disables immediately.
--defaults Set useradd INACTIVE parameter to 35, *Exadata factory
default value
--secdefaults Set useradd INACTIVE parameter to **Exadata secure
default value
-s, --status Display current INACTIVE parameter setting
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control apply-defaults
usage: host_access_control [-h] [--strict_compliance_only] [--defaults]
[--status] [--info]
Apply secure default settings for several commands
optional arguments:
-h, --help show this help message and exit
--strict_compliance_only
apply secure defaults for each supported command
--defaults apply factory defaults for each supported command
--status get --status for each supported command
--info list commands supported by this control and an
explanation for settings applied with the apply-
defaults command
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control audit-rules
[2025-05-07 17:37:05 +0900] [WARNING] [IMG-SEC-0029] Command is not permitted on this system. audit-rules is not authorized.
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control auditd-options
usage: host_access_control [-h] [-p string] [-a string] [--defaults] [-s]
Auditd options control -
This control is to set options for auditd.
See the auditd.conf (5) manpage for details.
The "exec" action must be followed by a /path-to-script enclosed in quotes:
"exec /usr/local/bin/script"
The script must exist or auditd service will fail to start.
--space_left_action and --admin_space_left_action options may be combined
A reboot is required to effect this change.
optional arguments:
-h, --help show this help message and exit
-p string, --space_left_action string
set the action for space_left_action, ignore, syslog,
rotate, email, exec, suspend, single, halt.
-a string, --admin_space_left_action string
set the action for admin_space_left_action, ignore,
syslog, rotate, email, exec, suspend, single, halt.
--defaults Set auditd options to Exadata default values:
--space_left_action EMAIL --admin_space_left_action
SUSPEND
-s, --status Display the current settings for this control.
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control banner
usage: host_access_control [-h] [-f IMPORT_FILE] [-r] [-s]
Import or Remove a login banner.
optional arguments:
-h, --help show this help message and exit
-f IMPORT_FILE, --file IMPORT_FILE
Will import the given file into: /etc/issue,
/etc/issue.net, and /etc/motd (Specify the absolute
file path)
-r, --remove Remove the current login banner (if any)
-s, --status Display current login banner (if any)
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control fips-mode
usage: host_access_control [-h] [-e] [-d] [-s] [--info]
kernel FIPS mode control -
NOTE:
FOR SSH/SSHD FIPS compliance,
run the "host_access_controlsh-macs --secdefaults" command
optional arguments:
-h, --help show this help message and exit
-e, --enable enable kernel FIPS mode
-d, --disable disable kernel FIPS mode
-s, --status display the current kernel FIPS mode
--info information regarding enabling kernel FIPS mode
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control grub-password
New GRUB password:
[2025-05-07 17:38:13 +0900] [WARNING] [IMG-SEC-002F] Program exit from KeyboardInterrupt
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control idle-timeout
usage: host_access_control [-h] [-c CLIENT] [-i CLIENTALIVEINTERVAL]
[-m CLIENTALIVECOUNTMAX] [-l SHELL]
[-t STOPIDLESESSIONSEC] [--defaults] [-s]
Idle Timeout Settings Control
optional arguments:
-h, --help show this help message and exit
-c CLIENT, --client CLIENT
SSH client idle timeout. Option retained for backwards
compatibility. Number of seconds of inactivity on an
ssh connection before the connection is terminated.
Sets ClientAliveCountMax to 1 and ClientAliveInterval
to the given --client value. Input is limited from 0
to 31557600 (one year) (*Exadata factory default is
600 (10m))
-i CLIENTALIVEINTERVAL, --clientaliveinterval CLIENTALIVEINTERVAL
ClientAliveInterval, SSH client idle timeout. Number
of seconds of inactivity before a message is sent to
request a response from the client. Input is limited
from 0 (disabled) to 31557600 (one year) (*Exadata
factory default is 600 (10m))
-m CLIENTALIVECOUNTMAX, --clientalivecountmax CLIENTALIVECOUNTMAX
ClientAliveCountMax, SSH client idle timeout. The
number of client alive messages which may be sent
without sshd receiving any messages back from the
client. Input is limited from 0 to 100000 (*Exadata
factory default is 1)
-l SHELL, --shell SHELL
Shell idle timeout. Number of seconds of no input
before the shell will terminate. Input is limited to 0
or from 300 to 31557600 (one year) (*Exadata factory
default is 14400 (4h))
-t STOPIDLESESSIONSEC, --stopidlesessionsec STOPIDLESESSIONSEC
systemd-logind StopIdleSessionSec. Number of seconds
of idle time before a session is terminated. Input is
limited to the word infinity, or from 60 to 9999999
(*Exadata factory default is infinity)
--defaults Set all idle-timeout values to *Exadata factory
defaults
-s, --status Display current idle timeout settings
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control ilom-configure
usage: host_access_control [-h] [--get GET] [--set SET [SET ...]]
ILOM configuration controls.
optional arguments:
-h, --help show this help message and exit
--get GET Show a supported ILOM parameter value.
--set SET [SET ...] Set a supported ILOM parameter value.
Supported ILOM parameters:
cli-timeout [argument] (int), value in minutes from 0 to 1440
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control ilom-password
New ILOM root user password:
[2025-05-07 17:39:08 +0900] [WARNING] [IMG-SEC-002F] Program exit from KeyboardInterrupt
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control kernel-dump
[2025-05-07 17:39:30 +0900] [WARNING] [IMG-SEC-0029] Command is not permitted on this system. kernel-dump is not authorized.
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control maint-password
usage: host_access_control [-h] [-d] [-r] [-p PW_VARIABLE] [--reset]
Set or update the diagnostic shell or rescue password.
optional arguments:
-h, --help show this help message and exit
-d, --diag Set or update the Diagnostic Shell password
-r, --rescue Set or update the Rescue password
-p PW_VARIABLE, --pass PW_VARIABLE
Optionally supply a password (via a variable). (export
EXADATA_RESCUE_PASSWORD='password') Specify the
variable name only, no $ (--pass
EXADATA_RESCUE_PASSWORD). If --pass is not supplied, a
password input prompt will be presented. Permitted
passwords are 8-16 alphanumeric characters
--reset Reset the Diagnostic Shell and Rescue passwords to
Factory Defaults
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control nfs-server
usage: host_access_control [-h] [-e] [-d] [-s]
Description - Enable or disable the NFS Server services. This command will
operate on each of the following units: nfs-server.service, rpcbind.service,
rpcbind.socket. Besides enabling or disabling the units it will unmask and
mask the units. Masking of the NFS Server units is a security precaution.
optional arguments:
-h, --help show this help message and exit
-e, --enable Enable/Unmask NFS Server services and socket
-d, --disable Disable/Mask NFS Server services and socket
-s, --status Current NFS Server services and socket setting
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control pam-auth
usage: host_access_control [-h] [-d DENY] [-i INTERVAL] [-l UNLOCK_TIME]
[-p list] [-q PWQUALITY] [-r REMEMBER] [-e ENFORCE]
[--defaults] [--secdefaults] [-s]
PAM Authentication Settings Control
optional arguments:
-h, --help show this help message and exit
-d DENY, --deny DENY Number of consecutive failed login attempts
within {interval} before an account will be locked.
Input is limited to from 1 to 10.
This is the pam_faillock deny parameter.
*Exadata factory default is 3
-i INTERVAL, --interval INTERVAL
The number of seconds during which the
consecutive authentication failures must happen for the user account to be
locked out.
***Note: Setting to 0 disables LOCKING.
This is the pam_faillock fail_interval parameter.
*Exadata factory default is 900 (15 minutes)
-l UNLOCK_TIME, --lock UNLOCK_TIME
Number of seconds (integer) an account will be
locked due to {deny} failed login attempts within {interval}.
Input is limited to from 0 to 31557600 (one year).
***Note: Setting to 0 disables LOCKING by setting
interval to 0. This is for compatibility with the
older pam_tally2 method and this control.
This is the pam_faillock unlock_time parameter
*Exadata factory default is 900 (15m)
-p list, --passwdqc list
FOR SYSTEMS RUNNING ON LESS THAN OL7
Comma separated set of 5 values: N0,N1,N2,N3,N4
defining the minimum allowed length for different
types of password/passphrases. Each subsequent number
is required to be no larger than the preceding one
The keyword "disabled" can be used to disallow
passwords of a given kind regardless of their length.
Passwords must use three character classes. Character
classes for passwords are digits, lowercase letters,
uppercase letters, and other characters. Minimum
password length is 12 characters when using three
character classes. Minimum password length is 8
characters when using four character classes.
*Exadata factory default is 5,5,5,5,5
**Exadata secure default is disabled,disabled,16,12,8
(refer to the pam_passwdqc manpage for details)
-q PWQUALITY, --pwquality PWQUALITY
FOR SYSTEMS RUNNING ON OL7 AND GREATER
1. EITHER A SINGLE Integer, ranging from 6 to 40,
defining the minimum allowed password length. Other
values are defaulted as noted below by the Exadata
defaults.
All classes will be required for password changes as
well as other checks enforced for lengths >7. For
lengths <8, class requirements are not used.
*Exadata factory default is:
minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
difok=8 maxrepeat=3 maxclassrepeat=4
**Exadata secure default is:
minlen=15 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
difok=8 maxrepeat=3 maxclassrepeat=4
2. OR A COMMA SEPARATED LIST, representing values for:
minlen dcredit ucredit lcredit ocredit difok maxrepeat
maxclassrepeat minclass maxsequence gecoscheck
That is an 11 integer, comma separated list.
To set a default value for an option, use -8888. That
option will not be set.
Example: 40,-1,-1,-1,-1,8,3,4,0,-8888,-8888
Example: 8,-1,-1,-1,-1,8,3,4,0,0,0
Example: 15,-1,-1,-1,-1,8,3,4,0,0,0
(refer to the pam_pwquality manpage for details)
-r REMEMBER, --remember REMEMBER
The last n passwords to remember for password
change history.
Valid range is an integer from 0 to 1000.
*Exadata factory default is 5
-e ENFORCE, --enforce ENFORCE
Enforce for the root account the password
history and password quality settings.
"set" to add the enforce_for_root option.
"unset" to remove the enforce_for_root option.
This setting is NOT an Exadata default or secure default.
--defaults Set all pam-auth values to *Exadata factory defaults
--secdefaults Set all pam-auth values to **Exadata secure defaults
-s, --status Display current PAM authentication settings
=========================================================================
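The `--pwquality` argument has two shapes: a single minimum length from 6 to 40, or an 11-integer list in the order minlen, dcredit, ucredit, lcredit, ocredit, difok, maxrepeat, maxclassrepeat, minclass, maxsequence, gecoscheck with -8888 meaning "leave that option unset". The script below is an added example (my own code, not the utility's) that parses both forms, renders the resulting pam_pwquality options in the same layout the help prints, and compares them with the Exadata secure default. Two points are my assumptions: that the single-integer form fills the other options from the factory defaults (the help only says "Exadata defaults"), and that the 6..40 bound on minlen also applies in the list form.

```python
"""Pre-check for the value handed to `host_access_control pam-auth --pwquality`.

Added example, not Oracle code. Values and field order come from the pam-auth
help text; the two assumptions noted in the lead-in are marked below.
"""
FIELDS = ("minlen", "dcredit", "ucredit", "lcredit", "ocredit", "difok",
          "maxrepeat", "maxclassrepeat", "minclass", "maxsequence", "gecoscheck")
UNSET = -8888  # sentinel from the help text: that option will not be set
CREDIT_FIELDS = ("dcredit", "ucredit", "lcredit", "ocredit")

# Defaults exactly as printed by the help text.
FACTORY = {"minlen": 8, "dcredit": -1, "ucredit": -1, "lcredit": -1, "ocredit": -1,
           "difok": 8, "maxrepeat": 3, "maxclassrepeat": 4}
SECURE = dict(FACTORY, minlen=15)


def _minlen(text: str) -> int:
    minlen = int(text)
    if not 6 <= minlen <= 40:
        raise ValueError(f"minlen must be 6..40, got {minlen}")
    return minlen


def parse_pwquality(value: str) -> dict:
    """Return {option: int} for the pam_pwquality options the argument would set."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) == 1:
        # Form 1: single integer = minlen; other options default.
        # Assumption: the defaults used are the Exadata factory defaults.
        minlen = _minlen(parts[0])
        settings = dict(FACTORY, minlen=minlen)
        if minlen < 8:
            # Help text: for lengths <8 the character-class requirements are not used.
            for field in CREDIT_FIELDS:
                settings.pop(field)
        return settings
    if len(parts) != 11:
        raise ValueError(f"expected 1 or 11 values, got {len(parts)}")
    ints = [int(p) for p in parts]
    settings = {field: v for field, v in zip(FIELDS, ints) if v != UNSET}
    if "minlen" in settings:
        _minlen(str(settings["minlen"]))  # assumption: same bound in the list form
    return settings


def render(settings: dict) -> str:
    """Format like the help text: 'minlen=15 dcredit=-1 ...' in pam_pwquality order."""
    return " ".join(f"{field}={settings[field]}" for field in FIELDS if field in settings)


def meets_secure_default(settings: dict) -> bool:
    """True when minlen is at least the secure default and the remaining
    secure-default options are set to exactly the documented values."""
    if settings.get("minlen", 0) < SECURE["minlen"]:
        return False
    return all(settings.get(k) == v for k, v in SECURE.items() if k != "minlen")


if __name__ == "__main__":
    # The three example values from the help text, plus the single-integer form.
    for arg in ("40,-1,-1,-1,-1,8,3,4,0,-8888,-8888",
                "8,-1,-1,-1,-1,8,3,4,0,0,0",
                "15,-1,-1,-1,-1,8,3,4,0,0,0",
                "15"):
        parsed = parse_pwquality(arg)
        print(f"{arg:40} -> {render(parsed)}  secure={meets_secure_default(parsed)}")
```

The check is deliberately narrow: it only tells you whether a candidate argument is well-formed and whether it is at least as strict as the documented secure default. Whether a given value is accepted by pam_pwquality itself is still decided by the module on the host.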
[root@db01 oracle.cellos]# ./host_access_control password-aging
usage: host_access_control [-h] [-s] [-u USER] [--defaults] [--secdefaults]
[--policy] [-M int] [-m int] [-W int]
Description - Password Aging Control:
Sets or displays the current password aging for interactive user accounts.
For defining the password aging policy (used for account creation) use the
password-policy command.
optional arguments:
-h, --help show this help message and exit
-s, --status Display current user password aging
-u USER, --user USER A valid interactive user's username
--defaults Set all password-aging values to *Exadata factory
defaults for all interactive users
--secdefaults Set all password-aging values to **Exadata secure
defaults for all interactive users
--policy Set all password-aging values to the aging policy as
defind by the password-policy command (or
/etc/login.defs) for all interactive users
-M int, --maxdays int
Maximum number of days a password may be used. Input
limited to from 1 to 99999.
-m int, --mindays int
Minimum number of days allowed between password
changes. Input limited to from 0 to 99999, 0 for
anytime.
-W int, --warndays int
Number of days warning given before a password
expires. Input limited to from 0 to 99999.
Any option but --defaults, --secdefaults, and --status may be combined.
( *Exadata factory default values)
(**Exadata secure default values)
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control password-policy
usage: host_access_control [-h] [-s] [--defaults]
[--PASS_MAX_DAYS PASS_MAX_DAYS]
[--PASS_MIN_DAYS PASS_MIN_DAYS]
[--PASS_MIN_LEN PASS_MIN_LEN]
[--PASS_WARN_AGE PASS_WARN_AGE]
Description - Password Aging Policy Control:
Defines and displays the password aging policies for new account creation.
For active passord aging use the password-aging command.
optional arguments:
-h, --help show this help message and exit
-s, --status Display current password age settings
--defaults Set all password-policy values to *Exadata factory
defaults
--PASS_MAX_DAYS PASS_MAX_DAYS
Maximum number of days a password may be used. Input
limited to -1 or from 1 to 36500, -1 disables.
--PASS_MIN_DAYS PASS_MIN_DAYS
Minimum number of days allowed between password
changes. Input limited to -1 or from 1 to 36500, -1
disables.
--PASS_MIN_LEN PASS_MIN_LEN
Minimum acceptable password length. Input limited to
from 8 to 30.
--PASS_WARN_AGE PASS_WARN_AGE
Number of days warning given before a password
expires. Input limited to -1 or from 0 to 90. -1
disables.
Any option but --defaults and --status may be combined.
(*Exadata factory default values)
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control rootssh
usage: host_access_control [-h] [-l] [-u] [-k] [--defaults] [--secdefaults]
[-s]
SSH PermitRootLogin Control
optional arguments:
-h, --help show this help message and exit
-l, --lock Disable root SSH access (**Exadata secure default)
-u, --unlock Enable root SSH access (*Exadata factory default)
-k, --key Enable root SSH access, but disable password authentication
for root (keys allowed)
--defaults Set value for root ssh access to *Exadata factory default
--secdefaults Set value for root ssh access to **Exadata secure default
-s, --status current root SSH access
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control selinux
usage: host_access_control [-h] [-e] [-p] [-d] [-r] [-c] [-s]
SELinux configured state control
optional arguments:
-h, --help show this help message and exit
-e, --enforcing set the SELinux state to enforcing
-p, --permissive set the SELinux state to permissive
-d, --disabled set the SELinux state to disabled
-r, --relabel Relabel filesystems online. A reboot is not required
-c, --config Display the configured SELinux state
-s, --status Display the current SELinux status
This control is to set the desired SELinux state.
See the selinux(8) manpage for details.
A reboot is required to effect changes.
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control session-limit
usage: host_access_control [-h] [-l LIMIT] [--defaults] [--secdefaults] [-s]
Description - Session Limits (maxlogins) Control:
Sets or gets the '* hard maxlogins' parameter in /etc/security/limits.conf,
which is the maximum number of logins for all users,
(this limit does not apply to user with uid=0)
( *Exadata CELL factory default, 10)
( *Exadata DB factory default, 1000)
(**Exadata secure default, 10)
optional arguments:
-h, --help show this help message and exit
-l LIMIT, --limit LIMIT
The number of allowed concurrent login sessions. Input
limited to -1 (no limit) or from 0 to 10000.
--defaults Set maxlogins parameter to *Exadata factory default
value
--secdefaults Set maxlogins parameter to **Exadata secure default
value
-s, --status Display current maxlogins parameter setting
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control ssh-access
usage: host_access_control [-h] [-a] [-d] [-u USER] [-g GROUP] [-e] [-s]
Description:
Adds allow or deny rules to the SSH server configuration.
The --erase option REMOVES all access rules. --allow or --deny
OVERWRITES existing rules.
NOTE: No option will disturb Match Blocks.
See sshd_config(5) for more information on
AllowUsers, DenyUsers, AllowGroups, DenyGroups
NOTE: For controlling SSH access to the root account, use the
`host_access_control rootssh` command
optional arguments:
-h, --help show this help message and exit
-a, --allow Allow one or more users or groups SSH access.
-d, --deny Deny one or more users or groups SSH access.
-u USER, --user USER Comma separated list of usernames (no spaces). The
username may be local or take the form USER@HOST. See
PATTERNS in ssh_config(5) for more information on
username patterns. NOTE: No input verification is done
to validate actual usernames.
-g GROUP, --group GROUP
Comma separated list of groupnames (no spaces). See
PATTERNS in ssh_config(5) for more information on
groupname patterns. NOTE: No input verification is
done to validate actual groupnames.
-e, --erase Remove the configured SSH allow and deny access rules.
-s, --status Display the configured SSH allow or deny access rules.
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control sshciphers
usage: host_access_control [-h] [-r] [-c] [-b] [-e] [-d] [-p list]
[--defaults] [-s]
SSH cipher control
optional arguments:
-h, --help show this help message and exit
-r, --server Applies to the SSH server configuration
-c, --client Applies to the system-wide SSH client configuration
-b, --both Applies to both the SSH server and system-wide SSH
client configurations
-e, --enable Enable support for the given cipher list
-d, --disable Disable support for the given cipher list
-p list, --ciphers list
Comma-separated list (no spaces) of ciphers the action
applies to. Must be one or more of:
aes256-ctr,aes192-ctr,aes128-ctr
--defaults Apply the *Exadata factory default configuration for
this control
-s, --status Display the current SSH Cipher settings
*Exadata factory default: aes256-ctr,aes192-ctr,aes128-ctr
for both server and client
Example:
sshciphers --server --disable --ciphers aes128-ctr
sshciphers --both --disable --ciphers aes128-ctr,aes192-ctr,aes256-ctr
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control ssh-hostkeys
usage: host_access_control [-h] [-a] [-r] [-k list] [--defaults] [-s]
SSH HostKeys control
optional arguments:
-h, --help show this help message and exit
-a, --add Add given HostKey entries to the SSHD configuration
-r, --remove Remove given HostKey entries from the SSHD
configuration
-k list, --hostkeys list
Comma-separated list (no spaces) of HostKeys files the
action applies to.
--defaults Apply the *Exadata default configuration for this
control
-s, --status Display the current SSH HostKey entries
*Exadata default: /etc/ssh/ssh_host_rsa_key,/etc/ssh/ssh_host_ecdsa_key
Example:
ssh-hostkeys --remove --hostkeys /etc/ssh/ssh_host_rsa_key
ssh-hostkeys --add --hostkeys \
/etc/ssh/ssh_host_ecdsa_key,/etc/ssh/ssh_host_rsa_key
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control ssh-kexalgos
usage: host_access_control [-h] [-e] [-d] [-k list] [--defaults] [-s] [--info]
SSHD KexAlgorithms control
optional arguments:
-h, --help show this help message and exit
-e, --enable Enable support for the given KexAlgorithm list
-d, --disable Disable support for the given KexAlgorithm list
-k list, --kexalgos list
Comma-separated list (no spaces) of KexAlgorithms the
action applies to. Supprted KexAlgorithms are shown
with the --info option.
--defaults Apply the *Exadata default configuration for this
control
-s, --status Display the current SSH KexAlgorithms settings
--info Display the supported KexAlgorithms by the SSH Server
*Exadata default:
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
Example:
ssh-kexalgos --disable --kexalgos ecdh-sha2-nistp521
ssh-kexalgos --enable --kexalgos
diffie-hellman-group14-sha256,diffie-hellman-group16-sha512
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control ssh-listen
usage: host_access_control [-h] [-a] [-r] [--ipaddr list] [-s]
ssh-listen control
optional arguments:
-h, --help show this help message and exit
-a, --add Add given IPv4 or IPv6 address(es) to the sshd_config
optional ListenAddress entries
-r, --remove Remove given IPv4 or IPv6 address(es) from the sshd_config
optional ListenAddress entries
--ipaddr list Specify one or more comma separated IPv4 or IPv6 addresses
example: 10.100.200.3,192.168.220.12,2001:cdba:9abc::5678
-s, --status Configured sshd_config ListenAddress entries
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control ssh-macs
usage: host_access_control [-h] [-r] [-c] [-b] [-e] [-d] [-m list]
[--defaults] [--secdefaults] [-s] [--info]
SSH MACs control
optional arguments:
-h, --help show this help message and exit
-r, --server Applies to the SSH server configuration
-c, --client Applies to the system-wide SSH client configuration
-b, --both Applies to both the SSH server and system-wide SSH
client configurations
-e, --enable Enable support for the given MAC list
-d, --disable Disable support for the given MAC list
-m list, --macs list Comma-separated list (no spaces) of MACs the action
applies to. Supprted MACs are shown with the --info
option.
--defaults Apply the *Exadata default configuration for this
control
--secdefaults Apply the **Exadata secure default configuration for
this control
-s, --status Display the current SSH MACs settings
--info Display the supported MACs by the SSH Server
*Exadata default: hmac-sha2-512,hmac-sha2-256,hmac-sha1 for both server and client
**Exadata secure default: hmac-sha2-512,hmac-sha2-256 for both server and client
Example:
ssh-macs --server --disable --macs hmac-sha1
ssh-macs --both --disable --macs hmac-sha2-512,hmac-sha2-256
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control ssh-maxsessions
usage: host_access_control [-h] [-n NUMBER] [--defaults] [-s]
SSHD MaxSessions Control
optional arguments:
-h, --help show this help message and exit
-n NUMBER, --number NUMBER
MaxSessions. The maximum number of open sessions
permitted per network connection. The Exadata default
is 10.
--defaults Set value for SSH maximum sessions to the Exadata
factory default
-s, --status Show the current SSH maximum sessions setting
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control ssh-moduli
usage: host_access_control [-h] [-t] [-s]
SSHD moduli trim control
optional arguments:
-h, --help show this help message and exit
-t, --trim Trim out short (<2048) sshd moduli from /etc/ssh/moduli. There
is no undo or restore from this action. A one-time original
backup is saved to
/etc/exadata/security/keepfiles/sshd_moduli.orig
-s, --status Print the status of configured short sshd moduli.
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control ssh-pwauth
usage: host_access_control [-h] [-d] [-e] [--defaults] [-s]
SSHD PasswordAuthentication Control
optional arguments:
-h, --help show this help message and exit
-d, --disable Disable SSH password authenticated access
-e, --enable Enable SSH password authenticated access (*Exadata factory
default)
--defaults Set value for SSH password authenticated access to the
*Exadata factory default
-s, --status Show the current SSH password authenticated access setting
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control ssh-service
usage: host_access_control [-h] [-e] [-d] [-k] [-s]
SSH service control
optional arguments:
-h, --help show this help message and exit
-e, --enable Enable SSH service (*Exadata default)
-d, --disable Disable SSH service
-k, --disable-kill Disable SSH service AND terminate all active sessions
-s, --status Current SSH service setting
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control ssh-x11forward
usage: host_access_control [-h] [-d] [-e] [--defaults] [-s]
SSH X11Forwarding Control
optional arguments:
-h, --help show this help message and exit
-d, --disable disable SSHD X11Forwarding (*Exadata factory default)
-e, --enable enable SSHD X11Forwarding
--defaults Set value for X11Forward to *Exadata factory default
-s, --status current SSH X11Forward setting
=========================================================================
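Several of the controls above (sshciphers, ssh-kexalgos, ssh-macs, rootssh, ssh-x11forward, ssh-maxsessions) end up as directives in sshd_config, and the help text prints the expected values. The script below is an added example (my own code, not Oracle's) that parses an sshd_config excerpt and reports directives that differ from those values, which is handy for reviewing a config copied off a host or for spotting drift after an upgrade. The mapping from each control to a directive, and in particular reading `rootssh --lock` as `PermitRootLogin no`, is my assumption; the expected values are the secure default where the help prints one (MACs, root SSH) and the factory default otherwise. The sshd_config excerpt is constructed for the example.

```python
"""Offline check of sshd_config directives against the values printed in the
host_access_control help text. Added example, not Oracle code."""
import re

# directive -> (expected value, host_access_control command that sets it)
# The directive mapping is an assumption; the values are from the help text.
EXPECTED = {
    "Ciphers": ("aes256-ctr,aes192-ctr,aes128-ctr", "sshciphers --defaults"),
    "MACs": ("hmac-sha2-512,hmac-sha2-256", "ssh-macs --secdefaults"),
    "KexAlgorithms": (",".join([
        "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
        "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256",
        "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"]),
        "ssh-kexalgos --defaults"),
    "PermitRootLogin": ("no", "rootssh --lock"),
    "X11Forwarding": ("no", "ssh-x11forward --defaults"),
    "MaxSessions": ("10", "ssh-maxsessions --defaults"),
}
LIST_VALUED = {"ciphers", "macs", "kexalgorithms"}  # compared as sets, order-insensitive

# Constructed excerpt, not taken from a real Exadata host.
SAMPLE_SSHD_CONFIG = """\
# sshd_config excerpt (constructed)
Port 22
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
KexAlgorithms diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
PermitRootLogin yes
X11Forwarding no
MaxSessions 10
Match User oracle
    X11Forwarding yes
"""


def parse_sshd_config(text: str) -> dict:
    """Return {lowercase keyword: value} for the global section only.

    sshd uses the first occurrence of a keyword, so later duplicates are ignored,
    and parsing stops at the first Match block because its directives are
    conditional (the ssh-access help also treats Match blocks as separate)."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return seen


def disallowed_entries(found: str, expected: str) -> list:
    """Algorithms present in a list-valued directive but absent from the expected set."""
    return sorted(set(found.split(",")) - set(expected.split(",")))


def check_sshd(text: str) -> list:
    """Return (directive, found, expected, command) for every directive that
    differs from EXPECTED; found is None when the directive is absent, in which
    case sshd applies its own built-in default rather than the Exadata value."""
    cfg = parse_sshd_config(text)
    findings = []
    for directive, (expected, command) in EXPECTED.items():
        found = cfg.get(directive.lower())
        if directive.lower() in LIST_VALUED:
            ok = found is not None and set(found.split(",")) == set(expected.split(","))
        else:
            ok = found is not None and found.lower() == expected.lower()
        if not ok:
            findings.append((directive, found, expected, command))
    return findings


if __name__ == "__main__":
    for directive, found, expected, command in check_sshd(SAMPLE_SSHD_CONFIG):
        extra = disallowed_entries(found, expected) if directive.lower() in LIST_VALUED and found else []
        print(f"{directive}: found {found!r}, expected {expected!r}"
              f"{' (extra: ' + ','.join(extra) + ')' if extra else ''} -> {command}")
```

On the constructed excerpt the script flags two things: `MACs` still lists hmac-sha1, which `ssh-macs --secdefaults` (or `--disable --macs hmac-sha1`) removes, and `PermitRootLogin yes`, which `rootssh --lock` turns off. The `X11Forwarding yes` inside the Match block is not reported because it applies only to that user; review Match blocks by hand.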
[root@db01 oracle.cellos]# ./host_access_control sudo
usage: host_access_control [-h] [-a] [-r] [-u username] [-t username] [-n]
[-s]
sudoers rules control
optional arguments:
-h, --help show this help message and exit
-a, --add Add a sudo rule for user to privilege escalate to
t(arget)user
-r, --remove Remove sudo rule(s) for user (if no --tuser specified
then all rules for --user will be removed)
-u username, --user username
Source user for privilege escalation. User will be
created if not found.
-t username, --tuser username
Target user to privilege escalate to. Must be a valid
username to the local system.
-n, --nopasswd Add the NOPASSWD: option to added rule.
-s, --status Display sudo rules for user
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control sudodeny
usage: host_access_control [-h] [-a] [-r] [-s] [-u list]
sudo users deny list control
optional arguments:
-h, --help show this help message and exit
-a, --add Add one or more usernames to the sudoer users deny
list
-r, --remove Remove one or more usernames from the sudoer users
deny list
-s, --status Display if one or more usernames are on the sudo user
deny list
-u list, --user list Comma separated list of usernames (no spaces). The
usernames need not be existing users on the system.
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control capture-service
usage: host_access_control [-h] [--service SYSTEM_SERVICE]
capture-service control
optional arguments:
-h, --help show this help message and exit
--service SYSTEM_SERVICE
Capture the given service configured state for use
with the restore command. (only .service units are
supported for systemd)
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control get-runtime
[2025-05-07 17:48:10 +0900] [INFO] [IMG-SEC-0043] Get runtime complete
=========================================================================
[root@db01 oracle.cellos]# ./host_access_control restore
[2025-05-07 17:49:18 +0900] [INFO] [IMG-SEC-0003] Restore complete