Oracle Cloud Infrastructure Documentation

Security Configurations Require Credential Rotation after 90 days

The default security configuration for the Oracle Linux 6.9 and 7.4 images released between December 18, 2017 and April 5, 2018 requires that credential rotation occur within 90 days. If you do not rotate credentials within the 90-day time frame, access to the instance will be denied.

Oracle Linux images launched April 6, 2018 and later do not have this default security configuration.

Perform the steps below to modify the default security configuration for instances based on Oracle Linux 6.9 and 7.4 images released between December 18, 2017 and April 5, 2018.

Modify the Configuration for Instances You Can Access

If you are able to access your instances, run the following shell script to remove the 90-day credential rotation requirement that was enabled by default.

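#!/bin/bash

# The script edits /etc/shadow, /etc/default/useradd and /etc/login.defs, so it must run as root
if [ "$EUID" -ne 0 ]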
    then echo "Please run under sudo, or as root"
    exit 1
fi

if [[ $( grep -c "Maipo" /etc/redhat-release ) -gt 0 ]]
    # Oracle Linux 7
    then CMD_PREFIX=/usr
else
    CMD_PREFIX=""
fi

# Fix existing users: set max age 99999 and clear the inactive period (original kept as /etc/shadow.bkp)
if [[ $( $CMD_PREFIX/bin/grep -c ":90:7:90:" /etc/shadow ) -gt 0 ]]; then
    echo "Fixing affected users"
    $CMD_PREFIX/bin/sed -i.bkp 's/:90:7:90:/:99999:7::/g' /etc/shadow
fi

# Change the defaults from useradd: /etc/default/useradd
if [[ $( $CMD_PREFIX/bin/egrep -c "^INACTIVE=90" /etc/default/useradd ) -gt 0 ]]; then
    echo "Fixing useradd defaults"
    $CMD_PREFIX/bin/sed -i.bkp '/INACTIVE=90/d' /etc/default/useradd
    $CMD_PREFIX/bin/sed -i.bkp2 's/#INACTIVE=-1/INACTIVE=-1/g' /etc/default/useradd
fi

# Change the password aging default (PASS_MAX_DAYS in /etc/login.defs) for new users
if [[ $( $CMD_PREFIX/bin/egrep -c "^PASS_MAX_DAYS 90" /etc/login.defs ) -gt 0 ]]; then
    echo "Fixing PAM defaults"
    $CMD_PREFIX/bin/sed -i.bkp '/PASS_MAX_DAYS 90/d' /etc/login.defs
    $CMD_PREFIX/bin/sed -i.bkp2 's/#PASS_MAX_DAYS\s*99999/PASS_MAX_DAYS 99999/g' /etc/login.defs
fi
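
A read-only check run before the script shows which accounts and defaults it would change, and how many days each affected account has left. This is an added example, not part of Oracle's documentation: the function names `affected_accounts` and `defaults_affected` and the sample data are constructed here, and the days-left figure assumes the shadow(5) rule that a password expires at last change plus maximum age.

```shell
#!/bin/sh
# Added example, not Oracle's script. Read-only: no file is modified.
# shadow(5) fields: 1=name 3=last change (days since 1970-01-01)
#                   5=max age 6=warn 7=inactive

# affected_accounts SHADOW_FILE [TODAY_IN_DAYS]
# Prints "name days_left" for each account carrying the 90/7/90 policy,
# the same field pattern (:90:7:90:) the script above rewrites.
# days_left = last_change + max - today; zero or negative means expired.
affected_accounts() {
    awk -F: -v today="${2:-$(( $(date +%s) / 86400 ))}" '
        $5 == 90 && $6 == 7 && $7 == 90 {
            if ($3 == "")      left = "unknown"          # no last-change date recorded
            else if ($3 == 0)  left = "change-required"  # must change at next login
            else               left = $3 + $5 - today
            print $1, left
        }' "$1"
}

# defaults_affected USERADD_FILE LOGIN_DEFS_FILE
# Returns 0 if either defaults file would still apply the policy to
# newly created users (same patterns the script above tests for).
defaults_affected() {
    grep -Eq '^INACTIVE=90' "$1" || grep -Eq '^PASS_MAX_DAYS 90' "$2"
}

# Constructed sample data (not from a real system); day 17600 is 2018-03-10.
sample=$(mktemp)
cat > "$sample" <<'EOF'
opc:!!:17530:0:90:7:90::
root:!!:17590:0:99999:7:::
svc:!!:17595:0:90:7:90::
EOF
affected_accounts "$sample" 17600
rm -f "$sample"
```

On an instance, run `affected_accounts /etc/shadow` and `defaults_affected /etc/default/useradd /etc/login.defs` as root; accounts with the fewest days left are the ones to fix first.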

Recovery Steps for Instances Where Access Is Denied

If access to the instance is denied, and you are unable to log in, do not terminate the instance. You will need to perform the recovery steps applicable to the Oracle Linux version to regain access. See one of the following topics: