About local user accounts
Managing local user accounts refers to the tasks of creating, viewing, modifying, and deleting user accounts that reside on the BIG-IP® system.
The BIG-IP system stores local user accounts (including user names, passwords, and user roles) in a local user-account database. When a user logs into the BIG-IP system using one of these locally stored accounts, the BIG-IP system checks the account to determine the user role assigned to that user account for each partition to which the user has access. For example, suppose you grant local user jsmith access to partitions A and B, and in the process assign her a role of Manager for partition A and a role of Operator for partition B. This means that user jsmith can create, modify, and delete several types of local traffic objects that reside in partition A, but in partition B she is restricted to enabling and disabling nodes, pool members, virtual servers, and virtual addresses. For user rjones, you can grant him access to the same partitions A and B, but assign him the roles of Certificate Manager and Guest, respectively. For user rjones, this means that with respect to partition A, he can fully manage digital certificates that reside in that partition, but he has no permission to manage other types of objects in the partition. For objects in partition B, he has read access only.

Displaying a list of local user accounts
Before performing this task, ensure that you have a role of Administrator or that you have a role of User Manager for the relevant partition. Using the BIG-IP® Configuration utility, you can display a list of existing local user accounts. If the user role assigned to your account is Administrator, you can view any user account on the BIG-IP® system, in any partition. If the user role assigned to your account is User Manager, you can view any user account in any partition to which you have access on the BIG-IP system.
Creating a local user account
To perform this task, you must have the Administrator or User Manager user role assigned to your user account. Note that if the user role assigned to your account is User Manager, you can only create a user account in the partitions to which you have access. You perform this task to create a local user account for BIG-IP® administrative users. Note: User accounts on the BIG-IP® system are case-sensitive. Thus, the system treats user accounts such as JONES and Jones as two separate user accounts. Note, however, that certain user names, such as admin, are reserved, and are therefore exempt from case-sensitivity. For example, you cannot create a user account named Admin, aDmin, or ADMIN.
After you perform this task, a user account exists on the BIG-IP system that assigns one or more roles, each corresponding to a partition on the system. The task also grants some level of terminal access, either tmsh or Bash shell access.

Viewing the properties of a local user account
Before performing this task, ensure that you have a user role of Administrator or that you have a role of User Manager for the relevant partition. Using the BIG-IP® Configuration utility, you can view the properties of an individual account.
Modifying the properties of a local user account
Before performing this task, ensure that you have a user role of Administrator or that you have a role of User Manager for the relevant partition. Using the BIG-IP® Configuration utility, you can modify the properties of an existing local user account, other than the root account. Warning: If you change a role on a user account while the user is logged into the system through the Traffic Management Shell (tmsh), the BIG-IP system terminates the user's tmsh session when the user subsequently issues another tmsh command.
Deleting a local user account
Before performing this task, ensure that you have a user role of Administrator or that you have a role of User Manager for the relevant partition. When you delete a local user account, you remove it permanently from the local user-account database on the BIG-IP system. If the account you are using has the Administrator or User Manager user role, you can delete other local user accounts. A user with the Administrator role can delete any user account on the BIG-IP® system in any partition. A user with the User Manager role can delete user accounts on the BIG-IP system in only those partitions to which she has access. Note: You cannot delete the admin user account, nor can you delete the user account with which you are logged in. Warning: The Administrator user role provides access to the BIG-IP system prompt. If another user with the Administrator user role is currently logged in to the system and you delete the user account, the user can still run commands at the BIG-IP system command prompt until he or she logs off the system.
Properties of a local BIG-IP system user account
This table lists and describes the properties that define a local BIG-IP user account.
About secure password policy configuration
The BIG-IP® system includes an optional administrative feature: a security policy for creating passwords for local BIG-IP system user accounts. A secure password policy ensures that BIG-IP system users who have local user accounts create and maintain passwords that are as secure as possible. The secure password policy feature includes two distinct types of password restrictions:

Enforcement restrictions
These are, specifically, character restrictions that you can enable or disable. They consist of the minimum password length and the required character types (numeric, uppercase, lowercase, and other kinds of characters). Even when enabled, the BIG-IP system never enforces these restrictions on user accounts that have the Administrator role assigned to them. Consequently, a user with Administrator permissions does not need to adhere to these restrictions when either changing his or her own password or changing the passwords of other user accounts.

Policy restrictions
These restrictions represent the minimum and maximum lengths of time that passwords can be in effect. Also included in this type of policy restriction are the number of days prior to password expiration that users are warned, and the number of previous passwords that the BIG-IP system should store, to prevent users from re-using former passwords. These restrictions are always enabled, although using the default values provides a minimal amount of restriction.

Passwords for remotely stored user accounts are not subject to this password policy, but might be subject to a separate password policy defined on the remote system.

Configuration settings for a secure password policy
This table lists and describes the settings for a password policy.
Configuring a password policy for administrative users
Use this procedure to require BIG-IP® system users to create strong passwords and to specify the maximum number of BIG-IP login failures that the system allows before the user is denied access. Important: You must have the user role of Administrator assigned to your account to configure this feature.
User authentication lockout
When you configure the password policy restrictions for user accounts, you can configure the number of failed authentication attempts that a user can perform before the user is locked out of the system. If a user becomes locked out, you can remove the lock to re-enable access for the user.

Unlocking a user account
Before performing this task, you must have an Administrator user role or have a User Manager role with access to the partition containing the locked user account. If a user exceeds the number of failed login attempts that the password policy allows, the BIG-IP system locks the user account. You can perform this task to unlock the account.
After you perform this task, the user can attempt to log in to the BIG-IP system.
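The following is an added model, not F5 code, of the two password-policy restriction types described above together with the login-failure lockout and unlock task: enforcement restrictions (minimum length and required character types) that are skipped when the account making the change has the Administrator role, the always-on password-memory restriction that applies even to Administrators, and a failure counter that locks the account at the configured maximum. The default values, the character-class tests, the SHA-256 digest used for the password history, and the password-age and warning-day settings being left out are all assumptions of this example.

```python
from dataclasses import dataclass, field
import hashlib

# Character classes counted by the enforcement restrictions.
CHAR_TESTS = {"numeric": str.isdigit, "uppercase": str.isupper,
              "lowercase": str.islower, "special": lambda c: not c.isalnum()}

@dataclass
class PasswordPolicy:
    min_length: int = 6          # constructed defaults, not BIG-IP's actual ones
    required: dict = field(default_factory=lambda: dict.fromkeys(CHAR_TESTS, 1))
    password_memory: int = 3     # previous passwords kept to block re-use
    max_login_failures: int = 3  # failed logins before the account is locked
@dataclass
class LocalUser:
    history: list = field(default_factory=list)  # digests of past passwords
    failures: int = 0
    locked: bool = False

def _digest(pw):  # illustrative only; real BIG-IP password storage is not modeled
    return hashlib.sha256(pw.encode()).hexdigest()

def set_password(policy, user, pw, changer_role):
    # Returns the violations; an empty list means the new password was accepted.
    problems = []
    # Enforcement restrictions never apply when the changer is an Administrator.
    if changer_role != "Administrator":
        if len(pw) < policy.min_length:
            problems.append("too short")
        for kind, need in policy.required.items():
            if sum(map(CHAR_TESTS[kind], pw)) < need:
                problems.append(f"needs {need} {kind}")
    # The password-memory policy restriction is always on, even for Administrators.
    recent = user.history[-policy.password_memory:] if policy.password_memory else []
    if _digest(pw) in recent:
        problems.append("reused")
    if not problems:
        user.history.append(_digest(pw))
    return problems

def login(policy, user, pw):
    # A locked account fails even with the right password; reaching the maximum locks it.
    if not user.locked and user.history and _digest(pw) == user.history[-1]:
        user.failures = 0
        return "ok"
    user.failures += 1
    user.locked = user.failures >= policy.max_login_failures
    return "locked" if user.locked else "failed"

def unlock(user):  # the unlock task performed by an Administrator or User Manager
    user.locked, user.failures = False, 0
```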