Unlock the admin user account: unlock admin
Reset the cli user password: store user password
Generate a new layout for a role based on a user layout: generate-role-layout
Use the following commands to control user passwords:
store password disable - Set the number of days after which an inactive account will be disabled.
store password expiration - Set the number of days after which a password will expire.
store password validation - Enable or disable the hardened password validation rules.
Use the account lockout commands to disable a Guardium user account after one or more failed login attempts. Use these commands to:
Enable or disable the feature. See store account lockout.
Set the maximum number of login failures allowed an account within a given time interval. See store account strike count and store account strike interval.
Set the maximum number of failures allowed an account for the life of the Guardium appliance. See store account strike max.
To unlock the admin user account in the event it becomes locked, see the unlock admin command description.
After a Guardium user account has been disabled, it can be enabled from the Guardium portal, and only by users with the accessmgr role, or the admin user.
Enable account lockout, lock an account after 5 login failures within 10 minutes, and set the maximum number of failures allowed to 999.
store account lockout on
store account strike count 5
store account strike interval 10
store account strike max 999
If the admin user account is locked, use the unlock admin command to unlock it.
If account lockout is enabled, setting the strike count or strike max to zero does NOT disable that type of check. On the contrary, it means that after just one failure the user account will be disabled!
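The zero-value pitfall above is easy to miss when reviewing a change script. The following Python check is an added example, not IBM code: it reads a list of the store commands documented on this page and flags the values the page describes as weak or easy to misread. The sample script is constructed, and settings the script omits are assumed to be at the installation defaults this page states.

```python
import re

# Constructed sample: a change script built from store commands on this page.
SAMPLE = """\
store account lockout on
store account strike count 0
store account strike interval 10
store account strike max 999
store password expiration 0
store password validation off
"""

KNOWN = ("account lockout", "account strike count", "account strike interval",
         "account strike max", "password disable", "password expiration",
         "password validation")
# Installation defaults stated on this page; assumed for settings the script omits.
DEFAULTS = {"password disable": "0", "password expiration": "90", "password validation": "on"}

def parse(script):
    """Return {setting: value} for recognised 'store <setting> <value>' lines."""
    found = {}
    for line in script.splitlines():
        m = re.match(r"\s*store\s+(.+?)\s+(\S+)\s*$", line)
        if m and m.group(1) in KNOWN:
            found[m.group(1)] = m.group(2).lower()
    return found

def audit(script):
    """Flag values this page documents as weak or easy to misread."""
    explicit = parse(script)
    s, findings = {**DEFAULTS, **explicit}, []
    if s.get("account lockout") == "off":
        findings.append("account lockout off: failed logins never disable an account")
    for key in ("account strike count", "account strike max"):
        if s.get("account lockout") == "on" and s.get(key) == "0":
            findings.append(f"{key} 0: account is disabled after one failure")
    if s["password expiration"] == "0":
        findings.append("password expiration 0: passwords never expire")
    if s["password disable"] == "0":
        findings.append("password disable 0: inactive accounts are never disabled")
    if s["password validation"] == "off":
        findings.append("password validation off: any password is accepted")
    if any(k.startswith("password") for k in explicit):
        findings.append("password settings changed: restart the GUI")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```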
Enables (on) or disables (off) the automatic account lockout feature, which disables a user account after a specified number of login failures.
store account lockout <on | off>
show account lockout
Sets the number of failed login attempts (n) in the configured strike interval before disabling the account.
store account strike count <n>
show account strike count
Sets the number of seconds (n) during which the configured number of failed login attempts must occur in order to disable the account.
store account strike interval <n>
show account strike interval
Sets the maximum number (n) of failed login attempts to be allowed for an account over the life of the server, before the account is disabled.
store account strike max <n>
show account strike max
Sets the number of days of inactivity, after which user accounts will be disabled. When set to 0 (zero), no accounts will be disabled by inactivity. At installation, the default value is zero. You must restart the GUI after changing this setting (see restart gui).
store password disable <days>
show password disable
Sets the age (in days) for user password expiration. When set to 0 (zero), the password never expires. For any other value, the account user must reset the password the first time they log in after the current password has expired. The default value is 90. You must restart the GUI after changing this setting.
store password expiration <days>
show password expiration
Turns password validation on or off. The default value is on. You must restart the GUI after changing this setting.
When password validation is enabled, the password must be eight or more characters in length, and must include at least one uppercase alphabetic character (A-Z), one lowercase alphabetic character (a-z), one digit (0-9), and one special character from the table below. When disabled (not recommended), any length or combination of characters is allowed.
store password validation <on | off>
show password validation
@ | Commercial at sign
# | Number sign
$ | Dollar sign
% | Percent sign
^ | Circumflex accent (caret)
& | Ampersand
. | Full stop (Period)
; | Semicolon
! | Exclamation mark
- | Hyphen (minus)
+ | Plus sign
= | Equals sign
_ | Low line (underscore)
Use this command to reset the cli user password. To simplify the support process, we suggest that you keep the cli user password assigned initially by Guardium. There is no way to retrieve the cli user password once it is set. If you lose this password, contact Guardium Support to have it reset.
User Account, Password and Authentication CLI Commands
You will be prompted to enter the current password, and then the new password (twice). None of the password values you enter on the keyboard will display on the screen.
The cli user password requirements differ from the requirements for user passwords. The cli user password must be at least six characters in length, and must contain at least one each of the following types of characters:
Digits (0-9)
Lowercase alphabetic characters (a-z)
Uppercase alphabetic characters (A-Z)
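The two rule sets on this page (hardened validation for user passwords, with the special-character table, and the separate cli user password rules) can be checked before a password is submitted. This Python checker is an added example, not Guardium's own validation code; it assumes only the ASCII ranges named on the page count toward each character class, and the candidate passwords are constructed.

```python
# Special characters accepted by hardened validation, from the table on this page.
SPECIALS = set("@#$%^&.;!-+=_")

def _unmet(password, min_len, need_special):
    """List the rules a candidate password fails; an empty list means it passes."""
    unmet = []
    if len(password) < min_len:
        unmet.append(f"at least {min_len} characters")
    # Assumption: only the ASCII ranges the page names (A-Z, a-z, 0-9) count,
    # so accented letters are ignored here (str.isupper() would accept them).
    if not any("A" <= c <= "Z" for c in password):
        unmet.append("an uppercase letter A-Z")
    if not any("a" <= c <= "z" for c in password):
        unmet.append("a lowercase letter a-z")
    if not any("0" <= c <= "9" for c in password):
        unmet.append("a digit 0-9")
    if need_special and not any(c in SPECIALS for c in password):
        unmet.append("a special character from the table")
    return unmet

def check_user_password(password):
    """Hardened validation rules for Guardium user passwords."""
    return _unmet(password, min_len=8, need_special=True)

def check_cli_password(password):
    """Rules for the cli user password (no special character required)."""
    return _unmet(password, min_len=6, need_special=False)

if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    for candidate in ("Guardium1!", "Guardium1", "Abc123"):
        print(candidate, check_user_password(candidate), check_cli_password(candidate))
```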
Use this command to enable the Guardium admin user account after it has been disabled. This command does not reset the admin user account password.
unlock admin
The following commands display or control the type of authentication used.
Use this command to reset the type of authentication used for login to the Guardium appliance, to SQL_GUARD (i.e. Guardium authentication, the default).
Optional authentication methods (LDAP or RADIUS, for example) can be configured and enabled from the administrator portal, but not from the CLI.
store auth SQL_GUARD
show auth