Copyright 2012, Oracle and/or its affiliates. All rights reserved.
Agenda
Deployment and Configuration
Secure Configuration Scripts
Top 10: 1-5
Top 10: 6-10
Top 10: Bonus
Credit Card Encryption
Deployment and Configuration
database options)
Guidelines are based upon current patch levels: 11.5.10 and up, 12.0.6 and up, 12.1.2 and up
Please raise an SR with support against the Guides if you feel there are problems or omissions with the advice
Secure Configuration Scripts
Current State vs Recommendations
ERRORS: likely vulnerable to issues
WARNINGS: likely violating Secure Config Guidelines
Run anywhere
Scripts attempt to identify code level when required
Any supported version of EBS
Any supported version of the DB
Secure Config Scripts
Packaged as SQL and Shell scripts
EBSSecConfigChecks.sql runs all (12) other SQL scripts
Compiles them into a single report
Script comments often have hints for resolution
EBSCheckModSecurity.sh shell script
Ongoing Health Checks
Checks to ensure critical security functionality
Run them early and often
Once you have a baseline, check for diffs
Top Ten
1. Profile Settings
Note 946372.1 Secure Configuration of E-Business Suite Profiles
Check script - EBSCheckProfilesMissing.sql
Reports on missing profiles
Missing Profiles
Note 946372.1 Secure Configuration of E-Business Suite Profiles
Check script - EBSCheckProfilesMissing.sql
Server Security (discussed in detail later)
FND_SECURITY_FILETYPE_RESTRICT_DFLT /
FND_DISABLE_ANTISAMY_FILTER
Introduced with January 2012 CPU
Profiles Configuration Errors
Note 946372.1 Secure Configuration of E-Business Suite Profiles
Check settings of critical profile options
FND Validation Level: Error
Profiles Configuration Warnings
Note 946372.1 Secure Configuration of E-Business Suite Profiles
Check settings of profile warnings
FND Diagnostics: No
Utilities Diagnostics: No
Personalize Self-service Defn: No
2. Default Passwords
E-Business Suite User Passwords
Check script - EBSCheckUserPasswords.sql
Checks EBS User passwords for default passwords
2. Default Passwords
Database Passwords
Check script - EBSCheckDBPasswords.sql
Checks user and DB account passwords
The Secure Configuration Guide Appendix C lists each user and provides advice
3. Secure APPLSYSPUB
Change password
Only in R12
Must run AutoConfig to populate the change to configuration files
APPLSYSPUB password must always be uppercase
3. Secure APPLSYSPUB
SCG - REVOKE UNNECESSARY GRANTS GIVEN TO APPLSYSPUB
Check script - EBSCheckApplsyspubPrivs.sql
Check privileges
Fix privs:
Run $FND_TOP/patch/115/sql/afpubfix.sql
Server Security feature
Sample DBC file created by AdminAppServer or AdminDesktop
GWYUID=APPLSYSPUB/PUB
GUEST_USER_PWD=GUEST/ORACLE
FNDNAM=APPS
APPL_SERVER_ID=AC70BE2E89CAC15F64235254236135131826220
TWO_TASK=PROD
DB_PORT=1521
DB_HOST=pdb1213.example.com
APPS_JDBC_URL=jdbc\:oracle\:thin\:@(DESCRIPTION\=(ADDRESS\=(PROTOCOL\=tcp)(HOST\=pdb1213.example.com)(PORT\=1521)))(CONNECT_DATA\=(SERVICE_NAME\=PROD)))
JDBC\:oracle.jdbc.maxCachedBufferSize=358400
Using AdminDesktop
Use AdminDesktop to create DBC files for non-EBS nodes
Non-EBS nodes are BPEL and WebService nodes
Create the DBC file on an EBS AppTier node
Create it to be IP Address specific
Maintain mode 600 while creating and copying to the recipient node
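As an added check (not part of AdminDesktop, AdminAppServer or the EBS secure-configuration scripts), the following Python audits a DBC file for the two points the slides make about it: that the file stays mode 600, and which credential-bearing keys it carries in clear text. The sample DBC content is constructed from the slide's example values, and the set of keys treated as sensitive is an assumption.

```python
"""Audit a DBC file: confirm mode 600 and list the credential-bearing keys.
Added example; not Oracle's AdminDesktop/AdminAppServer tooling.
The sample DBC content below is constructed from the slide's example values."""
import os
import re
import stat
import tempfile

# Keys whose values are credentials or otherwise sensitive (assumption, based on the slide).
SENSITIVE_KEYS = {"GWYUID", "GUEST_USER_PWD", "APPL_SERVER_ID", "APPS_JDBC_URL"}

# Constructed sample DBC file mirroring the values shown on the slide.
SAMPLE_DBC = r"""
GWYUID=APPLSYSPUB/PUB
GUEST_USER_PWD=GUEST/ORACLE
FNDNAM=APPS
APPL_SERVER_ID=AC70BE2E89CAC15F64235254236135131826220
TWO_TASK=PROD
DB_PORT=1521
DB_HOST=pdb1213.example.com
APPS_JDBC_URL=jdbc\:oracle\:thin\:@(DESCRIPTION\=(ADDRESS\=(PROTOCOL\=tcp)(HOST\=pdb1213.example.com)(PORT\=1521)))(CONNECT_DATA\=(SERVICE_NAME\=PROD)))
JDBC\:oracle.jdbc.maxCachedBufferSize=358400
"""


def parse_dbc(text):
    """Parse Java-properties style KEY=VALUE lines.

    The split is on the first unescaped '='; backslash-escaped ':' and '='
    (as in the JDBC keys and URL) are unescaped in both key and value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^((?:\\.|[^=\\])+)=(.*)$", line)
        if not m:
            continue
        key = m.group(1).replace("\\:", ":").replace("\\=", "=").strip()
        value = m.group(2).replace("\\:", ":").replace("\\=", "=").strip()
        props[key] = value
    return props


def audit_dbc(path):
    """Return findings: the file mode, whether it is exactly 600, and the sensitive keys present."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "r", encoding="utf-8") as fh:
        props = parse_dbc(fh.read())
    return {
        "mode": oct(mode),
        "mode_ok": mode == 0o600,
        "group_or_world_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "sensitive_keys": sorted(k for k in props if k in SENSITIVE_KEYS),
        # GUEST/ORACLE is the value on the slide's sample; flag it so it is reviewed.
        "guest_pwd_is_sample_value": props.get("GUEST_USER_PWD", "").upper() == "GUEST/ORACLE",
    }


def demo():
    """Write the constructed sample with a loose mode, audit it, fix the mode, audit again."""
    fd, path = tempfile.mkstemp(suffix=".dbc")
    os.close(fd)
    try:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_DBC)
        os.chmod(path, 0o644)          # a copy that was not kept at 600
        before = audit_dbc(path)
        os.chmod(path, 0o600)          # what the slide says to maintain while creating and copying
        after = audit_dbc(path)
        return before, after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Run it on a real DBC path by calling audit_dbc(path); a result with mode_ok False, or any entry in sensitive_keys on a file that is group- or world-readable, is the condition the slide's mode 600 advice is meant to prevent.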
5. Implement IP address restrictions
387859.1: Using AutoConfig to Manage System Configurations
Use a whitelist of IP addresses
Profile: Allow Restricted (FND_SQLNET_ACCESS)
Tells autoconfig to automate this when run on the DB server
$TNS_ADMIN/sqlnet.ora:
tcp.validnode_checking = YES
tcp.invited_nodes = ( X.X.X.X, hostname, ... )
5. Implement IP address restrictions
387859.1: Using AutoConfig to Manage System Configurations
No automated check via scripts
Manual check from a node not in white list
Should get a hang up:
bash$ telnet ebs.example.com 4443
Trying 115.X.X.X...
Connected to ebs.example.com
Escape character is '^]'.
Connection closed by foreign host.
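As an added example (not an Oracle or AutoConfig script), the following Python parses a sqlnet.ora, confirms that tcp.validnode_checking is YES, and reports whether a given node appears in tcp.invited_nodes, that is, whether the listener would accept it or hang up as in the telnet test above. The sqlnet.ora content is a constructed sample; the parameter names are the ones on the slide. Matching is by literal string, whereas the listener compares resolved addresses, so this is a configuration review, not a replacement for the manual test from a node outside the whitelist.

```python
"""Check a sqlnet.ora for the IP-address whitelist described on the slide.
Added example, not an Oracle script. Assumes one parameter per logical line;
a parenthesised list may continue across several lines."""
import re

# Constructed sample sqlnet.ora with the whitelist enabled (addresses are made up).
SAMPLE_SQLNET = """
# constructed sample, not generated by AutoConfig
tcp.validnode_checking = YES
tcp.invited_nodes = ( 10.0.0.5,
                      10.0.0.6,
                      apps1.example.com )
SQLNET.EXPIRE_TIME = 10
"""


def parse_sqlnet(text):
    """Return {PARAM (upper-case): value}; multi-line parenthesised values are joined."""
    params = {}
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        buf = f"{buf} {line}".strip() if buf else line
        if buf.count("(") > buf.count(")"):
            continue                           # list not closed yet, keep accumulating
        m = re.match(r"^([\w.]+)\s*=\s*(.*)$", buf)
        if m:
            params[m.group(1).upper()] = m.group(2).strip()
        buf = ""
    return params


def node_list(value):
    """Turn '( a, b, c )' into ['a', 'b', 'c']; an unset parameter gives []."""
    inner = value.strip()
    if inner.startswith("(") and inner.endswith(")"):
        inner = inner[1:-1]
    return [n.strip() for n in inner.split(",") if n.strip()]


def check_whitelist(text, node):
    """Report whether valid-node checking is enforced and whether `node` is invited.

    Comparison is by literal string; the real listener matches resolved
    addresses, so a hostname entry will not match the IP form of the same node."""
    params = parse_sqlnet(text)
    enforced = params.get("TCP.VALIDNODE_CHECKING", "").upper() == "YES"
    invited = node_list(params.get("TCP.INVITED_NODES", ""))
    # Checking off: anyone can connect. Checking on: only invited nodes get through.
    admitted = (not enforced) or (node in invited)
    return {"enforced": enforced, "invited": invited, "admitted": admitted}


if __name__ == "__main__":
    for candidate in ("10.0.0.5", "192.0.2.9"):
        print(candidate, check_whitelist(SAMPLE_SQLNET, candidate))
```

Point it at the real file with open("$TNS_ADMIN/sqlnet.ora").read() after AutoConfig has run on the DB server; an "enforced": False result means the profile did not take effect and the listener still accepts connections from any node.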
Layer (SSL)
8. Move off Client/Server Components
9. Secure Configuration of Attachments
10. Turn on ModSecurity
1493091.1)
9. Secure Configuration of Attachments
Check script - Part of the profile checks
File Upload Limits for Attachments
Attachments file type validation
Tag scanning of HTML Attachments
File Upload Limits for Attachments
Note 604458.1 - How to Limit The Attachment File Size?
Allowing unlimited attachment sizes can allow for a Denial of Service (DoS) attack
Profile: Upload File Size Limit (UPLOAD_FILE_SIZE_LIMIT)
Limits the maximum attachment file size that can be uploaded
Specified in KB (e.g. 2000KB)
Tag scanning of HTML Attachments
Note 1357849.1 - Security Configuration Mechanism in Attachments
Delivered as part of January 2012 CPU
Tag scanning of HTML Attachments
OWASP AntiSamy allows only a specific whitelist of HTML tags
Profile: FND: Disable Antisamy Filter
False (default / recommended): sanitize HTML pages
Tag scanning of HTML Attachments
Note 1357849.1 - Security Configuration Mechanism in Attachments
Warning: Antisamy scan requires the character set to be known:
Can cause character set issues for binary attachments
Fix (patch14141465) will use meta tag or
attachments
ModSecurity - Web Application Firewall Apache module
Part of iAS 1.0.2.2 and OHS 10.1.3
Automatically configured
ModSecurity blocks bad requests (blacklist); it can also whitelist
Null bytes, directory crawling, URL encoding, UTF-8 encoding
Stops obviously bad requests early
3. Enhanced Hashing
Defends against brute forcing of hashes
Concurrent program to rehash
Patch 13114025:R12.IBY.B
pages