milton estrada, tusc


Upload: databaseguys

Post on 11-May-2015


TRANSCRIPT

Page 1: Milton Estrada, TUSC


Page 2: Milton Estrada, TUSC

Best Security Practices For Oracle E-Business 11i

Milton Estrada – Senior Consultant, Application Practice

Page 3: Milton Estrada, TUSC

Milton Estrada, TUSC

(800) 755-TUSC

Page 4: Milton Estrada, TUSC

Agenda

• Overview
• Oracle TNS Listener Security
• Oracle Database Security
• Oracle Application Tier Security
• E-Business Suite Security
• Desktop Security
• Operating Environment Security

Page 5: Milton Estrada, TUSC


Overview

In today’s environment, a properly secured computing infrastructure is critical. When securing the infrastructure, a balance must be struck between risk of exposure, cost of security and value of the information protected.

Each organization determines its own correct balance. To that end, this document describes security measures that will be put in place for securing Oracle E-Business Suite.

Page 6: Milton Estrada, TUSC


Overview

Page 7: Milton Estrada, TUSC

Oracle TNS Listener Security

• Valid Node Checking
  – To enable Valid Node Checking, set the following parameters in $TNS_ADMIN/sqlnet.ora:
    • tcp.validnode_checking = YES
    • tcp.invited_nodes = ( X.X.X.X, hostname, ... )

• Specify Connection Timeout
  – CONNECT_TIMEOUT_$ORACLE_SID = 10

Page 8: Milton Estrada, TUSC

Oracle TNS Listener Security

• Enable TNS Listener Password
  – $ lsnrctl
  – LSNRCTL> set current_listener $ORACLE_SID
  – LSNRCTL> change_password
  – LSNRCTL> set password
  – LSNRCTL> save_config
  – $ echo "ADMIN_RESTRICTIONS_DBLSNR = ON" >> listener.ora
  – LSNRCTL> set current_listener $ORACLE_SID
  – LSNRCTL> set password
  – LSNRCTL> reload

Page 9: Milton Estrada, TUSC

Oracle TNS Listener Security

• Enable Admin Restrictions
  – ADMIN_RESTRICTIONS_$ORACLE_SID=ON

• Enable TNS Listener Logging
  – LOG_STATUS = ON
  – LOG_DIRECTORY_$ORACLE_SID = $TNS_ADMIN
  – LOG_FILE_$ORACLE_SID = $ORACLE_SID

Page 10: Milton Estrada, TUSC

Oracle Database Security

• Disable XDB
  – *.dispatchers='(PROTOCOL=TCP) (SERVICE=sidXDB)'

• Remove OS Trusted Login
  – REMOTE_OS_AUTHENT=FALSE

Page 11: Milton Estrada, TUSC

Oracle Database Security

• Implement two or more profiles for password management

Password Parameter          Application Profile   Administrator Profile
FAILED_LOGIN_ATTEMPTS       Unlimited             5
PASSWORD_LIFE_TIME          Unlimited             90
PASSWORD_REUSE_TIME         180                   180
PASSWORD_REUSE_MAX          Unlimited             Unlimited
PASSWORD_LOCK_TIME          Unlimited             7
PASSWORD_GRACE_TIME         Unlimited             14
PASSWORD_VERIFY_FUNCTION    Recommended           Recommended

Page 12: Milton Estrada, TUSC

Oracle Database Security

• Change default installation passwords for:
  • Default database administration schemas
  • Schemas belonging to optional database features neither used nor patched by E-Business Suite
  • Schemas belonging to optional database features used but not patched by E-Business Suite
  • Schemas belonging to optional database features used and patched by E-Business Suite
  • Schemas common to all E-Business Suite products
  • Schemas associated with specific E-Business Suite products

• If on 11.5.9 or 11.5.10, apply patch 4745998 to enable the ALLORACLE parameter of FNDCPASS

Page 13: Milton Estrada, TUSC

Oracle Database Security

• Restrict access to SQL trace files
  – _TRACE_FILES_PUBLIC=FALSE

• Remove OS trusted roles
  – REMOTE_OS_ROLES=FALSE

Page 14: Milton Estrada, TUSC

Oracle Database Security

• Limit file system access within PL/SQL
  – UTL_FILE_DIR = <dir1>,<dir2>,<dir3>...
  – Avoid: UTL_FILE_DIR = *

• Limit Dictionary Access
  – O7_DICTIONARY_ACCESSIBILITY = FALSE

Page 15: Milton Estrada, TUSC

Oracle Database Security

• Configure DB for Auditing
  – AUDIT_TRAIL = OS
  – AUDIT_FILE_DEST = 'audit_file_directory'

• Audit DB connections
  – SQL> audit session;

• Audit DB Schema Changes
  – SQL> audit user;
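As an added example (not code from the deck), the following Python checks sqlnet.ora, listener.ora and init.ora contents against the listener and database values recommended on the preceding slides and reports each deviation; the sample file contents, the SID PROD, the host 10.0.0.5 and the name appsnode1 are constructed.

```python
# Added example, not code from the TUSC deck: audit sqlnet.ora, listener.ora
# and init<SID>.ora against the hardening values the slides recommend.

def parse_ora(text, sid):
    """Parse key=value parameter syntax into {UPPER_KEY: value}."""
    params, buf = {}, ""
    for raw in text.splitlines():
        buf = f"{buf} {raw.split('#', 1)[0].strip()}".strip()  # drop comment
        if not buf or buf.count("(") > buf.count(")"):  # blank or continued
            continue
        key, sep, val = buf.partition("=")
        key, buf = key.strip().upper(), ""
        if key.startswith(("*.", sid.upper() + ".")):   # init.ora prefixes
            key = key.split(".", 1)[1]
        if sep:
            params[key] = val.strip().strip("'\"").strip()
    return params

def audit(sid, sqlnet, listener, init):
    """Return a list of findings; an empty list means every value matches."""
    s, l, i = (parse_ora(t, sid) for t in (sqlnet, listener, init))
    sid = sid.upper()
    expected = [  # (file params, parameter, required value) from the slides
        (s, "TCP.VALIDNODE_CHECKING", "YES"),
        (l, f"ADMIN_RESTRICTIONS_{sid}", "ON"),
        (i, "REMOTE_OS_AUTHENT", "FALSE"), (i, "REMOTE_OS_ROLES", "FALSE"),
        (i, "_TRACE_FILES_PUBLIC", "FALSE"), (i, "AUDIT_TRAIL", "OS"),
        (i, "O7_DICTIONARY_ACCESSIBILITY", "FALSE"),
    ]
    out = [f"{k} should be {v}, found {d.get(k, '<unset>')}"
           for d, k, v in expected if d.get(k, "").upper() != v]
    for d, k in ((s, "TCP.INVITED_NODES"), (l, f"CONNECT_TIMEOUT_{sid}")):
        if k not in d:
            out.append(f"{k} not set")
    if i.get("UTL_FILE_DIR") == "*":
        out.append("UTL_FILE_DIR = * opens the whole file system to PL/SQL")
    if "XDB" in i.get("DISPATCHERS", "").upper():
        out.append("DISPATCHERS still registers the XDB service")
    return out

# Constructed sample files; the init.ora carries three deliberate deviations.
SAMPLE_SQLNET = "tcp.validnode_checking = YES\ntcp.invited_nodes = ( 10.0.0.5,\n appsnode1 )\n"
SAMPLE_LISTENER = "ADMIN_RESTRICTIONS_PROD = ON\nCONNECT_TIMEOUT_PROD = 10\n"
SAMPLE_INIT = """*.remote_os_authent=FALSE
*.remote_os_roles=TRUE                              # deviation 1
*._trace_files_public=FALSE
*.O7_DICTIONARY_ACCESSIBILITY=FALSE
*.utl_file_dir=*                                    # deviation 2
*.dispatchers='(PROTOCOL=TCP) (SERVICE=PRODXDB)'    # deviation 3
*.audit_trail=OS
"""
```

Calling audit("PROD", SAMPLE_SQLNET, SAMPLE_LISTENER, SAMPLE_INIT) returns the three deviations; an empty list means the files match the recommended values.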

Page 16: Milton Estrada, TUSC

Oracle Application Tier Security

• Remove Application Server Banner
  – Set ServerSignature off
  – Set ServerTokens Prod

Page 17: Milton Estrada, TUSC

Oracle Application Tier Security

• Restrict MOD_PLSQL Web Administration

    <Location /pls/admin_>
      Order deny,allow
      Deny from all
      # Uncommenting next line allows selected hosts to use the admin page
      # Allow from localhost <list of TRUSTED IPs>
    </Location>

Page 18: Milton Estrada, TUSC

Oracle Application Tier Security

• Configure Logging
  – Oracle Application Server respects Apache’s logging parameters. When activated, the server logs who accessed the system, when, and the nature of the requested operation. At a minimum, log server access.

Page 19: Milton Estrada, TUSC

E-Business Suite Security

• Set Workflow Notification Mailer SEND_ACCESS_KEY to N
• Use SSL (HTTPS) Between Browser and Web Server
• Use Terminal Services for Client-Server Programs

Page 20: Milton Estrada, TUSC

E-Business Suite Security

• Change Passwords for seeded Application User Accounts

Account              Product/Purpose                                Change   Disable
ANONYMOUS            FND/AOL – Anonymous for non-logged users       Y        Y
APPSMGR              Routine maintenance via concurrent requests    Y        Y
ASGADM               Mobile gateway related products                Y        N
ASGUEST              Sales Application guest user                   Y        N
AUTOINSTALL          AD                                             Y        Y
CONCURRENT MANAGER   FND/AOL: Concurrent Manager                    Y        Y
FEEDER SYSTEM        AD – Supports data from feeder system          Y        Y
GUEST                Guest application user                         Y        N

Page 21: Milton Estrada, TUSC

E-Business Suite Security

• Tighten Logon and Session Profile Options

Profile Option Name             Recommendation
SIGNON_PASSWORD_LENGTH          8
SIGNON_PASSWORD_HARD_TO_GUESS   Yes
SIGNON_PASSWORD_NO_REUSE        180
ICX_SESSION_TIMEOUT             30

Page 22: Milton Estrada, TUSC

E-Business Suite Security

• Create New User Accounts Safely
• Create Shared Responsibilities instead of Shared Accounts
• Configure Concurrent Manager for Safe Authentication
• Activate Server Security
• Setup Server Security
• Review GUEST User Responsibilities
• Review Users with Administrative Responsibilities
• Limit Access to Security Related Forms

Page 23: Milton Estrada, TUSC

E-Business Suite Security

• Set other Security Related Profile Options

Profile Option                   Suggested
AuditTrail:Activate              Yes
Concurrent:Report Access Level   User
FND:Diagnostics                  No
Sign-on:Notification             Yes
Utilities:Diagnostics            No

Page 24: Milton Estrada, TUSC

E-Business Suite Security

• Restrict Responsibilities by Web Server Trust Level
  – administrative
  – normal
  – external

• Set SIGN-ON Audit Level
  – APPLSYS.FND_LOGINS
  – APPLSYS.FND_LOGIN_RESPONSIBILITIES
  – APPLSYS.FND_LOGIN_RESP_FORMS

Page 25: Milton Estrada, TUSC

E-Business Suite Security

• Monitor System Activity with OAM
• Retrieve Audit Records Using Reports
  – Sign-on Audit Concurrent Requests
  – Sign-on Audit Forms
  – Sign-on Audit Responsibilities
  – Sign-on Audit Unsuccessful Logins
  – Sign-on Audit Users

Page 26: Milton Estrada, TUSC

Desktop Security

• Update browser
• Turn off auto-complete in Internet Explorer
• Set policy for unattended PC sessions

Page 27: Milton Estrada, TUSC

Operating Environment Security

• Cleanup file ownership and access
• Cleanup file permissions
• Eliminate Telnet connections
• Eliminate FTP connections
• Verify Network configuration

Page 28: Milton Estrada, TUSC

Questions and Answers

Page 29: Milton Estrada, TUSC

Copyright Information

• Neither TUSC nor the authors guarantee this document to be error-free. Please provide comments/questions to: [email protected]

• TUSC © 2006. This document cannot be reproduced without expressed written consent from an officer of TUSC

• www.tusc.com

Page 30: Milton Estrada, TUSC

References

• Best Practices for Securing Oracle E-Business Suite, Oracle Corporation, Version 3.0.2
• Oracle Metalink
• Oracle Technology Network (OTN)

Page 31: Milton Estrada, TUSC

More Info

• Other good references that I use are:
  – http://metalink.oracle.com
  – http://oraclepartnernetwork.oracle.com
  – http://otn.oracle.com
  – http://tahiti.oracle.com
  – http://technet.oracle.com
  – http://www.google.com
  – http://www.ioug.org
  – http://www.orafaq.org
  – http://www.tusc.com
  – http://www.odtug.com

Page 32: Milton Estrada, TUSC

TUSC Contact Information

Milton Estrada (TUSC Senior Consultant) [email protected]

George Frederick (TUSC Sales Executive) [email protected]
630-960-2909

TUSC
377 E. Butterfield Road, Suite 100
Lombard, IL 60148

www.tusc.com