Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

The Top 10 (Free) Things You Can Do to Secure Your Oracle E-Business Suite Instance

Eric Bing, Applications Product Security


The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Agenda

Deployment and Configuration
Secure Configuration Scripts
Top 10: 1-5
Top 10: 6-10
Top 10: Bonus
– Credit Card Encryption
– E-Business Suite template for Data Masking Pack

Deployment and Configuration

Secure E-Business Suite Deployment

General EBS advice
– Stay current with patching
– Apply Critical Patch Updates (CPUs) + Security Alerts
– Patch Set Updates (PSUs) are an option for the techstack
– Apply the most recent maintenance pack (yes, security improves as well)
Follow our recommendations for secure deployment
– Secure Configuration Guide for Oracle E-Business Suite
– Oracle E-Business Suite Configuration in a DMZ
Note: Follow this if deploying any parts of EBS to the Internet

E-Business Suite Secure Configuration Guides (previously known as “Best Practice” documents)

Release 11i, MOS Note 189367.1
Release 12, MOS Note 403537.1

E-Business Suite Secure Configuration Guides

Advice for security-related “switches” to set/verify
Many recommendations automated via AutoConfig and Oracle Application Manager (OAM)
Advice also provided for optional security-related products (such as database options)
Guidelines are based upon current patch levels
– 11.5.10 and up
– 12.0.6 and up
– 12.1.2 and up
Please raise an SR with support against the Guides if you feel there are problems or omissions with the advice

Secure Configuration Scripts

Current State vs Recommendations
– ERRORS – Likely vulnerable to issues
– WARNINGS – Likely violating Secure Config Guidelines
Run anywhere
– Scripts attempt to identify the code level when required
– Any supported version of EBS
– Any supported version of the DB

Secure Config Scripts

Packaged as SQL and Shell scripts
– EBSSecConfigChecks.sql – runs all (12) other SQL scripts
– Compiles them into a single report
– Script comments often have hints for resolution
– EBSCheckModSecurity.sh – shell script
Ongoing “Health Checks” to ensure critical security functionality
– Run them early and often…
– Once you have a baseline, check for diffs
Roadmap: Online Dashboard with alerts

Top Ten


What makes the “Top 10” cut?

Most common issues seen at customer sites
Biggest bang for the buck
Not as well known / new features
Least effort
Applicable to many releases
Free

Top 10: Items 1-5

1. Check Profile Settings
2. Change Default Passwords
3. Secure APPLSYSPUB
4. Activate Server Security
5. Implement IP address restrictions

1. Profile Settings

Note 946372.1 “Secure Configuration of E-Business Suite Profiles”
Check script - EBSCheckProfilesMissing.sql
– Reports on missing profiles
Check script - EBSCheckProfileErrors.sql
– Reports on configuration errors
Check script - EBSCheckProfileWarnings.sql
– Reports on configuration warnings

Missing Profiles

Check script - EBSCheckProfilesMissing.sql
Note 946372.1 “Secure Configuration of E-Business Suite Profiles”
Server Security (discussed in detail later)
– FND_SERVER_SEC / FND_SERVER_IP_SEC missing:
– Patch 12715586:R12.FND.A delivers these missing profiles for R12.0.4+
– Patch 12715586:R12.FND.B delivers these missing profiles for R12.1.1+
Attachments Secure Configuration (discussed later)
– FND_SECURITY_FILETYPE_RESTRICT_DFLT / FND_DISABLE_ANTISAMY_FILTER
– Introduced with January 2012 CPU

Profiles – Configuration Errors

Check settings of critical profile options
Note 946372.1 “Secure Configuration of E-Business Suite Profiles”
– FND Validation Level: Error
– FND Function Validation Level: Error
– Framework Validation Level: Error
– Restrict Text Input: Y
– Attachments Secure Configuration (discussed later)
“Validation Level” Profiles will be removed in 12.2

Profiles – Configuration Warnings

Check settings of profile warnings
Note 946372.1 “Secure Configuration of E-Business Suite Profiles”
– FND Diagnostics: No
– Utilities: Diagnostics: No
– Personalize Self-service Defn: No
– Attachments Secure Configuration (discussed later)
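An added check in the spirit of these scripts (not one of Oracle's EBSCheck*.sql files): it reports the site-level value of each profile named on the error and warning slides, flags it MISSING / ERROR / WARNING / OK, and then lists which of the internal profile names from the "Missing Profiles" slide are not seeded at all. Assumed: the standard FND profile tables, site LEVEL_ID 10001, values stored as the upper-case codes ERROR / Y / N, and display-name matching that drops the colon in "Utilities:Diagnostics".

```sql
-- Added example, not one of Oracle's EBSCheck*.sql scripts. Run as APPS.
-- Assumes FND_PROFILE_OPTIONS / FND_PROFILE_OPTIONS_TL / FND_PROFILE_OPTION_VALUES,
-- LEVEL_ID 10001 = Site, and values stored as upper-case codes (ERROR, Y, N).
WITH expected AS (
  -- display name as on the slides (upper-cased), expected value, severity when it differs
  SELECT 'FND VALIDATION LEVEL'           AS pname, 'ERROR' AS want, 'ERROR'   AS sev FROM dual UNION ALL
  SELECT 'FND FUNCTION VALIDATION LEVEL',           'ERROR',         'ERROR'          FROM dual UNION ALL
  SELECT 'FRAMEWORK VALIDATION LEVEL',              'ERROR',         'ERROR'          FROM dual UNION ALL
  SELECT 'RESTRICT TEXT INPUT',                     'Y',             'ERROR'          FROM dual UNION ALL
  SELECT 'FND DIAGNOSTICS',                         'N',             'WARNING'        FROM dual UNION ALL
  SELECT 'UTILITIES DIAGNOSTICS',                   'N',             'WARNING'        FROM dual UNION ALL
  SELECT 'PERSONALIZE SELF-SERVICE DEFN',           'N',             'WARNING'        FROM dual
),
site_value AS (
  -- one row per seeded profile; val is NULL when nothing is set at Site level
  SELECT UPPER(REPLACE(t.user_profile_option_name, ':', ' ')) AS pname,
         v.profile_option_value                                AS val
    FROM fnd_profile_options_tl t
    JOIN fnd_profile_options p
      ON p.profile_option_name = t.profile_option_name
    LEFT JOIN fnd_profile_option_values v
      ON v.profile_option_id = p.profile_option_id
     AND v.application_id    = p.application_id
     AND v.level_id          = 10001            -- Site level only
   WHERE t.language = 'US'
)
SELECT e.pname                                AS profile_option,
       NVL(s.val, '<not set>')                AS site_value,
       e.want                                 AS expected,
       CASE
         WHEN s.pname IS NULL                 THEN 'MISSING'   -- not seeded: see patch list above
         WHEN UPPER(NVL(s.val, '?')) = e.want THEN 'OK'
         ELSE e.sev                                            -- ERROR or WARNING
       END                                    AS status
  FROM expected e
  LEFT JOIN site_value s ON s.pname = e.pname
 ORDER BY CASE e.sev WHEN 'ERROR' THEN 1 ELSE 2 END, e.pname;

-- Missing-profile check on the internal names the slides say are delivered by
-- patch 12715586 / the January 2012 CPU: any name printed here is not seeded.
SELECT m.pname AS missing_profile
  FROM (SELECT 'FND_SERVER_SEC'                      AS pname FROM dual UNION ALL
        SELECT 'FND_SERVER_IP_SEC'                            FROM dual UNION ALL
        SELECT 'FND_SECURITY_FILETYPE_RESTRICT_DFLT'          FROM dual UNION ALL
        SELECT 'FND_DISABLE_ANTISAMY_FILTER'                  FROM dual) m
 WHERE NOT EXISTS (SELECT 1
                     FROM fnd_profile_options p
                    WHERE p.profile_option_name = m.pname);
```

A profile that is seeded but has no Site-level row shows as "<not set>" with the severity of the slide, which is the same outcome the check scripts report for an unset profile.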


2. Default Passwords

Check script - EBSCheckUserPasswords.sql
E-Business Suite User Passwords
– Checks EBS User passwords for default passwords
Secure seeded application accounts: end date, and change password
See the Secure Configuration Guide
– Oracle E-Business Suite Security / Authentication

2. Default Passwords

Check script - EBSCheckDBPasswords.sql
Database Passwords
– Checks User and DB passwords
– select * from dba_users_with_defpwd; (11g only)
Fix using:
– AFPASSWD / FNDCPASS – APPS controlled accounts
– Password / alter user… – for non-APPS controlled accounts
The Secure Configuration Guide – Appendix C lists each user and provides advice

3. Secure APPLSYSPUB

Change password
– Only in R12
– Must run AutoConfig to populate the change to configuration files
– APPLSYSPUB password must always be uppercase (even if Case Sensitive Passwords have been turned on)

3. Secure APPLSYSPUB

Check script - EBSCheckApplsyspubPrivs.sql
SCG - REVOKE UNNECESSARY GRANTS GIVEN TO APPLSYSPUB
– Check privileges
Fix privs:
– Run $FND_TOP/patch/115/sql/afpubfix.sql

4. Activate Server Security

Check script - EBSCheckServerSecurity.sql
Secure Config Guide - ACTIVATE SERVER SECURITY

select 'Server Security is on' from FND_NODES where server_address = '*' and server_id = 'SECURE';

Switch “Server Security” to SECURE mode
System Administrator's Guide, Administering Server Security

“Server Security” feature

Sample DBC file created by AdminAppServer or AdminDesktop:

GWYUID=APPLSYSPUB/PUB
GUEST_USER_PWD=GUEST/ORACLE
FNDNAM=APPS
APPL_SERVER_ID=AC70BE2E89CAC15F…64235254236135131826220
TWO_TASK=PROD
DB_PORT=1521
DB_HOST=pdb1213.example.com
APPS_JDBC_URL=jdbc\:oracle\:thin\:@(DESCRIPTION\=(ADDRESS_LIST\=(ADDRESS\=(PROTOCOL\=tcp)(HOST\=pdb1213.example.com)(PORT\=1521)))(CONNECT_DATA\=(SERVICE_NAME\=PROD)))
JDBC\:oracle.jdbc.maxCachedBufferSize=358400

Using AdminDesktop

Non-EBS nodes are BPEL and WebService nodes
Use AdminDesktop to create DBC files for non-EBS nodes
– Create the DBC file on an EBS AppTier node
– Create it to be IP Address specific
– Maintain mode 600 while creating and copying to the recipient node
Documented in Note 974949.1 "AppsDataSource, Java Authentication and Authorization Service, and Utilities for Oracle E-Business Suite"

5. Implement IP address restrictions

Use a whitelist of IP addresses
387859.1: Using AutoConfig to Manage System Configurations…
Profile: Allow Restricted (FND_SQLNET_ACCESS)
– Tells AutoConfig to automate this when run on the DB server
$TNS_ADMIN/sqlnet.ora:
– tcp.validnode_checking = YES
– tcp.invited_nodes = ( X.X.X.X, hostname, ... )

5. Implement IP address restrictions

No automated check via scripts
387859.1: Using AutoConfig to Manage System Configurations…
Manual check from a node not in the whitelist – should get a hang-up:

bash$ telnet ebs.example.com 4443
Trying 115.X.X.X...
Connected to ebs.example.com
Escape character is '^]'
Connection closed by foreign host.

Top 10: Items 6-10

6. Migrate to Password Hashing
7. Enable Application Tier Secure Socket Layer (SSL)
8. Move Off of Client/Server Components
9. Secure Configuration of Attachments
10. Turn on ModSecurity

6. Migrate Oracle Applications User Passwords to Non-Reversible Hash Password

Check script - EBSCheckHashedPasswords.sql
MOS Note 457166.1 - FNDCPASS Utility New Feature…

select 'Hashed passwords are not on' "Password Mode" from dual where FND_WEB_SEC.GET_PWD_ENC_MODE is null;

Switch to hashed passwords for applications users (Note 457166.1)
– FNDCPASS apps/apps 0 Y system/manager USERMIGRATE SHA1
Upgrade any desktop clients' FNDPUB DLL/Libraries – Discoverer, Configurator, Desktop ADI…
– Or even better, replace these with their web variant

7. Enable SSL/TLS for web listener

Check script - EBSCheckSSL.sql
Note 376700.1 Enabling SSL for Oracle Applications Release 12
– Checks via FND_WEB_CONFIG.PROTOCOL
Enable SSL (https) for web listener
Avoid weak ciphers and protocols (<128 bit & SSLv2)
Using Telnet Mobile Web Apps?
– Mechanism for securing MWA Telnet communication via Stunnel (Note 1493091.1)

8. Move off of client/server components

End User PCs should not have a direct DB connection
Switch to equivalent Web components when possible
– Desktop ADI -> Web ADI and Report Manager
Put client/server components on a secured server (Note 277535.1)
– Windows Server Terminal Services
– Secure Global Desktop
Users should not be able to access the DBC file directly

9. Secure Configuration of Attachments

Check script – Part of the profile checks
File Upload Limits for Attachments
Attachments file type validation
Tag scanning of HTML Attachments

File Upload Limits for Attachments

Note 604458.1 - How to Limit The Attachment File Size?
Allowing unlimited attachment sizes can allow for a Denial of Service (DoS) attack
Profile: Upload File Size Limit (UPLOAD_FILE_SIZE_LIMIT)
– Limits the maximum Attachment file size that can be uploaded
– Specified in KB (e.g. 2000KB)

Attachments File Type Validation

Delivered as part of January 2012 CPU
Note 1357849.1 - Security Configuration Mechanism in Attachments
Attachments file type validation
– New column FND_MIME_TYPES.ALLOW_FILE_UPLOAD – values N & Y
– Configured by default as a “black list”
Profile: Attachment File Upload Restriction Default
– Yes (default): Blacklist behavior – Disallow types marked as ‘N’
– No (recommended): Whitelist behavior – Only allow types marked as ‘Y’
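An added query (not from Note 1357849.1 or the check scripts) that shows the effective upload policy per file type, i.e. how each row's ALLOW_FILE_UPLOAD flag combines with the current site value of FND_SECURITY_FILETYPE_RESTRICT_DFLT, followed by a count of rows that are not marked at all, since those are exactly the types a blacklist lets through. Assumed: the profile is stored as Y/N at site level (LEVEL_ID 10001) and FND_MIME_TYPES has FILE_EXTENSION and MIME_TYPE columns alongside ALLOW_FILE_UPLOAD.

```sql
-- Added example, not Oracle's own check. Run as APPS.
-- Assumes FND_MIME_TYPES(FILE_EXTENSION, MIME_TYPE, ALLOW_FILE_UPLOAD) and the
-- profile value stored as 'Y' (blacklist, default) or 'N' (whitelist) at Site level.
WITH mode_flag AS (
  SELECT NVL(MAX(v.profile_option_value), 'Y') AS restrict_default   -- unset behaves as Yes
    FROM fnd_profile_options p
    LEFT JOIN fnd_profile_option_values v
      ON v.profile_option_id = p.profile_option_id
     AND v.application_id    = p.application_id
     AND v.level_id          = 10001                                  -- Site level
   WHERE p.profile_option_name = 'FND_SECURITY_FILETYPE_RESTRICT_DFLT'
)
-- Per-type outcome under the current mode
SELECT m.file_extension,
       m.mime_type,
       NVL(m.allow_file_upload, '-')                                       AS flag,
       CASE
         WHEN f.restrict_default = 'N' AND m.allow_file_upload = 'Y' THEN 'ALLOWED (whitelist)'
         WHEN f.restrict_default = 'N'                               THEN 'BLOCKED (whitelist)'
         WHEN m.allow_file_upload = 'N'                              THEN 'BLOCKED (blacklist)'
         ELSE                                                             'ALLOWED (blacklist)'
       END                                                                 AS effective_policy
  FROM fnd_mime_types m
 CROSS JOIN mode_flag f
 ORDER BY effective_policy, m.file_extension;

-- How much of the table is actually classified: in blacklist mode every
-- unmarked row is accepted, so a large "unmarked" count means the list is
-- not doing much and switching the profile to No is the safer choice.
SELECT f.restrict_default,
       SUM(CASE WHEN m.allow_file_upload = 'Y'  THEN 1 ELSE 0 END) AS marked_y,
       SUM(CASE WHEN m.allow_file_upload = 'N'  THEN 1 ELSE 0 END) AS marked_n,
       SUM(CASE WHEN m.allow_file_upload IS NULL THEN 1 ELSE 0 END) AS unmarked
  FROM fnd_mime_types m
 CROSS JOIN mode_flag f
 GROUP BY f.restrict_default;
```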


Tag scanning of HTML Attachments

Delivered as part of January 2012 CPU
Note 1357849.1 - Security Configuration Mechanism in Attachments
OWASP AntiSamy – allows a specific (white list) of HTML tags
Profile: FND: Disable Antisamy Filter
– False (default / recommended) – sanitize HTML pages
Resulting user message: “The document you uploaded has been modified to remove restricted tags. Please check the document and replace it if necessary.”

Tag scanning of HTML Attachments

Note 1357849.1 - Security Configuration Mechanism in Attachments
Warning: Antisamy scan requires the character set to be known
– Can cause character set issues for binary attachments
– Fix (patch 14141465) will use the meta tag or FND_NATIVE_CLIENT_ENCODING
– Need to take this patch up if you see character set issues in binary attachments

10. Ensure ModSecurity is on

Check script - EBSCheckModSecurity.sh
– Usage: EBSCheckModSecurity.sh https://ebs.example.com:4443
– Shell script – not included in EBSSecConfigChecks.sql
ModSecurity - Web Application Firewall Apache module
– Part of iAS 1.0.2.2 and OHS 10.1.3
– Automatically configured
ModSecurity blocks “bad” requests (black list) – can also white list
– Null bytes, directory crawling, URL encoding, UTF-8 encoding
– Stops “obviously bad” requests early

Top 10: Bonus

11. Encrypt Credit Card Data
12. Separation of Duties: Review Access To “Sensitive Administrative Pages”

11. Credit Card Encryption

Check script - EBSCheckCCEncryption.sql
1. Checks whether credit cards are encrypted in ‘Immediate’ mode
– Info on encryption - Payments User Implementation Guide
– For more info on PA-DSS compliance - Note 981033.1

11. Credit Card Encryption

Check script - EBSCheckCCEncryption.sql
New features
2. Checks Supplemental Credit Card Data Encryption
– Encrypts expiration date and card holder name
– MOS Note 981033.1 - 'Payments 12.1.2 Release Notes'
3. Enhanced Hashing
– Defends against brute forcing of hashes
– Concurrent program to rehash
– Patch 13114025:R12.IBY.B

12. Sensitive Administrator Functionality

Note 1334930.1 “Sensitive Administrative Pages in Oracle EBS”
Security Administrator
– Control of access to pages and profiles
Administrator / Developer Functionality
– Pages / profiles which allow for Application Development at Runtime: SQL fragments, HTML fragments, OS commands
– Should be disabled, controlled, and audited in production environments
Flexfield definitions, Forms and Framework personalization…
– Designed-in SQL injections or XSS injections

12. Sensitive Administrator Functionality

Note 1334930.1 “Sensitive Administrative Pages in Oracle EBS”
Identifies new categories of sensitive functionality:
– Oracle Forms-based Forms Controlled by Function Security (~40)
– HTML Pages Controlled by Function Security (~25)
– Pages and Forms Controlled by Profile Options (3)
– Pages Controlled by JTF Roles and Permissions (3)

12. Sensitive Administrator Functionality

Check Script: EBSCheckSensitivePageAccess.sql
Note 1334930.1 “Sensitive Administrative Pages in Oracle EBS”
– Not called by default from EBSSecConfigChecks.sql
– SQL scripts drive off of page and form names (not functions)
– Slower, but ensures we pick up custom functions that include these
Reduce and eliminate access to these pages by admins in production
Use Fine Grained Auditing to audit the tables associated with these pages