1
Oracle EBS R12 - Security
Best Practices for Securing Oracle EBS R12
2
Agenda
Overview
Oracle TNS Listener Security
Oracle Database Security
Oracle Application Tier Security
E-Business Suite Security
Desktop Security
Operating Environment Security
Q&A
3
Overview
In today’s environment, a properly secured computing infrastructure is critical. When securing the infrastructure, a balance must be struck between risk of exposure, cost of security and value of the information protected.
Each organization determines its own correct balance. To that end, this presentation describes security measures that will be put in place for securing Oracle E-Business Suite R12.
4
Overview - Continued
5
Oracle TNS Listener Security
Enable “Validate Node Checking” (sqlnet.ora)
tcp.validnode_checking = YES
tcp.invited_nodes = ( X.X.X.X, hostname, ... )
tcp.excluded_nodes = ( hostname, X.X.X.X, ... )
Note: the two lists are alternatives; when both are present the listener honours tcp.invited_nodes and ignores tcp.excluded_nodes.
Specify Connection Timeout
CONNECT_TIMEOUT_$ORACLE_SID = 10
Enable TNS Listener Password
$ lsnrctl
LSNRCTL> set current_listener $ORACLE_SID
LSNRCTL> change_password
LSNRCTL> set password
LSNRCTL> save_config
$ echo "ADMIN_RESTRICTIONS_DBLSNR = ON" >> listener.ora
LSNRCTL> set current_listener $ORACLE_SID
LSNRCTL> set password
LSNRCTL> reload
Enable Admin Restrictions
ADMIN_RESTRICTIONS_$ORACLE_SID=ON
Enable TNS Listener Logging
LOG_STATUS = ON
LOG_DIRECTORY_$ORACLE_SID = $TNS_ADMIN
LOG_FILE_$ORACLE_SID = $ORACLE_SID
6
Oracle Database Security
Disable XDB
dispatchers='(PROTOCOL=TCP) (SERVICE=sidXDB)'
Remove OS trusted login
REMOTE_OS_AUTHENT=FALSE
Implement two or more profiles for password management

Password Parameter         Application Profile   Administrator Profile
FAILED_LOGIN_ATTEMPTS      Unlimited             5
PASSWORD_LIFE_TIME         Unlimited             90
PASSWORD_REUSE_TIME        180                   180
PASSWORD_REUSE_MAX         Unlimited             Unlimited
PASSWORD_LOCK_TIME         Unlimited             7
PASSWORD_GRACE_TIME        Unlimited             14
PASSWORD_VERIFY_FUNCTION   Recommended           Recommended
7
Oracle Database Security - Continued
Change default installation passwords
Default database administration schemas
Schemas belonging to optional database features neither used nor patched by E-Business Suite
Schemas belonging to optional database features used but not patched by E-Business Suite
Schemas belonging to optional database features used and patched by E-Business Suite
Schemas common to all E-Business Suite products
Schemas associated with specific E-Business Suite products
Restrict Access to SQL trace files
_TRACE_FILES_PUBLIC=FALSE
Remove OS trusted roles
REMOTE_OS_ROLES=FALSE
Limit file system access within PL/SQL
Avoid: UTL_FILE_DIR = *
Limit dictionary access
O7_DICTIONARY_ACCESSIBILITY = FALSE
Configure DB for Auditing
AUDIT_TRAIL = OS
AUDIT_FILE_DEST = /u01/logs/db/audit
Audit DB Connections
SQL> audit session;
Audit DB schema changes
SQL> audit user;
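As an added example (not part of the original deck), a small Python audit that parses sqlnet.ora, listener.ora and init.ora text in the NAME = VALUE form and reports each TNS listener and database setting from the two slides above that departs from the recommendation. The three sample files, the listener name PROD, and the parameter names INBOUND_CONNECT_TIMEOUT_<listener> and LOGGING_<listener> (the 10g+ listener.ora equivalents of the CONNECT_TIMEOUT and LOG_STATUS settings shown) are assumptions.

```python
import re
# Constructed sample files (not from a real system); listener name assumed "PROD".
SQLNET_ORA = "tcp.validnode_checking = YES\ntcp.invited_nodes = ( 10.0.0.5, apps-host )\n"
LISTENER_ORA = "ADMIN_RESTRICTIONS_PROD = ON\nLOGGING_PROD = ON\n"
INIT_ORA = """
remote_os_authent = FALSE
remote_os_roles = TRUE
o7_dictionary_accessibility = FALSE
utl_file_dir = *
audit_trail = OS
dispatchers = '(PROTOCOL=TCP) (SERVICE=prodXDB)'
"""
# key: (value the deck recommends, value Oracle assumes when the key is absent)
EXPECTED = {
    "TCP.VALIDNODE_CHECKING": ("YES", "NO"),
    "ADMIN_RESTRICTIONS_PROD": ("ON", "OFF"),
    "LOGGING_PROD": ("ON", "ON"),  # listener.ora form of the deck's LOG_STATUS = ON
    "REMOTE_OS_AUTHENT": ("FALSE", "FALSE"),
    "REMOTE_OS_ROLES": ("FALSE", "FALSE"),
    "O7_DICTIONARY_ACCESSIBILITY": ("FALSE", "FALSE"),
    "_TRACE_FILES_PUBLIC": ("FALSE", "FALSE"),
    "AUDIT_TRAIL": ("OS", "NONE"),
}

def parse_ora(text):
    """Return {UPPER_KEY: value} for 'key = value' lines; '#' comments are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([\w.]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip().strip("'\"")
    return params

def audit(sqlnet, listener, init):
    """Merge the three files and return one finding per recommendation not met."""
    p = {**parse_ora(sqlnet), **parse_ora(listener), **parse_ora(init)}
    findings = []
    for key, (want, default) in EXPECTED.items():
        actual = p.get(key, default).upper()
        if actual != want:
            findings.append(f"{key} should be {want} (is {actual})")
    if "INBOUND_CONNECT_TIMEOUT_PROD" not in p:  # 10g+ name of CONNECT_TIMEOUT_<lsnr>
        findings.append("INBOUND_CONNECT_TIMEOUT_PROD not set")
    if "TCP.INVITED_NODES" in p and "TCP.EXCLUDED_NODES" in p:
        findings.append("both node lists set; only tcp.invited_nodes is honoured")
    if p.get("UTL_FILE_DIR") == "*":
        findings.append("UTL_FILE_DIR = * lets PL/SQL read and write any directory")
    if "XDB" in p.get("DISPATCHERS", "").upper():
        findings.append("DISPATCHERS still registers the XDB service")
    return findings
```

Running audit(SQLNET_ORA, LISTENER_ORA, INIT_ORA) on the constructed samples reports four findings: the missing inbound connect timeout, REMOTE_OS_ROLES, UTL_FILE_DIR = * and the XDB dispatcher.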
8
Oracle Application Tier Security
Remove Application Server Banner
Set ServerSignature Off
Set ServerTokens Prod
Protect Administrative Web Pages
<Location "uri-to-protect">
  Order deny,allow
  Deny from all
  Allow from localhost <list of TRUSTED IPs>
</Location>
Disable Test Pages
<Location ~ "^/fcgi-bin/echo.*$">
  Order deny,allow
  Deny from all
</Location>
Configure Logging
9
E-Business Suite Security - Continued
Change Passwords for Seeded Application User Accounts

Account             Product/Purpose                               Change  Disable
ANONYMOUS           FND/AOL – Anonymous for non-logged users      Y       Y
APPSMGR             Routine maintenance via concurrent requests   Y       Y
ASGADM              Mobile gateway related products               Y       N
ASGUEST             Sales Application guest user                  Y       N
AUTOINSTALL         AD                                            Y       Y
CONCURRENT MANAGER  FND/AOL: Concurrent Manager                   Y       Y
FEEDER SYSTEM       AD – Supports data from feeder system         Y       Y
GUEST               Guest application user                        Y       N
10
E-Business Suite Security - Continued
Consider Using Single Sign-On (SSO)
Refer to ML Doc ID 376811.1
Create New User Accounts Safely
Create Shared Responsibilities Instead of Shared Accounts
Configure Concurrent Manager for Safe Authentication
Activate Server Security
Tighten Logon and Session Profile Options

Profile Option Name              Recommendation
ICX_SESSION_TIMEOUT              30
SIGNON_PASSWORD_NO_REUSE         180
SIGNON_PASSWORD_HARD_TO_GUESS    Yes
SIGNON_PASSWORD_LENGTH           8
11
Desktop Security
Configure Browser
Refer to ML Doc ID 389422.1
Update Browser
Turn off Browser Auto Complete
Set Policy for Unattended PC Sessions
12
Operating Environment Security
Clean up file ownership and access
Clean up file permissions
Eliminate Telnet connections
Eliminate FTP connections
Verify Network configuration
13
Q&A
14
Copyright Information
Neither TUSC nor the authors guarantee this document to be error-free. Please provide comments/questions to: [email protected]
TUSC © 2006. This document cannot be reproduced without expressed written consent from an officer of TUSC
www.tusc.com
15
References
Best Practices for Securing Oracle E-Business Suite, Oracle Corporation, Version 3.0.2
Oracle Metalink
Oracle Technology Network (OTN)