Copyright © 2012 Splunk Inc.
Splunking PeopleSoft
Marquis Montgomery
Security Architect/Team Lead, Corporate Security
AGENDA
What is PeopleSoft?
Realistic PeopleSoft architectures
Limitations we’re trying to mitigate
Use cases & how we do it
How you can do it
PeopleSoft vs PeopleTools
PeopleSoft Version
– Denoted by module with two numbers (HCM 9.1, SA 8.9)
PeopleTools Version
– Denoted with three numbers (8.53.11)
– [major release] . [minor release] . [dot release]
Basic Architecture
PeopleSoft Internet Architecture (PIA) v8
– Also called Pure Internet Architecture
3-tier vs 2-tier
– 3-tier via the web (web, app, db)
– 2-tier via Application Designer (app, db)
Realistic Architecture
PeopleSoft in the Enterprise
[Diagram of environments: PRD, DEV, TST, STG]
PeopleSoft Limitations
Generic IDs used (and often required) for application maintenance
– ‘VP1’ level ID in the application
– SYSADM at the database tier (App -> DB)
Row level auditing within the application is expensive
Limited (or no) security information from Oracle about vulnerabilities
Many versions of PSFT and PTools, long upgrade cycle & patching quarterly not always possible
Widely distributed system with lots of log sources
WebLogic Use Cases
1) Table of IP to web requests (Time, IP, GET/POST, response code)
2) Breakdown by response code (200, 404, 304, etc)
3) URL history per IP
4) Portions of the app accessed the most (pageletname)
5) No app server available / no available application server domain / Jolt session pool
6) IB connector errors (free form search / troubleshooting)
7) DetectCSRF
8) Untrusted Server Certificate chain
Application Server Use Cases
1) All errors, notices, & warnings
2) Authentication failures
3) Authentication succeeded
4) Guest activity
5) LDAP Errors & failures
6) New auth token
7) password encryption notices
8) password expired
9) switch user attempt
10) Invalid user / pwd over threshold alert
Database Server Use Cases
1) Authentication success
2) Authentication failure
3) Drops, alters, rollbacks, commits
4) DBA activity (depending on logging)
Sensitive data selects (National ID field)
WebLogic Log Sources
| Log name | Contents |
| --- | --- |
| 1. Access | Client IP, date & time, URL request, response code |
| 2. Servlets | Debug & troubleshooting information from clients, some security alerts (CSRF) |
| 3. Stderr | Error messages related to the webservers |
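
Added example, not part of the original slides or the Splunk TA: WebLogic use cases 1 to 4 (request table, breakdown by response code, URL history per IP, most-accessed pagelets) computed in Python from Access log lines. It assumes the access log is written in common log format; the sample lines, IPs and URLs are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed layout (common log format): host ident user [time] "METHOD url PROTO" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample lines (not taken from a real system).
SAMPLE = """\
10.1.1.20 - - [10/Sep/2012:09:15:01 -0700] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5120
10.1.1.20 - - [10/Sep/2012:09:15:02 -0700] "GET /psp/ps/EMPLOYEE/HRMS/h/?cmd=getCachedPglt&pageletname=MENU HTTP/1.1" 200 2048
10.1.1.31 - - [10/Sep/2012:09:16:10 -0700] "POST /psp/ps/?cmd=login HTTP/1.1" 302 0
10.1.1.31 - - [10/Sep/2012:09:16:12 -0700] "GET /psp/ps/EMPLOYEE/HRMS/h/?cmd=getCachedPglt&pageletname=MENU HTTP/1.1" 304 -
10.1.1.31 - - [10/Sep/2012:09:16:40 -0700] "GET /psc/ps/missing.gif HTTP/1.1" 404 312
this line is truncated or corrupt
"""

def parse(text):
    """Use case 1: return (events, rejected); rejected lines are kept for review."""
    events, rejected = [], []
    for line in text.splitlines():
        m = CLF.match(line.strip())
        if m:
            events.append(m.groupdict())
        elif line.strip():
            rejected.append(line)
    return events, rejected

def summarize(events):
    """Return (count by status, request history per IP, count by pageletname)."""
    by_status = Counter(e["status"] for e in events)      # use case 2
    history = defaultdict(list)                            # use case 3
    pagelets = Counter()                                   # use case 4
    for e in events:
        history[e["ip"]].append((e["time"], e["method"], e["url"], e["status"]))
        # pageletname is read from the URL query string when present
        for name in parse_qs(urlsplit(e["url"]).query).get("pageletname", []):
            pagelets[name] += 1
    return by_status, dict(history), pagelets

if __name__ == "__main__":
    events, rejected = parse(SAMPLE)
    by_status, history, pagelets = summarize(events)
    print(dict(by_status), pagelets.most_common(3), len(rejected))
    for ip, rows in history.items():
        print(ip, *rows, sep="\n  ")
```
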
BEA Tuxedo Log Sources
| Log name | Contents |
| --- | --- |
| 1. Appsrv | Username@IP, authentication success / fail, |
| 2. Tuxlog | App server restart activity, Tuxedo version |
| 3. Tuxaccess | # of clients on app server, logon / logoff activity, username, client IP |
| 4. Watchsrv | PID, current state, version, domains booted |
Let’s see how it looks
DEMO
How you can do it
WebLogic
– http://docs.oracle.com/cd/E12840_01/wls/docs103/logging/config_logs.html
– http://docs.oracle.com/cd/E12840_01/wls/docs103/ConsoleHelp/taskhelp/logging/EnableAndConfigureHTTPLogs.html
PeopleSoft App Server
– http://docs.oracle.com/cd/E12531_01/tuxedo100/ada/admon.html
Oracle DB
– http://docs.oracle.com/cd/E11882_01/network.112/e16543/auditing.htm
How you can do it
Splunk PeopleSoft TA
– http://splunk-base.splunk.com/apps/58502/ta-peoplesoft_architecture
CedarCrestone Oracle 10G TA
– http://splunk-base.splunk.com/apps/58501/ta-cedarcrestone_oracle_10g
CedarCrestone Oracle 11G TA
– http://splunk-base.splunk.com/apps/58500/ta-cedarcrestone_oracle_11g