Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
The Top 10 (Free) Things You Can Do to Secure Your Oracle E-Business Suite Instance
Eric Bing, Applications Product Security
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Agenda
- Deployment and Configuration
- Secure Configuration Scripts
- Top 10: 1-5
- Top 10: 6-10
- Top 10: Bonus
  – Credit Card Encryption
  – E-Business Suite template for Data Masking Pack
Deployment and Configuration
Secure E-Business Suite Deployment
- General EBS advice
  – Stay current with patching
    - Apply Critical Patch Updates (CPUs) + Security Alerts
    - Patch Set Updates (PSUs) are an option for the techstack
  – Apply the most recent maintenance pack (yes, security improves as well)
  – Follow our recommendations for secure deployment
    - Secure Configuration Guide for Oracle E-Business Suite
    - Oracle E-Business Suite Configuration in a DMZ
      Note: Follow this if deploying any parts of EBS to the Internet
E-Business Suite Secure Configuration Guides (previously known as "Best Practice" documents)
- Release 11i: MOS Note 189367.1
- Release 12: MOS Note 403537.1
E-Business Suite Secure Configuration Guides
- Advice for security-related "switches" to set/verify
- Many recommendations automated via AutoConfig and Oracle Application Manager (OAM)
- Advice also provided for optional security-related products (such as database options)
- Guidelines are based upon current patch levels
  – 11.5.10 and up
  – 12.0.6 and up
  – 12.1.2 and up
- Please raise an SR with Support against the Guides if you feel there are problems or omissions with the advice
Secure Configuration Scripts
- Current state vs recommendations
  – ERRORS: likely vulnerable to issues
  – WARNINGS: likely violating the Secure Config Guidelines
- Run anywhere
  – Scripts attempt to identify the code level when required
  – Any supported version of EBS
  – Any supported version of the DB
Secure Config Scripts
- Packaged as SQL and shell scripts
  – EBSSecConfigChecks.sql runs all (12) other SQL scripts and compiles them into a single report
  – Script comments often have hints for resolution
  – EBSCheckModSecurity.sh is a shell script
- Ongoing "health checks" to ensure critical security functionality
  – Run them early and often
  – Once you have a baseline, check for diffs
- Roadmap: online dashboard with alerts
Top Ten
What makes the "Top 10" cut?
- Most common issues seen at customer sites
- Biggest bang for the buck
- Not as well known / new features
- Least effort
- Applicable to many releases
- Free
Top 10: Items 1-5
1. Check Profile Settings
2. Change Default Passwords
3. Secure APPLSYSPUB
4. Activate Server Security
5. Implement IP Address Restrictions
1. Profile Settings
Note 946372.1 "Secure Configuration of E-Business Suite Profiles"
- Check script: EBSCheckProfilesMissing.sql
  – Reports on missing profiles
- Check script: EBSCheckProfileErrors.sql
  – Reports on configuration errors
- Check script: EBSCheckProfileWarnings.sql
  – Reports on configuration warnings
Missing Profiles
Check script: EBSCheckProfilesMissing.sql
Note 946372.1 "Secure Configuration of E-Business Suite Profiles"
- Server Security (discussed in detail later): FND_SERVER_SEC / FND_SERVER_IP_SEC missing
  – Patch 12715586:R12.FND.A delivers these missing profiles for R12.0.4+
  – Patch 12715586:R12.FND.B delivers these missing profiles for R12.1.1+
- Attachments Secure Configuration (discussed later): FND_SECURITY_FILETYPE_RESTRICT_DFLT / FND_DISABLE_ANTISAMY_FILTER
  – Introduced with the January 2012 CPU
Profiles – Configuration Errors
Check settings of critical profile options
Note 946372.1 "Secure Configuration of E-Business Suite Profiles"
- FND Validation Level: Error
- FND Function Validation Level: Error
- Framework Validation Level: Error
- Restrict Text Input: Y
- Attachments Secure Configuration (discussed later)
"Validation Level" profiles will be removed in 12.2
Profiles – Configuration Warnings
Check settings of profile options that produce warnings
Note 946372.1 "Secure Configuration of E-Business Suite Profiles"
- FND: Diagnostics: No
- Utilities: Diagnostics: No
- Personalize Self-Service Defn: No
- Attachments Secure Configuration (discussed later)
2. Default Passwords
Check script: EBSCheckUserPasswords.sql
E-Business Suite user passwords
- Checks EBS user passwords for default passwords
- Secure seeded application accounts: end-date them and change their passwords
- See the Secure Configuration Guide, section "Oracle E-Business Suite Security / Authentication"
2. Default Passwords
Check script: EBSCheckDBPasswords.sql
Database passwords
- Checks user and DB passwords:
    select * from dba_users_with_defpwd;   (11g only)
- Fix using:
  – AFPASSWD / FNDCPASS for APPS-controlled accounts
  – password / alter user ... for non-APPS-controlled accounts
- The Secure Configuration Guide, Appendix C, lists each user and provides advice
3. Secure APPLSYSPUB
- Change the password
  – Only in R12
  – Must run AutoConfig to populate the change to the configuration files
  – The APPLSYSPUB password must always be uppercase (even if Case Sensitive Passwords have been turned on)
3. Secure APPLSYSPUB
Check script: EBSCheckApplsyspubPrivs.sql
SCG: REVOKE UNNECESSARY GRANTS GIVEN TO APPLSYSPUB
- Check privileges
- Fix privileges: run $FND_TOP/patch/115/sql/afpubfix.sql
4. Activate Server Security
Check script: EBSCheckServerSecurity.sql
Secure Config Guide: ACTIVATE SERVER SECURITY
    select 'Server Security is on'
    from FND_NODES
    where server_address = '*' and server_id = 'SECURE';
- Switch "Server Security" to SECURE mode
- System Administrator's Guide, "Administering Server Security"
"Server Security" feature
Sample DBC file created by AdminAppServer or AdminDesktop:
    GWYUID=APPLSYSPUB/PUB
    GUEST_USER_PWD=GUEST/ORACLE
    FNDNAM=APPS
    APPL_SERVER_ID=AC70BE2E89CAC15F…64235254236135131826220
    TWO_TASK=PROD
    DB_PORT=1521
    DB_HOST=pdb1213.example.com
    APPS_JDBC_URL=jdbc\:oracle\:thin\:@(DESCRIPTION\=(ADDRESS\=(PROTOCOL\=tcp)(HOST\=pdb1213.example.com)(PORT\=1521)))(CONNECT_DATA\=(SERVICE_NAME\=PROD)))
    JDBC\:oracle.jdbc.maxCachedBufferSize=358400
Using AdminDesktop
- Non-EBS nodes are BPEL and Web Service nodes
- Use AdminDesktop to create DBC files for non-EBS nodes
  – Create the DBC file on an EBS AppTier node
  – Create it to be IP address specific
  – Maintain mode 600 while creating and copying it to the recipient node
- Documented in Note 974949.1 "AppsDataSource, Java Authentication and Authorization Service, and Utilities for Oracle E-Business Suite"
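To check a DBC file the way the two preceding slides say it should be handled, here is an added Python example; it is not Oracle's AdminDesktop and not one of the check scripts named on these slides. It parses the Java-properties format of the sample DBC, verifies the file is mode 0600 (and, optionally, owned by the application owner), confirms an APPL_SERVER_ID is present (the value server security matches against FND_NODES), and warns when the guest and APPLSYSPUB passwords in the file are still the defaults shown in the sample. The DBC content, host name and server ID below are made up for the example.

```python
import os
import stat
import tempfile

# Constructed DBC content in the format of the sample slide. The server ID
# and host are invented; GUEST/ORACLE and the PUB in GWYUID are the default
# passwords the slides say to change.
SAMPLE_DBC = """\
# constructed sample, not a real DBC file
GWYUID=APPLSYSPUB/PUB
GUEST_USER_PWD=GUEST/ORACLE
FNDNAM=APPS
APPL_SERVER_ID=0123456789ABCDEF0123456789ABCDEF01234567
TWO_TASK=PROD
DB_PORT=1521
DB_HOST=pdb1213.example.com
"""

DEFAULT_GUEST_PWD = "GUEST/ORACLE"
DEFAULT_APPLSYSPUB_PWD = "PUB"


def parse_dbc(text):
    """A DBC file is a Java properties file: KEY=VALUE lines, '#' comments,
    and backslash-escaped ':' and '=' inside values (see APPS_JDBC_URL)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip().replace("\\:", ":").replace("\\=", "=")
    return props


def audit_dbc(path, owner_uid=None):
    """Return findings in the ERROR/WARNING style of the secure-config scripts."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):      # any group/other access at all
        findings.append(f"ERROR: mode {mode:04o} on {os.path.basename(path)}; keep it 0600")
    if owner_uid is not None and st.st_uid != owner_uid:
        findings.append("ERROR: DBC file is not owned by the application owner")
    with open(path, encoding="utf-8") as fh:
        props = parse_dbc(fh.read())
    if "APPL_SERVER_ID" not in props:
        findings.append("ERROR: no APPL_SERVER_ID; the node is not registered for server "
                        "security and is refused once FND_NODES is in SECURE mode")
    if props.get("GUEST_USER_PWD", "").upper() == DEFAULT_GUEST_PWD:
        findings.append("WARNING: GUEST_USER_PWD is the default GUEST/ORACLE (item 2)")
    if props.get("GWYUID", "").partition("/")[2].upper() == DEFAULT_APPLSYSPUB_PWD:
        findings.append("WARNING: GWYUID still uses the default APPLSYSPUB password PUB (item 3)")
    return findings


def write_dbc(text, mode=0o600, directory=None):
    """Write a DBC to a temp file. mkstemp creates it 0600 from the first byte
    (the slide's 'maintain mode 600 while creating'); a looser mode is only
    applied here to demonstrate what the audit reports on a bad copy."""
    fd, path = tempfile.mkstemp(suffix=".dbc", dir=directory)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for finding in audit_dbc(write_dbc(SAMPLE_DBC, mode=0o644), owner_uid=os.getuid()):
        print(finding)
```

Run it against the DBC on a BPEL or Web Service node after copying; a clean result is an empty list apart from the two password warnings until items 2 and 3 have been done.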
5. Implement IP Address Restrictions
Use a whitelist of IP addresses
Note 387859.1: Using AutoConfig to Manage System Configurations…
- Profile: SQLNet Access (FND_SQLNET_ACCESS), set to ALLOW_RESTRICTED
  – Tells AutoConfig to automate this when run on the DB server
- $TNS_ADMIN/sqlnet.ora:
  – tcp.validnode_checking = YES
  – tcp.invited_nodes = ( X.X.X.X, hostname, ... )
5. Implement IP Address Restrictions
No automated check via scripts
Note 387859.1: Using AutoConfig to Manage System Configurations…
Manual check from a node not in the whitelist; you should get a hang-up:
    bash$ telnet ebs.example.com 4443
    Trying 115.X.X.X...
    Connected to ebs.example.com
    Escape character is '^]'.
    Connection closed by foreign host.
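The sqlnet.ora settings above are what the manual hang-up test probes: with validnode checking on, the database listener (DB_PORT, 1521 in the DBC sample earlier) drops any client whose address is not invited. The Python below is an added example, not one of Oracle's check scripts: it parses a constructed sqlnet.ora fragment and reproduces the listener's decision, including the rule that tcp.invited_nodes takes precedence over tcp.excluded_nodes when both are present, and it reports, in the ERROR/WARNING style of the scripts, when the file leaves the listener open or omits a node that must stay invited (every application tier host and the database host itself, which AutoConfig adds from FND_NODES and a hand edit can drop). The addresses, hostnames, CIDR and wildcard entries are made up; whether CIDR and wildcards are accepted in invited_nodes depends on the database release, so treat that part as an assumption.

```python
import ipaddress
import re

# Constructed sqlnet.ora fragment of the kind AutoConfig writes when SQLNet
# Access is ALLOW_RESTRICTED. All hosts and addresses are invented.
SAMPLE_SQLNET_ORA = """\
# sqlnet.ora (constructed sample)
tcp.validnode_checking = YES
tcp.invited_nodes = (10.1.1.5, apps1.example.com, 10.1.2.0/24, 10.1.3.*)
tcp.excluded_nodes = (192.168.77.1)
"""


def parse_sqlnet(text):
    """Collect the tcp.* parameters; node lists become Python lists.
    Single-line values only (Oracle also allows values spanning lines)."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(tcp\.\w+)\s*=\s*(.*)$", line, re.IGNORECASE)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key.endswith("_nodes"):
            value = [v.strip() for v in value.strip("()").split(",") if v.strip()]
        params[key] = value
    return params


def node_matches(entry, host, address):
    """True if one invited/excluded entry covers the connecting node."""
    if host and entry.lower() == host.lower():
        return True
    if "/" in entry:                     # CIDR notation (release dependent)
        return ipaddress.ip_address(address) in ipaddress.ip_network(entry, strict=False)
    if "*" in entry:                     # IPv4 wildcard such as 10.1.3.*
        pattern = re.escape(entry).replace(r"\*", r"\d+")
        return re.fullmatch(pattern, address) is not None
    try:
        return ipaddress.ip_address(entry) == ipaddress.ip_address(address)
    except ValueError:                   # a hostname entry that did not match
        return False


def listener_allows(text, address, host=None):
    """Would the listener accept a connection from this address/host?"""
    p = parse_sqlnet(text)
    if str(p.get("tcp.validnode_checking", "NO")).upper() != "YES":
        return True                      # no node checking at all
    invited = p.get("tcp.invited_nodes", [])
    excluded = p.get("tcp.excluded_nodes", [])
    if invited:                          # invited list wins when both are present
        return any(node_matches(e, host, address) for e in invited)
    return not any(node_matches(e, host, address) for e in excluded)


def audit_sqlnet(text, required_nodes):
    """required_nodes: dicts with 'address' and optional 'host' for every
    application tier node and the database host that must stay invited."""
    p = parse_sqlnet(text)
    findings = []
    if str(p.get("tcp.validnode_checking", "NO")).upper() != "YES":
        findings.append("ERROR: tcp.validnode_checking is not YES; the listener accepts any client")
        return findings
    if not p.get("tcp.invited_nodes"):
        findings.append("WARNING: no tcp.invited_nodes; only the excluded-nodes blacklist applies")
    for node in required_nodes:
        if not listener_allows(text, node["address"], node.get("host")):
            findings.append(f"ERROR: required node {node.get('host') or node['address']} is not invited")
    return findings
```

Feed it the real $TNS_ADMIN/sqlnet.ora on the DB tier and the node list from FND_NODES; the ERROR for a missing required node is the one that explains a concurrent manager or AutoConfig run suddenly failing after the whitelist was tightened by hand.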
Top 10: Items 6-10
6. Migrate to Password Hashing
7. Enable Application Tier Secure Socket Layer (SSL)
8. Move Off of Client/Server Components
9. Secure Configuration of Attachments
10. Turn on ModSecurity
6. Migrate Oracle Applications User Passwords to a Non-Reversible Hash
Check script: EBSCheckHashedPasswords.sql
MOS Note 457166.1 - FNDCPASS Utility New Feature…
    select 'Hashed passwords are not on' "Password Mode"
    from dual
    where FND_WEB_SEC.GET_PWD_ENC_MODE is null;
- Switch to hashed passwords for applications users (Note 457166.1)
  – FNDCPASS apps/apps 0 Y system/manager USERMIGRATE SHA1
- Upgrade any desktop clients that use the FNDPUB DLL/libraries: Discoverer, Configurator, Desktop ADI…
  – Or even better, replace these with their web variant
7. Enable SSL/TLS for the Web Listener
Check script: EBSCheckSSL.sql
Note 376700.1 Enabling SSL for Oracle Applications Release 12
- Checks via FND_WEB_CONFIG.PROTOCOL
- Enable SSL (https) for the web listener
- Avoid weak ciphers and protocols (< 128 bit & SSLv2)
- Using Telnet Mobile Web Apps?
  – Mechanism for securing MWA Telnet communication via Stunnel (Note 1493091.1)
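An added Python example, not part of the slides, for the "avoid weak ciphers and protocols" point: it reads the line format of `openssl ciphers -v` (which you can run against the SSLCipherSuite string configured for the web listener) and flags entries that the slide's rule catches, that is SSLv2, export grade and fewer than 128 bits, with 3DES counted at its effective 112 bits rather than the 168 that OpenSSL prints. As a switchable extra that goes beyond the 2012 advice it also flags RC4 and MD5-based suites. The listing is a constructed sample in that format, not real output from any system.

```python
import re

# Constructed sample in the column layout of `openssl ciphers -v`. The rows
# are illustrative; the protocol column is the version the suite was first
# defined for (most TLS 1.0 suites show SSLv3), not an enabled protocol.
SAMPLE_CIPHERS = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
"""

# OpenSSL prints the nominal key size; 3DES gives 112 bits of security.
EFFECTIVE_BITS = {"3DES": 112}

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<flags>.*)$")


def parse_cipher_line(line):
    """One `openssl ciphers -v` row -> dict, or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    if d["enc"] == "None":               # NULL cipher: no encryption at all
        alg, bits = "NULL", 0
    else:
        am = re.match(r"([A-Za-z0-9]+)\((\d+)\)", d["enc"])
        alg, bits = am.group(1), int(am.group(2))
    d["alg"] = alg
    d["bits"] = EFFECTIVE_BITS.get(alg, bits)
    d["export"] = "export" in d["flags"]
    return d


def weak_ciphers(listing, min_bits=128, flag_rc4_md5=True):
    """Return [(suite name, [reasons])] for every suite that violates the
    slide's rule; flag_rc4_md5 adds the post-2012 RC4/MD5 exclusion."""
    weak = []
    for line in listing.splitlines():
        c = parse_cipher_line(line)
        if c is None:
            continue
        reasons = []
        if c["proto"].upper() == "SSLV2":
            reasons.append("SSLv2")
        if c["export"]:
            reasons.append("export grade")
        if c["bits"] < min_bits:
            reasons.append(f"{c['bits']}-bit {c['alg']}")
        if flag_rc4_md5 and (c["alg"] == "RC4" or c["mac"] == "MD5"):
            reasons.append("RC4/MD5 (broken after this advice was written)")
        if reasons:
            weak.append((c["name"], reasons))
    return weak


if __name__ == "__main__":
    for name, reasons in weak_ciphers(SAMPLE_CIPHERS):
        print(f"{name}: {', '.join(reasons)}")
```

To check a live listener rather than a listing, pipe `openssl ciphers -v '<your SSLCipherSuite value>'` into `weak_ciphers`; anything it prints should be removed from the cipher string, and SSLv2 should be disabled in the SSLProtocol directive independently of the cipher list.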
8. Move Off of Client/Server Components
- End-user PCs should not have a direct DB connection
- Switch to the equivalent web components when possible
  – Desktop ADI -> Web ADI and Report Manager
- Put client/server components on a secured server (Note 277535.1)
  – Windows Server Terminal Services
  – Secure Global Desktop
- Users should not be able to access the DBC file directly
9. Secure Configuration of Attachments
Check script: part of the profile checks
- File upload limits for attachments
- Attachments file type validation
- Tag scanning of HTML attachments
File Upload Limits for Attachments
Note 604458.1 - How to Limit The Attachment File Size?
- Allowing unlimited attachment sizes can allow for a denial of service (DoS) attack
- Profile: Upload File Size Limit (UPLOAD_FILE_SIZE_LIMIT)
  – Limits the maximum attachment file size that can be uploaded
  – Specified in KB (e.g. 2000KB)
Attachments File Type Validation
Delivered as part of the January 2012 CPU
Note 1357849.1 - Security Configuration Mechanism in Attachments
- New column FND_MIME_TYPES.ALLOW_FILE_UPLOAD, values N and Y; configured by default as a "black list"
- Profile: Attachment File Upload Restriction Default
  – Yes (default): blacklist behavior, disallow types marked 'N'
  – No (recommended): whitelist behavior, only allow types marked 'Y'
Tag Scanning of HTML Attachments
Delivered as part of the January 2012 CPU
Note 1357849.1 - Security Configuration Mechanism in Attachments
- OWASP AntiSamy allows only a specific whitelist of HTML tags
- Profile: FND: Disable Antisamy Filter
  – False (default / recommended): sanitize HTML pages
- Message shown to the user when a document is sanitized: "The document you uploaded has been modified to remove restricted tags. Please check the document and replace it if necessary."
Tag Scanning of HTML Attachments
Note 1357849.1 - Security Configuration Mechanism in Attachments
- Warning: the AntiSamy scan requires the character set to be known
- Can cause character set issues for binary attachments
  – Fix (patch 14141465) will use the meta tag or FND_NATIVE_CLIENT_ENCODING
  – Take this patch if you see character set issues in binary attachments
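The three attachment controls in item 9 (size limit, file type list, HTML sanitisation) together with the item 1 profile checks are easier to reason about as code. This Python is an added example, not Oracle's upload code and not one of its check scripts; it models the decision the slides describe: with FND_SECURITY_FILETYPE_RESTRICT_DFLT = Y a type is blocked only if its FND_MIME_TYPES.ALLOW_FILE_UPLOAD flag is N, with N a type is allowed only if its flag is Y, so an extension that is not in the table at all is accepted in blacklist mode and refused in whitelist mode, which is the reason the whitelist setting is recommended. The MIME table rows are a constructed subset, the extension is taken from the last dot in the file name, and treating one KB of UPLOAD_FILE_SIZE_LIMIT as 1024 bytes is an assumption to verify against your release. AntiSamy itself is a library and is not modelled; the audit function only checks that it is still enabled.

```python
# Constructed subset of FND_MIME_TYPES: extension -> (mime type, ALLOW_FILE_UPLOAD).
SAMPLE_MIME_TYPES = {
    "pdf":  ("application/pdf", "Y"),
    "xlsx": ("application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", "Y"),
    "txt":  ("text/plain", "Y"),
    "html": ("text/html", "Y"),
    "exe":  ("application/octet-stream", "N"),
    "js":   ("application/javascript", "N"),
}

KB = 1024   # assumption: the profile's KB means 1024 bytes


def upload_decision(filename, size_bytes, profiles, mime_types=SAMPLE_MIME_TYPES):
    """(allowed, reason) for an upload under the given profile values.
    profiles is a dict of internal profile names to their string values."""
    limit_kb = profiles.get("UPLOAD_FILE_SIZE_LIMIT")
    if limit_kb and size_bytes > int(limit_kb) * KB:
        return False, f"size {size_bytes} exceeds UPLOAD_FILE_SIZE_LIMIT {limit_kb}KB"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    row = mime_types.get(ext)
    flag = row[1].upper() if row else None           # None: extension not in the table
    blacklist = profiles.get("FND_SECURITY_FILETYPE_RESTRICT_DFLT", "Y").upper() == "Y"
    if blacklist:
        if flag == "N":
            return False, f".{ext} is marked N (blacklist mode)"
        note = " (unlisted type slips through)" if row is None else ""
        return True, f".{ext} is not marked N (blacklist mode){note}"
    if flag == "Y":
        return True, f".{ext} is marked Y (whitelist mode)"
    return False, f".{ext} is not marked Y (whitelist mode)"


def audit_attachment_profiles(profiles):
    """The attachment-related findings the item 1 profile scripts report."""
    findings = []
    restrict = profiles.get("FND_SECURITY_FILETYPE_RESTRICT_DFLT")
    if restrict is None:
        findings.append("MISSING: FND_SECURITY_FILETYPE_RESTRICT_DFLT (delivered by the January 2012 CPU)")
    elif restrict.upper() == "Y":
        findings.append("WARNING: file type restriction is a blacklist; set it to N for whitelist behaviour")
    antisamy_off = profiles.get("FND_DISABLE_ANTISAMY_FILTER")
    if antisamy_off is None:
        findings.append("MISSING: FND_DISABLE_ANTISAMY_FILTER (delivered by the January 2012 CPU)")
    elif antisamy_off.upper() in ("Y", "TRUE"):
        findings.append("ERROR: AntiSamy filter disabled; HTML attachments are stored unsanitised")
    if not profiles.get("UPLOAD_FILE_SIZE_LIMIT"):
        findings.append("WARNING: UPLOAD_FILE_SIZE_LIMIT unset; unlimited uploads allow a DoS")
    return findings


if __name__ == "__main__":
    for mode in ("Y", "N"):
        p = {"FND_SECURITY_FILETYPE_RESTRICT_DFLT": mode, "UPLOAD_FILE_SIZE_LIMIT": "2000"}
        print(mode, "plugin.jar ->", upload_decision("plugin.jar", 1000, p))
```

The "plugin.jar" case is the one to show an administrator who argues the default is good enough: the same file is accepted under the blacklist and refused under the whitelist, and the only difference is the profile value.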
10. Ensure ModSecurity Is On
Check script: EBSCheckModSecurity.sh
- Usage: EBSCheckModSecurity.sh https://ebs.example.com:4443
- Shell script, not included in EBSSecConfigChecks.sql
ModSecurity: Web Application Firewall Apache module
- Part of iAS 1.0.2.2 and OHS 10.1.3
- Automatically configured
- ModSecurity blocks "bad" requests (blacklist); it can also whitelist
  – Null bytes, directory crawling, URL encoding, UTF-8 encoding
- Stops "obviously bad" requests early
Top 10: Bonus
11. Encrypt Credit Card Data
12. Separation of Duties: Review Access to "Sensitive Administrative Pages"
11. Credit Card Encryption
Check script: EBSCheckCCEncryption.sql
1. Checks whether credit cards are encrypted in 'Immediate' mode
  – Info on encryption: Payments User Implementation Guide
  – For more info on PA-DSS compliance: Note 981033.1
11. Credit Card Encryption
Check script: EBSCheckCCEncryption.sql
New features
2. Checks Supplemental Credit Card Data Encryption
  – Encrypts expiration date and card holder name
  – MOS Note 981033.1 - 'Payments 12.1.2 Release Notes'
3. Enhanced Hashing
  – Defends against brute forcing of hashes
  – Concurrent program to rehash
  – Patch 13114025:R12.IBY.B
12. Sensitive Administrator Functionality
Note 1334930.1 "Sensitive Administrative Pages in Oracle EBS"
- Security Administrator
  – Control of access to pages and profiles
- Administrator / Developer Functionality
  – Pages / profiles which allow for application development at runtime: SQL fragments, HTML fragments, OS commands
  – Should be disabled, controlled, and audited in production environments: flexfield definitions, Forms and Framework personalization…
  – Designed-in SQL injections or XSS injections
12. Sensitive Administrator Functionality
Note 1334930.1 "Sensitive Administrative Pages in Oracle EBS"
Identifies new categories of sensitive functionality:
- Oracle Forms-based forms controlled by Function Security (~40)
- HTML pages controlled by Function Security (~25)
- Pages and forms controlled by profile options (3)
- Pages controlled by JTF roles and permissions (3)
12. Sensitive Administrator Functionality
Check script: EBSCheckSensitivePageAccess.sql
Note 1334930.1 "Sensitive Administrative Pages in Oracle EBS"
- Not called by default from EBSSecConfigChecks.sql
- The SQL scripts drive off of page and form names (not functions)
  – Slower, but ensures we pick up custom functions that include these
- Reduce and eliminate access to these pages by admins in production
- Use Fine Grained Auditing to audit the tables associated with these pages