Oracle EBS R12 - Security
Oracle EBS R12 - Security
Best Practices for Securing
Oracle EBS R12
Agenda
Overview
Oracle TNS Listener Security
Oracle Database Security
Oracle Application Tier Security
E-Business Suite Security
Desktop Security
Operating Environment Security
Q&A
Overview
In today's environment, a properly secured computing infrastructure is critical. When securing the infrastructure, a balance must be struck between risk of exposure, cost of security and value of the information protected.

Each organization determines its own correct balance. To that end, this presentation describes security measures that will be put in place for securing Oracle E-Business Suite R12.
Overview - Continued
Oracle TNS Listener Security

Enable "Validate Node Checking" (sqlnet.ora):
    tcp.validnode_checking = YES
    tcp.invited_nodes = ( X.X.X.X, hostname, ... )
    tcp.excluded_nodes = ( hostname, X.X.X.X, ... )

Specify Connection Timeout (listener.ora):
    CONNECT_TIMEOUT_$ORACLE_SID = 10

Enable TNS Listener Password:
    $ lsnrctl
    LSNRCTL> set current_listener $ORACLE_SID
    LSNRCTL> change_password
    LSNRCTL> set password
    LSNRCTL> save_config

Enable Admin Restrictions (listener.ora; the suffix is the listener name, written below both as $ORACLE_SID and as DBLSNR):
    ADMIN_RESTRICTIONS_$ORACLE_SID = ON
    $ echo "ADMIN_RESTRICTIONS_DBLSNR = ON" >> listener.ora
    LSNRCTL> set current_listener $ORACLE_SID
    LSNRCTL> set password
    LSNRCTL> reload

Enable TNS Listener Logging (LOG_STATUS is the lsnrctl SET command; the listener.ora parameter is LOGGING_$ORACLE_SID = ON):
    LOG_STATUS = ON
    LOG_DIRECTORY_$ORACLE_SID = $TNS_ADMIN
    LOG_FILE_$ORACLE_SID = $ORACLE_SID
Oracle Database Security

Disable XDB by removing the XDB dispatcher entry from the init parameters:
    dispatchers='(PROTOCOL=TCP) (SERVICE=sidXDB)'

Remove OS trusted login:
    REMOTE_OS_AUTHENT=FALSE

Implement two or more profiles for password management:

    Password Parameter          Application Profile    Administrator Profile
    FAILED_LOGIN_ATTEMPTS       Unlimited              5
    PASSWORD_LIFE_TIME          Unlimited              90
    PASSWORD_REUSE_TIME         180                    180
    PASSWORD_REUSE_MAX          Unlimited              Unlimited
    PASSWORD_LOCK_TIME          Unlimited              7
    PASSWORD_GRACE_TIME         Unlimited              14
    PASSWORD_VERIFY_FUNCTION    Recommended            Recommended
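The profile table above is only useful if the live profiles are compared against it in the right direction: a larger FAILED_LOGIN_ATTEMPTS weakens the control, while a smaller PASSWORD_REUSE_TIME does. The following Python script is an added example, not part of the presentation or of Oracle's tooling. It transcribes the slide's values as a baseline, reads constructed rows in the shape of DBA_PROFILES (PROFILE, RESOURCE_NAME, LIMIT), reports where a profile is weaker than its baseline column, and explains how Oracle combines PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX (with one limited and the other UNLIMITED, as on the slide, a password can never be reused). The profile names EBS_ADMIN and EBS_APPS are assumed.

```python
"""Compare Oracle password-profile limits with the two baselines on the slide.

Added example (not from the slide deck or Oracle). BASELINE transcribes the
slide; SAMPLE_ROWS are constructed rows in the shape of DBA_PROFILES
(PROFILE, RESOURCE_NAME, LIMIT); EBS_ADMIN and EBS_APPS are assumed names."""

INF = float("inf")  # Oracle's UNLIMITED, treated as infinity for comparison

# Slide values as (Application profile, Administrator profile).
BASELINE = {
    "FAILED_LOGIN_ATTEMPTS": ("UNLIMITED", "5"),
    "PASSWORD_LIFE_TIME":    ("UNLIMITED", "90"),
    "PASSWORD_REUSE_TIME":   ("180", "180"),
    "PASSWORD_REUSE_MAX":    ("UNLIMITED", "UNLIMITED"),
    "PASSWORD_LOCK_TIME":    ("UNLIMITED", "7"),
    "PASSWORD_GRACE_TIME":   ("UNLIMITED", "14"),
}
COLUMN = {"APPLICATION": 0, "ADMINISTRATOR": 1}

# Direction in which a deviation weakens the control. "ceiling": a larger value
# is weaker (more failed attempts, longer password life, longer grace period).
# "floor": a smaller value is weaker (shorter reuse lock-out, shorter lock time).
DIRECTION = {
    "FAILED_LOGIN_ATTEMPTS": "ceiling",
    "PASSWORD_LIFE_TIME": "ceiling",
    "PASSWORD_GRACE_TIME": "ceiling",
    "PASSWORD_REUSE_TIME": "floor",
    "PASSWORD_REUSE_MAX": "floor",
    "PASSWORD_LOCK_TIME": "floor",
}


def as_number(limit):
    """DBA_PROFILES.LIMIT is text: UNLIMITED, DEFAULT or a (possibly fractional) number."""
    limit = limit.strip().upper()
    if limit == "UNLIMITED":
        return INF
    if limit == "DEFAULT":
        return None  # inherited from the DEFAULT profile; resolve before comparing
    return float(limit)


def rows_to_limits(rows, profile):
    """Collect {RESOURCE_NAME: LIMIT} for one profile from DBA_PROFILES-style rows."""
    return {name: limit for prof, name, limit in rows if prof == profile}


def check_profile(limits, column):
    """Return findings where a profile is weaker than the chosen baseline column."""
    col = COLUMN[column]
    findings = []
    for name, wanted in BASELINE.items():
        if name not in limits:
            findings.append(f"{name}: not set")
            continue
        actual = as_number(limits[name])
        if actual is None:
            findings.append(f"{name}: DEFAULT (inherits the DEFAULT profile; resolve and re-check)")
            continue
        target = as_number(wanted[col])
        weaker = actual > target if DIRECTION[name] == "ceiling" else actual < target
        if weaker:
            findings.append(f"{name}: {limits[name]} is weaker than baseline {wanted[col]}")
    return findings


def reuse_semantics(reuse_time, reuse_max):
    """How Oracle combines PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX (CREATE PROFILE
    documentation): both UNLIMITED means no restriction; one UNLIMITED and the
    other a number means the password can never be reused."""
    t, m = as_number(reuse_time), as_number(reuse_max)
    if t == INF and m == INF:
        return "reuse allowed at any time (both UNLIMITED)"
    if t == INF or m == INF:
        return "password can never be reused (one limited, the other UNLIMITED)"
    return f"reuse allowed after {reuse_time} days and {reuse_max} intervening changes"


# Constructed sample: an administrator profile that drifts from the baseline and
# an application profile that is missing one parameter.
SAMPLE_ROWS = [
    ("EBS_ADMIN", "FAILED_LOGIN_ATTEMPTS", "10"),
    ("EBS_ADMIN", "PASSWORD_LIFE_TIME", "90"),
    ("EBS_ADMIN", "PASSWORD_REUSE_TIME", "180"),
    ("EBS_ADMIN", "PASSWORD_REUSE_MAX", "UNLIMITED"),
    ("EBS_ADMIN", "PASSWORD_LOCK_TIME", ".0416"),  # about one hour, as a fraction of a day
    ("EBS_ADMIN", "PASSWORD_GRACE_TIME", "14"),
    ("EBS_APPS", "FAILED_LOGIN_ATTEMPTS", "UNLIMITED"),
    ("EBS_APPS", "PASSWORD_LIFE_TIME", "UNLIMITED"),
    ("EBS_APPS", "PASSWORD_REUSE_TIME", "180"),
    ("EBS_APPS", "PASSWORD_REUSE_MAX", "UNLIMITED"),
    ("EBS_APPS", "PASSWORD_LOCK_TIME", "UNLIMITED"),
]

if __name__ == "__main__":
    for profile, column in (("EBS_ADMIN", "ADMINISTRATOR"), ("EBS_APPS", "APPLICATION")):
        limits = rows_to_limits(SAMPLE_ROWS, profile)
        print(profile, check_profile(limits, column) or "matches baseline")
        print("  reuse:", reuse_semantics(limits["PASSWORD_REUSE_TIME"], limits["PASSWORD_REUSE_MAX"]))
```

On a real system the rows come from SELECT profile, resource_name, limit FROM dba_profiles WHERE resource_type = 'PASSWORD'; a LIMIT of DEFAULT must be resolved against the DEFAULT profile before the comparison means anything, which is why the script reports it rather than guessing.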
Oracle Database Security - Continued

Change default installation passwords for:
    Default database administration schemas
    Schemas belonging to optional database features neither used nor patched by E-Business Suite
    Schemas belonging to optional database features used but not patched by E-Business Suite
    Schemas belonging to optional database features used and patched by E-Business Suite
    Schemas common to all E-Business Suite products
    Schemas associated with specific E-Business Suite products

Restrict access to SQL trace files:
    _TRACE_FILES_PUBLIC=FALSE

Remove OS trusted roles:
    REMOTE_OS_ROLES=FALSE

Limit file system access within PL/SQL:
    Avoid: UTL_FILE_DIR = *

Limit dictionary access:
    O7_DICTIONARY_ACCESSIBILITY = FALSE

Configure DB for auditing:
    AUDIT_TRAIL = OS
    AUDIT_FILE_DEST = /u01/logs/db/audit

Audit DB connections:
    SQL> audit session;

Audit DB schema changes:
    SQL> audit user;
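The listener settings on the TNS Listener slide and the database parameters on the two slides above all live in text files (sqlnet.ora, listener.ora, init.ora), so they can be verified without connecting to the database. The following Python script is an added example, not part of the presentation or of Oracle's tooling: it parses those files, including parenthesised lists that span several lines, and reports which of the slide's settings are missing or weak. The three file bodies are constructed samples and LISTENER is an assumed listener name.

```python
"""Check sqlnet.ora, listener.ora and init.ora for the hardening settings on the
TNS listener slide and the database security slides.

Added example, not from the deck or Oracle. The three file bodies below are
constructed samples; LISTENER is the assumed listener name."""


def parse_ora(text):
    """Parse KEY = VALUE lines from an Oracle *.ora file into a dict.
    Keys are upper-cased and a leading "*." (pfile syntax) is dropped. A flat
    parenthesised list such as (a, b, c), even spread over several lines, becomes
    a Python list; nested values like (DESCRIPTION = ...) stay strings."""
    params, buf = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        buf = f"{buf} {line}".strip()
        if buf.endswith("=") or buf.count("(") > buf.count(")"):
            continue  # value continues on the next line
        key, _, value = buf.partition("=")
        key, value = key.strip().upper(), value.strip()
        key = key[2:] if key.startswith("*.") else key
        if value.startswith("(") and value.endswith(")") and "=" not in value:
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        params[key] = value
        buf = ""
    return params


def unquote(value):
    """Normalise a scalar value: strip quotes, upper-case."""
    return str(value).strip().strip("'\"").upper()


def check_sqlnet(p):
    findings = []
    if unquote(p.get("TCP.VALIDNODE_CHECKING", "")) != "YES":
        findings.append("sqlnet.ora: tcp.validnode_checking is not YES")
    if not p.get("TCP.INVITED_NODES"):
        findings.append("sqlnet.ora: tcp.invited_nodes is empty, so there is no allow-list")
    return findings


def check_listener(p, listener):
    findings = []
    if unquote(p.get(f"ADMIN_RESTRICTIONS_{listener}", "")) != "ON":
        findings.append(f"listener.ora: ADMIN_RESTRICTIONS_{listener} is not ON")
    if f"CONNECT_TIMEOUT_{listener}" not in p:
        findings.append(f"listener.ora: CONNECT_TIMEOUT_{listener} is not set")
    if unquote(p.get(f"LOGGING_{listener}", "ON")) != "ON":  # listener logging defaults to ON
        findings.append(f"listener.ora: LOGGING_{listener} is OFF")
    return findings


# Parameters the slides want FALSE; each defaults to FALSE, so only an explicit
# non-FALSE value is reported.
INIT_FALSE = ("REMOTE_OS_AUTHENT", "REMOTE_OS_ROLES",
              "_TRACE_FILES_PUBLIC", "O7_DICTIONARY_ACCESSIBILITY")


def check_init(p):
    findings = []
    for name in INIT_FALSE:
        if unquote(p.get(name, "FALSE")) != "FALSE":
            findings.append(f"init.ora: {name} is {p[name]}, expected FALSE")
    if unquote(p.get("UTL_FILE_DIR", "")) == "*":
        findings.append("init.ora: UTL_FILE_DIR = * lets PL/SQL read and write any directory")
    if unquote(p.get("AUDIT_TRAIL", "NONE")) == "NONE":  # absent = NONE, the pre-11g default
        findings.append("init.ora: AUDIT_TRAIL is NONE, so audit session / audit user record nothing")
    if "XDB" in unquote(p.get("DISPATCHERS", "")):
        findings.append("init.ora: DISPATCHERS still registers an XDB service; remove it to disable XDB")
    return findings


def audit_all(sqlnet_text, listener_text, init_text, listener="LISTENER"):
    return {
        "sqlnet.ora": check_sqlnet(parse_ora(sqlnet_text)),
        "listener.ora": check_listener(parse_ora(listener_text), listener),
        "init.ora": check_init(parse_ora(init_text)),
    }


# Constructed samples: node checking done right, listener and init.ora not yet hardened.
SQLNET_ORA = """# constructed sample
tcp.validnode_checking = YES
tcp.invited_nodes = (10.1.1.5, appsnode1,
                     10.1.1.6)
"""
LISTENER_ORA = """# constructed sample
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbnode1)(PORT = 1521))
    )
  )
ADMIN_RESTRICTIONS_LISTENER = OFF
LOG_DIRECTORY_LISTENER = /u01/app/oracle/network/admin
"""
INIT_ORA = """# constructed sample
*.remote_os_authent=TRUE
*.o7_dictionary_accessibility=FALSE
*.utl_file_dir='*'
*.audit_trail=NONE
*.dispatchers='(PROTOCOL=TCP) (SERVICE=orclXDB)'
"""

if __name__ == "__main__":
    for filename, findings in audit_all(SQLNET_ORA, LISTENER_ORA, INIT_ORA).items():
        print(filename, findings or "OK")
```

The parser treats a line ending in "=" or an unbalanced parenthesis as a continuation, which is what makes the multi-line tcp.invited_nodes list and the nested LISTENER description parse correctly; a quoted value containing "#" would still be cut short, so keep comments on their own lines.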
Oracle Application Tier Security

Remove Application Server Banner (httpd.conf):
    ServerSignature Off
    ServerTokens Prod

Protect Administrative Web Pages:
    <Location "uri-to-protect">
        Order deny,allow
        Deny from all
        Allow from localhost <list of TRUSTED IPs>
    </Location>

Disable Test Pages:
    <Location ~ "^/fcgi-bin/echo.*$">
        Order deny,allow
        Deny from all
    </Location>

Configure Logging
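The two Location blocks above rely on Apache's Order deny,allow semantics: the request is allowed by default, Deny from all then rejects everyone, and Allow from re-admits only the listed addresses. The following Python script is an added example, not part of the presentation or of Apache: it parses a constructed httpd.conf fragment, evaluates sample requests against the Location sections the way mod_authz_host would, and checks the banner directives. "/admin" stands in for the slide's "uri-to-protect" and 10.1.1.50 for the trusted address list. Only the last matching Location is applied and host names other than localhost are not resolved; both are simplifications of what the real server does.

```python
"""Evaluate Apache 2.2-style <Location> access control (Order / Deny / Allow) to
verify that administrative and test pages are reachable only from trusted
addresses, as the slide prescribes.

Added example, not from the deck or Apache. SAMPLE_CONF is a constructed
httpd.conf fragment; "/admin" stands in for "uri-to-protect" and 10.1.1.50 for
the trusted list. Simplifications: only the last matching <Location> applies,
and host names other than localhost are not resolved."""
import ipaddress
import re

LOCATION_RE = re.compile(r'<Location\s+(~\s+)?"?([^">\s]+)"?\s*>', re.IGNORECASE)


def parse_conf(text):
    """Return (top-level directives, list of <Location> sections)."""
    top, sections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LOCATION_RE.match(line)
        if match:
            current = {"regex": bool(match.group(1)), "path": match.group(2),
                       "order": "deny,allow", "deny": [], "allow": []}  # deny,allow is Apache's default
            sections.append(current)
            continue
        if line.lower() == "</location>":
            current = None
            continue
        name, _, args = line.partition(" ")
        name, args = name.lower(), args.strip()
        if current is None:
            top[name] = args
        elif name == "order":
            current["order"] = args.lower().replace(" ", "")
        elif name in ("deny", "allow") and args.lower().startswith("from "):
            current[name].extend(args[5:].split())
    return top, sections


def host_matches(client, token):
    """Does one 'from' argument (all, localhost, IP, partial IP or CIDR) match the client?"""
    ip = ipaddress.ip_address(client)
    token = token.lower()
    if token == "all":
        return True
    if token == "localhost":
        return ip.is_loopback
    if "/" in token:
        return ip in ipaddress.ip_network(token, strict=False)
    if re.fullmatch(r"[\d.]+", token):  # full or partial dotted quad, e.g. 10.1.1.50 or 10.1
        return ip.version == 4 and (str(ip) == token or str(ip).startswith(token.rstrip(".") + "."))
    return False


def location_matches(section, uri):
    """A plain <Location> matches on whole path components; a ~ one is a regex."""
    if section["regex"]:
        return re.search(section["path"], uri) is not None
    prefix = section["path"].rstrip("/")
    return prefix == "" or uri == prefix or uri.startswith(prefix + "/")


def decide(sections, client, uri):
    """Return "allow" or "deny" for a request under mod_authz_host's Order rules."""
    matching = [s for s in sections if location_matches(s, uri)]
    if not matching:
        return "allow"  # no access directives apply to this path
    s = matching[-1]
    denied = any(host_matches(client, t) for t in s["deny"])
    allowed = any(host_matches(client, t) for t in s["allow"])
    if s["order"] in ("allow,deny", "mutual-failure"):  # default deny; must be allowed and not denied
        return "allow" if allowed and not denied else "deny"
    return "allow" if allowed or not denied else "deny"  # deny,allow: default allow; Allow overrides Deny


def banner_findings(top):
    findings = []
    if top.get("serversignature", "").lower() != "off":
        findings.append("ServerSignature is not Off")
    if top.get("servertokens", "").lower() != "prod":
        findings.append("ServerTokens is not Prod")
    return findings


SAMPLE_CONF = """
ServerSignature Off
ServerTokens Prod

<Location "/admin">
    Order deny,allow
    Deny from all
    Allow from localhost 10.1.1.50
</Location>

<Location ~ "^/fcgi-bin/echo.*$">
    Order deny,allow
    Deny from all
</Location>
"""

if __name__ == "__main__":
    top, sections = parse_conf(SAMPLE_CONF)
    print("banner findings:", banner_findings(top) or "none")
    for client, uri in (("10.1.1.50", "/admin/status"), ("10.1.1.51", "/admin"),
                        ("127.0.0.1", "/admin"), ("10.1.1.50", "/fcgi-bin/echo2")):
        print(f"{client:>10} {uri:<18} -> {decide(sections, client, uri)}")
```

The partial-address rule matters in practice: "Allow from 10.1.1.5" admits only that host, not 10.1.1.50, because Apache compares whole octets. Testing a few such near-misses against the parsed configuration is a cheap way to confirm a trusted-IP list means what the administrator thinks it means.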
E-Business Suite Security - Continued

Change Passwords for Seeded Application User Accounts:

    Account              Product/Purpose                               Change   Disable
    ANONYMOUS            FND/AOL – Anonymous for non-logged users      Y        Y
    APPSMGR              Routine maintenance via concurrent requests   Y        Y
    ASGADM               Mobile gateway related products               Y        N
    ASGUEST              Sales Application guest user                  Y        N
    AUTOINSTALL          AD                                            Y        Y
    CONCURRENT MANAGER   FND/AOL: Concurrent Manager                   Y        Y
    FEEDER SYSTEM        AD – Supports data from feeder system         Y        Y
    GUEST                Guest application user                        Y        N
E-Business Suite Security - Continued

Consider Using Single Sign-On (SSO)
    Refer to ML Doc ID 376811.1
Create New User Accounts Safely
Create Shared Responsibilities Instead of Shared Accounts
Configure Concurrent Manager for Safe Authentication
Activate Server Security
Tighten Logon and Session Profile Options:

    Profile Option Name               Recommendation
    SIGNON_PASSWORD_LENGTH            8
    SIGNON_PASSWORD_HARD_TO_GUESS     Yes
    SIGNON_PASSWORD_NO_REUSE          180
    ICX_SESSION_TIMEOUT               30
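The three password profile options in the table above define a concrete policy, and it is worth seeing what they accept and reject before enforcing them on a production instance. The following Python script is an added example, not Oracle's code: it applies SIGNON_PASSWORD_LENGTH 8, SIGNON_PASSWORD_HARD_TO_GUESS and SIGNON_PASSWORD_NO_REUSE 180 to a candidate password. The hard-to-guess rules follow Oracle's description of that option (at least one letter and one digit, no repeating characters, must not contain the user name); reading "repeating" as the same character twice in a row is an assumption, and the password history format (changed-on date plus SHA-256 hex) is a constructed stand-in for what E-Business Suite actually stores.

```python
"""Validate a candidate password against the logon profile options on the slide
(SIGNON_PASSWORD_LENGTH 8, SIGNON_PASSWORD_HARD_TO_GUESS Yes,
SIGNON_PASSWORD_NO_REUSE 180).

Added example, not Oracle's code. "Repeating characters" is read as two equal
characters in a row (an assumption); the history format is a constructed
stand-in for E-Business Suite's own password storage."""
import hashlib
from datetime import date, timedelta

POLICY = {"length": 8, "hard_to_guess": True, "no_reuse_days": 180}  # from the slide


def digest(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hard_to_guess_violations(password, username):
    """Rules enforced when SIGNON_PASSWORD_HARD_TO_GUESS = Yes."""
    violations = []
    if not any(c.isalpha() for c in password):
        violations.append("must contain at least one letter")
    if not any(c.isdigit() for c in password):
        violations.append("must contain at least one digit")
    if username.lower() in password.lower():
        violations.append("must not contain the user name")
    if any(a == b for a, b in zip(password, password[1:])):
        violations.append("must not repeat a character consecutively")
    return violations


def validate(password, username, history, today):
    """history: list of (changed_on, digest) for the user's previous passwords.
    Returns a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < POLICY["length"]:
        problems.append(f"must be at least {POLICY['length']} characters")
    if POLICY["hard_to_guess"]:
        problems.extend(hard_to_guess_violations(password, username))
    cutoff = today - timedelta(days=POLICY["no_reuse_days"])
    if any(d == digest(password) and changed_on >= cutoff for changed_on, d in history):
        problems.append(f"was used within the last {POLICY['no_reuse_days']} days")
    return problems


# Constructed sample history for user JSMITH and a fixed "today" so runs are reproducible.
HISTORY = [(date(2024, 3, 1), digest("Tr4vel-Map")), (date(2023, 1, 15), digest("Old-Pass7"))]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for candidate in ("Winter-Sky8", "Tr4vel-Map", "Old-Pass7", "jsmith99", "short1"):
        print(f"{candidate!r}: {validate(candidate, 'jsmith', HISTORY, TODAY) or 'OK'}")
```

Note that "Old-Pass7" fails on the repeated "ss" even though its last use is outside the 180-day window, while "Tr4vel-Map" passes every composition rule and is rejected only because it was used three months ago.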
Desktop Security

Configure Browser
    Refer to ML Doc ID 389422.1
Update Browser
Turn off Browser Auto Complete
Set Policy for Unattended PC Sessions
Operating Environment Security

Clean up file ownership and access
Clean up file permissions
Eliminate Telnet connections
Eliminate FTP connections
Verify network configuration

Q&A
Copyright Information

Neither TUSC nor the authors guarantee this document to be error-free. Please provide comments/questions to: [email protected]

TUSC © 2006. This document cannot be reproduced without expressed written consent from an officer of TUSC.
www.tusc.com
References

Best Practices for Securing Oracle E-Business Suite, Oracle Corporation, Version 3.0.2
Oracle Metalink
Oracle Technology Network (OTN)