Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Transcription

1 1

2 The Top 10 (Free) Things You Can Do to Secure Your Oracle E-Business Suite Instance Eric Bing, Erik Graversen Applications Product Security 2

3 The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle. 3 Copyright 3 Copyright 2012, Oracle 2012, Oracle and/or and/or its affiliates. its affiliates. All rights All reserved. rights reserved.

4 Agenda Deployment and Configuration Secure Configuration Scripts Top 10: 1-5 Top 10: 6-10 Top 10: Bonus Credit Card Encryption E-Business Suite template for Data Masking Pack 4

5 Deployment and Configuration 5

6 Secure E-Business Suite Deployment General EBS advice Stay current with patching Apply Critical Patch Updates (CPUs) + Security Alerts Patch Setup Update (PSUs) are an option for techstack Apply most recent maintenance pack (yes, security improves as well) Follow our recommendations for secure deployment Secure Configuration Guide for Oracle E-Business Suite Oracle E-Business Suite Configuration in a DMZ Note: Follow this if deploying any parts of EBS to the Internet 6

7 E-Business Suite Secure Configuration Guides (previously known as Best Practice documents) Release 11i, MOS Note Release 12, MOS Note

8 E-Business Suite Secure Configuration Guides Advice for security-related switches to set/verify Many recommendations automated via AutoConfig and Oracle Application Manager (OAM) Advice also provided for optional security related products (such as database options) Guidelines are based upon current patch levels and up and up and up Please raise an SR with support against the Guides if you feel there are problems or omissions with the advice 8

9 Secure Configuration Scripts Current State vs Recommendations ERRORS Likely vulnerable to issues WARNINGS Likely violating Secure Config Guidelines Run anywhere Scripts attempt to identify code level when required Any supported version of EBS Any supported version of the DB 9

10 Secure Config Scripts Packaged as SQL and Shell scripts EBSSecConfigChecks.sql runs all (12) other SQL scripts Compiles them into a single report Script comments often have hints for resolution EBSCheckModSecurity.sh shell script Ongoing Health Checks to ensure critical security functionality Run them early and often Once you have a baseline check for diffs Roadmap: Online Dashboard with alerts 10

11 Top Ten 11

12 What makes the Top 10 cut? Biggest bang for the buck Most common issues seen at customer sites Not as well known / new features Least effort Applicable to many releases Free 12

13 Top 10: Items Check Profile Settings 2. Change Default Passwords 3. Secure APPLSYSPUB 4. Activate Server Security 5. Implement IP address restrictions 13

14 1. Profile Settings Note Secure Configuration of E-Business Suite Profiles Check script - EBSCheckProfilesMissing.sql Reports on missing profiles Check script - EBSCheckProfileErrors.sql Reports on configuration errors Check script - EBSCheckProfileWarnings.sql Reports on configuration warnings 14

15 Missing Profiles Note Secure Configuration of E-Business Suite Profiles Check script - EBSCheckProfilesMissing.sql Server Security (discussed in detail later) FND_SERVER_SEC / FND_SERVER_IP_SEC missing: Patch# :R12.FND.A delivers these missing profiles for R Patch# :R12.FND.B delivers these missing profiles for R Attachments Secure Configuration (discussed later) FND_SECURITY_FILETYPE_RESTRICT_DFLT / FND_DISABLE_ANTISAMY_FILTER Introduced with January 2012 CPU 15

16 Profiles Configuration Errors Note Secure Configuration of E-Business Suite Profiles Check settings of critical profile options FND Validation Level Error FND Function Validation Level Error Framework Validation Level Error Restrict Text Input Y Attachments Secure Configuration (discussed later) Validation Level Profiles will be removed in

17 Profiles Configuration Warnings Note Secure Configuration of E-Business Suite Profiles Check settings of profile warnings FND Diagnostics No Utilities Diagnostics No Personalize Self-service Defn No Attachments Secure Configuration (discussed later) 17

18 2. Default Passwords E-Business Suite User Passwords Check script - EBSCheckUserPasswords.sql Checks EBS User passwords for default passwords Secure seeded application accounts, end date, and change password See the Secure Configuration Guide Oracle E-Business Suite Security / Authentication 18

19 2. Default Passwords Database Passwords Check script - EBSCheckDBPasswords.sql Checks User and DB passwords select * from dba_users_with_defpwd (11g only) Fix using: AFPASSWD / FNDCPASS APPS controlled accounts Password / alter user - for non-apps controlled accounts The Secure Configuration Guide Appendix C lists each user and provides advice 19

20 3. Secure APPLSYSPUB Change password Only in R12 Must run AutoConfig to populate the change to configuration files APPLSYSPUB password must always be uppercase (even if Case Sensitive Passwords have been turned on) 20

21 3. Secure APPLSYSPUB SCG - REVOKE UNNECESSARY GRANTS GIVEN TO APPLSYSPUB Check script - EBSCheckApplsyspubPrivs.sql Check privileges Fix privs: Run $FND_TOP/patch/115/sql/afpubfix.sql 21

22 4. Activate Server Security Secure Config Guide - ACTIVATE SERVER SECURITY Check script - EBSCheckServerSecurity.sql select 'Server Security is on from FND_NODES where server_address = '*' and server_id='secure' Switch Server Security to SECURE mode System Administrators Guide, Administering Server Security 22

23 Server Security feature Sample DBC file created by AdminAppServer or AdminDesktop GWYUID=APPLSYSPUB/PUB GUEST_USER_PWD=GUEST/ORACLE FNDNAM=APPS APPL_SERVER_ID=AC70BE2E89CAC15F TWO_TASK=PROD DB_PORT=1521 DB_HOST=pdb1213.example.com (ADDRESS\= (PROTOCOL\=tcp)(HOST\=pdb1213.example.com)(PORT\=1521)))(CONNEC T_DATA\=(SERVICE_NAME\=PROD))) JDBC\:oracle.jdbc.maxCachedBufferSize=

24 Using AdminDesktop Use AdminDesktop to create DBC files for non-ebs nodes Non-EBS nodes are BPEL and WebService nodes Create the DBC file on an EBS AppTier node Create it to be IP Address specific Maintain mode 600 while creating and copying to the recipient node Documented in Note: "AppsDataSource, Java Authentication and Authorization Service, and Utilities for Oracle E-Business Suite". 24

25 5. Implement IP address restrictions : Using AutoConfig to Manage System Configurations Use a whitelist of IP addresses Profile: Allow Restricted (FND_SQLNET_ACCESS) Tells autoconfig to automate this when run on the DB server $TNS_ADMIN/sqlnet.ora: tcp.validnode_checking = YES tcp.invited_nodes = ( X.X.X.X, hostname,... ) 25

26 5. Implement IP address restrictions : Using AutoConfig to Manage System Configurations No automated check via scripts Manual check from a node not in white list Should get a hang up: bash$ telnet ebs.example.com 4443 Trying 115.X.X.X... Connected to ebs.example.com Escape character is '^] Connection closed by foreign host. 26

27 Top 10: Items Migrate to Password Hash 7. Enable Application Tier Secure Socket Layer (SSL) 8. Move Off of Client/Server Components 9. Secure Configuration of Attachments 10. Turn on ModSecurity 27

28 6. Migrate Oracle Applications User Passwords to Non-Reversible Hash Password MOS Note FNDCPASS Utility New Feature Check script - EBSCheckHashedPasswords.sql select 'Hashed passwords are not on' "Password Mode" from dual where FND_WEB_SEC.GET_PWD_ENC_MODE is null; Switch to hashed passwords for applications users Note FNDCPASS apps/apps 0 Y system/manager USERMIGRATE SHA1 Upgrade any desktop clients FNDPUB DLL/Libraries Discoverer, Configurator, Desktop ADI Or even better, replace these with their web variant 28

29 7. Enable SSL/TLS for web listener Note Enabling SSL for Oracle Applications Release 12 Check script - EBSCheckSSL.sql Checks via FND_WEB_CONFIG.PROTOCOL Enable SSL (https) for web listener Avoid weak ciphers and protocols (<128 bit & SSLv2) Using Telnet Mobile Web Apps? Mechanism for securing MWA Telnet communication via Stunnel (Note ) 29

30 8. Move off of client/server components End User PCs should not have a direct DB connection Switch to equivalent Web components when possible Desktop ADI -> Web ADI and Report Manager Put client/server components on a secured server (Note ) Windows Server Terminal Services Secure Global Desktop Users should not be able to access the DBC file directly 30

31 9. Secure Configuration of Attachments Check script Part of the profile checks File Upload Limits for Attachments Attachments file type validation Tag scanning of HTML Attachments 31

32 File Upload Limits for Attachments Note How to Limit The Attachment File Size? Allowing unlimited attachment sizes can allow for a Denial of Service attack (DOS) Profile: Upload File Size Limit (UPLOAD_FILE_SIZE_LIMIT) Limits the maximum Attachment file size that can be uploaded Specified in KB (e.g. 2000KB) 32

33 Attachments File Type Validation Note Security Configuration Mechanism in Attachments Delivered as part of January 2012 CPU Profile: Attachment File Upload Restriction Default Yes (default): Blacklist behavior Disallow types marked as N No (recommended): Whitelist behavior Only allow types marked as Y Attachments file type validation New column - FND_MIME_TYPES. ALLOW_FILE_UPLOAD values N & Y Configured by default as a black list 33

34 Tag scanning of HTML Attachments Note Security Configuration Mechanism in Attachments Delivered as part of January 2012 CPU Tag scanning of HTML Attachments OWASP Antisamy allows a specific (white list) of HTML tags Profile: FND: Disable Antisamy Filter False (default / recommended) sanitize HTML pages The document you uploaded has been modified to remove restricted tags. Please check the document and replace it if necessary. 34

35 Tag scanning of HTML Attachments Note Security Configuration Mechanism in Attachments Warning: Antisamy scan requires the character set to be known: Can cause character set issues for binary attachments Fix (patch ) will use meta tag or FND_NATIVE_CLIENT_ENCODING Need to take this patch up if you see character set issues in binary attachments 35

36 10. Ensure ModSecurity is on Check script - EBSCheckModSecurity.sh Usage: EBSCheckModSecurity.sh Shell script not included in EBSSecConfigChecks.sql ModSecurity - Web Application Firewall apache module Part of ias and OHS Automatically configured ModSecurity blocks bad requests (black list) can also white list Null bytes, directory crawling, URL encoding, UTF-8 encoding Stops obviously bad requests early 36

37 Top 10: Bonus 11. Encrypt Credit Card Data 12. Separation of Duties: Review Access To Sensitive Administrative Pages 37

38 11. Credit Card Encryption Check script - EBSCheckCCEncryption.sql 1. Checks whether credit cards are encrypted in Immediate mode Info on encryption - Payments User Implementation guide. For more info on PA-DSS compliance - Note

39 11. Credit Card Encryption New features Check script - EBSCheckCCEncryption.sql 2. Checks Supplemental Credit Card Data Encryption Encrypts expiration date and card holder name MOS Note 'Payments Release Notes' 3. Enhanced Hashing Defends against brute forcing of hashes Concurrent program to rehash Patch :R12.IBY.B 39

40 12. Sensitive Administrator Functionality Note Sensitive Administrative Pages in Oracle EBS Security Administrator Control of access to pages and profiles Administrator / Developer Functionality Pages / profiles which allow for Application Development at Runtime SQL fragments, HTML fragments, OS commands Should be disabled, controlled, and audited in production environments Flexfield definitions Forms and Framework personalization Designed-in SQL injections or XSS injections 40

41 12. Sensitive Administrator Functionality Note Sensitive Administrative Pages in Oracle EBS Identifies new categories of sensitive functionality: Oracle Forms-based Forms Controlled by Function Security (~40) HTML Pages Controlled by Function Security (~25) Pages and Forms Controlled by Profile Options (3) Pages Controlled by JTF Roles and Permissions (3) 41

42 12. Sensitive Administrator Functionality Note Sensitive Administrative Pages in Oracle EBS Check Script: EBSCheckSensitivePageAccess.sql Not called by default from EBSSecConfigChecks.sql SQL scripts drive off of page and form names (not functions) Slower, but ensures we pick up custom functions that include these Reduce and eliminate access to these pages by admins in production Use Fine Grained Auditing to audit the tables associated with these pages 43

43 E-Business Suite template for Data Masking Pack 44

44 What is Data Masking? Production LAST_NAME SSN SALARY AGUILAR ,000 BENSON ,000 Non-Production LAST_NAME SSN SALARY ANSKEKSL ,000 BKJHHEIEDK ,000 What The act of anonymizing customer, financial, or company-confidential data to create new, legible data that retains the data's properties, such as its width, type, and format Why To protect confidential data in nonproduction environments when the data is shared with non-production users without revealing sensitive information 45

45 Oracle E-Business Suite Data Masking Note Using Oracle EBS Template for the Data Masking Pack Oracle E-Business Suite Template for Data Masking Metadata for the Oracle Data Masking Pack Documentation and scripts for the process Replaces EBS Application Management Pack Data Scrambling Masking template is superset of shipped Data Scrambling AMP Data Scrambling still supported No direct migration path planned 46

46 Versions & Licensing Note Using Oracle EBS Template for the Data Masking Pack Included with license for Oracle Data Masking Pack Initial release (May 29 th, 2012) for: E-Business Suite Enterprise Manager 11g ( PSU5) Plus additional EM patch (Patch ) All DB versions E-Business Suite is certified on 47

47 Goals in Application Masking Note Using Oracle EBS Template for the Data Masking Pack De-Identify the data Scramble identifiers of individuals (PII) Name, account, address, location, drivers license Mask sensitive data Mask the data that, if associated with PII, would cause privacy concerns Compensation, Health, Employment Information Maintain Data Validity Don t break the application (when possible ) 48

48 Product Coverage of E-Business Suite Note Using Oracle EBS Template for the Data Masking Pack Around 1000 Columns Includes localizations Impact (based on columns and bugs logged): 60% HCM - Payroll, Employment Details, Personal Info, Localization columns 15% ATG FND users, roles, workflow 10% CRM /TCA Parties data 15% Financials, Lease, Projects, SCM 49

49 Futures Enterprise Manager 12c certification E-Business Suite 12.2 certification EMCLI support Pluggable formats Subsetting of the masks by attribute 52

50 Masking References Note Using Oracle EBS Template for the Data Masking Pack Steven Chan s Blog ATG Live presentation walk through the MOS Note Masking demo Available at the demo grounds 53

51 Secure Configuration References Note Secure Configuration Guide for EBS Release 11i Note Secure Configuration Guide for EBS Release 12 Appendix G: Contains Check Scripts Appendix H: Contains pointers to all the Notes discussed Credit card protection: Supplemental Credit Card Data Encryption MOS Note 'Payments Release Notes' Enhanced Hashing Patch :R12.IBY.B 54

52 Q&A 55

53 56