Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
Managing Oracle E-Business Suite Auditing and Security
Eric Bing, Senior Director, Applications Product Security; Elke Phelps, Senior Principal Product Manager, Applications Technology Group; Oracle E-Business Suite Development, Oracle
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Program Agenda
1. Follow Secure Deployment & Configuration Guidelines
2. Understand and Setup Auditing and Logging
3. Overview of New Security Features
4. Review Security Roadmap
1. Follow Secure Deployment & Configuration Guidelines
Follow Secure Deployment & Configuration Guidelines
A. Stay current with patching
B. Follow secure deployment recommendations
C. Configure SSL/TLS
A. Stay current with patching
How to Deploy Oracle E-Business Suite Securely: Stay Current with Patching
• Apply Critical Patch Updates (CPUs) + Security Alerts
– Critical Patch Advisory Page: http://www.oracle.com/technetwork/topics/security/alerts-086861.htm
– Patch Set Updates (PSUs) are an option for the database
• PSUs include CPUs + other recommended database patches
• EBS customers may apply either CPUs or PSUs for the DB
• As of 12c only PSUs will be released
• Apply the latest maintenance pack or release update pack
– Yes, Oracle E-Business Suite maintenance packs and release update packs improve security as well
B. Follow secure deployment recommendations
How to Deploy Oracle E-Business Suite Securely: Follow Secure Deployment Recommendations
• Secure Configuration Guide for Oracle E-Business Suite – previously known as the “Best Practice” documents
– Release 11i, MOS Doc ID 189367.1
– Release 12.1, MOS Doc ID 403537.1
– Release 12.2, Security Administration Guide, Secure Configuration chapter
• Oracle E-Business Suite Configuration in a DMZ – follow this guide if your Oracle E-Business Suite environment is internet accessible
– Release 11i, MOS Note 287176.1
– Release 12.1, MOS Note 380490.1
– Release 12.2, MOS Note 1375670.1
New
Secure Configuration Scripts
• Scripts are packaged as SQL and shell scripts – check for updated scripts on a periodic basis
– EBSSecConfigChecks.sql – runs all (12) other SQL scripts
• Results are compiled into a single report
• Comments in the scripts often contain hints for resolution
– EBSCheckModSecurity.sh
– EBSCheckFormsBlockChar.sh
• You should perform routine configuration “Health Checks” – create a baseline for your environment
– Run the scripts often and compare against your baseline; check for differences
MOS Note 2069190.1, Security Configuration and Auditing Scripts for Oracle E-Business Suite
New
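The health-check routine above (baseline once, re-run often, look for drift) is simple to automate once each run is reduced to a list of check names and values. The following is an added example, not part of the MOS note or of the EBSSecConfigChecks.sql report; it assumes you have already turned a run of the scripts into `name=value` lines (the check names and values below are constructed for illustration and are not the scripts' real output) and classifies every check as changed, missing or new relative to the saved baseline.

```python
"""Compare a secure-configuration health-check run against a saved baseline.

Added example, not part of MOS Note 2069190.1 or EBSSecConfigChecks.sql.
It assumes each run has been reduced to 'name=value' lines; producing those
lines from the scripts' report is left to the operator. The check names and
values below are constructed, not the scripts' real output.
"""
from typing import Dict, List, Tuple

# Constructed baseline captured when the environment was last reviewed.
BASELINE = """\
BNE_ALLOW_NO_SECURITY_RULE=N
FND_DIAGNOSTICS_USER_LEVEL_OVERRIDES=0
ALLOWED_REDIRECTS_CONFIGURED=Y
MOD_SECURITY_ENABLED=Y
FORMS_BLOCK_CHAR_FILTER=ON
"""

# Constructed current run: two settings drifted, one new check was added.
CURRENT = """\
BNE_ALLOW_NO_SECURITY_RULE=Y
FND_DIAGNOSTICS_USER_LEVEL_OVERRIDES=2
ALLOWED_REDIRECTS_CONFIGURED=Y
MOD_SECURITY_ENABLED=Y
FORMS_BLOCK_CHAR_FILTER=ON
ALLOWED_JSPS_CONFIGURED=Y
"""


def parse_checks(text: str) -> Dict[str, str]:
    """Turn 'name=value' lines into a dict; blank lines and '#' comments are skipped."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed check line: {raw!r}")
        result[name.strip()] = value.strip()
    return result


def diff_against_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[Tuple]]:
    """Classify checks: changed value, missing from the new run, or newly reported."""
    changed = [(k, baseline[k], current[k])
               for k in sorted(baseline) if k in current and baseline[k] != current[k]]
    missing = [(k, baseline[k]) for k in sorted(baseline) if k not in current]
    new = [(k, current[k]) for k in sorted(current) if k not in baseline]
    return {"changed": changed, "missing": missing, "new": new}


def report(baseline_text: str, current_text: str) -> Dict[str, List[Tuple]]:
    """Parse both runs and return the drift report."""
    return diff_against_baseline(parse_checks(baseline_text), parse_checks(current_text))


if __name__ == "__main__":
    for kind, items in report(BASELINE, CURRENT).items():
        for item in items:
            print(kind.upper(), *item)
```

A "changed" entry on a setting the scripts flag as an error (BNE_ALLOW_NO_SECURITY_RULE moving away from "N" in the sample) is the case to treat as an incident rather than noise; "missing" entries usually mean a script was skipped or failed, which is itself worth investigating.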
Secure Configuration Scripts: Major Updates
• New MOS Note with secure configuration scripts
• Key updates
– General scripting updates for editioning views in EBS 12.2
– New script to check ALLOWED_REDIRECTS, ALLOWED_JSPS and domain cookie scoping
– BNE_ALLOW_NO_SECURITY_RULE must be set to “N”
– Debug logging recommendations added
– Warning (but not error) if ‘FND_DIAGNOSTICS’ and related profiles are set at the USER level
– New shell script to check that the Forms character blocking filter is on
MOS Note 2069190.1, Security Configuration and Auditing Scripts for Oracle E-Business Suite
New
Oracle Enterprise Manager: Oracle E-Business Suite Plug-In
Compliance Rules
• Out-of-box security compliance checks for Oracle E-Business Suite
• Integration with the Enterprise Manager compliance framework
• Security compliance violations and trends are generated
• Real-time observations of security compliance in your environment
C. Configure SSL/TLS
TLS Connections in Oracle E-Business Suite
• Inbound connections from a client to the Oracle HTTP Server
• Loopback connections from Oracle E-Business Suite to itself
• Outbound connections from Oracle E-Business Suite to external site(s)
[Diagram: Intranet User, Internet User, External Site, External Application Node (DMZ), Internal Application Node, EBS Database, VPN]
Oracle Confidential – Internal/Restricted/Highly Restricted
Examples of TLS Connections in Oracle E-Business Suite
• Inbound connections
– Browser access
– Forms access
– Incoming XML Gateway message
– Mobile access via a REST service
• Loopback connections
– Workflow notification emails from the Concurrent Manager tier
– Payment call back from the database tier
– OAM log viewer
• Outbound connections
– Punchout in iProcurement
– XML Gateway connection to a partner application
– Payments credit card processing
Oracle E-Business Suite Oracle HTTP Server (OHS): Changes Customers are Making to OHS for Inbound Connections
• Changing protocol from SSL to TLS 1.0
– EBS 11i, 12.1, 12.2 certified
– Recent vulnerabilities addressed
• SSL related vulnerabilities – POODLE, FREAK
• Planning for the SHA-1 to SHA-2 change
– Most Certificate Authorities are no longer issuing SHA-1 certificates
– EBS 11i, 12.1, 12.2 certified

Description                 MOS Doc ID
Enabling TLS in EBS 11i     123718.1
Enabling TLS in EBS 12      376700.1
Enabling TLS in EBS 12.2    1367293.1
POODLE (& FREAK)            1937646.1
HAProxy for EBS 12.1.3      2012639.1
TLS FAQ                     2063486.1
New
HAProxy Certification with Oracle E-Business Suite 12.1.3
• HAProxy may be deployed as a TLS termination point
• TLS 1.2 can be used with HAProxy
• Additional cipher suites can be used with HAProxy
[Diagram: Oracle HTTP Server listener configuration before and after deploying HAProxy as a reverse proxy]
2. Understand and Setup Auditing and Logging
Auditing and Logging
• Detect suspicious activity and attacks
• Investigate incidents after an attack
• Adhere to compliance standards (SOX, HIPAA, PCI-DSS)
• Implement business process monitoring and controls
• Debug application problems
• Performance monitoring
Auditing and Logging: Categories
• Recent and current activity (monitoring)
– Information about what is happening currently in the system
– Information about the last activity performed on a specific record or by a specific session
• Historical activity
– Information similar to recent and current activity that is captured
– Information is retained (historical records of activity)
• Unexpected events
– Unexpected errors reported by the application or technology stack
– Unexpected errors can include security related activity
Auditing and Logging: Securing the Auditing and Logging Records
• External auditors and forensics require “nonrepudiation”
– Need to prevent tampering with records
• Most information is stored in the database or on the local file system
– Recommendation is to move auditing information to a central repository
• Variety of technologies
– Oracle Audit Vault and Database Firewall
– Read only DB links / CRON jobs
Auditing Scripts
• Download EBSAuditScripts.zip (contains multiple SQL scripts)
– Validate audit configuration
– Query audit tables
– Configure database auditing
• Check periodically for updates to EBSAuditScripts.zip
• Refer to the sample scripts in the zip file when you see the following in this presentation: “Audit script: script_name.sql”
MOS Note 2069190.1, Security Configuration and Auditing Scripts for Oracle E-Business Suite
Auditing and Logging Features
A. Oracle E-Business Suite Application
B. Oracle E-Business Suite Technology Stack
C. Optional Oracle Technology Integrations
A. Oracle E-Business Suite Application
Oracle E-Business Suite Applications Auditing & Logging Features
i. Unsuccessful Logins
ii. Debug Logging
iii. Sign-on Audit
iv. Session Auditing
v. Page Access Tracking
vi. Who Columns
vii. AuditTrail
viii. Database Connection Tagging
Reference: Oracle E-Business Suite Release 12.2, Security Administration Guide
Unsuccessful Login Attempts (local login only)
• Detection of brute forcing of passwords
• Information recorded in APPLSYS.FND_UNSUCCESSFUL_LOGINS
– Date
– User (only if corresponding to a valid username)
– Issue: IP address not captured
• Several options for examining the data
– Report: Signon Audit Unsuccessful Logins
– Auditing script: UnsuccessfulLogins.sql
Unsuccessful Login Attempts
SQL> select u.user_name, ful.user_id,
            to_char(attempt_time,'DD-MON-RRRR HH24:MI:SS') attempt_time
     from fnd_unsuccessful_logins ful, fnd_user u
     where ful.user_id = u.user_id (+)
     order by attempt_time;

USER_NAME   USER_ID  ATTEMPT_TIME
----------  -------  --------------------
ANONYMOUS        -1  01-JUL-2015 02:49:00
SYSADMIN          0  14-SEP-2015 15:31:56
SYSADMIN          0  15-SEP-2015 15:33:16
JFROST         1324  16-SEP-2015 13:25:03
Audit script: UnsuccessfulLogins.sql
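Listing the rows, as the query above does, is the first step; detecting the brute forcing the slide mentions means looking for bursts of failures per user, and since the table does not record the IP address that is the only grouping available. The following added example (not one of the MOS note's audit scripts) does both against an in-memory SQLite copy of the two tables: it runs the slide's outer join (written as LEFT JOIN rather than Oracle's `(+)`) and then a sliding-window count per user. The rows and the threshold of five failures in ten minutes are constructed assumptions.

```python
"""Detect password-guessing bursts in FND_UNSUCCESSFUL_LOGINS.

Added example; not one of the MOS Note 2069190.1 audit scripts. An in-memory
SQLite database stands in for the EBS database, holding constructed copies of
the two tables the slide's query joins (only the columns needed here).
Oracle's `(+)` outer join is written as LEFT JOIN. The threshold and window
are assumptions; tune them to your environment.
"""
import sqlite3
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

FAILURE_THRESHOLD = 5            # assumed: flag a user after this many failures ...
WINDOW = timedelta(minutes=10)   # ... within this window

# Constructed sample rows. user_id -1 is what the slide shows for an attempt
# against a username that does not exist (nothing to join to in FND_USER).
FND_USER = [(0, "SYSADMIN"), (1324, "JFROST"), (1400, "AMILLER")]
FND_UNSUCCESSFUL_LOGINS = (
    [(1324, "2015-09-16 13:25:03")]                                     # one stray failure
    + [(0, f"2015-09-17 02:10:{s:02d}") for s in range(0, 60, 10)]      # 6 failures in one minute
    + [(-1, "2015-07-01 02:49:00"), (-1, "2015-07-01 02:49:30")]        # unknown username
    + [(1400, f"2015-09-18 09:{m:02d}:00") for m in range(0, 60, 15)]   # 4 failures spread over an hour
)


def load(conn: sqlite3.Connection) -> None:
    """Create and fill the two stand-in tables."""
    conn.executescript("""
        CREATE TABLE fnd_user (user_id INTEGER PRIMARY KEY, user_name TEXT);
        CREATE TABLE fnd_unsuccessful_logins (user_id INTEGER, attempt_time TEXT);
    """)
    conn.executemany("INSERT INTO fnd_user VALUES (?, ?)", FND_USER)
    conn.executemany("INSERT INTO fnd_unsuccessful_logins VALUES (?, ?)", FND_UNSUCCESSFUL_LOGINS)


def list_attempts(conn: sqlite3.Connection) -> List[Tuple]:
    """The slide's query: every failed attempt, with the username when the id is valid."""
    return conn.execute("""
        SELECT u.user_name, ful.user_id, ful.attempt_time
        FROM fnd_unsuccessful_logins ful
        LEFT JOIN fnd_user u ON ful.user_id = u.user_id
        ORDER BY ful.attempt_time
    """).fetchall()


def find_bursts(conn: sqlite3.Connection, threshold: int = FAILURE_THRESHOLD,
                window: timedelta = WINDOW) -> List[Tuple[str, int, str, str]]:
    """Sliding window per user: (label, count, first, last) for the largest run of
    failures that fits inside `window` and reaches `threshold`. Failures against
    non-existent usernames are grouped under one label."""
    rows = conn.execute("""
        SELECT ful.user_id, COALESCE(u.user_name, '<unknown user>') AS label, ful.attempt_time
        FROM fnd_unsuccessful_logins ful
        LEFT JOIN fnd_user u ON ful.user_id = u.user_id
        ORDER BY ful.user_id, ful.attempt_time
    """).fetchall()
    by_user: Dict[Tuple[int, str], List[datetime]] = {}
    for user_id, label, ts in rows:
        by_user.setdefault((user_id, label), []).append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    bursts = []
    for (user_id, label), times in by_user.items():
        start, best = 0, None
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, times[start], times[end])
        if best:
            bursts.append((label, best[0], best[1].isoformat(sep=" "), best[2].isoformat(sep=" ")))
    return bursts


def all_attempts() -> List[Tuple]:
    conn = sqlite3.connect(":memory:")
    load(conn)
    return list_attempts(conn)


def run() -> List[Tuple[str, int, str, str]]:
    conn = sqlite3.connect(":memory:")
    load(conn)
    return find_bursts(conn)


if __name__ == "__main__":
    for burst in run():
        print("burst:", *burst)
```

Against a real EBS database the same two queries run unchanged apart from the join syntax; the four spread-out AMILLER failures in the sample show why the window matters, since a plain daily count would have ranked them alongside the SYSADMIN burst.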
Debug Logging
• Often used to diagnose problems in Oracle E-Business Suite
• Profile configuration
– FND: Debug Log Enabled = "Y" (AFLOG_ENABLED)
– FND: Debug Log Level = "UNEXPECTED" (AFLOG_LEVEL)
• Default value is UNEXPECTED
• A minimum level of UNEXPECTED is key for security auditing
• Information is logged to the database by default
– Database logging is easier to maintain in a multi-tier environment
– File logging provides protection against logs being modified
Audit script: EBSCheckAuditingSettings.sql
Debug Logging: Determining your baseline
• Log files should be examined to understand normal production activity
– Important to understand what errors are common
• Some errors are expected even at the UNEXPECTED level
• A few examples for the Oracle E-Business Suite Debug Log (12.1) include:
– com.evermind.server.http.HttpIOException: Broken pipe
– Parameter 'requestUrl' was null, defaulted to 'APPSHOMEPAGE'
– Could not load application module 'oracle.apps.fnd.sso.login.server.MainLoginPageAM'
Sign-On Audit
• Track what your users are doing and when they do it
• View quickly online what your users are doing
• Choose who to audit and what type of information to audit
• Set the profile Sign-On:Audit Level (internal code: SIGNONAUDIT:LEVEL)
– Recommended and default value is “Form” (internal code “D”)
• Run Sign-On Audit reports to review logged information
Note: Many of the Sign-On Audit reports are specific to Oracle Forms interfaces
Sign-On Audit - Responsibility Audit Report (Forms only)
Report executed as a standard Concurrent Processing report

User Name   Responsibility Name   Start Active Time  End Active Time
----------  --------------------  -----------------  ---------------
OPERATIONS  System Administrator  15-SEP-15 16:01    16-SEP-15 12:23
SYSADMIN    System Administrator  20-AUG-15 12:37    20-AUG-15 12:38
Sign-On Audit - Form Audit Report (Forms only)
Report executed as a standard Concurrent Processing report

User Name   Responsibility Name   Start Active Time  End Active Time  Form Name
----------  --------------------  -----------------  ---------------  ----------------------------
OPERATIONS  System Administrator  16-SEP-15 12:23    16-SEP-15 12:23  Define Application User
OPERATIONS  System Administrator  15-SEP-15 16:01    15-SEP-15 16:26  Run Reports
SYSADMIN    System Administrator  14-SEP-15 14:42    14-SEP-15 14:42  Update System Profile Values
SYSADMIN    System Administrator  16-SEP-15 13:00                     Monitor Application Users
Sign-On Audit - Monitor User Form (Forms only)
[Screenshot of the Monitor User form]
Sign-On Audit – Sign-on User Audit Report
Report executed as a standard Concurrent Processing report
• Reports on Forms, JTF and OAF
• Information displayed on the report includes the following:
– User
– Dates and times
– Oracle process
E-Business Suite Session Auditing: Looking beneath the covers
• FND_LOGINS
– All technologies record information here per login / concurrent request
– Login information includes:
• User, dates and times
• DB process information
• ICX_SESSIONS
– OAF and JTF pages record information here per web context (cookie)
– Session information includes:
• User, dates and times
• Last responsibility and function accessed from the Home Page
E-Business Suite Session Auditing: Session Queries
USER_NAME  SESSION_ID  COUNTER  D  START_TIME           END_TIME
---------  ----------  -------  -  -------------------  -------------------
SYSADMIN    849439764        7  N  2015/08/16 23:50:49  2015/08/17 02:02:42
SYSADMIN    613794284       13  N  2015/08/17 01:53:16  2015/08/17 02:02:42

RESPONSIBILITY_NAME             USER_FUNCTION_NAME
------------------------------  ------------------------------
Applications                    Default Login Page
System Administrator            Profile Options
Audit script: SessLoginResponsibilites.sql, LoginSessResponsibilites.sql
Page Access Tracking (PAT): Bringing it all together
• Page and session based information
– Brings together much of the information previously discussed
• Forms, OAF and JTF based application data is aggregated
• Flows and historical data for users are captured
– Allows drill down to individual page flows
• By default the feature is turned off
– Can be turned on for specific applications, responsibilities or users
– Configure via the OAM PAT configuration UI
Note: This setting is a profile; read the documentation for more information
Page Access Tracking (PAT): Uses
• Monitor and store historical data for power users (admins)
• Monitor access to sensitive pages
– Security sensitive pages
– Sensitive data access
• Monitor performance problems
• Monitor overall site usage
Page Access Tracking
[Screenshots of the PAT user interface: View by User; View by Date; View by Responsibility; Drill down into a session; Graph view of session; Graph view of session (continued)]
Query the Page Access Tracking Data: Summary
DAY        SESSIONID   USER_NAME  TECH_STACKS  PAGES_ALL
---------  ----------  ---------  -----------  ---------
22-OCT-15   682273278  SYSADMIN   OAF, FORM          303
18-OCT-15  1304068967  SYSADMIN   FORM              1468
18-OCT-15  2109872838  SYSADMIN   OAF, FORM          597
Audit script: PAT_sessions_by_user.sql, PAT_sessions_by_date.sql
Query the Page Access Tracking Data: Session Detail
SESSIONID  USERNAME  PAGENAME                                          TECH_STACK  RESPNAME               DAY
---------  --------  ------------------------------------------------  ----------  ---------------------  -----------
682273278  SYSADMIN  Home>page:.../framework/navigate/webui/NewHomePG  OAF         System Administration  22-OCT-2015
682273278  SYSADMIN  RESP_CHANGE                                       AUDIT       System Administration  22-OCT-2015
682273278  SYSADMIN  FNDRSRUN                                          FORM        System Administration  22-OCT-2015
Audit script: PAT_session_flow.sql
Data Changes Tracked with Who Columns
• Data changes are tracked within the record itself
• Changes are logged to the following columns in most tables:
– CREATION_DATE: date and time the row was created
– CREATED_BY: Oracle Applications user ID from FND_USER
– LAST_UPDATE_LOGIN: login ID from FND_LOGINS
– LAST_UPDATE_DATE: date and time the row was last updated
– LAST_UPDATED_BY: Oracle Applications user ID from FND_USER
Audit script: ProfileWhoColumnExample.sql
Oracle E-Business Suite AuditTrail
• AuditTrail tracks data changes in Oracle E-Business Suite tables using shadow tables
– Leverages database triggers
– Implemented through the Oracle E-Business Suite Forms user interface
– Simple to report on audit data joined with reference data
• Oracle Database Auditing overlaps the older AuditTrail functionality
– Oracle Database Auditing has better performance
– Integrates with Oracle Audit Vault
– Audit records are more easily secured
Database Connection Tagging
• Oracle E-Business Suite session information is populated in V$SESSION
– Leveraged in database auditing
– Leveraged in Oracle Audit Vault and Database Firewall
• Information in V$SESSION
– CLIENT_IDENTIFIER – FND user currently associated with the connection
• For context-insensitive standalone modules such as FNDLOAD or FNDCPASS, the value of CLIENT_IDENTIFIER is set to ‘SYSADMIN’
– MODULE – application module being used
– ACTION – page or form
Database Connection Tagging: Query V$SESSION by FND User
select to_char(logon_time,'DD-MON-RRRR HH:MI:SS') logon_date, sid,
       client_identifier fnd_user, module, action
from v$session
where client_identifier = '&fnd_user';

LOGON_DATE            SID  FND_USER  MODULE                                            ACTION
--------------------  ---  --------  ------------------------------------------------  -------------------------------
16-OCT-2015 05:49:39   50  JFROST    e:PER:fwk:per.selfservice.common.server.CommonAM  PER/EMPLOYEE_DIRECT_ACCESS_V4.0
16-OCT-2015 05:48:41  180  JFROST    e::fwk:fnd.framework.service.lookups.server.Look  /
Audit script: v$sesssion_by_Fnd_User.sql
Database Connection Tagging: Retrieve the last SQL run by a specific Oracle E-Business Suite user
SELECT SID, replace(sql.sql_text,chr(10),'') stmt
FROM v$session SES,
     V$SQLtext_with_newlines SQL
where SES.SQL_ADDRESS = SQL.ADDRESS (+)
  and SES.SQL_HASH_VALUE = SQL.HASH_VALUE (+)
  and SES.client_identifier = '&fnd_user'
order by SID, sql.piece asc;
Audit script: v$sesssion_last_sql_by_Fnd_User.sql
Options for Analyzing Security Related Actions
B. Oracle E-Business Suite Technology Stack
Reference: Oracle E-Business Suite Release 12.2, Security Administration Guide
Applications Technology Stack Auditing & Logging
i. Oracle HTTP Server Access Log
ii. Oracle HTTP Server Error Log
iii. Oracle HTTPS Log
Reference: Oracle E-Business Suite Release 12.2, Security Administration Guide
Oracle HTTP Server Access Log (Oracle E-Business Suite 12.2, 12.1)
• All requests processed by OHS
• Location and content are controlled by the CustomLog directive in httpd.conf
• Example from access_log (EBS 12.2):
172.17.122.44 - - [10/Aug/2015:17:53:52 -0400] "GET /page.jsp?p1=search HTTP/1.0" 200 1197
Oracle HTTP Server Error Log (Oracle E-Business Suite 12.2 and 12.1)
• Key log file for the Oracle HTTP Server (OHS)
• Apache httpd, including ModSecurity, sends diagnostic information here and records any errors it encounters while processing requests
• Default log file name:
– 12.2: EBS_web_<SID>.log
– 12.1: error_log.<timestamp>
• ModSecurity logs whenever it denies a request
• Example of a blocked request:
[Tue May 12 00:11:45 2015] [error] [client 172.17.121.2] mod_security: Access denied with code 400. Pattern match "\\.\\./" at THE_REQUEST. [hostname "apps.example.com"] [uri "/P?path=../"] [unique_id VVF9gawReR8AAAVDA2M]
Oracle HTTPS Logging
• Additional logging occurs when HTTPS is enabled
• Logging directives are defined in ssl.conf
• Default log file name: ssl_request.log
• Log format and a sample line:
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
[10/Aug/2015:17:53:52 -0400] 172.17.122.44 TLSv1.2 SSL_RSA_WITH_AES_256_GCM_SHA384 "GET / HTTP/1.0" 1197
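The three OHS logs above each carry a different security signal: error responses per client in access_log, ModSecurity denials in the error log, and the protocol and cipher each client negotiated in ssl_request.log. The following added example (not part of the presentation or of any Oracle tool) parses all three formats with one regex each and reduces them to those signals. The log lines are constructed, modelled on the samples the slides show; the regexes assume the default CustomLog and ssl_request formats and need adjusting if your directives differ.

```python
"""Pull security-relevant signals out of the Oracle HTTP Server logs:
error responses per client (access_log), ModSecurity denials (error log) and
connections negotiated below TLSv1.2 (ssl_request.log).

Added example; not part of the presentation or of any Oracle tool. The log
lines are constructed from the formats the slides show; the regexes assume
the default CustomLog and ssl_request formats.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample lines.
ACCESS_LOG = """\
172.17.122.44 - - [10/Aug/2015:17:53:52 -0400] "GET /page.jsp?p1=search HTTP/1.0" 200 1197
172.17.121.2 - - [10/Aug/2015:17:54:01 -0400] "GET /OA_HTML/missing.jsp HTTP/1.0" 404 311
172.17.121.2 - - [10/Aug/2015:17:54:05 -0400] "POST /OA_HTML/AppsLogin HTTP/1.1" 500 0
"""
ERROR_LOG = r"""[Tue May 12 00:11:45 2015] [error] [client 172.17.121.2] mod_security: Access denied with code 400. Pattern match "\\.\\./" at THE_REQUEST. [hostname "apps.example.com"] [uri "/P?path=../"] [unique_id VVF9gawReR8AAAVDA2M]
[Tue May 12 00:12:00 2015] [warn] child process 4242 still did not exit, sending a SIGTERM
"""
SSL_LOG = """\
[10/Aug/2015:17:53:52 -0400] 172.17.122.44 TLSv1.2 SSL_RSA_WITH_AES_256_GCM_SHA384 "GET / HTTP/1.0" 1197
[10/Aug/2015:17:55:10 -0400] 172.17.120.9 TLSv1 SSL_RSA_WITH_3DES_EDE_CBC_SHA "GET /OA_HTML/AppsLogin HTTP/1.1" 4210
"""

ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+|-)$')
MODSEC_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
    r'mod_security: Access denied with code (?P<code>\d+)\. (?P<reason>.*?)'
    r'(?: \[hostname "(?P<hostname>[^"]*)"\])?(?: \[uri "(?P<uri>[^"]*)"\])?'
    r'(?: \[unique_id (?P<unique_id>[^\]]+)\])?$')
SSL_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<client>\S+) (?P<protocol>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<bytes>\d+|-)$')

# Rank of each protocol version so "older than X" is a numeric comparison.
PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}


def parse_access(line: str) -> Optional[dict]:
    """One access_log line -> dict, with status as int; None if it does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def parse_modsec_denial(line: str) -> Optional[dict]:
    """One error-log line -> dict when it is a ModSecurity denial, else None."""
    m = MODSEC_RE.match(line)
    return m.groupdict() if m else None


def parse_ssl(line: str) -> Optional[dict]:
    """One ssl_request.log line -> dict; None if it does not parse."""
    m = SSL_RE.match(line)
    return m.groupdict() if m else None


def error_responses_by_client(log: str) -> Dict[str, int]:
    """Count 4xx/5xx responses per client address."""
    counts: Counter = Counter()
    for line in log.splitlines():
        rec = parse_access(line)
        if rec and rec["status"] >= 400:
            counts[rec["client"]] += 1
    return dict(counts)


def modsec_denials(log: str) -> List[Tuple[str, str, str]]:
    """(client, uri, reason) for every request ModSecurity blocked."""
    return [(r["client"], r["uri"], r["reason"])
            for r in map(parse_modsec_denial, log.splitlines()) if r]


def legacy_tls_clients(log: str, minimum: str = "TLSv1.2") -> List[Tuple[str, str, str]]:
    """(client, protocol, cipher) for connections below `minimum`; unknown names are flagged too."""
    floor = PROTOCOL_RANK[minimum]
    return [(r["client"], r["protocol"], r["cipher"])
            for r in map(parse_ssl, log.splitlines())
            if r and PROTOCOL_RANK.get(r["protocol"], -1) < floor]


if __name__ == "__main__":
    print(error_responses_by_client(ACCESS_LOG))
    print(modsec_denials(ERROR_LOG))
    print(legacy_tls_clients(SSL_LOG))
```

Correlating the three on the client address (172.17.121.2 appears in both the error responses and the ModSecurity denial in the sample) is what turns individual log lines into a baseline of normal activity and a short list of clients to look at; the legacy-protocol list is also the inventory you need before raising the minimum protocol on OHS or on an HAProxy termination point.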
Database Technology Stack Auditing & Logging
i. Database listener log
ii. Database alert log
iii. Database auditing
Reference: Oracle E-Business Suite Release 12.2, Security Administration Guide
Database Listener Log
• All successful and unsuccessful connection attempts are logged here
• All RELOAD, START, STOP, STATUS or SERVICES commands issued by the Listener Control utility
• Logging is turned on by default in Oracle E-Business Suite 12.1 and 12.2
• Configuration file: LISTENER.ORA
– LOG_STATUS = ON
– LOG_DIRECTORY_$ORACLE_SID = $TNS_ADMIN
– LOG_FILE_$ORACLE_SID = $ORACLE_SID
Database Alert Log
• The alert log is an XML file that is a chronological log of messages and errors.
• The alert log includes messages about the following:
– Critical errors (incidents)
– Administrative operations, such as starting up or shutting down the database, recovering the database, creating or dropping a tablespace, and others.
– Errors during automatic refresh of a materialized view
– Other database events
– The values of all initialization parameters that had nondefault values at the time the database and instance start
Database Auditing
• Monitor and record configured database actions
• Configuration file: init.ora
– Turn on traditional auditing
• AUDIT_TRAIL=DB or OS
• AUDIT_FILE_DEST=[directory]
– Monitor administrative user sessions
• AUDIT_SYS_OPERATIONS=TRUE
Database Auditing: Monitor Unsuccessful Database Logins
• Can alert you to password guessing attacks
• Can alert you to suspicious connections to highly privileged schemas
• Turn on by executing the following statement:
SQL> audit create session whenever not successful;
Database Auditing: Monitor Schema Changes
• Audit any changes to the standard Oracle E-Business Suite database schemas or creation of new schemas
• May alert you to inappropriate or malicious activity
• Turn on by executing the following statement:
SQL> AUDIT USER;
Database Auditing: Statement and Privilege Auditing
• Create, alter, drop database links
• Create, alter, drop public database links
• Create, alter, drop roles
• Create, alter, drop profiles
• Access public synonyms
• Create, alter directory
• Alter system statements
• Alter database statements
• Audit, noaudit SQL statements
• Grant, revoke system privileges
Audit script: SystemPrivAuditing.sql
Database Auditing: Object Level Auditing
• Recommendations for auditing the following categories of tables:
– User
– Responsibilities, roles and privileges
– Security configuration
– Flexfield configuration
– Concurrent manager configuration
Audit script: EBSObjectAuditing.sql
Database Auditing: Fine-Grained Auditing
• Allows detailed conditions to trigger auditing
• Monitors data access based on content
• Audits records based upon specific column conditions or actions, for example:
– Accessing a table between 9 p.m. and 6 a.m. or on Saturday and Sunday
– Using an IP address from outside the corporate network
– Selecting or updating a table column
– Modifying a value in a table column
• Creates a more meaningful audit trail
• Excludes the unnecessary volume that would be generated if every table access were recorded
Database Security Guide: About Fine-Grained Auditing
Auditing and Logging: Recent or Current Activity, Historical Activity, Unexpected Events
Recent or current activity and historical activity:
• Data changes tracked with row Who Columns
• Sign-On Audit
• Session auditing
• Database connection tagging
• Page Access Tracking
• Oracle E-Business Suite AuditTrail
• Proxy User auditing
• Apache access logs
• Database listener log
• Database alert log
• Database auditing
• Fine-grained auditing
Unexpected events:
• Unsuccessful logon attempts
• Debug logging
• OHS Apache error logs
• Database listener log
• Database alert log
Options for Analyzing Security Related Actions
C. Optional Oracle Technology Integrations
Reference: Oracle E-Business Suite Release 12.2, Security Administration Guide
Oracle Audit Vault and Database Firewall
• Consolidate the database audit trail into a secure centralized repository
• Detect and alert on suspicious activities, including those of privileged users
• Out-of-the-box compliance reports for SOX, PCI and other regulations – for example: privileged user audit, entitlements, failed logins, regulated data changes
• Integrates with the Oracle E-Business Suite security system
Oracle Audit Vault and Database Firewall
• Monitor inbound SQL activity in passive mode
• Alert security operations of unexpected activity
• Execute standard or develop custom reports
Oracle Governance, Risk and Compliance Manager: Manage financial and regulatory impacts in EBS
• Access Governor: enforce separation of duties
– Changes to users' functional abilities
– E-Business Suite integration
• Transaction Governor: monitor financial transactions executed
• Configuration Governor: monitor critical configuration changes
• Preventive Governor: proactively enforces policies
http://www.oracle.com/us/solutions/corporate-governance/overview/index.html
3. Overview of New Security Features
New Security Features in Oracle E-Business Suite 12.2
• Cookie Domain Scoping
– Provides additional protection for communication between the browser and the Oracle E-Business Suite web tier
– Define the scope for cookie sharing to avoid unnecessary exposure
• Allowed JSPs
– Defines a whitelist of allowed JSPs for Oracle E-Business Suite Release 12.2
– Prevents access to JSPs which are not used
– Enables configuration of actively allowed JSPs to avoid unnecessary exposure
• Proxy User
– Users can delegate, by responsibility or workflow notification type, some or all of their access to other users, who can then act on the delegator’s behalf
– Functionality works seamlessly across all Forms and OA Framework-based Oracle E-Business Suite modules
• Allowed Redirects
– Defines a whitelist of allowed redirects for Oracle E-Business Suite 12.2
– Prevents redirects that are not listed as allowed
– Enables configuration of allowed redirects to avoid unnecessary exposure
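The Allowed Redirects feature above is a whitelist: a redirect target is followed only if it is on the list. What makes such a check harder than a string comparison is that a value which looks like a local path can still resolve to another host. The following added example, which is not Oracle's implementation and reads no EBS configuration, shows a defensive version of that decision: relative paths on the application itself are accepted, absolute http(s) URLs are accepted only when the host is exactly on the list, and the common escape forms (scheme-relative `//host`, backslash variants, userinfo tricks, non-http schemes) are rejected. The allow-list entries and the URLs checked are constructed.

```python
"""Allow-list check for redirect targets, in the spirit of EBS 12.2's Allowed
Redirects feature.

Added example; not Oracle's implementation and independent of EBS configuration.
The allow-list and all URLs below are constructed.
"""
from typing import Iterable, Tuple
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"apps.example.com", "partner.example.net"}   # constructed allow-list


def is_allowed_redirect(target: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Return (allowed, reason). Accept only a local absolute path or an
    http(s) URL whose host is exactly on the allow-list."""
    if not target or any(c in target for c in "\r\n\0"):
        return False, "empty or contains control characters"
    stripped = target.lstrip()
    # "//host/..." is scheme-relative and resolves to another host; browsers
    # also treat backslashes as slashes, so reject those spellings too.
    if stripped.startswith(("//", "/\\", "\\\\", "\\/")):
        return False, "scheme-relative URL resolves to another host"
    parts = urlsplit(stripped)
    if parts.scheme == "" and parts.netloc == "":
        if not stripped.startswith("/"):
            return False, "relative target must start with '/'"
        return True, "local path"
    if parts.scheme.lower() not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted"
    if parts.username is not None or parts.password is not None:
        # "https://apps.example.com@other.host/" has host other.host
        return False, "userinfo in URL"
    host = (parts.hostname or "").lower()
    if host in {h.lower() for h in allowed_hosts}:
        return True, f"host {host} on allow-list"
    return False, f"host {host!r} not on allow-list"


if __name__ == "__main__":
    for t in ("/OA_HTML/RF.jsp?function_id=1", "https://apps.example.com/OA_HTML/AppsLogin",
              "//other.example/", "https://apps.example.com@other.example/",
              "https://apps.example.com.other.example/", "OA_HTML/x"):
        print(t, "->", is_allowed_redirect(t))
```

Exact host matching rather than prefix or suffix matching is deliberate: both `apps.example.com.other.example` and `apps.example.com@other.example` start with the allowed name and both end up somewhere else. The same decision should be made wherever the application reads a "return to" URL from a request, not only in the login flow.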
4. Review Security Roadmap
Security and Auditing Roadmap
• EBS 12.2 new security features turned on by default
• Documentation and scripts
– EBS 12.2 Auditing and Logging section of the Security Administration Guide
– Additional auditing and security configuration scripts
• Tracking of IP addresses at E-Business Suite session and PAT level
• Database 12c Unified Auditing with Oracle E-Business Suite 12.2
• Certification of TLS 1.2 with Oracle E-Business Suite 12.2
• Oracle E-Business Suite 12.2 Data Masking Template
E-Business Suite Technology Stack Blog
• Direct from EBS Development
• Latest news
• Certification announcements
• Primers, FAQs, tips
• Desupport reminders
• Latest upgrade recommendations
• Statements of Direction
• Subscribe by email or RSS
blogs.oracle.com/stevenchan
E-Business Suite: System Management
Join us on Facebook: facebook.com/groups/EBS.SysAdmin
Questions and Answers
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Chronological Order
Related Sessions
Monday, October 26, 2015
11:00 a.m. CON8140 - Planning Your Upgrade to Oracle E-Business Suite 12.2 (J. Anne Carlson, Senior Director, Product Strategy, Oracle E-Business Suite, Oracle)
Moscone West—3022
2:45 p.m. CON8146 - Simplified and Touch-Friendly User Interface in Oracle E-Business Suite (Padmaprabodh Ambale, Director, ATG Development, Oracle)
Moscone West—3024
4:00 p.m. CON6413 - Oracle E-Business Suite Technology: Latest Features and Roadmap (Lisa Parekh, Vice President, Oracle)
Moscone West—3002
5:15 p.m. CON8138 - Testing Oracle E-Business Suite Best Practices (Prasanti Madireddi, Senior Director, Oracle; Jake Westphal, Senior IT Manager - Enterprise Applications, First American)
Moscone West—3022
Related Sessions
Tuesday, October 27, 2015
11:00 a.m. GEN6409 - General Session: Oracle E-Business Suite Update, Strategy, and Roadmap (Clifford Godwin, Senior Vice President, Oracle)
Moscone West—2008
12:15 p.m. CON8128 - Installation, Cloning, and Configuration of Oracle E-Business Suite 12.2 (Max Arderius, Senior Principal Product Manager, Oracle)
Moscone West—3014
4:00 p.m. CON8133 - Online Patching with Oracle E-Business Suite 12.2 (Kevin Hudson, Senior Director, Oracle)
Moscone West—3022
5:15 p.m. CON8130 - Migrating and Managing Customizations for Oracle E-Business Suite 12.2 (Santiago Bastidas, Senior Principal Product Manager, Oracle)
Moscone West—3014
5:15 p.m. CON6410 - Oracle E-Business Suite: Mobile Update, Strategy, and Roadmap (Jeanne Lowell, Vice President, EBS Product Strategy, Oracle)
Moscone West—3022
Related Sessions
Wednesday, October 28, 2015
11:00 a.m. CON8132 - Oracle E-Business Suite Integration Best Practices (Veshaal Singh, Vice President, Oracle)
Moscone West—3004
11:00 a.m. CON8127 - Oracle Enterprise Manager 12c Cloud Control for Managing Oracle E-Business Suite 12.2 (Angelo Rosado, Senior Principal Product Manager, Oracle)
Moscone West—3022
12:15 p.m. CON8142 - Customer Success Stories: Upgrading to Oracle E-Business Suite 12.2 (Andrew McVeagh, Oracle CoE Leader, GE Transportation; Terri Noyes, Senior Director, Oracle; Musa Ramadhani, Lead Oracle Apps DBA, Gentex Corporation)
Moscone West—3004
12:15 p.m. CON8135 - Getting Optimal Performance from Oracle E-Business Suite (Samer Barakat, Director, Applications Performance, Oracle)
Moscone West—3022
Related Sessions
Wednesday, October 28, 2015
1:45 p.m. CON8143 - Standards-Based Desktop Integration in Oracle E-Business Suite (Padmaprabodh Ambale, Director, ATG Development, Oracle)
Moscone West—3022
3:00 p.m. CON8134 - Maintenance Strategies for Oracle E-Business Suite (Elke Phelps, Senior Principal Product Manager, Oracle)
Moscone West—3022
4:15 p.m. CON8145 - Building, Deploying, and Managing Smartphone Apps for Oracle E-Business Suite (Vijay Shanmugam, Director, Oracle)
Moscone West—3004
Related Sessions
Thursday, October 29, 2015
10:45 a.m. CON8129 - Advanced Architectures for Oracle E-Business Suite (Noby Joseph, Architect ATG Development, Oracle; Elke Phelps, Senior Principal Product Manager, Oracle)
Moscone West—3022
10:45 a.m. CON8147 - Oracle E-Business Suite 12.2: Customer Panel (Steven Chan, Senior Director, Oracle; Ravi Ravikoti, Senior Manager, On Semiconductor Corporation; Tom Robinette, Executive Director of Business Systems, Exterran; Martha Wiegman, Senior Manager - Business Solutions at GE)
Moscone West—3004
12:00 p.m. CON8131 - Enabling Oracle E-Business Suite for SOA, Cloud, and Mobile (Rekha Ayothi, Principal Product Manager, Oracle)
Moscone West—3004
12:00 p.m. CON8136 - Oracle E-Business Suite Technology Certification Primer and Roadmap (Steven Chan, Senior Director, Oracle)
Moscone West—3022
Related Sessions
Thursday, October 29, 2015
1:15 p.m. CON8126 - Case Study: Oracle Application Management Suite for Oracle E-Business Suite (Sue Gill, Senior Database Administrator, GE Corporate; Angelo Rosado, Senior Principal Product Manager, Oracle)
Moscone West—3004
1:15 p.m. CON8141 - Technical Upgrade Best Practices for Oracle E-Business Suite 12.2 (Samer Barakat, Director, Applications Performance, Oracle; Udayan Parvate, Senior Director, EBS Release Engineering, Oracle)
Moscone West—3022
2:30 p.m. CON8137 - Managing Oracle E-Business Suite Auditing and Security (Eric Bing, Senior Director, Oracle; Elke Phelps, Senior Principal Product Manager, Oracle)
Moscone West—3004
2:30 p.m. CON8144 - Personalize and Extend Oracle E-Business Suite for Desktops and Tablets (Padmaprabodh Ambale, Director, ATG Development, Oracle)
Moscone West—3022
Ordered by Theme
Related Sessions
Strategy & Roadmap
Monday Oct 26
4:00 p.m.
CON6413 - Oracle E-Business Suite Technology: Latest Features and Roadmap (Lisa Parekh, Vice President, Oracle)
Moscone West—3002
Tuesday Oct 27
11:00 a.m.
GEN6409 - General Session: Oracle E-Business Suite Update, Strategy, and Roadmap (Clifford Godwin, Senior Vice President, Oracle)
Moscone West—2008
Tuesday Oct 27
5:15 p.m.
CON6410 - Oracle E-Business Suite: Mobile Update, Strategy, and Roadmap (Jeanne Lowell, Vice President, EBS Product Strategy, Oracle)
Moscone West—3022
Thursday Oct 29
12:00 p.m.
CON8136 - Oracle E-Business Suite Technology Certification Primer and Roadmap (Steven Chan, Senior Director, Oracle)
Moscone West—3022
Related Sessions
Installation & Architecture
Tuesday Oct 27
12:15 p.m.
CON8128 - Installation, Cloning, and Configuration of Oracle E-Business Suite 12.2 (Max Arderius, Senior Principal Product Manager, Oracle)
Moscone West—3014
Thursday Oct 29
10:45 a.m.
CON8129 - Advanced Architectures for Oracle E-Business Suite (Noby Joseph, Architect ATG Development, Oracle; Elke Phelps, Senior Principal Product Manager, Oracle)
Moscone West—3022
Related Sessions
12.2 Customer Panels
Wednesday Oct 28
12:15 p.m.
CON8142 - Customer Success Stories: Upgrading to Oracle E-Business Suite 12.2 (Andrew McVeagh, Oracle CoE Leader, GE Transportation; Terri Noyes, Senior Director, Oracle; Musa Ramadhani, Lead Oracle Apps DBA, Gentex Corporation)
Moscone West—3004
Thursday Oct 29
10:45 a.m.
CON8147 - Oracle E-Business Suite 12.2: Customer Panel (Steven Chan, Senior Director, Oracle; Ravi Ravikoti, Senior Manager, On Semiconductor Corporation; Tom Robinette, Executive Director of Business Systems, Exterran; Martha Wiegman, Senior Manager - Business Solutions at GE)
Moscone West—3004
Related Sessions
Upgrade
Monday Oct 26
11:00 a.m.
CON8140 - Planning Your Upgrade to Oracle E-Business Suite 12.2 (J. Anne Carlson, Senior Director, Product Strategy, Oracle E-Business Suite, Oracle)
Moscone West—3022
Thursday Oct 29
1:15 p.m.
CON8141 - Technical Upgrade Best Practices for Oracle E-Business Suite 12.2 (Samer Barakat, Director, Applications Performance, Oracle; Udayan Parvate, Senior Director, EBS Release Engineering, Oracle)
Moscone West—3022
Related Sessions
Patching
Tuesday Oct 27
4:00 p.m.
CON8133 - Online Patching with Oracle E-Business Suite 12.2 (Kevin Hudson, Senior Director, Oracle)
Moscone West—3022
Wednesday Oct 28
3:00 p.m.
CON8134 - Maintenance Strategies for Oracle E-Business Suite (Elke Phelps, Senior Principal Product Manager, Oracle)
Moscone West—3022
Related Sessions
Customizations
Tuesday Oct 27
5:15 p.m.
CON8130 - Migrating and Managing Customizations for Oracle E-Business Suite 12.2 (Santiago Bastidas, Senior Principal Product Manager, Oracle)
Moscone West—3014
Related Sessions
System Management
Wednesday Oct 28
11:00 a.m.
CON8127 - Oracle Enterprise Manager 12c Cloud Control for Managing Oracle E-Business Suite 12.2 (Angelo Rosado, Senior Principal Product Manager, Oracle)
Moscone West—3022
Thursday Oct 29
1:15 p.m.
CON8126 - Case Study: Oracle Application Management Suite for Oracle E-Business Suite (Sue Gill, Senior Database Administrator, GE Corporate; Angelo Rosado, Senior Principal Product Manager, Oracle)
Moscone West—3004
Related Sessions
Testing
Monday Oct 26
5:15 p.m.
CON8138 - Testing Oracle E-Business Suite Best Practices (Prasanti Madireddi, Senior Director, Oracle; Jake Westphal, Senior IT Manager - Enterprise Applications, First American)
Moscone West—3022
Related Sessions
Usability & Mobility
Monday Oct 26
2:45 p.m.
CON8146 - Simplified and Touch-Friendly User Interface in Oracle E-Business Suite (Padmaprabodh Ambale, Director, ATG Development, Oracle)
Moscone West—3024
Tuesday Oct 27
5:15 p.m.
CON6410 - Oracle E-Business Suite: Mobile Update, Strategy, and Roadmap (Jeanne Lowell, Vice President, EBS Product Strategy, Oracle)
Moscone West—3022
Wednesday Oct 28
4:15 p.m.
CON8145 - Building, Deploying, and Managing Smartphone Apps for Oracle E-Business Suite (Vijay Shanmugam, Director, Oracle)
Moscone West—3004
Thursday Oct 29
2:30 p.m.
CON8144 - Personalize and Extend Oracle E-Business Suite for Desktops and Tablets (Padmaprabodh Ambale, Director, ATG Development, Oracle)
Moscone West—3022
Related Sessions
Integration
Wednesday Oct 28
11:00 a.m.
CON8132 - Oracle E-Business Suite Integration Best Practices (Veshaal Singh, Vice President, Oracle)
Moscone West—3004
Thursday Oct 29
12:00 p.m.
CON8131 - Enabling Oracle E-Business Suite for SOA, Cloud, and Mobile (Rekha Ayothi, Principal Product Manager, Oracle)
Moscone West—3004
Related Sessions
Desktop Integration
Wednesday Oct 28
1:45 p.m.
CON8143 - Standards-Based Desktop Integration in Oracle E-Business Suite (Padmaprabodh Ambale, Director, ATG Development, Oracle)
Moscone West—3022
Related Sessions
Performance
Wednesday Oct 28
12:15 p.m.
CON8135 - Getting Optimal Performance from Oracle E-Business Suite (Samer Barakat, Director, Applications Performance, Oracle)
Moscone West—3022
Related Sessions
Security
Thursday Oct 29
2:30 p.m.
CON8137 - Managing Oracle E-Business Suite Auditing and Security (Eric Bing, Senior Director, Oracle; Elke Phelps, Senior Principal Product Manager, Oracle)
Moscone West—3004
Meet the Experts, Demos
Meet the Experts – Technology Stack
• Max Arderius, Senior Principal Product Manager
• Samer Barakat, Director, Applications Performance
• George Buzsaki, VP, Application Architecture
• Steven Chan, Senior Director
• Kevin Hudson, Senior Director
• Lisa Parekh, Vice President
• Elke Phelps, Senior Principal Product Manager
• Veshaal Singh, Vice President
MTE10252 – Monday, Oct 26, 2015 12:15 p.m.
Moscone West – 3001A
Meet the Experts – Upgrades Best Practices
• John Abraham, Director, Product Management
• Max Arderius, Senior Principal Product Manager
• Samer Barakat, Director, Applications Performance
• Nadia Bendjedou, Senior Director - Product Strategy
• George Buzsaki, VP, Application Architecture
• J. Anne Carlson, Senior Director, Product Strategy
• Kevin Hudson, Senior Director
• Udayan Parvate, Senior Director, EBS Release Engineering
• Elke Phelps, Senior Principal Product Manager
MTE10254 – Tuesday, Oct 27, 2015 5:15 p.m.
Moscone West – 3001A
Meet the Experts – Extensions for Endeca
• Ahmed Ali, Software Development Director
• Anurag Malik, Director, Product Management
• Muhannad Obeidat, Senior Director, Development
MTE10255 – Monday, Oct 26, 2015 4:00 p.m.
Moscone West – 3001A
Demos
• WUL-003 - Advanced Architecture and Technology Stack for Oracle E-Business Suite
• WCL-014 - Advanced Architecture and Technology Stack for Oracle E-Business Suite
• WCL-002 - Automated Oracle E-Business Suite Tests Using Oracle Flow Builder
• WCL-015 - End-to-End Management of Oracle E-Business Suite
• WCL-016 - New User Interface Capabilities in Oracle E-Business Suite
• WCL-003 - Oracle E-Business Suite: Technical Upgrade Best Practices
Moscone West – Exhibition Hall
Mon, Oct 26: 10:15 a.m. – 6:00 p.m.
Tue, Oct 27: 10:15 a.m. – 6:00 p.m.
Wed, Oct 28: 10:15 a.m. – 4:15 p.m.
Executive Keynote Cliff Godwin – Senior Vice President Applications Development, Oracle E-Business Suite
“GEN6409 - Oracle E-Business Suite: Update, Strategy and Roadmap”
In this session, hear from Oracle E-Business Suite General Manager Cliff Godwin as he delivers an update on the Oracle E-Business Suite product line. The session covers the value delivered by the current release of Oracle E-Business Suite applications, the momentum, and how Oracle E-Business Suite applications integrate into Oracle’s overall applications strategy. You will come away with an understanding of the value Oracle E-Business Suite applications deliver now and in the future.
Day: Tuesday, October 27, 2015
Time: 11:00 AM – 11:45 AM
Location: Moscone West—2008