Stephen Kost's E-Business Suite Security Blog
Several clients and partners have asked for this checklist lately. Posting it for those who may find it useful:
- If possible ask for the following:
- System diagram
- All URLs – WebLogic, Enterprise Manager and OBIEE
- Ask about load balancer and reverse proxy
- WebLogic accounts and passwords for both /EM and /Console
- TNSNAMES info and DB accounts and passwords for WebLogic repository database
- Ideally O/S accounts and passwords for server supporting WebLogic – will need for WLST scripts
- Request copy of config.xml file for each environment. If o/s accounts are surrendered these can be easily obtained.
- Network probe
- NMAP scan for WebLogic and OBIEE ports 7001, 9701 and 9703. Suggest scanning 9700 – 9710. Also NMAP scan for Oracle networking 1521 (default). Suggest scanning 1520-1530
- Check WebLogic and OBIEE specific URLs. For public facing, use Google. For internal construct URLs using information gathered from NMAP:
Administration Server Console
Enterprise Manager Console
Enterprise Manager Agent
Oracle Discoverer Viewer
If external Google: intitle:"WebLogic Server" intitle:"Console Login" inurl:console –site:targetdomain.com
Look for: analytics/saw.dll
e.g. if external Google: Inurl: analytics/saw.dll –site:targetdomain.com
- Inventory the databases associated with WebLogic. Issue the following from the repository databases:
- SELECT * FROM SYSTEM.SCHEMA_VERSION_REGISTRY$;
- SELECT * FROM PRODUCT_COMPONENT_VERSION;
- Read and analyze the primary WebLogic configurations. The primary config file is the /domains/DOMAIN_NAME/config/config.xml
- Get server information, suggest running WLST scripts for – Google several good examples: ‘wlst script list servers and information’
- Get WebLogic user information, suggest running WLST scripts for – Google several good examples: ‘wlst script list users’
- For OBIEE authentication will first be done by WebLogic. WebLogic will determine who can access OBIEE. WebLogic groups may or may not then drive authorization. Older OBIEE solutions also might internally authenticate within the repository (RDP). Overall security authorization within OBIEE can be at control at various levels; Catalog/Presentation, RPD and within the data sources or a combination of everything. There can also be no security/authorization e.g. authentication by WebLogic to use OBIEE and then handoff to a PUBLIC / generic OBIEE report.
A question we have answered a few times in the last few months is whether or not, and if so, how easy do Database Activity Monitoring (DAM) tools such as IBM Guardium support ERP platforms such as the Oracle E-Business Suite, PeopleSoft and SAP. The answer is yes; DAM tools can support ERP systems. For example, IBM Guardium has out-of-the-box policies for both the E-Business Suite and SAP – see figures one and two below.
There are many advantages to deploying a DAM solution to protect your ERP platform, the first being additional defense-in-depth for one of your most critical assets. You can read more here ( Integrigy Guide to Auditing and Logging in Oracle E-Business Suite) about Integrigy’s recommendations for database security programs. DAM solutions allow for complex reporting as well as 24x7 monitoring and easy relaying of alerts to your SIEM (e.g. Splunk or ArcSight).
Deploying DAM solutions to protect your SAP, PeopleSoft or E-Business Suite is a not-plug-and-play exercise. IBM Guardium’s out-of-the-box policies for the E-Business Suite require configuration to be of any value – see figure three below. The out-of-the-box DAM policies are a good starting point and Integrigy rarely sees them implemented as is. Integrigy also highly recommends, if at all possible, to complete a sensitive data discovery project prior to designing your initial DAM policies. Such projects greatly help to define requirements as well as offer opportunities for data clean up.
Overall, to design and implement an initial set of Guardium policies for the E-Business Suite (or any other ERP package) is usually a few weeks of effort depending on your size and complexity.
If you have any questions, please contact us at firstname.lastname@example.orgFigure 1- Seeded Guardium Policies for EBS and SAP
Figure 2- Guardium E-Business Suite PCI Policy
Figure 3- Example of Blank Configuration
Tags: AuditingOracle E-Business SuiteIBM Guardium