Professional Documents
Culture Documents
Stephen Kost
Integrigy Corporation
Integrigy Corporation
Phil Reimann
Director of Business Development
Integrigy Corporation
Agenda
Best Practices
Overview
2
EBS Privileged
Accounts
Q&A
4
Logging
Auditing &
Monitoring
About Integrigy
ERP Applications
Databases
Products
AppSentry
Services
Validates
Security
AppDefend
Verify
Security
Ensure
Compliance
Security Assessments
Oracle EBS, OBIEE, Databases,
Sensitive Data, Penetration Testing
Compliance Assistance
SOX, PCI, HIPAA
Protects
Oracle EBS
Build
Security
You
Agenda
Best Practices
Overview
2
EBS Privileged
Accounts
Q&A
4
Logging
Auditing &
Monitoring
{ generic
privileged
account }
application, database, or
operating system account
used for administration
by multiple people and
has significant privileges
Some intentional
Most accidental
SYSADMIN
seeded application accounts
APPS, APPLSYS
SYS, SYSTEM
Oracle EBS schemas (GL, AP, ...)
root
oracle, applmgr
database
APPS
can obtain
SYSADMIN
password
application
SYSADMIN
execute
SQL as APPS
execute
SQL as SYS
connect
as SYSDBA
database
SYS
execute OS
commands
as oracle
operating system
oracle/
applmgr
Don't Know
No 3%
No
Somewhat 26%
Somewhat
Yes 65%
Yes
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Don't Know
Not
Managed
17%
Not
Managed
Somewhat 35%
Somewhat
Very
Actively
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Agenda
Best Practices
Overview
2
EBS Privileged
Accounts
Q&A
4
Logging
Auditing &
Monitoring
Generic
Privileged
Accounts
E-BUSINESS SUITE
SYSADMIN
-
Application administrators
Application DBAs
Support and power users
Helpdesk
Consultants and subcontractors
Control
Log &
Monitor
Audit
Default
Password
Active
Responsibilities
ASGADM
WELCOME
SYSTEM_ADMINISTRATOR
ADG_MOBILE_DEVELOPER
IBE_ADMIN
WELCOME
IBE_ADMINISTRATOR
MOBADM
MOBADM
MOBILE_ADMIN
SYSTEM_ADMINISTRATOR
MOBILEADM
WELCOME
ASG_MOBILE_ADMINISTRAOTR
SYSTEM_ADMINISTRATOR
OP_CUST_CARE_ADMIN
OP_SYSADMIN
WIZARD
OP_CUST_CARE_ADMIN
OP_SYSADMIN
WELCOME
OP_CUST_CARE_ADMIN
OP_SYSADMIN
AZ_ISETUP
APPLICATIONS FINANCIALS
APPLICATION IMPLEMENTATION
Log &
Monitor
Audit
Generic
Privileged
Accounts
DATABASE
SYS
Application
o2
u1
a1
o1
(APPS)
DBA
(privileged)
SYSTEM
a2
o3
Management
(DBSNMP)
Application
Data Owners
Backup
Client/Server
(application)
o4
(RMAN)
Options
u2
u3
a3
o5
Interface
Ad-hoc
(limited privileges)
(non-application)
Application (a)
Oracle (o)
Oracle
E-Business
Suite
SYS
Owner of database
Must be used for some operations
SYSTEM
APPS
APPLSYS
Schema
Owners
(GL, AP, etc.)
Default
Password
Exists in
Database %
Default
Password %
SYS
CHANGE_ON_INSTALL
100%
3%
SYSTEM
MANAGER
100%
4%
DBSNMP
DBSNMP
99%
52%
OUTLN
OUTLN
98%
43%
MDSYS
MDSYS
77%
18%
ORDPLUGINS
ORDPLUGINS
77%
16%
ORDSYS
ORDSYS
77%
16%
XDB
CHANGE_ON_INSTALL
75%
15%
DIP
DIP
63%
19%
WMSYS
WMSYS
63%
12%
CTXSYS
CTXSYS
54%
32%
Control
Log &
Monitor
Audit
Control
Log &
Monitor
Audit
Control
Log &
Monitor
Audit
Control
Log &
Monitor
Audit
Generic
Privileged
Accounts
OPERATING SYSTEM
Control
Log &
Monitor
Audit
Agenda
Best Practices
Overview
2
EBS Privileged
Accounts
Q&A
4
Logging
Auditing &
Monitoring
No hardcoding of passwords
-
Sophisticated security
Robust standard reports
Built to support meet compliance requirements
Agenda
Best Practices
Overview
2
EBS Privileged
Accounts
Q&A
4
Logging
Auditing &
Monitoring
No other way
Payment Card
HIPAA
SOX
(PCI DSS)
(NIST 800-66)
(COBIT)
IT Security
FDA 21 CFR 11
(ISO 27001)
Oracle Database
Native Auditing
Syslog
Signon
AuditTrails
Page Tracking
Reporting
Correlation
E8 - Modify role
E2 - Logoff
E3 - Unsuccessful login
E7 - Create role
PCI
DSS 10.2
21 CFR
Part 11
SOX
(COBIT)
HIPAA
(NIST 800-66)
IT Security
(ISO 27001)
FISMA
(NIST 800-53)
E1 - Login
10.2.5
11.10(e)(d)
A12.3
164.312(c)(2)
A 10.10.1
AU-2
E2 - Logoff
10.2.5
11.10(e)
DS5.5
164.312(c)(2)
A 10.10.1
AU-2
E3 - Unsuccessful login
10.2.4
11.10(e)
11.300(d)
DS5.5
164.312(c)(2)
A 10.10.1
A.11.5.1
AC-7
E4 - Modify authentication
mechanisms
10.2.5
11.10(e)(d)
11.300(b)
DS5.5
164.312(c)(2)
A 10.10.1
AU-2
10.2.5
11.10(e)
11.100(a)
DS5.5
164.312(c)(2)
A 10.10.1
AU-2
10.2.5
11.10(e)
11.100(a)
DS5.5
164.312(c)(2)
A 10.10.1
AU-2
E7 - Create role
10.2.5
11.10(e)
DS5.5
164.312(c)(2)
A 10.10.1
AU-2
E8 - Modify role
10.2.5
11.10(e)
DS5.5
164.312(c)(2)
A 10.10.1
AU-2
10.2.5
11.10(e)
DS5.5
164.312(c)(2)
A 10.10.1
AU-2
10.2.5
11.10(e)
DS5.5
164.312(c)(2)
A 10.10.1
AU-2
10.2.2
11.10(e)
DS5.5
164.312(c)(2)
A 10.10.1
AU-2
10.2.6
11.10(e)
DS5.5
164.312(c)(2)
A 10.10.1
AU-2
AU-9
10.2.7
11.10(e)
DS5.5
164.312(c)(2)
A 10.10.1
AU-2
AU-14
10.2.2
11.10(e)
DS5.5
164.312(c)(2)
A 10.10.1
AU-2
Level 1
Level 2
Level 3
Agenda
Best Practices
Overview
2
EBS Privileged
Accounts
Q&A
4
Logging
Auditing &
Monitoring
Contact Information
web: www.integrigy.com
Mike Miller
Chief Security Officer
Integrigy Corporation
e-mail: mike.miller@integrigy.com
blog: integrigy.com/oracle-security-blog
youtube: youtube.com/integrigy