For those clients using Oracle Discoverer, especially those using Discoverer with the Oracle E-Business Suite for financial reporting, the October 2016 Oracle Critical Patch Update (CPU) includes a high-risk vulnerability reported by Integrigy Corporation. CVE-2016-5495 is a vulnerability in the Discoverer EUL Code and Schema and has a base score of 7.5. Integrigy believes this vulnerability affects all versions of Discoverer used with the Oracle E-Business Suite and that the confidentiality, integrity, and availability of (more...)
The Data Mover allows for total manipulation of data within PeopleSoft. You can use it to transfer data among PeopleSoft databases, regardless of operating system and database vendor. To state that Data Mover scripts need to be carefully secured is an understatement – the security of Data Mover scripts and activities must be HIGHLY secured.
When performing a PeopleSoft security audit Integrigy carefully reviews Data Mover scripts and activities. If you want to look today (more...)
When performing a PeopleSoft security audit, Integrigy carefully reviews batch processing activity generated through the Process Scheduler. Of particular focus is who has access to administer the Process Scheduler, and reviewing batch jobs to identify where jobs are being run with superuser privileges.
To look today at your environment for who has access to manage the Process Scheduler, the following can be used:
SELECT A.ROLEUSER, A.ROLENAME, A.DYNAMIC_SW FROM SYSADM.PSROLEUSER A (more...)
When performing a PeopleSoft security audit, reconciling users should be one of the first tasks. This includes default accounts created through the installation of PeopleSoft as well as user accounts associated with staff, vendors and customers.
The following are several of the topics that Integrigy investigates during our PeopleSoft security configuration assessments - take a look today at your settings:
- Default accounts - PeopleSoft default application user accounts with superuser privileges where possible should be (more...)
Jolt along with Tuxedo supports PeopleSoft web requests. Specifically, Jolt is the layer between the application server and the web server. It is also described as a Java-enabled version of Tuxedo.
When performing a PeopleSoft security audit, Integrigy reviews in detail the PeopleSoft Jolt security settings to ensure they are set per best practice recommendations. To do this yourself, use the table below to review your settings. These settings should also be regularly reviewed (more...)
When performing a PeopleSoft security audit, Integrigy reviews in detail the PeopleSoft Web Portal security settings to ensure they are set per best practice recommendations. To do this yourself, use the table below to review your settings.
These settings should also be regularly reviewed to ensure against configuration drift.
Allow Public Access: user sign-on is bypassed when direct links to a page are used (PUBLIC user access).
Protection of sensitive data at rest, in motion and in use all needs to be addressed as part of a holistic security strategy. This includes both Personally Identifiable Information (PII) and sensitive PeopleSoft system configurations.
When performing a PeopleSoft security audit, Integrigy reviews the use and implementation of encryption within all components of the PeopleSoft technology stack. This includes the following, all of which are critical. Review yours today and contact Integrigy with any questions.
- Implementation (more...)
PeopleSoft Public users are not required to authenticate (sign on). These are generic accounts created for specific purposes, for example informational pages and/or company directories. Public users are also not subject to timeouts (session inactivity). Because no authentication is required, no sensitive data should be accessible to these users. It also goes without saying that if you don’t need Public accounts, don’t use them.
When performing a PeopleSoft security audit, Integrigy identifies Public users and (more...)
Being hospitable and welcoming to guests is usually considered good manners. That said, being a gracious host does not mean you should be careless with your security.
With regard to PeopleSoft application security, the user GUEST is a default account created with the installation of PeopleSoft. When performing a PeopleSoft security audit, several attributes of the GUEST user are reviewed, including the following - take a look today at your settings:
For the GUEST (more...)
When performing a PeopleSoft security audit, reviewing which system and application security rights and privileges (authorization) individual users have been granted is one of the key deliverables. The following are several of the topics that Integrigy investigates during our PeopleSoft security configuration assessments - take a look today at your settings:
Review users with access to
- The SQR folder
- Process scheduler
- Security and other sensitive administration menus
- Security and other sensitive administration (more...)
Securing the PeopleSoft Integration Broker (IB) ensures the security of messaging both within PeopleSoft applications and among third-party systems. The following are several of the key tasks that Integrigy performs during our PeopleSoft security configuration assessments - take a look today at your settings:
- Ensure all inbound requests are required to use Secure Sockets Layer/Transport Layer Security (SSL/TLS)
- Ensure that the default PSKEY password has been changed - the PSKEY keystore contains (more...)
Logging and auditing form one of the pillars of PeopleSoft security. Both application and database auditing are required. Logging and auditing support a trust-but-verify approach, which is often deemed necessary to secure the activities of privileged system and database administrators.
While both the application and the database offer sophisticated auditing solutions, one key feature Integrigy always recommends is to ensure that EnableDBMonitoring is enabled within the psappsrv.cfg file. This is set by default but (more...)
PeopleSoft, like other major ERP applications, depends on a database to store its information but arguably does not secure that supporting database. The security of the database is the client’s responsibility.
In order to give a few examples of what we are talking about when we refer to database security, the following are several of the 200+ database security checks that Integrigy performs during our PeopleSoft security configuration assessments - take a look today at (more...)
The prior blog post [make a link] reviewed PeopleSoft CPU patching. Worthy of its own post is the October 2014 CPU. A show of hands back in April at our PeopleSoft database security presentation at Collaborate 2016 [link?] further confirmed Integrigy’s research that a surprising number of PeopleSoft installations have not applied this patch.
The PeopleTools October 2014 CPU (8.52.24, 8.53.17, 8.54.04) fixes a critical issue with the (more...)
The process of applying security patches starts with identifying which patches to apply. For PeopleSoft, security patches need to be considered for both the application and the major technical components. Applying security patches, referred to by Oracle as Critical Patch Updates (CPUs), for one component DOES NOT apply security patches for the other components.
For example, PeopleTools CPU patches DO NOT include database CPUs – applying one will not automatically apply nor include (more...)
Throughout the summer, Integrigy will be releasing new research on PeopleSoft security. This research focuses on the secure configuration of PeopleSoft and includes both the application and the major technical components such as the database (Oracle RDBMS), WebLogic and Jolt/Tuxedo. Hopefully, these blog posts will be useful.
If you have questions, please contact us at firstname.lastname@example.org
Michael A. Miller, CISSP-ISSMP, CCSP
Several clients and partners have asked for this checklist lately. Posting it for those who may find it useful:
- If possible ask for the following:
- System diagram
- All URLs – WebLogic, Enterprise Manager and OBIEE
- Ask about load balancer and reverse proxy
- WebLogic accounts and passwords for both /EM and /Console
- TNSNAMES info and DB accounts and passwords for WebLogic repository database
- Ideally O/S accounts and passwords for server supporting WebLogic – will need for (more...)
A question we have answered a few times in the last few months is whether, and if so how easily, Database Activity Monitoring (DAM) tools such as IBM Guardium support ERP platforms such as the Oracle E-Business Suite, PeopleSoft and SAP. The answer is yes; DAM tools can support ERP systems. For example, IBM Guardium has out-of-the-box policies for both the E-Business Suite and SAP – see figures one and two below.
With the recent news about yet another database breach of Personally Identifiable Information (PII), Integrigy had a discussion with a client about how to better protect the PII data of their executives.
The following Fine-Grained Auditing (FGA) policy started the discussion. The policy below will conditionally log direct connections to the Oracle E-Business Suite database when the PII data of corporate executives is accessed. For example, it will ignore E-Business Suite end-user connections to the database, (more...)