Oracle® Retail Warehouse Management System Security Guide
Release 15.0
E68107-01

8 RWMS Administration

This section covers how to improve security when dealing with the administration of RWMS.

Administration

This section covers security aspects of administration.

Password Administration

The following Secure Copy Parameters (SCPs) should be used for Password Administration. The usage description is provided in the section SCP Parameters for Security.

  • ac_cycle_count_priv

  • hashing_algorithm

  • max_invld_login_cnt

  • min_password_length

  • password_complexity

  • password_expire

Password Encryption

User passwords will be stored using the hashing algorithms provided by the Oracle database. The hashing algorithm which will be used can be changed by modifying the SCP hashing_algorithm.

The default value of the SCP is DBMS_CRYPTO.HASH_SH1. Other allowed values are DBMS_CRYPTO.HASH_MD4 and DBMS_CRYPTO.HASH_MD5.

If the SCP value is modified, each user's password is hashed with the new algorithm the next time that user changes their password.

Authorization - User Privileges

At install time and when utilizing the RWMS copy facility functionality, RWMS populates the dms_menu table with all of the menu options that make up the RWMS application.

In the dms_menu table there is a column called user_privilege. This column is used in conjunction with the user_privilege column within the dms_user table to restrict users from accessing menu options from the RWMS Main Menu screens. It also prevents users from being able to access a screen via the task administration functionality where the application directs users from screen to screen to complete tasks without navigating through menu options.

Each screen can be configured using the Menu Editor to set its user_privilege level. When a user logs into the RWMS application the dms_user.user_privilege setting is evaluated against the dms_menu.user_privilege setting to determine what menu options should be available.

The configuration of the user_privilege setting should be based on business needs. It is recommended that users carrying out administrative tasks have higher privileges than users carrying out day-to-day tasks.


Note:

When the dms_menu table is populated at installation time via the base install scripts the user_privilege level is always set to 1. When the dms_menu table is populated via the copy facility functionality, the user_privilege is copied over as well. These default values will probably require modification to improve security.

Hardening

Depending on business needs, assign each menu option the desired privilege level so that users get access to only the forms they need.

SCP Parameters for Security

The following SCP parameters will help in strengthening the security of the application:

  • ac_cycle_count_priv: The default value is 7. This specifies the privilege level that allows users to perform Audit Counts. For hardening, this should be increased to reduce the number of users with those privileges. The maximum privilege level is 9.

  • hashing_algorithm: This should be set to the hashing algorithm provided by Oracle Database. The default value is DBMS_CRYPTO.HASH_SH1.

  • max_invld_login_cnt: The default value is 5 and indicates the number of invalid login attempts allowed. For hardening, this value should be reduced.

  • min_password_length: The default minimum password length is 7. For hardening, this can be increased up to 20.

  • password_complexity: The default value is ANX. The options are:

    • Set to N for numeric only passwords.

    • Set to A for alphabetic only passwords.

    • Set to AN for alphanumeric-only passwords (one alphabetic character and one number mandatory).

    • Set to ANX for alphanumeric passwords with any other special character (minimum of one alphabetic character, one number and one special character mandatory).

    • Set to X for any character based password.

    ANX is the suggested and the strongest setting. Any other setting will leave the system prone to brute-force attacks.

  • password_expire: The number of days after which a password expires. The default value is 365. For hardening, this value should be reduced.
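
The defaults and hardening directions listed above can be checked mechanically. The script below is an added example, not part of the Oracle guide or product: it assumes the SCP values have been exported as "name=value" lines (a format chosen here for illustration) and reports every setting that is still at, or weaker than, the default given in this section.

```sh
#!/bin/sh
# Added example (not Oracle code): check exported SCP values against the
# defaults and hardening directions in this guide.
# ASSUMPTION: values were exported as "name=value" lines; sample is constructed.
SAMPLE_SCP='ac_cycle_count_priv=7
hashing_algorithm=DBMS_CRYPTO.HASH_MD5
max_invld_login_cnt=3
min_password_length=7
password_complexity=AN
password_expire=90'

# Reads name=value lines on stdin; prints one line per setting to review.
audit_scp() {
  while IFS='=' read -r name value; do
    case "$name" in
      ac_cycle_count_priv|max_invld_login_cnt|min_password_length|password_expire)
        case "$value" in
          ''|*[!0-9]*) echo "$name: '$value' is not a number"; continue ;;
        esac ;;
    esac
    case "$name" in
      ac_cycle_count_priv)
        [ "$value" -le 7 ] && echo "$name: $value is at or below default 7 (max 9)" ;;
      hashing_algorithm)
        case "$value" in
          DBMS_CRYPTO.HASH_SH1) ;;   # the guide's default
          DBMS_CRYPTO.HASH_MD4|DBMS_CRYPTO.HASH_MD5)
            echo "$name: $value is weaker than default DBMS_CRYPTO.HASH_SH1" ;;
          *) echo "$name: $value is not a value listed in the guide" ;;
        esac ;;
      max_invld_login_cnt)
        [ "$value" -ge 5 ] && echo "$name: $value is at or above default 5" ;;
      min_password_length)
        [ "$value" -le 7 ] && echo "$name: $value is at or below default 7 (max 20)" ;;
      password_complexity)
        [ "$value" != ANX ] && echo "$name: $value is weaker than ANX" ;;
      password_expire)
        [ "$value" -ge 365 ] && echo "$name: $value days is at or above default 365" ;;
    esac
  done
  return 0
}

printf '%s\n' "$SAMPLE_SCP" | audit_scp
```

An empty result means every checked parameter has been moved away from its default in the hardening direction.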

Batch Jobs

SSH Connection

The shell scripts create an SSH connection using defined credentials stored on the app server. This account will have execute permissions for the scripts and write permissions for the log files, as documented in the Operations Guide.

File Permissions

The shell scripts should normally not have write permissions for group and other users. Permissions should be set to 755 or lower. For hardening, ensure that the users accessing the batch jobs are part of the group, and do not provide access to other users.
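
One way to verify these permission rules on the app server, as an added example that is not part of the Oracle guide: the function reports scripts that are writable by group or other (outside "755 or lower") and, separately, scripts that grant any access to other users (allowed by 755, but contrary to the hardening advice). The directory argument is site-specific, and the demo files are constructed.

```sh
#!/bin/sh
# Added example (not Oracle code): report batch scripts whose mode breaks the
# guide's rules. The directory is site-specific; demo files are constructed.

# $1 = directory containing the batch shell scripts.
audit_batch_perms() {
  dir=$1
  # Write bit for group or other: outside "755 or lower".
  find "$dir" -type f \( -perm -020 -o -perm -002 \) -print |
    sed 's/^/group-or-other-writable: /'
  # Any bit for other: allowed by 755, but against the hardening advice.
  find "$dir" -type f \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
    sed 's/^/other-accessible: /'
}

# Demo on a throwaway directory: 755 passes the first check only,
# 775 fails both, 750 passes both.
demo=$(mktemp -d)
for spec in ok.sh:755 loose.sh:775 hardened.sh:750; do
  touch "$demo/${spec%%:*}"
  chmod "${spec##*:}" "$demo/${spec%%:*}"
done
audit_batch_perms "$demo"
rm -rf "$demo"
```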

Oracle Connection

The shell scripts will run the SQL statements using the RWMS Owning schema. Ensure that the appropriate wallet alias is created for this user and run the profile for executing Shell Scripts as documented in the Operations Guide.

RIB Integration

RIB should use the Separate Runtime User to connect to RWMS. Refer to the Oracle Retail Integration Bus documentation for more information on how to set up the integration.