Oracle® Retail Predictive Application Server and Applications Security Guide
Release 14.1.1
E61143-01

2 Installing the RPAS Server

This chapter of the security guide deals with security factors related to the installation of the RPAS Server.

Operating System Level Security

As part of the RPAS installation there are several security considerations regarding operating system file permissions, account creation, and folder permissions, among others. This section provides recommendations for operating system permissions and accounts for an RPAS installation, file ownership and access for the RPAS server and the Fusion Client, account creation guidelines, and overall operating system maintenance.

Clean Up File Ownership and Access

This section contains a short list of operating system security precautions to consider while installing the RPAS Server. This set of precautions is primarily intended for preventing unauthorized access to operating system files, whether they are sitting in a folder or in the process of being transferred. They are grouped into RPAS Server and Fusion Client precautions.

RPAS Server Precautions

The following are recommended when setting up the RPAS Server:

  • Require ssh and scp or other secure methods to log in to a shell in the operating system hosting the application server when doing administrative tasks.

  • Employ an internet firewall between the collection of the application server/RPAS server machines and the outside world.

  • Eliminate telnet, ftp, rsh, rlogin, and rcp connections.

  • Configure SSL access between the RPAS Server and Oracle Database, if using the HSA functionality.

Fusion Client Precautions

The following are recommended when setting up the Fusion Client:

  • Ensure that the operating system user who installs the WebLogic Server and ADF runtime libraries and who creates the WebLogic domains is not the root user. Instead create another user (for the purposes of this document, the user 'oracle' is used as the example).

  • Ensure that no files are created by root or any other user within the WebLogic Server installation directory.

  • Ensure that the 'oracle' user is also the user who starts up the WebLogic Servers.

  • Ensure that the Fusion Client is installed by the 'oracle' user.

  • Ensure that no other user creates files in the Fusion Client installation directory and that all files are owned by the 'oracle' user. (A select few other users present in the installer user's group may be allowed to read the files.)

  • A permission of 640 is appropriate for all files under the Fusion Client installation directory. Files created by the Fusion Client installer have this permission by default.
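
The ownership and 640 recommendations above can be checked with a short audit script. This is an added example, not part of the Oracle guide or installer; the function names and the sample file names are hypothetical, and the installation directory and owner are passed as arguments. Only regular files are compared against 640, because directories need the execute (search) bit to be entered.

```shell
#!/bin/sh
# Added example: audit an installation tree against the ownership and 640
# guidance. Function names and sample file names are hypothetical.

# Anything in the tree, of any type, that is not owned by the expected user.
wrong_owner() {
    find "$1" ! -user "$2"
}

# Regular files carrying any permission bit outside 640 (rw-r-----):
# owner execute, group write or execute, or any access for others.
beyond_640() {
    find "$1" -type f \( -perm -100 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \)
}

# Prints the findings; returns non-zero if there are any.
audit_install_tree() {
    owner_hits=$(wrong_owner "$1" "$2")
    mode_hits=$(beyond_640 "$1")
    [ -n "$owner_hits" ] && printf 'not owned by %s:\n%s\n' "$2" "$owner_hits"
    [ -n "$mode_hits" ] && printf 'more permissive than 640:\n%s\n' "$mode_hits"
    [ -z "$owner_hits$mode_hits" ]
}

# Constructed sample tree: one compliant file, one world-readable file and
# one file with execute bits set.
make_sample_tree() {
    t=$(mktemp -d) && mkdir "$t/config" || return 1
    touch "$t/config/app.properties" "$t/config/jdbc.xml" "$t/start.sh"
    chmod 640 "$t/config/app.properties"
    chmod 644 "$t/config/jdbc.xml"
    chmod 750 "$t/start.sh"
    printf '%s\n' "$t"
}
```

Run it as `audit_install_tree /path/to/install oracle`; a non-zero exit status means at least one file needs attention.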

Secure User Accounts

The following list provides general recommendations on how to strengthen the overall system security by configuring the Operating System (OS) accounts in a secure manner.

  • Make sure that all OS accounts have passwords that cannot be guessed.

    • Enforce rules for passwords requiring a combination of upper and lower case letters, numerals and special characters.

    • Ensure that enforced password changes are required at regular intervals.

    • Use a password cracking tool (such as Crack or John-the-Ripper) at regular intervals. This will guard against people using passwords associated with them, such as children's names or hobbies.

  • Automatically disable accounts after a specified number of failed login attempts.

  • Severely restrict the distribution of the root password and keep track of who has it:

    • Change the root password at frequent, regular intervals.

    • Change the root password as a matter of policy as soon as anyone with knowledge of it leaves the company.

  • .netrc files weaken security.

  • Root and root only should have uid "0".

  • Check root ".*" files for security holes. Such files should have 700 or 600 permissions and nothing else.

  • To avoid Trojan horse programs, the root user should always use full path names, including aliases. Root should never have "." in its PATH.

  • Oracle recommends that an RPAS OS account be created and given a default file creation permission of 700 (via umask).

    • This account should be used to install the RPAS binaries, execute the rpasInstall process, administer the daemons, and own the cron and batch processes. This will provide a hardened configuration where the files in RPAS_HOME, RIDE_HOME, and the RPAS domains are not accessible at the operating system level to anybody other than the rpas account.

    • An rpas user group can also be created to share this rpas administration privilege among multiple OS accounts. In this case, the default file creation permission set via umask should be 750 instead of 700.
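
Several items in this list can be verified mechanically. The following is an added example, not part of the Oracle guide; all function names and the fixture contents are hypothetical. It covers the UID 0, PATH, root dot-file and .netrc checks, and shows how the 700 and 750 permission figures map to umask values: a umask of 077 produces directories with mode 700, and 027 produces 750.

```shell
#!/bin/sh
# Added example: account checks. File paths are arguments so the functions
# can be run against copies as well as the live system.

# Names of accounts other than root that have UID 0 in a passwd-format file.
uid0_not_root() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Succeeds if a PATH string searches the current directory: an explicit "."
# entry, or an empty entry (leading, trailing or doubled colon).
path_has_cwd() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
    esac
    return 1
}

# Dot files directly under a home directory whose mode is neither 700 nor 600.
loose_dotfiles() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' ! -perm 700 ! -perm 600
}

# .netrc files in the home directories listed in a passwd-format file.
netrc_files() {
    awk -F: '{ print $6 }' "$1" | sort -u | while read -r home; do
        if [ -f "$home/.netrc" ]; then printf '%s\n' "$home/.netrc"; fi
    done
}

# Directory mode that results from a umask (directories start from 777).
dir_mode_for_umask() {
    printf '%03o\n' $(( 0777 & ~0$1 ))
}

# Constructed fixture: a passwd file with a second UID 0 account, and a root
# home containing one loose dot file and a .netrc.
make_fixture() {
    d=$(mktemp -d) && mkdir "$d/root" || return 1
    printf '%s\n' "root:x:0:0:root:$d/root:/bin/sh" \
        "toor:x:0:0::/nonexistent:/bin/sh" \
        "rpas:x:1001:1001::/nonexistent:/bin/sh" > "$d/passwd"
    touch "$d/root/.profile" "$d/root/.bashrc" "$d/root/.netrc"
    chmod 600 "$d/root/.profile" "$d/root/.netrc"
    chmod 644 "$d/root/.bashrc"
    printf '%s\n' "$d"
}
```

On a live host the equivalent calls are `uid0_not_root /etc/passwd`, `path_has_cwd "$PATH"` in root's shell, and `loose_dotfiles` on root's home directory.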

Maintenance

Other tasks that should be carried out as part of the maintenance process include:

  • Installing the latest operating system patches as they become available.

  • Regularly auditing user accounts and deleting or locking any accounts no longer required.