Secure Configuration and Auditing and Logging Checklists

This appendix covers the following topics:

• Overview
• Secure Configuration Checklist
• Auditing and Logging Checklist

Overview

This appendix summarizes recommendations in this guide for secure configuration as well as auditing and logging. It includes links to the relevant pages for the recommended configuration. Use it as a checklist or reference guide for the settings you should configure in your environment.

Secure Configuration Checklist

System-Wide Advice

• Use the Secure Configuration Console

• Keep software up-to-date

• Restrict network access to critical services

• Follow the principle of least privilege

• Monitor system activity

• Keep up-to-date on the latest security information

Oracle TNS Listener Security

• Harden operating environment

• Harden External Procedure (EXTPROC) services

• Add IP restrictions or enable Valid Node Checking

• Specify connection timeout

• Enable encryption of network traffic

• Enable admin restrictions

• Enable TNS listener logging

Oracle Database Security

• Harden operating environment

• Disable XDB

• Review database links

• Use Transparent Data Encryption (TDE)

• Use Network Access Control Lists (ACLs)

• Remove operating system trusted remote logon

• Change default installation passwords

• Implement two profiles for password management

• Restrict access to SQL trace files

• Remove operating system trusted remote roles

• Limit file system access within PL/SQL

• Limit dictionary access

• Revoke unnecessary grants given to APPLSYSPUB

Oracle Application Tier Security

• Harden operating environment

• Configure Allowed Resources

• Configure Allowed Redirects

• Protect diagnostic pages

Oracle E-Business Suite Security

• Harden operating environment

• Set Workflow notification mailer SEND_ACCESS_KEY to N

• Ensure you know who is a Workflow admin

• Set tools environment variables

• Restrict file types that may be uploaded

• Enable Antisamy HTML filter

• Use certified HTTP security headers

• Use TLS to encrypt Oracle E-Business Suite connections

• Avoid weak ciphers and protocols for SSL (HTTPS)

• Use external web tier if exposing any part of Oracle E-Business Suite to the internet

• Use terminal services for client-server programs

• Change passwords for seeded application user accounts

• Switch to hashed passwords

• Tighten logon and session profile options

• Create new user accounts safely

• Create shared responsibilities instead of shared accounts

• Configure concurrent manager for safe authentication

• Configure concurrent manager for start and stop without the APPS password

• Activate server security

• Create DBC files securely

• Consider using single sign-on

• Review and limit responsibilities and permissions

• Set other security-related profile options

• Restrict responsibilities by web server trust level

Desktop Security

• Configure browser

• Update the browser

• Turn off autocomplete

• Set policy for unattended PC sessions

Operating Environment Security

• Clean up file ownership and access

• Lock down operating system libraries and programs

• Filter IP packets

• Prevent spoofing

• Eliminate Telnet, rsh, and FTP daemons

• Verify network configurations

• Monitor for attacks

• Configure accounts securely

• Limit root access

• Manage user accounts

• Secure NFS

• Secure operating system devices

• Secure executables

• Secure file access

Auditing and Logging Checklist

Oracle E-Business Suite

• Monitor unsuccessful login attempts

• Enable Sign-On Audit

• Monitor Sign-On Auditing

• Disable inactive sessions

• Purge session information

• Purge Sign-On Audit data

• Configure Database Connection Tagging

• Set in review debug logging

Application Tier

• Configure and monitor Oracle HTTP Server (OHS) logging

Database

• Configure and monitor the database listener log

• Monitor the database alert log

• Configure Unified Auditing

• Audit and monitor per Oracle Database security guidelines