Copyright © 2012 Splunk Inc.
Splunking PeopleSoft
Marquis Montgomery
Security Architect/Team Lead, Corporate Security
AGENDA
What is PeopleSoft?
Realistic PeopleSoft architectures
Limitations we’re trying to mitigate
Use cases & how we do it
How you can do it
PeopleSoft vs PeopleTools
PeopleSoft Version
– Denoted by module with two numbers (HCM 9.1, SA 8.9)
PeopleTools Version
– Denoted with three numbers (8.53.11)
– [major release] . [minor release] . [dot release]
Basic Architecture
PeopleSoft Internet Architecture (PIA) v8
– Also called Pure Internet Architecture
3-tier vs 2-tier
– 3-tier via the web (web, app, db)
– 2-tier via Application Designer (app, db)
Realistic Architecture
PeopleSoft in the Enterprise
[Diagram labels: PRD, DEV, TST, STG]
PeopleSoft Limitations
Generic IDs used (and often required) for application maintenance
– ‘VP1’ level ID in the application
– SYSADM at the database tier (App -> DB)
Row level auditing within the application is expensive
Limited (or no) security information from Oracle about vulnerabilities
Many versions of PSFT and PTools, long upgrade cycle & patching quarterly not always possible
Widely distributed system with lots of log sources
WebLogic Use Cases
1) Table of IP to web requests (Time, IP, GET/POST, response code)
2) Breakdown by response code (200, 404, 304, etc)
3) URL history per IP
4) Portions of the app accessed the most (pageletname)
5) No app server available / no available application server domain / Jolt session pool
6) IB connector errors (free form search / troubleshooting)
7) DetectCSRF
8) Untrusted Server Certificate chain
Application Server Use Cases
1) All errors, notices, & warnings
2) Authentication failures
3) Authentication succeeded
4) Guest activity
5) LDAP Errors & failures
6) New auth token
7) Password encryption notices
8) Password expired
9) Switch user attempt
10) Invalid user / pwd over threshold alert
Database Server Use Cases
1) Authentication success
2) Authentication failure
3) Drops, alters, rollbacks, commits
4) DBA activity (depending on logging)
5) Sensitive data selects (National ID field)
WebLogic Log Sources
Log name | Contents
1. Access | Client IP, date & time, URL request, response code
2. Servlets | Debug & troubleshooting information from clients, some security alerts (CSRF)
3. Stderr | Error messages related to the webservers
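Added example (not from the original slides): WebLogic use cases 1 to 3 computed in Python from the Access log fields listed above. It assumes the access log is written in common log format; the sample lines, IP addresses and URLs are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumption: the access log uses common log format:
#   host ident user [timestamp] "METHOD url PROTOCOL" status bytes
CLF = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Constructed sample lines (documentation IP ranges, made-up URLs).
SAMPLE = """\
192.0.2.10 - - [12/Sep/2012:10:01:02 -0700] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5120
192.0.2.10 - - [12/Sep/2012:10:01:09 -0700] "POST /psc/ps/EMPLOYEE/HRMS/c/EXAMPLE.GBL HTTP/1.1" 200 2048
198.51.100.7 - - [12/Sep/2012:10:02:00 -0700] "GET /psp/ps/signon.html HTTP/1.1" 304 -
198.51.100.7 - - [12/Sep/2012:10:02:05 -0700] "GET /psp/ps/missing.gif HTTP/1.1" 404 312
this line is not an access record
"""

def parse(lines):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in lines:
        m = CLF.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def request_table(records):
    """Use case 1: rows of (time, IP, GET/POST, response code)."""
    return [(r["time"], r["ip"], r["method"], int(r["status"])) for r in records]

def status_breakdown(records):
    """Use case 2: number of requests per response code."""
    return Counter(int(r["status"]) for r in records)

def url_history(records):
    """Use case 3: URLs per client IP in time order, query string dropped."""
    hist = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        hist[r["ip"]].append(r["url"].split("?", 1)[0])
    return dict(hist)

RECORDS = list(parse(SAMPLE.splitlines()))

if __name__ == "__main__":
    for row in request_table(RECORDS):
        print(*row)
    print(dict(status_breakdown(RECORDS)))
    print(url_history(RECORDS))
```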
BEA Tuxedo Log Sources
Log name | Contents
1. Appsrv | Username@IP, authentication success / fail,
2. Tuxlog | App server restart activity, Tuxedo version
3. Tuxaccess | # of clients on app server, logon / logoff activity, username, client IP
4. Watchsrv | PID, current state, version, domains booted
Let’s see how it looks
DEMO
How you can do it
WebLogic
– http://docs.oracle.com/cd/E12840_01/wls/docs103/logging/config_logs.html
– http://docs.oracle.com/cd/E12840_01/wls/docs103/ConsoleHelp/taskhelp/logging/EnableAndConfigureHTTPLogs.html
PeopleSoft App Server
– http://docs.oracle.com/cd/E12531_01/tuxedo100/ada/admon.html
Oracle DB
– http://docs.oracle.com/cd/E11882_01/network.112/e16543/auditing.htm
How you can do it
Splunk PeopleSoft TA
– http://splunk-base.splunk.com/apps/58502/ta-peoplesoft_architecture
CedarCrestone Oracle 10G TA
– http://splunk-base.splunk.com/apps/58501/ta-cedarcrestone_oracle_10g
CedarCrestone Oracle 11G TA
– http://splunk-base.splunk.com/apps/58500/ta-cedarcrestone_oracle_11g