
Splunking PeopleSoft


Presentation Transcript


  1. Splunking PeopleSoft
     Marquis Montgomery, Security Architect/Team Lead, Corporate Security

  2. AGENDA
     • What is PeopleSoft?
     • Realistic PeopleSoft architectures
     • Limitations we’re trying to mitigate
     • Use cases & how we do it
     • How you can do it

  3. PeopleSoft vs PeopleTools
     • PeopleSoft Version
       • Denoted by module with two numbers (HCM 9.1, SA 8.9)
     • PeopleTools Version
       • Denoted with three numbers (8.53.11)
       • [major release] . [minor release] . [dot release]

  4. Basic Architecture
     • PeopleSoft Internet Architecture (PIA) v8
       • Also called Pure Internet Architecture
     • 3-tier vs 2-tier
       • 3-tier via the web (web, app, db)
       • 2-tier via Application Designer (app, db)

  5. Realistic Architecture

  6. PeopleSoft in the Enterprise PRD TST DEV STG

  7. PeopleSoft Limitations
     • Generic IDs used (and often required) for application maintenance
       • ‘VP1’ level ID in the application
       • SYSADM at the database tier (App -> DB)
     • Row-level auditing within the application is expensive
     • Limited (or no) security information from Oracle about vulnerabilities
     • Many versions of PSFT and PTools, long upgrade cycle & patching quarterly not always possible
     • Widely distributed system with lots of log sources

  8. WebLogic Use Cases
     1) Table of IP to web requests (Time, IP, GET/POST, response code)
     2) Breakdown by response code (200, 404, 304, etc.)
     3) URL history per IP
     4) Portions of the app accessed the most (pageletname)
     5) No app server available / no available application server domain / Jolt session pool
     6) IB connector errors (free form search / troubleshooting)
     7) Detect CSRF
     8) Untrusted Server Certificate chain

  9. Application Server Use Cases
     1) All errors, notices, & warnings
     2) Authentication failures
     3) Authentication succeeded
     4) Guest activity
     5) LDAP errors & failures
     6) New auth token
     7) Password encryption notices
     8) Password expired
     9) Switch user attempt
     10) Invalid user / pwd over threshold alert

  10. Database Server Use Cases
      1) Authentication success
      2) Authentication failure
      3) Drops, alters, rollbacks, commits
         • DBA activity
      4) DBA activity (depending on logging)
         • Sensitive data selects (National ID field)

  11. WebLogic Log Sources

  12. BEA Tuxedo Log Sources

  13. Let’s see how it looks DEMO

  14. How you can do it
      • WebLogic
        • http://docs.oracle.com/cd/E12840_01/wls/docs103/logging/config_logs.html
        • http://docs.oracle.com/cd/E12840_01/wls/docs103/ConsoleHelp/taskhelp/logging/EnableAndConfigureHTTPLogs.html
      • PeopleSoft App Server
        • http://docs.oracle.com/cd/E12531_01/tuxedo100/ada/admon.html
      • Oracle DB
        • http://docs.oracle.com/cd/E11882_01/network.112/e16543/auditing.htm

  15. How you can do it
      • Splunk PeopleSoft TA
        • http://splunk-base.splunk.com/apps/58502/ta-peoplesoft_architecture
      • CedarCrestone Oracle 10G TA
        • http://splunk-base.splunk.com/apps/58501/ta-cedarcrestone_oracle_10g
      • CedarCrestone Oracle 11G TA
        • http://splunk-base.splunk.com/apps/58500/ta-cedarcrestone_oracle_11g

  16. Q&A (Thank you!)
      marquis.montgomery@cedarcrestone.com
      @trademarq
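
Added example (not from the presentation or the TAs it links to): WebLogic use cases 1 to 4 from slide 8, computed in Python over constructed access-log lines, with malformed lines counted rather than silently dropped. It assumes the WebLogic HTTP access log is written in common log format; the sample IPs and URLs, including the EXAMPLE_MENU.EXAMPLE_COMP component, are made up for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format (not from a real system).
SAMPLE = '''\
10.0.0.5 - - [12/Sep/2013:10:01:02 -0700] "GET /psp/ps/EMPLOYEE/HRMS/h/?cmd=getCachedPglt&pageletname=MENU&tab=DEFAULT HTTP/1.1" 200 5120
10.0.0.5 - - [12/Sep/2013:10:01:09 -0700] "POST /psc/ps/EMPLOYEE/HRMS/c/EXAMPLE_MENU.EXAMPLE_COMP.GBL HTTP/1.1" 200 20480
10.0.0.9 - - [12/Sep/2013:10:02:30 -0700] "GET /psp/ps/EMPLOYEE/HRMS/h/?cmd=getCachedPglt&pageletname=MENU HTTP/1.1" 304 -
10.0.0.9 - - [12/Sep/2013:10:02:41 -0700] "GET /missing.gif HTTP/1.1" 404 1164
this line is truncated and must be skipped
'''

# host ident user [time] "METHOD url protocol" status bytes
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                 r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$')

def parse(text):
    """Return (events, skipped): one dict per well-formed line."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = CLF.match(line.strip())
        if m:
            events.append(m.groupdict())
        else:
            skipped += 1  # keep a count so parsing gaps are visible
    return events, skipped

def summarize(events):
    """Use cases 1-4: request table per IP, status breakdown, pagelet hits."""
    by_status = Counter(e["status"] for e in events)
    urls_by_ip = defaultdict(list)
    pagelets = Counter()
    for e in events:
        urls_by_ip[e["ip"]].append((e["time"], e["method"], e["url"], e["status"]))
        # pageletname is read from the query string when present
        for name in parse_qs(urlsplit(e["url"]).query).get("pageletname", []):
            pagelets[name] += 1
    return by_status, dict(urls_by_ip), pagelets

if __name__ == "__main__":
    events, skipped = parse(SAMPLE)
    by_status, urls_by_ip, pagelets = summarize(events)
    print("skipped lines:", skipped)
    print("status breakdown:", by_status.most_common())
    for ip, rows in urls_by_ip.items():
        print(ip, *rows, sep="\n  ")
    print("pagelets:", pagelets.most_common())
```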
