Copyright © 2012 Splunk Inc. Splunking PeopleSoft Marquis Montgomery Security Architect/Team Lead,...

Post on 24-Dec-2015


Copyright © 2012 Splunk Inc.

Splunking PeopleSoft

Marquis Montgomery

Security Architect/Team Lead, Corporate Security

AGENDA

What is PeopleSoft?

Realistic PeopleSoft architectures

Limitations we’re trying to mitigate

Use cases & how we do it

How you can do it

PeopleSoft vs PeopleTools

PeopleSoft Version
– Denoted by module with two numbers (HCM 9.1, SA 8.9)

PeopleTools Version
– Denoted with three numbers (8.53.11)
– [major release] . [minor release] . [dot release]

Basic Architecture

PeopleSoft Internet Architecture (PIA) v8
– Also called Pure Internet Architecture

3-tier vs 2-tier
– 3-tier via the web (web, app, db)
– 2-tier via Application Designer (app, db)

Realistic Architecture

PeopleSoft in the Enterprise

[Diagram: environments PRD, DEV, TST, STG]

PeopleSoft Limitations

Generic IDs used (and often required) for application maintenance
– ‘VP1’ level ID in the application
– SYSADM at the database tier (App -> DB)

Row level auditing within the application is expensive

Limited (or no) security information from Oracle about vulnerabilities

Many versions of PSFT and PTools, long upgrade cycle & patching quarterly not always possible

Widely distributed system with lots of log sources

WebLogic Use Cases

1) Table of IP to web requests (Time, IP, GET/POST, response code)
2) Breakdown by response code (200, 404, 304, etc)
3) URL history per IP
4) Portions of the app accessed the most (pageletname)
5) No app server available / no available application server domain / Jolt session pool
6) IB connector errors (free form search / troubleshooting)
7) DetectCSRF
8) Untrusted Server Certificate chain

Application Server Use Cases

1) All errors, notices, & warnings
2) Authentication failures
3) Authentication succeeded
4) Guest activity
5) LDAP Errors & failures
6) New auth token
7) password encryption notices
8) password expired
9) switch user attempt
10) Invalid user / pwd over threshold alert

Database Server Use Cases

1) Authentication success
2) Authentication failure
3) Drops, alters, rollbacks, commits
DBA activity
4) DBA activity (depending on logging)

Sensitive data selects (National ID field)

WebLogic Log Sources

Log name | Contents
1. Access | Client IP, date & time, URL request, response code
2. Servlets | Debug & troubleshooting information from clients, some security alerts (CSRF)
3. Stderr | Error messages related to the webservers

BEA Tuxedo Log Sources

Log name | Contents
1. Appsrv | Username@IP, authentication success / fail,
2. Tuxlog | App server restart activity, Tuxedo version
3. Tuxaccess | # of clients on app server, logon / logoff activity, username, client IP
4. Watchsrv | PID, current state, version, domains booted

Let’s see how it looks

DEMO

How you can do it

WebLogic
– http://docs.oracle.com/cd/E12840_01/wls/docs103/logging/config_logs.html
– http://docs.oracle.com/cd/E12840_01/wls/docs103/ConsoleHelp/taskhelp/logging/EnableAndConfigureHTTPLogs.html

PeopleSoft App Server
– http://docs.oracle.com/cd/E12531_01/tuxedo100/ada/admon.html

Oracle DB
– http://docs.oracle.com/cd/E11882_01/network.112/e16543/auditing.htm

Q&A (Thank you!)

marquis.montgomery@cedarcrestone.com
@trademarq
