Published by Emery Hodges. Modified over 9 years ago.
1
Splunking PeopleSoft
Marquis Montgomery
Security Architect/Team Lead, Corporate Security
Copyright © 2012 Splunk Inc.
2
AGENDA
– What is PeopleSoft?
– Realistic PeopleSoft architectures
– Limitations we’re trying to mitigate
– Use cases & how we do it
– How you can do it
3
PeopleSoft vs PeopleTools
PeopleSoft Version
– Denoted by module with two numbers (HCM 9.1, SA 8.9)
PeopleTools Version
– Denoted with three numbers (8.53.11)
– [major release].[minor release].[dot release]
4
Basic Architecture
PeopleSoft Internet Architecture (PIA) v8
– Also called Pure Internet Architecture
3-tier vs 2-tier
– 3-tier via the web (web, app, db)
– 2-tier via Application Designer (app, db)
5
Realistic Architecture
6
PeopleSoft in the Enterprise
[Diagram; environment labels: PRD, DEV, TST, STG]
7
PeopleSoft Limitations
Generic IDs used (and often required) for application maintenance
– ‘VP1’ level ID in the application
– SYSADM at the database tier (App -> DB)
Row-level auditing within the application is expensive
Limited (or no) security information from Oracle about vulnerabilities
Many versions of PSFT and PTools, long upgrade cycle & patching quarterly not always possible
Widely distributed system with lots of log sources
8
WebLogic Use Cases
1) Table of IP to web requests (Time, IP, GET/POST, response code)
2) Breakdown by response code (200, 404, 304, etc)
3) URL history per IP
4) Portions of the app accessed the most (pageletname)
5) No app server available / no available application server domain / Jolt session pool
6) IB connector errors (free form search / troubleshooting)
7) DetectCSRF
8) Untrusted Server Certificate chain
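Use cases 1 to 3 above, worked as an added example that is not part of the original presentation. It assumes the WebLogic access log is written in Common Log Format; the sample lines, URLs and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Common Log Format (not taken from the presentation).
SAMPLE_LOG = """\
10.1.1.20 - - [12/Sep/2012:09:14:02 -0700] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 18234
10.1.1.20 - - [12/Sep/2012:09:14:05 -0700] "POST /psc/ps/EMPLOYEE/HRMS/c/EXAMPLE.GBL HTTP/1.1" 200 5120
10.1.1.37 - - [12/Sep/2012:09:15:11 -0700] "GET /psp/ps/signon.html HTTP/1.1" 304 -
10.1.1.37 - - [12/Sep/2012:09:15:40 -0700] "GET /psp/ps/missing.gif HTTP/1.1" 404 1164
this line is truncated or malformed
"""

# Assumption: host ident user [time] "METHOD url protocol" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse(text):
    """Return (events, rejected): parsed dicts and non-empty lines that did not match."""
    events, rejected = [], []
    for line in text.splitlines():
        m = CLF.match(line.strip())
        if m:
            events.append(m.groupdict())
        elif line.strip():
            rejected.append(line)  # keep unparsed lines visible instead of dropping them
    return events, rejected

def request_table(events):
    """Use case 1: (time, IP, method, response code) for each request."""
    return [(e["time"], e["ip"], e["method"], e["status"]) for e in events]

def by_status(events):
    """Use case 2: request count per response code."""
    return Counter(e["status"] for e in events)

def url_history(events):
    """Use case 3: URLs requested by each client IP, in log order."""
    history = defaultdict(list)
    for e in events:
        history[e["ip"]].append(e["url"])
    return dict(history)

if __name__ == "__main__":
    events, rejected = parse(SAMPLE_LOG)
    print(request_table(events), dict(by_status(events)), url_history(events), sep="\n")
    print("unparsed lines:", rejected)
```

Tracking the rejected lines separately shows when a log format change has silently broken field extraction.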
9
Application Server Use Cases
1) All errors, notices, & warnings
2) Authentication failures
3) Authentication succeeded
4) Guest activity
5) LDAP errors & failures
6) New auth token
7) Password encryption notices
8) Password expired
9) Switch user attempt
10) Invalid user / pwd over threshold alert
10
Database Server Use Cases
1) Authentication success
2) Authentication failure
3) Drops, alters, rollbacks, commits DBA activity
4) DBA activity (depending on logging)
Sensitive data selects (National ID field)
11
WebLogic Log Sources
Log name | Contents
1. Access | Client IP, date & time, URL request, response code
2. Servlets | Debug & troubleshooting information from clients, some security alerts (CSRF)
3. Stderr | Error messages related to the webservers
12
BEA Tuxedo Log Sources
Log name | Contents
1. Appsrv | Username@IP, authentication success / fail,
2. Tuxlog | App server restart activity, Tuxedo version
3. Tuxaccess | # of clients on app server, logon / logoff activity, username, client IP
4. Watchsrv | PID, current state, version, domains booted
13
Let’s see how it looks
DEMO
14
How you can do it
WebLogic
– http://docs.oracle.com/cd/E12840_01/wls/docs103/logging/config_logs.html
– http://docs.oracle.com/cd/E12840_01/wls/docs103/ConsoleHelp/taskhelp/logging/EnableAndConfigureHTTPLogs.html
PeopleSoft App Server
– http://docs.oracle.com/cd/E12531_01/tuxedo100/ada/admon.html
Oracle DB
– http://docs.oracle.com/cd/E11882_01/network.112/e16543/auditing.htm
15
How you can do it
Splunk PeopleSoft TA
– http://splunk-base.splunk.com/apps/58502/ta-peoplesoft_architecture
CedarCrestone Oracle 10G TA
– http://splunk-base.splunk.com/apps/58501/ta-cedarcrestone_oracle_10g
CedarCrestone Oracle 11G TA
– http://splunk-base.splunk.com/apps/58500/ta-cedarcrestone_oracle_11g
16
Q&A (Thank you!)
marquis.montgomery@cedarcrestone.com
@trademarq