Oracle has updated the white paper "Best Practices for Securing the E-Business Suite 11i" to version 3.0.5. The major changes include:
- For 11.5.10.x, inclusion of a script to disable unnecessary packages in FND_ENABLED_PLSQL. The FND_ENABLED_PLSQL table contains a list of about 800 database packages and procedures that may be called through mod_plsql (think http://<host>:<port>/pls/<sid>/<package>.<procedure>). The txkDisableModPLSQL.sql script will disable all but 128 packages. I will post more details in the near future as all 11.5.10.x implementations will want to make sure this script has been run.
- The new white paper "Removing Credentials from a Cloned EBS Production Database" (Metalink Note ID 419475.1) is referenced in the new "Practice Safe Cloning" section, which discusses scrambling confidential information like social security numbers and changing all production passwords in a cloned instance. Changing all production passwords (database accounts and application users) is CRITICAL and must be done for every clone from production; otherwise, it is fairly easy, and well documented, to obtain all production application user passwords in a development or test instance (see the Integrigy white paper "Oracle Applications Password Decryption" for more information).
All the recommendations in the document should be implemented for a secure environment, along with secure development and change control practices.
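As an added example (not part of Oracle's white paper or the txkDisableModPLSQL.sql script), the following Python check reads web server access log lines, extracts mod_plsql calls of the /pls/<sid>/<package>.<procedure> shape described above, and reports those whose target is not on an allow list. The allow-list format (a set of enabled names assumed to be exported from FND_ENABLED_PLSQL), the XX_ package names, and the log lines are all constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Request field and status code of a Common Log Format line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Path shape described in the post: /pls/<sid>/<package>.<procedure>
PLS_PATH = re.compile(r"^/pls/[^/]+/(?P<target>[^/]+)$", re.IGNORECASE)

def modplsql_target(uri):
    """Return the called PL/SQL name in upper case, or None if not a /pls/ call."""
    # Decode %xx escapes so an encoded dot (%2E) cannot hide the name.
    match = PLS_PATH.match(unquote(urlsplit(uri).path))
    return match.group("target").upper() if match else None

def is_enabled(target, enabled):
    """True if the exact name, or the package it belongs to, is on the list."""
    package, dot, _ = target.rpartition(".")
    return target in enabled or (dot == "." and package in enabled)

def audit(log_lines, enabled):
    """Count requests per (target, status) whose target is not on the list."""
    findings = Counter()
    for line in log_lines:
        request = REQUEST.search(line)
        if not request:
            continue
        target = modplsql_target(request.group("uri"))
        if target and not is_enabled(target, enabled):
            findings[(target, request.group("status"))] += 1
    return findings

def served_but_not_enabled(findings):
    """Names answered with 2xx although absent from the list."""
    return sorted({name for name, status in findings if status.startswith("2")})

# Constructed allow list (assumed export of enabled names) and log lines.
ENABLED = {"XX_PORTAL_PKG", "XX_HELP_PKG.SHOW"}
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2007:10:00:00 -0500] "GET /pls/PROD/xx_portal_pkg.home HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Mar/2007:10:00:02 -0500] "GET /pls/PROD/xx_help_pkg.show?id=1 HTTP/1.1" 200 100',
    '10.0.0.9 - - [01/Mar/2007:10:01:00 -0500] "GET /pls/PROD/xx_help_pkg.edit HTTP/1.1" 403 0',
    '10.0.0.9 - - [01/Mar/2007:10:01:05 -0500] "GET /pls/PROD/xx_old_pkg%2Erun HTTP/1.1" 200 90',
    '10.0.0.9 - - [01/Mar/2007:10:01:09 -0500] "GET /index.html HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for (name, status), count in sorted(audit(SAMPLE_LOG, ENABLED).items()):
        print(f"{name} status={status} count={count}")
```

A 2xx response for a name missing from the list is the case to look at first, since it suggests the list used for the check is stale or the restriction is not in effect on that instance.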