Physically secure the hardware.
|
Keep your hardware in a secured area to prevent unauthorized operating system users from
tampering with the deployment machine ore its network connections.
|
Secure the networking services that the operating system provides.
|
Have an expert review network services such as e-mail programs or directory services to
ensure that a malicious attacker cannot access the operating system or
system-level commands. The way you do this depends on the operating system
you use.
Sharing a file system with other machines in the enterprise network imposes risks of a
remote attack on the file system. Be certain that the remote machines and
the network are secure before sharing the file systems from the machine that
hosts Oracle BPM components.
|
Use a file system that can prevent unauthorized access.
|
Make sure the file system on each Oracle BPM component host can prevent unauthorized
access to protected resources. For example, on a Windows computer, use only
NTFS.
|
Set file access permissions for data stored on disk.
|
Set operating system file access permissions to restrict access to data stored on disk.
This data includes, but is not limited to, the following:
- Third-party authentication directories
- Portal configuration files
For example, operating systems such as Unix and Linux provide utilities such as umask and
chmod to set the file access permissions. At a minimum, consider using
'umask 066', which denies read and write permissions to Group and Others.
|
Set file access permissions for data stored in the portal database.
|
Set operating system file access permissions to restrict access to data stored in the
portal database.
|
Safeguard passwords.
|
The passwords for user accounts on production machines should be difficult to guess and
should be guarded carefully. Set a policy to expire passwords periodically.
Never code passwords in client applications.
|
Do not develop on a production machine.
|
Develop first on a development machine and then move code to the production machine when
it is completed and tested. This process prevents bugs in the development
environment from affecting the security of the production environment.
|
Do not install development and sample software on a production machine.
|
Do not install development tools on production machines. Keeping development tools off the
production machine reduces the leverage intruders have should they get
partial access to an Oracle BPM production machine. Do not install the
Oracle BPM sample applications on production machines.
|
Enable security auditing.
|
Configure security auditing to enable monitoring of sensitive portal functions using the
Audit Manager function.
|
Consider using additional software to secure your operating system.
|
Most operating system can run additional software to secure a production environment. For
example, and Intrusion Detection System (IDS) can detect attempts to modify
the production environment.
Refer to the vendor of your operating system for information about available software.
|
Apply operation-system service packs and security patches.
|
Refer to the vendor of your operating system for a list of recommended service packs and
security-related patches.
|
Apply the latest Oracle BPM maintenance packs and implement the latest security
advisories.
|
You are advised to apply each maintenance pack as it is released. Maintenance packs are a
roll-up of all bug fixes for each version of the product.
|