• CCDB Content Overview of an ABAP system

Config stores  in CCDB could be categorized like the following:

•  Software Configuration
•  ABAP Instance Parameter
•  Database Configuration
•  Operating System Configuration
•  Business Warehouse Configuration
•  RFC Destinations Configuration
•  System Change Option Configuration
•  Security Configuration
• Critical user authorizations

Config Stores dealing with Software Configuration

SAP_KERNEL  

SAP Kernel release and patch information

Additional Information

Example Content of SAP_KERNEL

ABAP_INSTANCE_PAHI

Active profile parameter of an ABAP instance

Additional Information

Example Content of ABAP_INSTANCE_PAHI

ABAP_INSTANCE_PAHI_ENH****

Selected profile parameters of an ABAP instance, which you can define multiple times, plus additional entries showing the concatenated values of these parameters: icm/HTTP/admin_ALL, icm/HTTP/auth_ALL, icm/HTTP/logging_ALL, icm/HTTP/redirect_ALL, and icm/server_port_ALL.

It allows, e.g. to check if at least one of the parameters icm/server_port_0 to icm/server_port_9 contains an entry for HTTPS because all parameter value  are concatenated into the entry icm/server_port_ALL.

Additional Information

Example Content of ABAP_INSTANCE_PAHI_ENH

ABAP_DEFAULT_PROFILE, ABAP_INSTANCE_PROFILE,  ABAP_START_PROFILE, ABAP_ASCS_PROFILE

Profile files used by an ABAP instance

Additional Information ABAP_INSTANCE_PROFILE

Example Content of ABAP_INSTANCE_PROFILE

#.*************************************************************************************
#.*                                                                                   *
#.*       Instance profile XXX_YYY_HOST                                               *
#.*                                                                                   *
#.*       Version                 = 000858                                            *
#.*       Generated by user = USERID                                                  *
#.*       Generated on = 09.09.2014 , 06:45:15                                        *
#.*                                                                                   *
#.*************************************************************************************
#parameter created                          by: DSS*         15.09.2013 14:41:57
ssl/client_ciphersuites = 208:HIGH:MEDIUM:+e3DES:!aNULL:!eNULL

Config Stores dealing with Database Configuration

ENV_VARIABLES

Shell enviroment variables of  user <SID>ADM

Additional Information

 Example Content of ENV_VARIABLES

PHYSICAL_HOST

Relation physical host to virtual host

Additional Information

Example  Content of PHYSICAL HOST

saposcol

CPU, memory, and operating system patch information

Additional Information

Example Content of saposcol

saposcol

#<?xml version="1.0" encoding="utf-16"?>  
<sldinfo model_version="1.3.21" supplier_name="ComputerSystem" supplier_version="1.0">
<group group_type="SPECIFIC" name="system1">
<class name="SAP_ComputerSystem">
<instance> <property name="Status">
<value> OK</value>
</property> <property name="NameFormat">
<value> IP</value> </property>
<property name="Caption">
<value> Windows Server vmw4748 [X64]</value>
</property> <property name="Name">
...

SAPHostAgent

Version of the SAP host agent 

Additional Information

Example Content of SAPHostAgent

SYSTEM_TIMEZONE***

Contains the system timezone  

Additional Information

Example Content of SYSTEM_TIMEZONE

Config Stores dealing with Business Warehouse Configuration

ROIDOCPRMS

BW request transfer parameters

Additional Information

Example Content of ROIDOCPRMS

RSADMIN, RSADMINA, RSADMINC, RSADMINS

Common BW configuration

UPC_DARK, UPC_DARK2

Specific BW configuration

Config Stores dealing with RFC Destinations Configuration

RFCDES

All RFC destinations of a system; all RFC options in one column

Additional Information

 Example Content of RFCDES

RFCDES_TYPE_[3,G,H,L,T]

RFC destinations per type, each attribute is a column

Additional Information

Example Content of RFCDES_TYPE_3

RFCDES_TYPE_3_CHECK

(Security): Is a user with critical authorizations used in an RFC destination?

Additional Information

Example Content of RFCDES_TYPE_3_CHECK

Config Stores dealing with System Change Configuration

CLIENTS

System change settings per client

Additional Information

Example Content of CLIENTS

COMPONENTS

System change settings per component

Additional Information

Example Content of COMPONENTS

GLOBAL

System change settings global

Additional Information

Example Content of GLOBAL

NAMESPACES

System change settings per namespace

Additional Information

Example Content of NAMESPACES

GLOBAL_CHANGE_LOG***

Change Log of System Change Option - Global Setting (which is transaction SE03 / System Change Option)
There is still config store GLOBAL which contains the setting as well just based on the usual snapshot extraction method of CCDB.

Additional Information

Content of GLOBAL_CHANGE_LOG

COMPONENTS_CHANGE_LOG***

Change Log of System Change Option - Software Component

Additional Information

Example Content of COMPONENTS_CHANGE_LOG

NAMESPACES_CHANGE_LOG***

Change Log of System Change Option - Namespace/Name Range 

Additional Information

Example Content of NAMESPACES_CHANGE_LOG

Config Stores dealing with Security Configuration

ŸGW_REGINFO, GW_SECINFO, MS_SECINFO, GW_PRXINFO

 Gateway, proxy and message server access control lists

Additional Information GW_SECINFO

Example Content of GW_SECINFO

P USER=* USER-HOST=local HOST=local TP=*
P USER=* USER-HOST=local HOST=internal TP=*
P USER=* USER-HOST=internal HOST=local TP=*

STANDARD_USERS

ABAP standard user with password and lock status

Additional Information

 Example Content of STANDARD_USERS

PSE_CERT

Certifications with validity information

Additional Information

Example Content of PSE_CERT

ŸTWPSSO2ACL, RFCSYSACL, SNCSYSACL

Trusted-RFC, -SNC and -„Logon Tickets“ information

Additional Information TWPSSO2ACL

Example Content of TWPSSO2ACL

SICF_SERVICES

Active Web Services

Additional Information

Example Content of SICF_SERVICES

AUTH_SECURITY_POLICY

Contains (if exists) the new security policy

Security Policies,  which extend user types and password rules in ABAP, have been introduced with SAP_BASIS 7.03 (= 7.00 Ehp 3). See transaction SECPOL respective the online help:http://help.sap.com/saphelp_nw70ehp3/helpdata/en/41/019a4dba8d4afcb9e6a12003e40a2a/content.htm.

 Additional Information

 Example Content of AUTH_SECURITY_POLICY

SECURITY_POLICY_USAGE**** 

SECURITY_POLICY_USAGE provides usage overview for policies for ABAP systems. Users with no policy are summed up into line where SECURITY_POLICY is emtpy.

Additional Information

Example Content of SECURITY_POLICY_USAGE

AUDIT_CONFIGURATION

Contains the current audit log file configuation

Additional Information

Example Content of AUDIT_CONFIGURATION

Example for a deactivated Security Audit Log with two empty filters: 

<?xml version="1.0" encoding="utf-16"?>
<AuditConfiguration Enabled="No" SlotCount="2">
<Slot Client="" HighButton="" Login="" LowButton="X" MedButton="" Misc=""
MsgVect="00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
RFCLogin="" RFCStart="" RepoStart="" SelVar="00" SlotIndex="1" Status="" System="" TAStart="" Uname="" UserMaster=""/>
<Slot  Client="" HighButton="" Login="" LowButton="X" MedButton="" Misc="" 
MsgVect ="00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 
RFCLogin="" RFCStart="" RepoStart="" SelVar ="00" SlotIndex="2"  Status="" System="" TAStart="" Uname="" UserMaster="" />
</AuditConfiguration>

The token SlotIndex shows the slot number. The token Enabled shows the master switch for the Security Audit Log. The token Status shows if a slot is activated. The tokens Client and Uname define the selection. The tokens HighButton, MedButton, and LowButton show the severity. The tokens Login, RFCLogin, TAStart, RepoStart, RFCStart, UserMaster, Misc, and System show the event classes if SelVar is "00".

The token MsgVect shows the detailed message selection if  SelVar  is not "00". In this case active events are identified using individual bits at specific positions within field MsgVect. The position is calculated using the alphanumerical order 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ according to the  SUBID of the events. The event area (AU,  BU,  CU, DU, EU) defines the bit which is added to the value on that position: AU = x80 (hex), BU = x40, CU = x20 ,  DU  =  x10 ,  EU  =  x08 .

Only the first 36 positions of field MsgVect are used. Every position holds two bytes therefore you see two hexadecimal characters per position.

Example showing active system events of event area  AU  = x 80  only (AUE AUF AUG AUH AUI AUJ): 

Position 123456789012345678901234567890123456789012345678901234567890123456789012
SUBID    -0-1-2-3-4-5-6-7-8-9-A-B-C-D-E-F-G-H-I-J-K-L-M-N-O-P-Q-R-S-T-U-V-W-X-Y-Z
MSGVECT  000000000000000000000000000080808080808000000000000000000000000000000000...

Example showing events CUL (x20), CUM (x20) and BUZ (x40).

Position 123456789012345678901234567890123456789012345678901234567890123456789012
SUBID    -0-1-2-3-4-5-6-7-8-9-A-B-C-D-E-F-G-H-I-J-K-L-M-N-O-P-Q-R-S-T-U-V-W-X-Y-Z
MSGVECT  000000000000000000000000000000000000000000202000000000000000000000000040...

If you want to validate for individual event you can use a regular expression to define an rule within configuration validation.

.{42}2.2..{24}4..+

This regular expression skips 42 characters, checks the two event positions L and M, skips another 24 characters, checks event position Z, and accepts any remaining characters.  

You yan use double bytes for ignored positions, too:

(..){21}2.2.(..){12}4..*

Caution: Every double byte is a bit vector which represents multiple event codes.

If you just want to verify if a specific message is part of the filter but you do no care if more events are active, then you are in trouble.

• If CUL is active you see x20 on that position.
• If AUL and CUL are active you see x80 + x20 = xA0 on that position.
• The Rexeg part 2. above is true if CUL is active (and if EUL is active as well) but not if any of the events AUL, BUL, DUL are active.
• The Rexeg part 2. above is true if CUM is active (and if EUM is active as well) but not if any of the events AUM, BUM, DUM are active.
• The Rexeg part 4. above is true if BUZ is active (and if EUZ is active as well) but not if any of the events AUZ, CUZ, DUZ are active.

Therefore, you have to construct a regular expression which covers all combinations:

This leads to the following regular expression which verifies if at least the events CUL, CUM, and BUZ are active.

(..){21}[2367ABEF][08][2367ABEF][08](..){12}[4-7C-F][08].*

SESSION_MANAGEMENT

Shows if the new ABAP session management is active.

This configuration store shows if the field ICF_CONTROL of table ICF_SESSION_CNTL has a value > 0 in a client (availalbe per connected client to SAP Solution Manager). You maintain the session management setting in transaction SICF_SESSIONS.

Online documentation - Activating HTTP Security Session Management on AS ABAP
http://help.sap.com/saphelp_nw73/helpdata/en/bb/1bcf2122fd4a76948816b1342f20d7/content.htm

Additional Information

Example Content of SESSION_MANAGEMENT

USER_PASSWD_HASH_USAGE

 Shows the distribution of the different password hash types ( BCODE  PASSCODE / PWDSALTEDHASH). 

See also Why you should really get rid of old password hashes *NOW* posted by joris van de Vis in SCN Security on May 8, 2014 9:01:30 AM.

Additional Information

Example Content of USER_PASSWD_HASH_USAGE

TDDAT

Contains authorization class for specific (hard coded) tables SSF_PSE_* and  USR* and  USH*

Additional Information

Example Content of TDDAT

TDDAT_TABLES**

 Like config store TDDAT but allows to specifiy the tables checked in the store customizing. 

You can choose patterns like T77* or US+02 for customizing field table name.

Additional Information

LOCKED_TRANSACTIONS***

Contains all transactions which have been locked ( columns: TRANSACTION / TEXT)

Additional Information

Example Content of LOCKED_TRANSACTIONS

VSCAN_GROUP and VSCAN_SERVER***

Provide information about the Virus Scan Adapter. For more information see here:  help.sap.com

Additional Information

Content of VSCAN_GROUP

Additional Information

Example Content of VSCAN_SERVER

Config Stores dealing with Critical User Authorizations

AUTH_PROFILE_USER**

User profile check store (Default: users having SAP_ALL profile) based on profiles

Additional Information

 Example Content of AUTH_PROFILE_USER

ŸColumn USER_TYPE has been added with ST-A/PI 01R*

AUTH_PROFILE_USER_CHANGE_DOC***

User change documents showing SAP_ALL assignments. Including the timestamp of the event in the managed system and also the user who did the asignment.

Additional Information

Example Content of AUTH_PROFILE_USER_CHANGE_DOC

AUTH_TRANSACTION_USER**

User transaction check store based on transactions. Based on customizing.

Additional Information

AUTH_ROLE_USER**

Contains user to role relations. Based on customizing

Additional Information

AUTH_USER_TYPES**

Contains user type information. Based on customizing.

This ConfigStore allows to check for users of a specific user type. The customizing consists of three fields:

'Check Id'          A character field of length 30 used as identifier of a check in the customizing and the store content.
'User Name'      A dedicated user or a user pattern can be used here.
'User type'         The following values are allowed: 'DIALOG', 'SYSTEM', 'COMMUNICATION', 'REFERENCE', 'SERVICE' and '*' for all user types.
The ConfigStore must not be used to upload mass data. The intention of this Store is to check dedicated users and or may be small user groups which can be selected using a user pattern.

Typical use case:
Check if WF-BATCH or other powerful technical users have user type “system”.

Additional Information

Config Stores dealing with Role Configuration

AUTH_COMP_CHECK_ROLE**

Role check store based on authorization combinations

Ÿ AUTH_PATTERN_ROLE** 

Role check store based on naming pattern

Use this store to get a list of role names into the CCDB. In the customizing  of the ConfigStore you enter patterns like Z* into the value column. You can ignore the parameter column. Limitation: Only the * is recognized as a pattern character but not the + sign as you might expect it.

AUTH_P_ABAP_ROLE**

Roles granting access to HR Reports (P_ABAP = Authorization object that is used during the authorization check for HR Reports)

AUTH_INDI_MAINT_ORGA_ROLE** 

Roles having individuel maintained organizational elements

AUTH_DISPLAY_ROLE**

Display roles with non-dispaly authorizations. You have to define customizing describing the role names (use * to describe generic names) which should be checked.
Customizing table contains 2 column: Parameter and Value.  Each Entry needs an unique Parameter entry (just start with ROLE0001 for the first entry and ROLE0002 for the second entry and so on). Value contains the role name (support wildcard *).

AUTH_INFOTYPE_ROLE**

Roles with InfoTypes

AUTH_3RD_PARTY_ROLE**

3rd party roles with unexpected authorizations

AUTH_SENSI_TRANSACTION_ROLE**

Roles with access to sensitive transactions

AUTH_SENSI_TABLES_ROLE**

Roles with access to sensitive tables

AUTH_GEN_ORGA_ELEM_ROLE**

Roles with generic organisations elements

Abbreviations

* Added with 7.10 SPS10

** Config store customizing available / necessary

*** Added with 7.2 SP03

**** Added with 7.2 SP05