
Introduction

This page describes the use of Configuration Validation focusing on ABAP security. It can help to identify security risks of the managed SAP systems. The page shows some selected configuration items as potential starting point for a target system focusing on security. It cannot cover all configuration items relevant for your systems.

The Configuration and Change Database (CCDB, set up via the Root Cause Analysis (RCA) setup) collects, for each technical system and its instances, the technical configuration items of the SAP software layer. Security related items of the operating system, database and network are not covered.

The example uses a Solution Manager 7.10 SP1 to which the integration system SI7 is connected as a managed system.

Use Case:
The SAP Security Optimization Service has pointed out some risks. You would like to verify that the recommendations are implemented and in place, e.g. on a weekly or monthly basis.

The configuration validation can help to identify systems that are not compliant related to the selected items.

Where can I find Configuration Validation?

Configuration Validation can be found in the Work Center Change Management in Related Links

Where can I find the used Config Stores and have a look at the data?

 Work Center Root Cause Analysis (RCA) - System Analysis - Change Reporting

The extraction of the data is scheduled as soon as a “Root Cause Analysis Set Up” has been performed for a system. The items that belong together are stored as Config Stores, which results in many Config Stores per system in CCDB. E.g. the Config Store ABAP_INSTANCE_PAHI contains parameters. As this Config Store is related to an instance, it is assigned to an instance in change reporting, too. Our example SD7 has a ‘Central’ and a ‘Dialog’ instance.

Please note also the client-dependent stores, whose names start with AUTH*.

Preparation: Target System with selected Config Stores

Note: The Config Stores that contain security related items are secured. The user needs additional authorizations.
Please assign the following authorization to the users who are supposed to perform the validation:

Authorization object: AI_CCDB_SC (CCDB Store Content)
  ACTVT     = 03 (Display)
  CONT_AUTH = * or SECURITY

The role SAP_CV_ALL, which is part of the collective role SAP_CV_ADMIN_COMP, contains this authorization, but it is inactive there.

You can find the list of all secured Config Stores by calling the function module DIAGST_GET_STORES in transaction SE37. Enter a system ID into the field SID (or leave this field empty), set PROTECTED = Y and DISPLAY = X and execute the function. You may reduce the list of displayed columns to these fields only: GROUP_SOURCE, GROUP_NAME, STORE_CATEGORY, STORE_TYPE, STORE_NAME.

In order to perform all configuration validation examples it is most convenient to create a target system upfront: Configuration Validation - Target System Maintenance - Create.
Enter your source system (SD7 in our example) and press ENTER. On the right hand side Config Stores can be selected. One option is to select several Config Stores individually and use them in the target system. To simplify this step, a template with selected Config Stores and items for a security target system is delivered. Using this template as a starting point is the better option, so press 'Create with Template'.

Select 0SEC_NEW, read the displayed text, type a System ID and a description and press 'Create'.

The new target system BP_SEC1 is created according to the definition of the template.

Use the ‘Edit’ function of ‘Target System Maintenance’ for BP_SEC1 to see the definition.

You may display the Items with values and operators of a Config Store. You can add or remove configuration items and adapt values and/or operators to fit your specific security policy.

Please update the content of the Config Stores SAP_KERNEL and ABAP_NOTES.

SAP_KERNEL

Click on the Config Store SAP_KERNEL:

Please adjust the content of the field 'Value Low' for KERN_REL and KERN_PATCHLEVEL according to the kernel release that is supposed to be used in your SAP systems. Remark: The entries shipped with the template, kernel patch 271 of release 700_REL, had been defined in mid February 2011 as the lowest patch level for which no relevant SAP Note from the online recommendation existed. In other words, at that time no kernel related security issue was known for patch 271 and higher. This value only reflects the state at template creation, so check the current SAP security notes before relying on it.

ABAP_NOTES

The Config Store ABAP_NOTES has to be updated. Click on ABAP_NOTES and afterwards on the 'ABAP' icon.

Depending on whether the note information has been downloaded recently or not, this takes some seconds up to a minute. Afterwards press 'Save'.

Several error messages related to duplicate entries will be displayed. Remove the duplicates by pressing the delete icon and save the content again. The ABAP_NOTES Config Store will then contain several records for most of the notes, one per component and release the note provides corrections for:

  • The note number (10 digits, with leading zeros) is the key.
  • Texts and empty fields get the Ignore operator.
  • PRSTATUS 'E' means 'Completely implemented'.
  • Component, release, extrelease and the kernel information are defined according to the note information, which can be displayed in the SAP Service Marketplace.

Press the display icon to show the note content.

More notes can be added to the ABAP_NOTES Config Store. Notes that should not be checked can be removed. 

The other Config Stores provided by the template are:

STANDARD_USERS


The password status must not be DEFAULT. The user SAP* must exist in all clients and its password must be changed. The other standard users do not need to exist in all clients. The value of the parameter login/no_automatic_user_sapstar does not influence the validation of the user SAP*.

The documentation 'Protecting Standard Users' about the SAP standard users can be found in the SAP Help Portal, e.g. for 7.0 EhP1: http://help.sap.com/saphelp_nw70ehp1/helpdata/en/3e/cdaccbedc411d3a6510000e835363f/content.htm

AUTH_PROFILE_USER


The second item defines that all users (the USER field contains *) that have the SAP_ALL profile are evaluated as NON compliant, because the operator for the RESULT is 'Not equal' USER_IS_AUTHORIZED. The first item of the screen shot describes the exception for the user SAPSYS. SAPSYS is just an example for an exception: for this user it is compliant if the SAP_ALL profile is assigned (RESULT operator '=' USER_IS_AUTHORIZED). You can define other exceptional users of your systems instead. Keep that exception list as short as possible, since every user on it is excluded from the SAP_ALL check.

Background: The AUTH_PROFILE_USER Config Stores of the managed systems are filled only with the names of users that have the profile SAP_ALL assigned. The items have the RESULT USER_IS_AUTHORIZED.
You can customize the profiles to be checked via the CCDB Administration tool, which is started with transaction CCDB in the Solution Manager GUI.

In this tool navigate to the tab 'Technical Systems', select the system and display the stores relevant for critical user authorizations. Then navigate to the tab 'Customizing', create a new customizing variant and insert the profiles to be checked.

SICF_SERVICES

In an SAP system only the services of the SAP Internet Communication Framework (ICF) that are really needed should be active. Some services should not be active at all, see the white paper 'Secure Configuration SAP NetWeaver Application Server ABAP' (https://support.sap.com/securitywp). The services mentioned in the white paper are checked by these definitions.

Background: The Config Stores SICF_SERVICES of the managed systems contain only records for the active services. The ICF_NAME of the Config Store is not a unique key, which is why the 'Not exists' operator is used on the URL key and not on ICF_NAME. The content of the URL field corresponds to the 'SICF SERVICE' column of the white paper, section LIMIT WEB-ENABLED CONTENT.

MS_SECINFO

The definition means that the entry HOST=*, which is the default used in a system when no message server ACL (ms/acl_info) is defined, is validated as NON compliant, because it allows any host to log on to the message server as an application server.

For background information see section SAP MESSAGE SERVER SECURITY of the White paper ‘Secure Configuration SAP NetWeaver Application Server ABAP’ (https://support.sap.com/securitywp).

GW_SECINFO

This definition validates all lines whose parameters contain only the wildcard * as non compliant, which gives the same result as the gateway's own check in NetWeaver 7.0 EhP1, see SAP Note 1234799. Such a line permits any program on any host to be started. For background information see section SAP GATEWAY SECURITY of the white paper 'Secure Configuration SAP NetWeaver Application Server ABAP' (https://support.sap.com/securitywp).

GW_REGINFO

This definition validates all lines whose parameters contain only the wildcard * as non compliant, which gives the same result as the gateway's own check in NetWeaver 7.0 EhP1, see SAP Note 1234799. Such a line permits any host to register any program at the gateway.

For background information see section SAP GATEWAY SECURITY of the white paper 'Secure Configuration SAP NetWeaver Application Server ABAP' (https://support.sap.com/securitywp).
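The MS_SECINFO, GW_SECINFO and GW_REGINFO definitions above all express the same rule: an ACL line that restricts nothing because every parameter is '*' is non compliant. The following stand-alone check is an added example, not part of the original page and not SAP's tooling; it parses the gateway secinfo/reginfo syntax (VERSION=2) and the message server ACL and flags such lines. The file contents, host names and program paths are constructed for the demonstration.

```python
# Added example (not part of the original page or of SAP's tooling): a
# stand-alone check that mirrors the MS_SECINFO / GW_SECINFO / GW_REGINFO
# definitions by flagging ACL rules whose every parameter is '*'.
# The file contents below are constructed; host names and paths are fictitious.

SECINFO = """#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
P TP=/usr/sap/SI7/SYS/exe/run/tp USER=si7adm HOST=app1.example.corp USER-HOST=app1.example.corp
"""

REGINFO = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
P TP=SAPXPG HOST=app1.example.corp,local ACCESS=local CANCEL=local
D TP=* HOST=* ACCESS=* CANCEL=*
"""

MS_ACL_INFO = """HOST=*
"""


def parse_acl_rules(text):
    """Yield (line_no, action, {param: value}) for every rule line.

    Comment lines (including '#VERSION=2') and empty lines are skipped.
    secinfo/reginfo rules start with 'P' (permit) or 'D' (deny); the message
    server ACL has no action column, so every line of it is a permit rule.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] in ("P", "D"):
            action, params = tokens[0], tokens[1:]
        else:
            action, params = "P", tokens
        kv = dict(tok.split("=", 1) for tok in params if "=" in tok)
        yield line_no, action, kv


def is_wildcard_only(params):
    """True if the rule restricts nothing, i.e. every parameter value is '*'."""
    return bool(params) and all(value == "*" for value in params.values())


def noncompliant_lines(text):
    """Line numbers of permit rules that consist of wildcards only.

    A deny rule made of wildcards ('D TP=* HOST=* ...') restricts access
    rather than granting it, so it is not flagged.
    """
    return [line_no for line_no, action, params in parse_acl_rules(text)
            if action == "P" and is_wildcard_only(params)]


if __name__ == "__main__":
    for name, content in (("secinfo", SECINFO), ("reginfo", REGINFO),
                          ("ms_acl_info", MS_ACL_INFO)):
        print(name, "non compliant lines:", noncompliant_lines(content))
```

Run against the extracted files of a managed system, this reports line 2 of each gateway file and line 1 of the message server ACL; the specific permit rules and the closing deny rule pass.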

ABAP_INSTANCE_PAHI



 

The definition covers parameters that are also validated by the Security Optimization Service (SOS). The regular expression for login/ticket_expiration_time means that a value of less than 12 hours is compliant.

GLOBAL

To avoid undesired changes a productive SAP system should be set to 'Not modifiable'. This is checked by the item with the operator 'Not equal' in the Config Store GLOBAL.
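The target system items above are all evaluated with the same handful of operators (Equal, Not equal, Contains, Regex, Not exists, Ignore) and yield Compliance 'Yes', 'No' or 'Item not found'. The following miniature model is an added example, not from the original page or from SAP; it shows how such items are evaluated against the Config Stores of a comparison system. The store and field names PARAMETER/VALUE (ABAP_INSTANCE_PAHI) and URL (SICF_SERVICES) follow the page; the field PASSWORD_STATUS for STANDARD_USERS, the regular expression for login/ticket_expiration_time and the comparison data are my assumptions, not the template's definitions.

```python
# Added example (not from the original page or from SAP): a miniature model of
# how Configuration Validation evaluates target items against a comparison
# system's Config Stores with the operators used on this page.
# Field names beyond PARAMETER/VALUE and URL, the regex and the comparison
# data are assumptions made for the demonstration.
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class TargetItem:
    store: str                # Config Store, e.g. ABAP_INSTANCE_PAHI
    key: tuple                # ((field, value), ...) identifying the item in the store
    operator: str             # Equal | Not equal | Contains | Regex | Not exists | Ignore
    compare_field: str = ""   # field whose content is compared (not used for Not exists)
    value: str = ""           # target value ('Value Low' in Target System Maintenance)


def field_matches(operator, expected, actual):
    """Evaluate one operator against the value found in the comparison system."""
    if operator == "Ignore":
        return True
    if operator == "Equal":
        return actual == expected
    if operator == "Not equal":
        return actual != expected
    if operator == "Contains":            # wildcard pattern; '*' matches anything
        return fnmatchcase(actual, expected)
    if operator == "Regex":
        return re.fullmatch(expected, actual) is not None
    raise ValueError(f"unknown operator {operator!r}")


def validate(target_items, comparison):
    """Return [(store, item key, compliance)] for every target item.

    comparison is {store_name: [record, ...]} with records as {field: value}.
    Compliance is 'Yes', 'No' or 'Item not found'; the latter is what the
    report hides behind its default filter on 'No'.
    """
    results = []
    for item in target_items:
        records = [rec for rec in comparison.get(item.store, [])
                   if all(rec.get(k) == v for k, v in item.key)]
        key_text = " ".join(f"{k}={v}" for k, v in item.key)
        if item.operator == "Not exists":
            compliance = "Yes" if not records else "No"
        elif not records:
            compliance = "Item not found"
        else:
            ok = all(field_matches(item.operator, item.value,
                                   rec.get(item.compare_field, "")) for rec in records)
            compliance = "Yes" if ok else "No"
        results.append((item.store, key_text, compliance))
    return results


def noncompliant_items(target_items, comparison):
    """The view of 0TPL_0SMD_VCA2_NCOMPL_CI_REF: only the rows with Compliance 'No'."""
    return [row for row in validate(target_items, comparison) if row[2] == "No"]


# 'Less than 12 hours' for login/ticket_expiration_time, which accepts hours or
# hours:minutes. My approximation, not the regular expression of the template.
TICKET_LT_12H = r"(0?[0-9]|1[01])(:[0-5][0-9])?"

TARGET_BP_SEC1 = [
    TargetItem("ABAP_INSTANCE_PAHI", (("PARAMETER", "login/ticket_expiration_time"),),
               "Regex", "VALUE", TICKET_LT_12H),
    # value 1 disables the hard-coded emergency user SAP*; item added as an assumption
    TargetItem("ABAP_INSTANCE_PAHI", (("PARAMETER", "login/no_automatic_user_sapstar"),),
               "Equal", "VALUE", "1"),
    TargetItem("SICF_SERVICES", (("URL", "/sap/bc/soap/rfc"),), "Not exists"),
    TargetItem("STANDARD_USERS", (("USER", "SAP*"),), "Not equal", "PASSWORD_STATUS", "DEFAULT"),
]

# Constructed comparison data for one instance of a fictitious system.
COMPARISON_SI7 = {
    "ABAP_INSTANCE_PAHI": [{"PARAMETER": "login/ticket_expiration_time", "VALUE": "60"}],
    "SICF_SERVICES": [{"ICF_NAME": "rfc", "URL": "/sap/bc/soap/rfc"}],
    "STANDARD_USERS": [
        {"CLIENT": "000", "USER": "SAP*", "PASSWORD_STATUS": "CHANGED"},
        {"CLIENT": "001", "USER": "SAP*", "PASSWORD_STATUS": "DEFAULT"},
    ],
}

if __name__ == "__main__":
    for row in validate(TARGET_BP_SEC1, COMPARISON_SI7):
        print(*row, sep=" | ")
```

Note that a client-dependent store such as STANDARD_USERS yields several records for one item key; the item is only compliant if every record (here: every client) satisfies the operator, which is why the single client with a DEFAULT password makes the whole item 'No'.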

Comparison of Security settings

Select your target system and the validation report

Activate the tab strip Report Execution. The report 0TPL_0SMD_VCA2_NCOMPL_CI_REF provides only the non compliant items in the initial result, which is usually the information you are looking for. Enter the target system created before, select 0TPL_0SMD_VCA2_NCOMPL_CI_REF and press 'Start operators validation reporting'.

Reporting

Selection

As reference system the target system BP_SEC1 is used in our example. For 'comparison system' select the system, e.g. SI7. Of course you can validate many more systems. A comparison list (SI7 in the former screen shot) helps to reduce the effort if you need the same systems for comparison more often. You can restrict the run to one of the Config Stores defined in your target system, like ABAP_INSTANCE_PAHI, or, as in our screen shot, not select any Config Store, in which case all Config Stores of the target system are read. Confirm the variable screen with 'Execute'.

Our example shows only the first 30 items of overall 339 items that have the ‘No’ in the column ‘Compliance’.

The screen shot shows two ABAP_INSTANCE_PAHI Config Stores, because there are two instances used.

The ABAP_NOTES validation is a combination of several checks:

  • If the SAP Note is applied, Compliance is 'Yes'.
  • If the SAP Note is not applied and the software component level of the comparison system fits the level requested by the SAP Note, i.e. the SAP Note contains at least one correction instruction that can be applied, Compliance is 'No'.
  • If the SAP Note is not applied and the software component level of the comparison system does not fit, i.e. the SAP Note contains no correction that can be applied because the component does not exist or its level is higher than the one the correction is valid for (the fix is then already contained in the support package), Compliance is 'Yes'.

The details report

The details report, opened from the context menu (right mouse click on the note number) via 'Goto', 'Config.Validation - Items - Validation Details', is displayed in a new window. It helps to understand why the selected SAP Note is not compliant, e.g.:

This screen shot shows that the NOTE 0001387574 was not found, the COMPONENT SAP_BASIS and the RELEASE 702 were found, and the EXTRELEASE 0004 fits the condition <= 4. The note fits but is not applied, which results in Compliance 'No'.
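The three-way ABAP_NOTES decision and the details report above can be written down as a small decision function. The following is an added example, not from the original page or from SAP. The record for note 0001387574 (SAP_BASIS, release 702, EXTRELEASE <= 4) follows the page; the second record for release 701, the comparison systems and the field names are my assumptions.

```python
# Added example (not from the original page or from SAP): the ABAP_NOTES
# compliance decision plus a 'Validation Details'-style explanation.
# The 702 record follows the page; the 701 record, the comparison systems and
# the field names are assumptions made for the demonstration.
from dataclasses import dataclass


@dataclass(frozen=True)
class NoteRecord:
    """One ABAP_NOTES record: a correction instruction of a note for one
    software component and release, valid up to a support package level."""
    note: str              # 10 digits with leading zeros, the key of the store
    component: str         # e.g. SAP_BASIS
    release: str           # e.g. 702
    extrelease_max: int    # correction applies while EXTRELEASE <= this level


@dataclass(frozen=True)
class ComparisonSystem:
    components: dict       # {component: (release, extrelease)}
    note_status: dict      # {note: PRSTATUS}; 'E' = completely implemented


def validation_details(record, system):
    """Return (detail lines, fits) for one ABAP_NOTES record, in the style of
    the details report: which keys were found and whether the level fits."""
    lines = []
    status = system.note_status.get(record.note)
    lines.append(f"NOTE {record.note} " + ("found" if status else "not found"))
    info = system.components.get(record.component)
    if info is None:
        lines.append(f"COMPONENT {record.component} not found")
        return lines, False
    release, extrelease = info
    lines.append(f"COMPONENT {record.component} found")
    if release != record.release:
        lines.append(f"RELEASE {release} does not fit {record.release}")
        return lines, False
    lines.append(f"RELEASE {release} found")
    fits = extrelease <= record.extrelease_max
    lines.append(f"EXTRELEASE {extrelease:04d} "
                 + (f"fits <= {record.extrelease_max}" if fits
                    else f"above {record.extrelease_max}, fix already contained"))
    return lines, fits


def note_compliance(note, records, system):
    """'Yes' if the note is completely implemented; 'No' if some correction of
    the note fits the system but is not applied; 'Yes' if no correction fits
    (component missing or support package level above the correction's range)."""
    if system.note_status.get(note) == "E":
        return "Yes"
    applicable = [rec for rec in records
                  if rec.note == note and validation_details(rec, system)[1]]
    return "No" if applicable else "Yes"


ABAP_NOTES = [
    NoteRecord("0001387574", "SAP_BASIS", "702", 4),
    NoteRecord("0001387574", "SAP_BASIS", "701", 9),   # assumed second release range
]

# Constructed comparison systems.
SI7_BEHIND = ComparisonSystem({"SAP_BASIS": ("702", 4)}, {})                    # fits, not applied
SI7_PATCHED = ComparisonSystem({"SAP_BASIS": ("702", 7)}, {})                   # level above range
SI7_APPLIED = ComparisonSystem({"SAP_BASIS": ("702", 4)}, {"0001387574": "E"})  # implemented
SI7_OTHER = ComparisonSystem({"SAP_ABA": ("702", 4)}, {})                      # component missing

if __name__ == "__main__":
    for name, system in (("behind", SI7_BEHIND), ("patched", SI7_PATCHED),
                         ("applied", SI7_APPLIED), ("other", SI7_OTHER)):
        print(name, note_compliance("0001387574", ABAP_NOTES, system))
    print("\n".join(validation_details(ABAP_NOTES[0], SI7_BEHIND)[0]))
```

A note with PRSTATUS other than 'E' (e.g. only partially implemented) counts as not applied and is evaluated against its correction records like a missing note.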

Filter

Back to the original report. It uses filters and displays all items with Compliance 'No'. However, it is possible that an item was not found in the comparison Config Store. These items are not evaluated as 'No' and are therefore hidden by the initial filter. To display them, use the select filter value dialog and filter on 'Item not found': open the Navigation Block and click on the filter icon next to 'Compliance'.

In the dialog 'Select Filter Value for Compliance' deselect 'No', select 'Item not found' and press 'Transfer'.
In our example some items of the ABAP_INSTANCE_PAHI Config Stores had not been found. Review such items, since a missing item is neither confirmed compliant nor non compliant.
 

Additional Information

Back to the original report. Some of the Config Stores are instance related, some are client related. The information about the instance or the client is not displayed initially. Drill down the characteristics 'Instance' and 'Cf. Item Value Info': expand the Navigation Block, find both in the section Free Characteristics, and you get the instance information for the Config Store ABAP_INSTANCE_PAHI, the note description of the ABAP_NOTES items and the client of the AUTH_PROFILE_USER Config Stores. For the screen shots some columns had been removed.



Display all active SICF services

The report 0TPL_0SMD_VCA2_CITEMS_REF provides all available items in the initial result. Start report execution for the systems e.g. SD7 and SI7 in our example:

In the variable screen enter SICF_SERVICES as Config Store. You can also enter one of the other ConfigStores available in the target system for other topics.

In the result area the key field information of the Config Store is displayed in the column Config.Item:

The items that are not defined in our target system BP_SEC1 are evaluated as 'Additional in Comparison System'.

Display the history / all items of a ConfigStore

You can display the complete content of the Config Store by selecting the CR: Changes (last 28 days) in the ‘Goto’ column of the Configuration Validation report.

This opens the Change Reporting, which will display all items that had been changed the last 28 days.

Deactivate the ‘History filter’ to get all available items displayed.

Items that had been changed after the first extraction will have the history icon.

RFC Hopping

In case an RFC destination contains logon data of a user with critical authorizations (for example the profile SAP_ALL) it leads to the following risks:

  • Privilege escalation
  • User impersonation
  • Bypassing network firewalls
  • Hopping through the whole system landscape (e.g. jumping to a central system like the Solution Manager)

To avoid these risks it is necessary to identify critical RFC destinations across systems and also to monitor RFC destinations pointing to critical systems.

Store RFCDES_TYPE_3_CHECK

The store RFCDES_TYPE_3_CHECK is derived from the store RFCDES_TYPE_3, which contains the definitions of all RFC destinations of type 3 (ABAP connections). RFCDES_TYPE_3 is read and for each RFC destination the target system (host, system ID), i.e. the technical ABAP system, is looked up. After the target system is found, the store AUTH_PROFILE_USER of this target system is checked for the authorizations assigned to the user saved in the RFC destination.

If the destination user is found there, the destination is evaluated as critical and the value 'CRITICAL_USER_PROFILE' is stored.

If the user is not found: 'OK_USER_NOT_IN_PROFILE_STORE'.

If no user and/or no password is stored in the destination it is evaluated as OK, independent of whether the target system (host etc.) has been found: 'OK_NO_USER_OR_PW_IN_RFCDEST'. Additionally the target system is stored.

Target System to find all critical RFC Destinations

Create a target system containing only the store RFCDES_TYPE_3_CHECK. The content of this store needs to be reduced to a single line. To define the pattern for finding all RFC destinations with critical status use the following configuration:

  • Set the operator 'Contains' and the value '*' for the field RFCDEST.
  • Set the operator 'Not equal' with the value 'CRITICAL_USER_PROFILE' for the field CV_USER_PROFILE_RESULT.
  • Set the operator 'Ignore' for all other fields.

With this definition every destination whose check result is CRITICAL_USER_PROFILE violates the 'Not equal' condition and appears as non compliant.

Critical RFC Destinations – Report Output

The report 0TPL_0SMD_VCA2_NCOMPL_CI_REF shows all RFC destinations with critical status. Which authorizations count as critical can be customized via the AUTH_PROFILE_USER store (by default users with the profile SAP_ALL are checked).

Please select the reference system, the validation report, leave the checkbox “Suppress query popup” unmarked and start the validation report.

The popup variable screen is displayed. Provide '*' in the field Comparison Systems and execute the report.

All the RFC Destinations which include login data for the users with the critical authorizations are displayed.

To display details on validation please select via right mouse click Goto - Config. Validation Details

The validation details are displayed. In the column 'Comparison Value' you find all details of the critical RFC destination. In our example the RFC destination PMIB4X001, defined in the system B4X, stores the user PIRWBUSER and its password in the logon data. This user has the profile SAP_ALL assigned in the system B4X.

Target System to find all RFC Destinations pointing to a critical System

Create a target system containing only the store RFCDES_TYPE_3_CHECK. The content of this store needs to be reduced to a single line. To define the pattern for finding all RFC destinations pointing to a critical system use the following configuration:

  • Set the operator 'Contains' and the value '*' for the field RFCDEST.
  • Set the operator '=' with the value of the critical system for the field CV_CONFIG_DEST_LONG_SID.
  • Set the operator 'Ignore' for all other fields.
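The classification performed by RFCDES_TYPE_3_CHECK and the two target system patterns (critical destinations; destinations pointing to a critical system) can be reproduced outside the Solution Manager, which is useful for cross-checking the report or for evaluating extracted RFCDES data. The following is an added example, not from the original page or from SAP. The destination PMIB4X001, the user PIRWBUSER and the system B4X are taken from the page's example; the landscape around them (host names, system numbers, the long SID format '<SID>~ABAP') and the result text for a destination whose target cannot be resolved are my assumptions.

```python
# Added example (not from the original page or from SAP): the classification
# done by the store RFCDES_TYPE_3_CHECK, followed by the two target system
# patterns described on the page. Host names, system numbers, the long SID
# format and the TARGET_SYSTEM_NOT_FOUND text are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class RfcDestination:
    """One RFCDES_TYPE_3 record (ABAP connection) as stored in a source system."""
    rfcdest: str
    source_sid: str
    target_host: str
    target_sysnr: str
    user: str = ""
    password_stored: bool = False


# Landscape lookup (host, system number) -> long SID of the technical ABAP system.
TECHNICAL_SYSTEMS = {
    ("b4xci.example.corp", "00"): "B4X~ABAP",
    ("si7ci.example.corp", "10"): "SI7~ABAP",
}

# AUTH_PROFILE_USER content per system: users holding the profile SAP_ALL.
AUTH_PROFILE_USER = {
    "B4X~ABAP": {"PIRWBUSER", "DDIC"},
    "SI7~ABAP": {"DDIC"},
}


def check_destination(dest, systems=TECHNICAL_SYSTEMS, profile_users=AUTH_PROFILE_USER):
    """Return (CV_USER_PROFILE_RESULT, CV_CONFIG_DEST_LONG_SID) for one destination."""
    target = systems.get((dest.target_host, dest.target_sysnr))
    if not dest.user or not dest.password_stored:
        # No usable logon data: OK regardless of whether the target was resolved.
        return "OK_NO_USER_OR_PW_IN_RFCDEST", target
    if target is None:
        # Case not described on the page; assumed result text for an unresolved target.
        return "TARGET_SYSTEM_NOT_FOUND", None
    if dest.user in profile_users.get(target, set()):
        return "CRITICAL_USER_PROFILE", target
    return "OK_USER_NOT_IN_PROFILE_STORE", target


def critical_destinations(dests):
    """Target system 1: RFCDEST Contains '*', CV_USER_PROFILE_RESULT Not equal
    CRITICAL_USER_PROFILE. Destinations violating it are the non compliant rows."""
    return [d.rfcdest for d in dests if check_destination(d)[0] == "CRITICAL_USER_PROFILE"]


def destinations_pointing_to(dests, long_sid):
    """Target system 2: CV_CONFIG_DEST_LONG_SID = <critical system>. Matching
    destinations are the compliant ('Yes') rows of 0TPL_0SMD_VCA2_CITEMS_REF."""
    return [d.rfcdest for d in dests if check_destination(d)[1] == long_sid]


# Constructed RFCDES_TYPE_3 content of a fictitious source system SD7.
RFCDES_SD7 = [
    RfcDestination("PMIB4X001", "SD7", "b4xci.example.corp", "00", "PIRWBUSER", True),
    RfcDestination("B4X_READ", "SD7", "b4xci.example.corp", "00", "RFC_READ", True),
    RfcDestination("SI7_TRUSTED", "SD7", "si7ci.example.corp", "10"),   # no logon data stored
    RfcDestination("SI7_DDIC", "SD7", "si7ci.example.corp", "10", "DDIC", True),
    RfcDestination("OLD_HOST", "SD7", "decommissioned.example.corp", "00", "BATCH", True),
]

if __name__ == "__main__":
    for d in RFCDES_SD7:
        print(d.rfcdest, *check_destination(d))
    print("critical:", critical_destinations(RFCDES_SD7))
    print("pointing to B4X:", destinations_pointing_to(RFCDES_SD7, "B4X~ABAP"))
```

The destination OLD_HOST illustrates a case the store definition leaves open: a stored user and password whose target is not part of the landscape cannot be checked against any AUTH_PROFILE_USER store, so it deserves a manual look rather than being counted as OK.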

RFC Destinations pointing to a critical System – Report Output

The report 0TPL_0SMD_VCA2_CITEMS_REF displays both compliant and non compliant items.

Please select the reference system, the validation report, leave the checkbox “Suppress query popup” unmarked and start the validation report.

The popup variable screen is displayed. Provide '*' in the field Comparison Systems and execute the report.

The validation results for all RFC destinations are displayed. To show only the RFC destinations matching the pattern defined in the target system, right-click in the column 'Compliance'.

The popup for the filter selection is displayed

Select filter value “Yes” for column “Compliance” to display only the RFC Destinations pointing to the critical system.

 

This page is part of the Application Operations Wiki. Notice that Application Operations itself is a use-case of SAP Solution Manager
