Symptom
The SAP EarlyWatch Alert report contains selected checks about "Security". These checks are described in this note.
Other terms
EarlyWatch Alert, EWA, security, RSECNOTE
Reason and Prerequisites
The checks were first delivered with the SAP Solution Manager Plug-In ST-SER 620_2005_1 and they have been revised several times since then.
Solution
As of Support Package 3 of the SAP Solution Manager Plug-Ins ST-SER 701_2008_2, the "Security" unit in the SAP EarlyWatch Alert report refers to the following structure:
The individual checks are described here:
More than 10% of the users (but at least 10) of a client have the checked authorization.
A table consisting of the columns "Client", "No. of Users Having This Authorization", "No. of Valid Users" and "Rating" displays the determined results.
The "Client" column specifies the clients to be checked. The "No. of Valid Users" column displays how many valid users have the authorization to be checked. The "No. of Valid Users" column displays all valid users of the checked clients. Valid users are those that are neither locked nor invalid due to a time limit.
The highest valuation of one of the checks mentioned previously determines the overall valuation of the unit "Security" in the SAP EarlyWatch Alert report.
The SAP EarlyWatch Alert report contains selected checks about "Security". These checks are described in this note.
Other terms
EarlyWatch Alert, EWA, security, RSECNOTE
Reason and Prerequisites
The checks were first delivered with the SAP Solution Manager Plug-In ST-SER 620_2005_1 and they have been revised several times since then.
Solution
As of Support Package 3 of the SAP Solution Manager Plug-Ins ST-SER 701_2008_2, the "Security" unit in the SAP EarlyWatch Alert report refers to the following structure:
- 1. "Security-related SAP Notes"
- 2. "Users with Critical Authorization"
- a) "Users Authorized to Display all Tables"
- b) "Users Authorized to start all Reports"
- c) "Users Authorized to Debug / Replace"
- d) "Users Authorized to Display Other Users Spool Request"
- e) "Users Authorized to Administer RFC Connections"
- f) "Users Authorized to Reset/Change User Passwords"
- 3. "Default Passwords of Standard Users"
The individual checks are described here:
- "Security-related SAP Notes"
- In this section, a check will determine whether or not selected and required security-relevant notes or HotNews have been implemented in the system.
- A note or a HotNews is no longer required if your system release or Support Package level already contains the correction.
- If the check determines that required security-relevant notes or HotNews have not been implemented, you will be informed of this by an overall status in the SAP EarlyWatch Alert report. The unit receives a "yellow" rating if at least one security-relevant SAP note needs to be implemented. The rating is "red" if at least one security-relevant HotNews needs to be implemented. In both cases, a relevant alarm message is entered in unit 1. "Service Summary" in the SAP EarlyWatch Alert report.
- An administrator uses the tool RSECNOTE to create the detailed evaluation of the required security-relevant notes or Hot News in the system to be analyzed.
You can use this tool to manually accept recommendations for notes or HotNews. The number of recommendations accepted manually is reported in the SAP EarlyWatch Alert report.
If the tool RSECNOTE and the check routines contained inside it do not yet exist in the system to be analyzed, the SAP EarlyWatch Alert report informs you of this. The correction instructions that you can use to create this tool and the documentation for the tool are contained in Note 888889.
- If the tool RSECNOTE and the check routines contained inside it do not yet exist in the system to be analyzed, only Notes 1167258, 1168813, 1298160 and 1304803 are checked to see whether they are required and need to be implemented.
- The quantity of checked notes or HotNews is managed online by SAP. During a check, a system loads the list automatically using the service connection to SAPNet once a day. You can also use the tool RSECNOTE to update the list manually.
- You can use the Note Assistant (transaction SNOTE) to implement the correction instructions. You can find additional information about the Note Assistant on the SAP Service Marketplace under the alias /NOTE-ASSISTENT (https://service.sap.com/note-assistant).
- There is an overview of security-relevant notes or HotNews on the SAP Service Marketplace under the alias /SECURITYNOTES (https://service.sap.com/securitynotes). You can find out which security-relevant notes and HotNews are checked for this EarlyWatch Alert section from the tables on the Sap Service Marketplace and the list of related notes for Note 888889.
- "Users with Critical Authorization"
- The checks in this section analyze how extensive critical authorizations are assigned in the system. Here, examples of critical authorizations from the areas "System administration", "User management" and "Access to sensitive data" are checked.
- However, a complete security analysis of the system is not carried out. If you want to carry out an extensive and configurable analysis, carry out the security optimization self-service. You can find more information about this on the SAP Service Marketplace under the alias /SOS (https://service.sap.com/sos).
- The check is considered critical if several users in one client have the respective checked authorization.
- Critical applies if:
More than 10% of the users (but at least 10) of a client have the checked authorization.
- If a maximum of 10 users have the authorization, the check is rated as uncritical.
- If, in at least one client (except 000 and 066), the check is estimated as critical, the check receives a "yellow" rating. A "red" rating is usually not assigned.
- Setting up the report for the checks:
A table consisting of the columns "Client", "No. of Users Having This Authorization", "No. of Valid Users" and "Rating" displays the determined results.
The "Client" column specifies the clients to be checked. The "No. of Valid Users" column displays how many valid users have the authorization to be checked. The "No. of Valid Users" column displays all valid users of the checked clients. Valid users are those that are neither locked nor invalid due to a time limit.
- "Default Passwords of Standard Users"
- A check determines whether the standard passwords of the standard users SAP*, DDIC, SAPCPIC and EARLYWATCH have been changed in all clients and whether the user SAP* has not been created in one of the clients.
- You can use the report RSUSR003 to display the results of this check in detail.
- You can find additional information in the unit "Protecting Standard Users" (http://help.sap.com/saphelp_nw70/helpdata/EN/3e/cdaccbedc411d3a6510000e835363f/frameset.htm) in the "SAP NetWeaver Application Server Security Guide".
- The check is considered critical and receives a "yellow" rating if, for at least one standard user, the standard password has not been changed or the user SAP* no longer exists in a client.
The highest valuation of one of the checks mentioned previously determines the overall valuation of the unit "Security" in the SAP EarlyWatch Alert report.
Affected Releases
|
Correction delivered in Support Package
|
No comments:
Post a Comment