This document has been designed for conducting health checking activities on the SAP Application platform, as defined within ITCS104 v9.1 Chapter 2.2.28.
Further contacts and information: For clarification of questions or any further information relating to this checklist, please send an email to the uksechc@uk.ibm.com taskid.
Owner & Administrators: IBM Security
Instructions: Please ensure that you fill in ALL questions on tabs that are relevant to devices for the month's health check.
Author
Name Clive Gabel
Revision History
Version Number / Revision Date / Author: Description
v5.1 / 8-Feb-08
v6.0 / 1-Aug-08 / Clive Gabel: Updated as per ITCS104 v6.0 dated 15/07/2008: 1.1: Updated DB2 Replication for AIX Operating System Userids; Updated CommonStore userid to match current practices; Removed db2as since it is only used in DB2 V7 or below; 2.1: reusable passwords - wait times and history size changes added; removed need for login/min_password_specials parm; 5.2: AIX provider of service shared userids - removed the use of SU (ITCS104 new requirements); updated CommonStore's userid to match current practices; total review and updates to SAP security administrative and system administrative authorization objects and values (including values that are prohibited due to the authorization sensitivity - see Tables tab); 6: Corrected parm names; allowed values to give latitude for project-specific growth and specified applicable SAP Releases; updated to allow rec/client parm options and now only required logging for production environment; Corrected SM19 system settings per SAP Release; 7.1: Removed requirement/row to "Verify that only approved users are included in the access lists of OSRs beyond that allowed to general users".
v6.1 / 9-Apr-09 / Nick Saxon: Updated as per ITCS104 v6.1 dated 28/02/2009: Sect 1.1 Added clarification statements surrounding Shared SAP application userids and Application owner SAP application userids for emergency use. System Clients - Allow for multiple production clients; the production client number may be other than 100. Allowed project latitude for the System profile parameter setting of parm login/no_automatic_user_sapstar in non-production systems. Removed zOS/TSO operating system userid entry due to it being covered under the zOS, OS390 and MVS Platforms Tech Spec (ITCS104 Chp. 2.1.8). Removed MS Windows operating system userid entry due to it being covered under the Microsoft Windows 2000 Servers Tech Spec (ITCS104 Chp. 2.1.3). Sect 5.2 Added clarification statements on the security administrative and system administrative authorization objects & values matrix related to "prohibited" and "allowed". Corrected an oversight for AIX provider of service shared userids SAPR3, SAP<sid> and SAP<sid>DB to allow the necessary DB2 connection for the SAP kernel to be able to start. Sect 6 Added new RECCLIENT system parm to enable logging of table changes made from imported or transported entries to production. Updated Activity auditing system settings for the different SAP release levels.
v7 / 8-Sep-09 / Nick Saxon: Updated as per ITCS104 v7 dated 15/07/2009: Sect 5.1 - Added clarification to SAP Release for applicable operating system resource AIX settings.
v7.1 / 15-Mar-10 / Nick Saxon: Updated as per ITCS104 v7.1 dated 31/01/2010: Sect 1.1 - For CPIC or Communication userids, added clarification on passwords that are contained in a file. (Q.11) Sect 5.2 - For the EarlyWatch Userid added new native SAP authorization profile and clarifications on System Administrative authorization objects. (Q166)
v8.0 / 8-Sep-10 / Nick Saxon: Updated to reflect changes in ITCS104 v8.0: Sect 5.2 - Updated AIX provider of service shared userids for the DB2<sid> parameters to align with SAP's recommendation. (Q172-173) Sect 5.2 - System and security administrative authority under SAP security administrative and system administrative authorization objects & values added S_SDCC_ADD and S_SDCC_DAT (Security Admin 5.2 - tab) Sect 5.6 - Added new sub-section 5.6.1 Security, integrity APAR, advisory process for SAP environments requirements to specify SAP application specifics for ITCS104 chapter 3 section 3.5.3 Security advisory patch management. (see Apar 5.6.1 - tab) Sect 6 - Activity auditing - added the ability for multiple file system names under the DIR_AUDIT and rsau/local/file parameters. (Q220 & 227)
v8.2 / 8-Jul-11 / Adam Kasprzak: Updated to reflect changes in ITCS104 v8.2: * Sect 1.1 - Updated the use of Reference Userids. * Sect 3.1 - Corrected a link URL.
v9.0 / 11-Oct-11 / Adam Kasprzak: Updated to reflect changes in ITCS104 v9.0: * Sect 7.1 - Change "P" to "P or Any Internet Reachable" * Added four new controls to 5.1 Operating system resources for SECAUDIT log directory * Update 1.1 Userids definition of Reference
v9.1 / 13-Apr-12 / Adam Kasprzak: Updated version number only to reflect ITCS104 v9.1. There are no changes from ITCS104 v9.0.
Approvals
Name: pattabiraman veeramony
Title:
Role: IGA-INDIA SAP BASIS-Team Leader
Date Approved:
INSTRUCTIONS:
If the server value is NOT COMPLIANT with the value specified in the question (i.e. the answer is NO or N/A), you MUST enter the actual server setting or a comment to explain why the question is not applicable.
Machine Name/Identifier: FMC
Date Checked: 20/06/2012
Q1 (1.1 Userids): The userid owner's 6 character employee serial number and 3 character personnel system code must be present in the Account No. field. Note: Applies to all types listed below: 1. Dialog 2. BDC / Background / System 3. CPIC / Communication 4. Service 5. Reference. Is this the case? Answer: YES. Comments: Nil.
Q2 (1.1 Userids): Sponsored userids must have * at the beginning of the userid owner's 6 character employee serial number and 3 character personnel system code. Note: Applies to all types listed below: 1. Dialog 2. BDC / Background / System 3. CPIC / Communication 4. Service 5. Reference. Is this the case? Answer: YES.
Q3 (1.1 Userids): No SAP native profiles/roles can be assigned to any userid in production except for the exceptions noted within this table or the userid table in section 5.2 (see Tables control tab). Note: Applies to all types listed below: 1. Dialog 2. BDC / Background / System 3. CPIC / Communication 4. Service 5. Reference. Is this the case? Answer: YES.
Q4 (1.1 Userids): Interactive dialog: Sponsored userids on a Production system must have the full name of the employee who will be using the userid. Is this the case? Answer: YES.
Q5 (1.1 Userids): BDC / Background / System: Non-loggable (used for running jobs, system operations such as ALE, workflow, batch jobs, etc.): Userid is allowed to have a non-expiring password. Is this the case? Answer: YES.
Q6 (1.1 Userids): BDC / Background / System: Non-loggable (used for running jobs, system operations such as ALE, workflow, batch jobs, etc.): Expired or initial passwords are not checked. Is this the case? Answer: YES.
Q7 (1.1 Userids): CPIC / Communication: Non-loggable (used for system to system communication): Userid is allowed to have a non-expiring password. Is this the case? Answer: YES.
Q8 (1.1 Userids): CPIC / Communication: Non-loggable (used for system to system communication): Expired or initial passwords are not checked. Is this the case? Answer: YES.
Q9 (1.1 Userids): CPIC / Communication: Non-loggable (used for system to system communication): Password on a Production userid must be different from the password for the same userid on all non-production systems in the landscape. Is this the case? Answer: YES.
Q10 (1.1 Userids): CPIC / Communication: Non-loggable (used for system to system communication): Password on a test userid on test clients may be the same, but the password must be different from the Production userid and any other non-Test systems/clients. Is this the case? Answer: YES.
Q11 (1.1 Userids): CPIC / Communication: Non-loggable (used for system to system communication): If the password of this userid is contained in a file(s) at the operating system level then the location of that file(s) needs to be documented and the permissions of the file(s) need to be set to 700 (i.e. permissions for read/write/execute are for the owning id of the file(s) only). Is this the case? Answer: YES.
Q12 (1.1 Userids): Service (4.6C and higher): Service IDs should generally not be used since they are not compliant with ITCS104 and adequate protections are not available in SAP to minimize the risk of users logging on to the IDs. However, if service IDs are absolutely necessary, the following three conditions must be met: 1. The ID must be set up with read only access. 2. The BPO must document the mitigating controls to ensure the IDs are not misused. 3. The SAP technical specification owner must approve the use of the service IDs. Is this the case? Answer: N/A.
Q13 (1.1 Userids): Reference: Non-person user that allows for the assignment of identical users such as internet users (used for CRM and SRM systems). A Reference ID cannot directly log on to the system. 1. Userid is allowed to have a non-expiring password. 2. Expired or initial passwords are not checked. 3. All reference userids must be assigned to secure user group REFID<xx>. 4. Access to update userids in secure user group(s) is prohibited, except through a defined and controlled emergency process. Is this the case? Answer: N/A.
Q14 (1.1 Userids): The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access: SAPCPIC: Userid type is CPIC or Communication. Is this the case? Answer: YES.
Q15-Q16 (1.1 Userids; Shared SAP application userids - Provider of service SAP application userids): The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access:
Q15: SAPCPIC: Profile S_A.CPIC must be assigned. Is this the case? Answer: YES.
Q16: <provider of service defined. SAPLOOK is often used> (used by BTS or SAP when performing problem analysis): Userid type is dialog. Is this the case? Answer: YES.
Q17-Q20 (1.1 Userids): The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access:
Q17: <provider of service defined. SAPLOOK is often used> (used by BTS or SAP when performing problem analysis): Userid is locked or set to have the validity date in the past when not in use. Is this the case? Answer: YES.
Q18: <provider of service defined. SAPLOOK is often used> (used by BTS or SAP when performing problem analysis): SAP native roles/profiles can be assigned with the exception of SAP_ALL and/or SAP_NEW and/or equivalent. Is this the case? Answer: YES.
Q19: <provider of service defined. CSTORE is often used>: Userid type is CPIC or Communication. Is this the case? Answer: YES.
Q20: <provider of service defined. CSTORE is often used>: Profile Z9_CSTORE or equivalent must be assigned. Is this the case? Answer: YES.
Q21-Q24 (1.1 Userids): The following ids may be required for the operation of SAP. The Application Owner must define and document the controls surrounding approvals, issuance, audit trails, and usage of these ids. Individual accountability must be maintained for dialog ids:
Q21: <Customer defined> Dialog ID for emergency use (May be stand-alone emergency access ID or existing end-user ID): Userid type is dialog. Is this the case? Answer: YES.
Q22: <Customer defined> Dialog ID for emergency use (May be stand-alone emergency access ID or existing end-user ID): SAP native roles/profiles can be assigned with the exception of SAP_ALL and/or SAP_NEW and/or equivalent. Is this the case? Answer: YES.
Q23: <Customer defined> Dialog ID for emergency use (May be stand-alone emergency access ID or existing end-user ID): The use of prohibited system administrative authorization objects specified in section 5.2 may be necessary or required for emergency access. Is this the case? Answer: YES.
Q24: <Customer defined> Dialog ID for emergency use (May be stand-alone emergency access ID or existing end-user ID): If stand-alone emergency access IDs are used: the userid must be locked (or controlled by the validity date) when not in use, and relocked when access is complete; the password must be changed after each use. Is this the case? Answer: YES.
Q25 (1.1 Userids): The following ids may be required for the operation of SAP. The Application Owner must define and document the controls surrounding approvals, issuance, audit trails, and usage of these ids. Individual accountability must be maintained for dialog ids: <Customer defined> Dialog ID for emergency use (May be stand-alone emergency access ID or existing end-user ID): If an existing end-user id is used, roles/profiles must be added prior to use and removed when access is complete. Is this the case? Answer: YES.
Q26 (1.1 Userids; Shared SAP application userids - Application owner SAP non-dialog operational userids): The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids: <Customer defined> (Used for running batch jobs): Userid type is Background or BDC or System. Is this the case? Answer: YES.
Q27-Q28 (1.1 Userids; Shared SAP application userids - Application owner SAP non-dialog operational userids): The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids:
Q27: <Customer defined> (Used for running batch jobs): Userid must not have SAP_ALL and/or SAP_NEW and/or equivalent assigned. Is this the case? Answer: YES.
Q28: <Customer defined> (Used for running batch jobs): Only access required per job description is allowed. Is this the case? Answer: YES.
Q29-Q30 (1.1 Userids; Shared SAP application userids - Application owner SAP non-dialog operational userids): The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids:
Q29: WF-BATCH (Workflow Batch ID): Userid type is Background or BDC or System. Is this the case? Answer: YES.
Q30: WF-BATCH (Workflow Batch ID): Only access required per job description is allowed. Is this the case? Answer: YES.
Q31-Q32 (1.1 Userids; Shared SAP application userids - Application owner SAP non-dialog operational userids): The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids:
Q31: WF-BATCH (Workflow Batch ID): Userid must not have SAP_ALL and/or SAP_NEW and/or equivalent assigned. Is this the case? Answer: YES.
Q32: <Customer defined> (Communication ID): Userid type is CPIC or Communication. Is this the case? Answer: YES.
Q33 (1.1 Userids; Shared SAP application userids - Application owner SAP non-dialog operational userids): The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids: <Customer defined> (Communication ID): Only access required per job description is allowed. Is this the case? Answer: YES.
Q34 (1.1 Userids; Shared SAP application userids - Application owner SAP non-dialog operational userids): The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids: <Customer defined> (Communication ID): Userid must not have SAP_ALL and/or SAP_NEW and/or equivalent assigned. Is this the case? Answer: YES.
Q35 (1.1 Userids; Shared SAP application userids - Application owner SAP application test userids): The following ids may be used to test SAP access. The Application Owner must define the controls surrounding use of these userids: <Customer defined> (Used for testing project defined roles or profiles): Must not exist on production client. Note: see section 5.2 for information on shared privileged SAP userids. Is this the case? Answer: YES.
Q36-Q37 (1.1 Userids; Shared SAP application userids - Application owner SAP application test userids): The following ids may be used to test SAP access. The Application Owner must define the controls surrounding use of these userids:
Q36: <Customer defined> (Used for testing project defined roles or profiles): Production role(s)/profile(s) will be assigned to an id. Note: see section 5.2 for information on shared privileged SAP userids. Is this the case? Answer: YES.
Q37: <Customer defined> (Used for testing project defined roles or profiles): Passwords may be shared. Note: see section 5.2 for information on shared privileged SAP userids. Is this the case? Answer: YES.
Q38 (1.1 Userids; Shared SAP application userids - Application owner SAP application test userids): The following ids may be used to test SAP access. The Application Owner must define the controls surrounding use of these userids: <Customer defined> (Used for testing project defined roles or profiles): Individual accountability does not have to be maintained. Note: see section 5.2 for information on shared privileged SAP userids. Is this the case? Answer: YES.
Q39 (1.1 Userids; Operating system userids - AIX): Must be limited to approved systems and application support personnel. Note: see section 5.2 for information on shared privileged operating system userids. Is this the case? Answer: YES.
Q40 (1.1 Userids; Operating system userids - AIX): No DB2 users except db2<sid>, <sid>adm, or DB2 Replication userids. Note: see section 5.2 for information on shared privileged operating system userids. Is this the case? Answer: N/A.
Q41-Q44 (1.1 Userids; Operating system userids - AIX): If DB2 replication is used, the following rules must apply:
Q41: 1. The gecos field in the /etc/passwd file must be updated to include a description of the purpose of the id (without removing or modifying any existing data in the field). Is this the case? Answer: N/A.
Q42: 2. Userids using only the Capture process must be limited to DBADM auth. Is this the case? Answer: N/A.
Q43: 3. Userids using only the Apply process must be limited to only having SELECT access to the SAPR3 or SAP<sid> table schemas. Is this the case? Answer: N/A.
Q44: 4. The same userid using both Capture and Apply processes must be limited to DBADM auth. Is this the case? Answer: N/A.
Q45 (1.1 Userids; Operating system userids - AIX): The DB2 Replication Capture userid must not update any tables in the SAPR3 or SAP<sid> table schemas. Note: see section 5.2 for information on shared privileged operating system userids. Is this the case? Answer: N/A.
Q46 (1.1 Userids): DB2 Replication (Capture and/or Apply process): DB2I ID: rlogin=false. Is this the case? Answer: N/A.
Q47 (1.1 Userids): DB2 Replication (Capture and/or Apply process): DB2I ID: login=false. Is this the case? Answer: N/A.
Q48 (1.1 Userids; System clients): Client 000 (SAP Reference client): must exist on system. Applicable system types: S,D,C,E,R,P. Is this the case? Answer: YES.
Q49 (1.1 Userids; System clients): Client 001 (SAP sample client): must exist on system. Applicable system types: S,D,C,E,R,P. Is this the case? Answer: YES.
Q50 (1.1 Userids; System clients): Client 066 (EarlyWatch client): must exist on system. Applicable system types: S,D,C,E,R,P. Is this the case? Answer: YES.
Q51 (1.1 Userids; System clients): Production client <other>: must exist on system. Applicable system types: P. Is this the case? Answer: N/A.
Q52 (1.1 Userids; System clients): Production client <other>: Client number defined as required by project. Applicable system types: P. Is this the case? Answer: N/A.
Q53-Q56 (1.1 Userids; System clients / System profile):
Client <other>: must be defined as required by project. Applicable system types: S,D,C,E,R. Is this the case? Answer: YES.
login/no_automatic_user_sapstar: must be set optional 0 or 1. Applicable system types: S,D,C,E,R (if 0, must have control surrounding SAP* userid to ensure it's not deleted). Is this the case? Answer: YES.
Quarterly employment verification checks must be done on all clients. Applicable system types: S,D,C,E,R,P. Is this the case? Answer: YES.
login/min_password_lng: must be set to 8. Applicable system types: S,D,C,E,R,P. Is this the case? Answer: YES.
Q57 (System profile): login/password_expiration_time: must be set to 90. Applicable system types: S,D,C,E,R,P. Is this the case? Answer: YES.
Q58 (System profile): login/min_password_diff: must be set to 1. Applicable system types: S,D,C,E,R,P. Is this the case? Answer: YES.
Q59 (System profile): For SAP 4.7 and higher: login/min_password_digits must be set to 1. Applicable system types: S,D,C,E,R,P. Is this the case? Answer: NA.
Q60 (System profile): For SAP 4.7 and higher: login/min_password_letters must be set to 1. Applicable system types: S,D,C,E,R,P. Is this the case? Answer: NA.
Q61 (System profile): For Basis 7.0 and ECC 6.0, and higher: login/password_change_waittime must be set to 1. Applicable system types: S,D,C,E,R,P. Is this the case? Answer: NA.
Q62 (System profile): For Basis 7.0 and ECC 6.0, and higher: login/password_history_size must be set to 8. Applicable system types: S,D,C,E,R,P. Is this the case? Answer: NA.
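As an added example (not part of the checklist or of ITCS104), the following Python script evaluates the login/* System profile rows above the way the sheet is filled in, answering YES, NO or N/A per parameter. It assumes a DEFAULT.PFL-style profile with one `name = value` per line, that the release passed in is the Basis release (ECC 6.0 runs on Basis 7.0), and the sample profile is constructed.

```python
"""Check login/* profile parameters against the health check values.

Added example, not part of the checklist. Reads a DEFAULT.PFL-style
profile (one "name = value" per line, '#' starts a comment) and answers
each control YES / NO / N/A, the same way the sheet is filled in.
"""
import re

# (parameter, allowed values, minimum Basis release the control applies to)
# 4.7+ for digits/letters and 7.0+ for waittime/history follow the sheet;
# (0, 0) means the control applies to every release.
REQUIRED = [
    ("login/min_password_lng",         {"8"},  (0, 0)),
    ("login/password_expiration_time", {"90"}, (0, 0)),
    ("login/min_password_diff",        {"1"},  (0, 0)),
    ("login/min_password_digits",      {"1"},  (4, 7)),
    ("login/min_password_letters",     {"1"},  (4, 7)),
    ("login/password_change_waittime", {"1"},  (7, 0)),
    ("login/password_history_size",    {"8"},  (7, 0)),
]

# Constructed sample profile fragment (not taken from a real system).
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = PRD
login/min_password_lng = 8
login/password_expiration_time = 90
login/min_password_diff = 1
login/min_password_digits = 1
login/min_password_letters = 0    # below the required value
login/password_history_size = 5   # below the required value
login/no_automatic_user_sapstar = 1
"""


def parse_profile(text):
    """Return {name: value}; a later line for the same name overrides an earlier one."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def parse_release(release):
    """'4.6C' -> (4, 6), '7.0' -> (7, 0); trailing letters are ignored."""
    match = re.match(r"\s*(\d+)\.(\d+)", release)
    if not match:
        raise ValueError(f"unrecognised SAP release: {release!r}")
    return int(match.group(1)), int(match.group(2))


def check_profile(text, release, production):
    """Evaluate every control. Returns {parameter: (answer, actual_value)}."""
    params = parse_profile(text)
    rel = parse_release(release)
    results = {}
    for name, allowed, min_release in REQUIRED:
        actual = params.get(name)            # None when the parameter is not set
        if rel < min_release:
            results[name] = ("N/A", actual)  # control does not apply to this release
        elif actual in allowed:
            results[name] = ("YES", actual)
        else:
            results[name] = ("NO", actual)   # the sheet wants the actual value recorded
    # login/no_automatic_user_sapstar applies to S,D,C,E,R systems only and may
    # be 0 or 1; the sheet notes that 0 needs a control protecting the SAP* userid.
    name = "login/no_automatic_user_sapstar"
    actual = params.get(name)
    if production:
        results[name] = ("N/A", actual)
    elif actual in {"0", "1"}:
        results[name] = ("YES", actual)
    else:
        results[name] = ("NO", actual)
    return results


if __name__ == "__main__":
    report = check_profile(SAMPLE_PROFILE, "7.0", production=True)
    for param, (answer, value) in report.items():
        print(f"{answer:4} {param} = {value}")
```

Run it against the real profile text with the system's Basis release and type; a NO with value None means the parameter is not set at all, which the sheet requires you to record as the actual server setting.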
Business Use Notice must be implemented. SAP release 4.5 and lower: Go to transaction SE80 => Repository Information System => Program Library => Program Sub-Object => Screen; enter the program name (SAPMSYST) and the screen number (0020). SAP release 4.6 and higher: See SAP OSS note 205487 for instructions. The following notification (or equivalent statements, with concurrence of IBM counsel) must be presented to people logging onto IBM systems during the identification and authentication process if the IBM system is running an operating system that can provide such a notification: "IBM's internal systems must only be used for conducting IBM's business or for purposes authorized by IBM management". Is this the case?
YES
YES
Q66 (4.1 Encryption; Storage), two checks:
For all SAP systems (non-production and production) that do not contain SPI, PI, or are not subject to export control restrictions/prohibitions, the following text is required: "Unless previously authorized, this system must not include information that is subject to export control restrictions/prohibitions, Sensitive Personal Information (SPI) or Personal Information (PI). Refer to: Privacy and Data Protection (hyperlink in commentary cell) for detailed requirements." Is this the case? Answer: YES.
Native SAP Credit Card Encryption must be used. As of 2007, SAP only supports encryption of passwords and credit card numbers. Password encryption is standard SAP functionality. Is this the case? Answer: YES.
Q67 (4.1 Encryption; Storage): In order to implement encryption of credit card numbers, the following OSS notes must be evaluated and implemented if applicable: Release independent OSS notes: 455033, 690999, 894022, 1042745, 1034482. Core OSS notes for encryption on a 4.6C system: 633462, 662340, 766703, 813198, 827347, 836079. Other OSS notes for consideration for a 4.6C system: 663593, 738459, 790161, 791178, 812658, 840392, 858295, 874594, 978358. Note: This list is the minimum list of OSS notes to be reviewed for a 4.6C system. OSS should be searched for other releases and for other notes which may apply to functions in use for each SAP System. Is this the case? Answer: YES.
5.1 Operating system resources, AIX settings: SUDO access list file /etc/sudoers:
Owner is root. Is this the case? Answer: YES.
Group is system. Is this the case? Answer: YES.
Permission is 440. Is this the case? Answer: YES.
Q73 (5.1 Operating system resources, AIX settings): SUDO log /var/adm/sudo.log:
Owner is root. Is this the case? Answer: YES.
Group is system. Is this the case? Answer: YES.
Permission must be 600. Is this the case? Answer: YES.
5.1 Operating system resources, AIX settings (Note: <sid> represents the system id of the SAP system):
SU log /var/adm/sulog: Owner is root. Is this the case? Answer: YES.
SU log /var/adm/sulog: Group is system. Is this the case? Answer: YES.
SU log /var/adm/sulog: Permission must be 600. Is this the case? Answer: YES.
<sid>adm, SAPR3, SAP<sid> password file for SAP 4.x and higher, /sapmnt/<sid>/global/xxxx.conf: Owner is d2<sid>. Is this the case? Answer: YES.
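Added example (not from the checklist): a Python checker for the /etc/sudoers, /var/adm/sudo.log and /var/adm/sulog owner, group and permission rows above. It uses os.stat with the pwd/grp databases so it runs on AIX or Linux, and the EXPECTED table is the only thing to extend for the /sapmnt and /usr/sap rows that follow.

```python
"""Verify owner, group and mode of AIX files named in section 5.1.

Added example, not part of the checklist. Each entry is answered in the
sheet's terms: YES (compliant), NO (with the actual values, which the
sheet requires you to record) or N/A (file not present).
"""
import grp
import os
import pwd
import stat

# path -> (owner, group, mode) as required by the checklist rows above
EXPECTED = {
    "/etc/sudoers":      ("root", "system", 0o440),
    "/var/adm/sudo.log": ("root", "system", 0o600),
    "/var/adm/sulog":    ("root", "system", 0o600),
}


def describe(path):
    """Return (owner, group, mode) of path, or None if it does not exist."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)   # orphaned uid: report the number instead
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return owner, group, stat.S_IMODE(st.st_mode)


def check_file(path, owner, group, mode):
    """Compare one file with its required owner/group/mode; exact match required."""
    actual = describe(path)
    if actual is None:
        return "N/A", f"{path}: not present"
    a_owner, a_group, a_mode = actual
    problems = []
    if a_owner != owner:
        problems.append(f"owner is {a_owner}, expected {owner}")
    if a_group != group:
        problems.append(f"group is {a_group}, expected {group}")
    if a_mode != mode:
        problems.append(f"mode is {a_mode:04o}, expected {mode:04o}")
    if problems:
        return "NO", f"{path}: " + "; ".join(problems)
    return "YES", f"{path}: {owner}:{group} {mode:04o}"


def check_all(expected=EXPECTED):
    """Run every row; returns {path: (answer, detail)}."""
    return {path: check_file(path, *req) for path, req in expected.items()}


if __name__ == "__main__":
    for answer, detail in check_all().values():
        print(f"{answer:4} {detail}")
```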
5.1 Operating system resources, AIX settings (Note: <sid> represents the system id of the SAP system):
<sid>adm, SAPR3, SAP<sid> password file for SAP 4.x and higher, /sapmnt/<sid>/global/xxxx.conf: Permission must be 740 (SAP <4.6). Is this the case? Answer: YES.
<sid>adm, SAPR3, SAP<sid> password file for SAP 4.x and higher, /sapmnt/<sid>/global/xxxx.conf: Permission must be 640 (SAP 4.6+). Is this the case? Answer: YES.
/sapmnt/<sid>/exe: Owner is <sid>adm. Is this the case? Answer: YES.
/sapmnt/<sid>/exe: Group is sapsys. Is this the case? Answer: YES.
5.1 Operating system resources, AIX settings (Note: <sid> represents the system id of the SAP system):
/sapmnt/<sid>/exe: Permission must be 775. Is this the case? Answer: YES.
/sapmnt/<sid>/exe/saposcol: Permission must be 4755. Is this the case? Answer: YES.
/sapmnt/<sid>/exe/saposcol: Owner is root. Is this the case? Answer: YES.
/sapmnt/<sid>/exe/saposcol: Group is sapsys. Is this the case? Answer: YES.
AIX settings
AIX settings
AIX settings
AIX settings
/sapmnt/<sid>/global :
/sapmnt/<sid>/profile :
Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?
YES
YES
YES
YES
AIX settings
AIX settings
AIX settings
AIX settings
/sapmnt/<sid>/profile :
/usr/sap/<sid> :
/usr/sap/<sid><instance id> :
Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?
YES
YES
YES
YES
AIX settings
AIX settings
AIX settings
AIX settings
/usr/sap/<sid><instance id>/* :
/usr/sap/<sid><instance id>/sec :
Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?
YES
YES
YES
YES
AIX settings
AIX settings
AIX settings
AIX settings
/usr/sap/<sid><instance id>/sec :
/usr/sap/<sid>/SYS :
Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?
YES
YES
YES
YES
AIX settings
AIX settings
AIX settings
AIX settings
/usr/sap/<sid>/SYS :
/usr/sap/<sid>/SYS/* :
Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?
YES
YES
YES
YES
AIX settings
AIX settings
AIX settings
AIX settings
/usr/sap/trans :
/usr/sap/trans/* :
Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?
YES
YES
YES
N/A
AIX settings
AIX settings
AIX settings
AIX settings
/usr/sap/trans/* :
Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?
N/A
N/A
N/A
N/A
AIX settings
Note: <sid> represents the system id of the SAP system. Is this the case ?
N/A
N/A
N/A
N/A
AIX settings
/db2/<sid> :
Note: <sid> represents the system id of the SAP system. Is this the case ?
N/A
N/A
N/A
N/A
AIX settings
/db2/<sid> :
/db2/<sid>/log_dir :
Note: <sid> represents the system id of the SAP system. Is this the case ?
N/A
N/A
N/A
N/A
AIX settings
/db2/<sid>/log_archive : Group is sysadm (SAP <4.6) / db<sid>adm (SAP 4.6+).
/db2/<sid>/log_archive : Permission must be 755. Owner is db2<sid>.
/db2/<sid>/log_dir :
Note: <sid> represents the system id of the SAP system. Is this the case ?
N/A
N/A
N/A
N/A
AIX settings
/db2/<sid>/log_retrieve : Group is sysadm (SAP <4.6) / db<sid>adm (SAP 4.6+).
/db2/<sid>/log_retrieve : Owner is db2<sid>.
/db2/<sid>/log_retrieve :
/db2/<sid>/sapdata<x> : Permission must be 755. Owner is db2<sid>.
Note: <sid> represents the system id of the SAP system. Is this the case ?
N/A
N/A
N/A
N/A
AIX settings
/db2/<sid>/sapdata<x> : Group is sysadm (SAP <4.6) / db<sid>adm (SAP 4.6+). Note: <sid> represents the system id of the SAP system. Is this the case ?
/db2/<sid>/sapdata<x> : Permission must be 755 (<=SAP 4.7) / 750 (SAP NW 7.0+). Note: <sid> represents the system id of the SAP system. Is this the case ?
~/db2<dbsid>/<db2_software> : For SAP installations write access to these directories / files is not restricted to DB2 Instance owner and the SYSADM/SYSCTRL/SYSMAINT group. Is this the case ?
Any directories / files used in creation of userids or assignment of access in SAP : Files must be protected by permissions of 774 or higher. Is this the case ?
N/A
N/A
N/A
YES
AIX settings
/.netrc (allows remote access) : Owner has read and write access. Is this the case ?
/.netrc (allows remote access) : <sid>adm must also have read and/or write access if file is accessed from SAP application. Is this the case ?
/.rhosts (allows remote access) : must have read access only by root. Is this the case ?
/.rhosts (allows remote access) : must have write access only by root. Is this the case ?
YES
YES
YES
YES
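The DB2 directory and /.rhosts rows above can be checked mechanically from `ls -ld` output. The following is an added example, not the checklist's own tooling; it assumes the SID is upper-case in paths (/db2/ABC) and lower-case in user and group names (db2abc, dbabcadm), reads "permission must be 755" as "must grant no more than 755" (a stricter mode is not a finding), and takes the sapdata<x> mode as 755 up to SAP 4.7 and 750 from SAP NetWeaver 7.0 on, as the garbled sapdata row reads.

```python
import re

# Added example (not the checklist's own tooling): evaluate `ls -ld` output
# against the DB2 directory and /.rhosts rules in the rows above.

MODE_BITS = {"r": 4, "w": 2, "x": 1}
SPECIAL_BITS = {2: 0o4000, 1: 0o2000, 0: 0o1000}  # setuid, setgid, sticky


def parse_mode(perm: str) -> int:
    """Convert an ls permission field such as 'drwxr-xr-x' to a numeric mode."""
    perm = perm.rstrip("+@")          # strip ACL / extended-attribute markers
    if len(perm) != 10:
        raise ValueError(f"bad permission field: {perm!r}")
    mode = 0
    for i, ch in enumerate(perm[1:]):
        triad = 2 - i // 3            # 2 = owner, 1 = group, 0 = other
        if ch in MODE_BITS:
            mode |= MODE_BITS[ch] << (3 * triad)
        elif ch in "sStT":            # lower-case s/t also imply the execute bit
            mode |= SPECIAL_BITS[triad]
            if ch in "st":
                mode |= 1 << (3 * triad)
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} in {perm!r}")
    return mode


def expected_rules(sid: str, sap_release: str) -> list:
    """(path regex, owner, group or None, maximum mode) per the checklist rows.
    Group is sysadm below SAP 4.6 and db<sid>adm from 4.6 on (assumption: the
    sapdata<x> mode is 755 up to SAP 4.7 and 750 from SAP NetWeaver 7.0 on)."""
    s = sid.lower()
    rel = tuple(int(p) for p in sap_release.split(".")[:2])
    group = "sysadm" if rel < (4, 6) else f"db{s}adm"
    sapdata_mode = 0o750 if rel >= (7, 0) else 0o755
    return [
        (rf"/db2/{sid}/log_archive", f"db2{s}", group, 0o755),
        (rf"/db2/{sid}/log_retrieve", f"db2{s}", group, 0o755),
        (rf"/db2/{sid}/sapdata\d+", f"db2{s}", group, sapdata_mode),
        # read and write access only by root: no group or other bits at all
        (r"/\.rhosts", "root", None, 0o600),
    ]


def audit_listing(listing: str, rules: list) -> list:
    """Return one finding string per deviation found in `ls -ld` output."""
    findings = []
    for line in listing.splitlines():
        fields = line.split(None, 8)  # perm links owner group size mon day time path
        if len(fields) < 9:
            if line.strip():
                findings.append(f"unparsable line: {line!r}")
            continue
        perm, _, owner, group, *_rest, path = fields
        for pattern, exp_owner, exp_group, max_mode in rules:
            if re.fullmatch(pattern, path):
                break
        else:
            continue                  # path not covered by the checklist rows
        mode = parse_mode(perm)
        if owner != exp_owner:
            findings.append(f"{path}: owner {owner}, expected {exp_owner}")
        if exp_group is not None and group != exp_group:
            findings.append(f"{path}: group {group}, expected {exp_group}")
        if mode & ~max_mode:
            findings.append(f"{path}: mode {mode:04o} grants more than {max_mode:04o}")
    return findings


# Constructed `ls -ld` output for SID ABC; sizes and dates are made up.
SAMPLE_LISTING = """\
drwxr-xr-x    5 db2abc   dbabcadm      4096 Mar 14 10:00 /db2/ABC/log_archive
drwxrwxr-x    5 db2abc   dbabcadm      4096 Mar 14 10:00 /db2/ABC/log_retrieve
drwxr-x---    8 db2abc   dbabcadm      4096 Mar 14 10:00 /db2/ABC/sapdata1
drwxr-xr-x    8 db2abc   sysadm        4096 Mar 14 10:00 /db2/ABC/sapdata2
-rw-r--r--    1 root     system          64 Mar 14 10:00 /.rhosts
"""

if __name__ == "__main__":
    # Against SAP NetWeaver 7.0 rules this reports four deviations:
    # log_retrieve is group-writable, sapdata2 has the pre-4.6 group and
    # is world-readable, and /.rhosts is readable by group and other.
    for finding in audit_listing(SAMPLE_LISTING, expected_rules("ABC", "7.0")):
        print(finding)
```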
AIX settings
The following AIX userid and primary AIX groupid combination may own OSRs in the SAP AIX environment : Userid: root Groupid: system Is this the case ?
The following AIX userid and primary AIX groupid combination may own OSRs in the SAP AIX environment : Userid: db2<sid> Groupid: sapsys Is this the case ?
The following AIX userid and primary AIX groupid combination may own OSRs in the SAP AIX environment : Userid: <sid>adm Groupid: sapsys Is this the case ?
YES
YES
YES
AIX settings
Shared SAP application userids - Provider of service privileged SAP application userids
The following AIX userid and primary AIX groupid combination may own OSRs in the SAP AIX environment : Application owner userids, Application owner groups. Is this the case ?
The following ids are required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : SAP* Userid type is dialog. Is this the case ?
The following ids are required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : SAP* Userid must exist in all clients. Is this the case ?
YES
YES
YES
Shared SAP application userids - Provider of service privileged SAP application userids
The following ids are required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : SAP* Userid must never be deleted. Is this the case ?
The following ids are required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : SAP* Userid must be locked in all clients except when required for system maintenance. Is this the case ?
YES
YES
Shared SAP application userids - Provider of service privileged SAP application userids
The following ids are required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : SAP* Userid must be assigned to group SUPER in each client. Is this the case ?
The following ids are required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : SAP* Profiles SAP_ALL and SAP_NEW, or equivalent are assigned. Is this the case ?
YES
YES
Shared SAP application userids - Provider of service privileged SAP application userids
The following ids are required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : DDIC Userid type is dialog. Is this the case ?
The following ids are required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : DDIC Userid must exist in client 000, 001, 100 (or the production client) and any client in the CTS path. Is this the case ?
YES
YES
Shared SAP application userids - Provider of service privileged SAP application userids
The following ids are required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : DDIC Userid must never be deleted. Is this the case ?
The following ids are required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : DDIC Userid must never be locked. Is this the case ?
YES
YES
Shared SAP application userids - Provider of service privileged SAP application userids
The following ids are required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : DDIC Userid must be assigned to group SUPER. Is this the case ?
The following ids are required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : DDIC Profiles SAP_ALL and SAP_NEW, or equivalent are assigned. Is this the case ?
YES
YES
5.2 System and security administrative authority
Shared SAP application userids - Provider of service privileged SAP application userids
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access : <provider of service defined> (Used for installing Hotpacks or system upgrades.) : Userid type is dialog. Is this the case ?
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access : <provider of service defined> (Used for installing Hotpacks or system upgrades.) : Userid must be assigned to group SUPER. Is this the case ?
YES
N/A
5.2 System and security administrative authority
Shared SAP application userids - Provider of service privileged SAP application userids
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access : <provider of service defined> (Used for installing Hotpacks or system upgrades.) : Userid must only exist in client 000. Is this the case ?
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access : <provider of service defined> (Used for installing Hotpacks or system upgrades.) : Profiles SAP_ALL and SAP_NEW, or equivalent can be assigned. Is this the case ?
N/A
N/A
5.2 System and security administrative authority
Shared SAP application userids - Provider of service privileged SAP application userids
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access : EARLYWATCH (Used by SAP / BTS when Earlywatch sessions are conducted.) : Userid type is dialog. Is this the case ?
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access : EARLYWATCH (Used by SAP / BTS when Earlywatch sessions are conducted.) : Userid must only exist in client 066. Is this the case ?
N/A
N/A
5.2 System and security administrative authority
Shared SAP application userids - Provider of service privileged SAP application userids
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access : EARLYWATCH (Used by SAP / BTS when Earlywatch sessions are conducted.) : Userid must be locked when not in use. Is this the case ?
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access : EARLYWATCH (Used by SAP / BTS when Earlywatch sessions are conducted.) : Profile S_TOOLS_EX_A is assigned. Is this the case ?
N/A
N/A
Shared SAP application userids - Provider of service privileged SAP application userids
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access : EARLYWATCH (Used by SAP / BTS when Earlywatch sessions are conducted.) : If SDCCN is used, profile S_SDCC_ADM_N must also be assigned. Is this the case ?
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : ROOT (AIX) : rlogin=false Is this the case ?
N/A
N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : ROOT (AIX) : login=true (on SAP instance where there are no sensitive programs). Is this the case ?
N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : ROOT (AIX) : login=false (on SAP instances where sensitive programs reside). Is this the case ?
N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : ROOT (AIX) : Root must be included in /etc/ftpusers file. Is this the case ?
N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : DB2<sid> (AIX with DB2) : rlogin=true Is this the case ?
N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : DB2<sid> (AIX with DB2) : login=true (when using DB02 for DB connection functions) Is this the case ?
N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : DB2<sid> (AIX with DB2) : login=false (otherwise) Is this the case ?
N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : <sid>ADM (AIX with DB2) : rlogin=true Is this the case ?
N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : <sid>ADM (AIX with DB2) : login=false Is this the case ?
N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : <sid>ADM (AIX with DB2) : NOCHECK must be set in /etc/security/passwd Is this the case ?
N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAPR3 (AIX with DB2) : May be the DB2 owner of SAP database. Is this the case ?
N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAPR3 (AIX with DB2) : Userid cannot connect / sign on to DB2 and is not a DB2 user. Is this the case ?
N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAPR3 (AIX with DB2) : rlogin=true Is this the case ?
N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAPR3 (AIX with DB2) : login=true Is this the case ? N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAPR3 (AIX with DB2) : NOCHECK must be set in /etc/security/passwd. Is this the case ? N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAP<sid> (AIX with DB2) : May be the DB2 owner of SAP database. Is this the case ? N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAP<sid> (AIX with DB2) : Userid cannot connect / sign on to DB2 and is not a DB2 user. Is this the case ? N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAP<sid> (AIX with DB2) : rlogin=true Is this the case ? N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAP<sid> (AIX with DB2) : login=true Is this the case ? N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAP<sid> (AIX with DB2) : NOCHECK must be set in /etc/security/passwd. Is this the case ? N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAP<sid>DB (AIX with DB2) : May be the DB2 owner of SAP database. Is this the case ? N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAP<sid>DB (AIX with DB2) : Userid cannot connect / sign on to DB2 and is not a DB2 user. Is this the case ? N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAP<sid>DB (AIX with DB2) : rlogin=true Is this the case ? N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAP<sid>DB (AIX with DB2) : login=true Is this the case ? N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAP<sid>DB (AIX with DB2) : NOCHECK must be set in /etc/security/passwd. Is this the case ? N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : cstore : rlogin=false Is this the case ? N/A
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : cstore : login=false Is this the case ? N/A
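The AIX shared-userid rows above (login/rlogin attributes, NOCHECK in /etc/security/passwd, root in /etc/ftpusers) can be audited from `lsuser` output and the stanza files. The following is an added example, not part of the checklist; it assumes the standard AIX stanza format and `lsuser -a login rlogin <users>` output, uses sap<sid> to stand in for whichever of SAPR3 / SAP<sid> / SAP<sid>DB is the DB2 owner, and all sample data is constructed.

```python
# Added example (not part of the checklist): audit the AIX shared userids
# listed above against the expected login/rlogin, NOCHECK and ftpusers settings.


def parse_lsuser(text: str) -> dict:
    """Parse `lsuser -a login rlogin ...` output: 'name attr=value attr=value'."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, *attrs = line.split()
            users[name] = dict(a.split("=", 1) for a in attrs)
    return users


def parse_stanzas(text: str) -> dict:
    """Parse an AIX stanza file such as /etc/security/passwd into
    {stanza: {attribute: value}}; lines starting with '*' are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def expected_user_attrs(sid: str, sensitive_programs: bool, uses_db02: bool) -> dict:
    """Expected settings per shared userid, from the checklist rows above.
    sensitive_programs: the instance hosts sensitive programs (root login=false).
    uses_db02: DB02 is used for DB connection functions (db2<sid> login=true).
    sap<sid> stands in for the DB2 owner id (SAPR3 / SAP<sid> / SAP<sid>DB)."""
    s = sid.lower()
    return {
        "root":    {"rlogin": "false", "login": "false" if sensitive_programs else "true",
                    "in_ftpusers": True},
        f"db2{s}": {"rlogin": "true", "login": "true" if uses_db02 else "false"},
        f"{s}adm": {"rlogin": "true", "login": "false", "nocheck": True},
        f"sap{s}": {"rlogin": "true", "login": "true", "nocheck": True},
        "cstore":  {"rlogin": "false", "login": "false"},
    }


def audit_aix_userids(sid, lsuser_text, passwd_text, ftpusers_text,
                      sensitive_programs=True, uses_db02=False) -> list:
    """Return one finding per deviation from the expected settings."""
    actual = parse_lsuser(lsuser_text)
    stanzas = parse_stanzas(passwd_text)
    ftpusers = {l.strip() for l in ftpusers_text.splitlines() if l.strip()}
    findings = []
    for user, exp in expected_user_attrs(sid, sensitive_programs, uses_db02).items():
        attrs = actual.get(user)
        if attrs is None:
            findings.append(f"{user}: not present in lsuser output")
            continue
        for attr in ("login", "rlogin"):
            if attrs.get(attr) != exp[attr]:
                findings.append(f"{user}: {attr}={attrs.get(attr)}, expected {exp[attr]}")
        if exp.get("nocheck"):
            flags = {f.strip() for f in stanzas.get(user, {}).get("flags", "").split(",")}
            if "NOCHECK" not in flags:
                findings.append(f"{user}: flags = NOCHECK not set in /etc/security/passwd")
        if exp.get("in_ftpusers") and user not in ftpusers:
            findings.append(f"{user}: missing from /etc/ftpusers")
    return findings


# Constructed sample data for SID ABC (password hashes replaced by placeholders).
SAMPLE_LSUSER = """\
root login=true rlogin=true
db2abc login=false rlogin=true
abcadm login=false rlogin=true
sapabc login=true rlogin=true
cstore login=false rlogin=false
"""
SAMPLE_SECURITY_PASSWD = """\
* constructed /etc/security/passwd excerpt
root:
        password = {placeholder}
        flags = ADMCHG

abcadm:
        password = {placeholder}
        flags = ADMIN,NOCHECK

sapabc:
        password = {placeholder}
        flags =
"""
SAMPLE_FTPUSERS = "daemon\nbin\n"

if __name__ == "__main__":
    # For an instance hosting sensitive programs this reports four deviations:
    # root allows login and rlogin and is missing from /etc/ftpusers, and
    # sapabc has no NOCHECK flag.
    for finding in audit_aix_userids("ABC", SAMPLE_LSUSER, SAMPLE_SECURITY_PASSWD,
                                     SAMPLE_FTPUSERS):
        print(finding)
```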
zOS/OS390 provider of service shared userids
The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access.

General : RACF logging must be enabled. Is this the case? N/A
SAPR3 (RACF group) : DB2 user exit must be active. Is this the case? N/A
SAPR3 (RACF group) : RACF list of groups checking must be enabled. Is this the case? N/A
SAP<sid> (RACF group) : Must not be an operating system userid. Is this the case? N/A
SAP<sid> (RACF group) : Must be a RACF group. Is this the case? N/A
SAP<sid> (RACF group) : DB2 user exit must be active. Is this the case? N/A
SAP<sid> (RACF group) : RACF list of groups checking must be enabled. Is this the case? N/A
SAP<sid> (RACF group) : System administrator access to resources is done via PERMITs to resources, which are controlled by RACF. Is this the case? N/A
ICLI<sid> (OpenEdition) : Runs the ICLI server. Is this the case? N/A
ICLI<sid> (OpenEdition) : Requires OMVS segment in RACF definition. Is this the case? N/A
ICLI<sid> (OpenEdition) : Must not have TSO segment (in RACF definition). Is this the case? N/A

End of Checklist - Part 1
INSTRUCTIONS:
If the server value is NOT COMPLIANT with the value specified in the question (i.e. the answer is NO or N/A), you MUST enter the actual server setting or a comment to explain why the question is not applicable.

Machine Name/Identifier : FMC
Date Checked : 20/06/2012
Comments : Nil
System profile (applicable system types : S,D,C,E,R,P)
auth/tcodes_not_checked : must be set to (empty string). Is this the case? YES
auth/system_access_check_off : must be set to 0. Is this the case? YES
auth/rfc_authority_check : must be set to 1. Is this the case? YES
auth/no_check_in_some_cases : must be set to Y. Is this the case? YES
auth/object_disabling_active : must be set to N. Is this the case? YES
System settings (applicable system types : C,R,P)
Transaction SCC4 / Change and Transports for Client-Specific Objects : No changes allowed. Is this the case? YES
Transaction SCC4 / Cross-Client Object Changes : No changes to Repository and cross-client customizing objects. Is this the case? YES
Transaction SE06 / System Change Option : Global Setting : Not modifiable. Is this the case? YES

System profile (applicable system types : S,D,C,E,R,P)
login/failed_user_auto_unlock : must be set to 0. Is this the case? YES
login/fails_to_user_lock : must be set to 5. Is this the case? YES
System profile parameter settings - Table Logging - all SAP versions (applicable system type : P)
rec/client : One of the following options must be selected (select one of the following 3 options):
1. xxx = the production client number (one client only).
2. comma separated list of clients including the production client.
3. ALL (for all clients in system).
Is this the case? N/A

Transport profile parameter settings (TP_DOMAIN_<sid>.PFL) - Table Logging - all SAP versions (applicable system type : P)
rec/client (transport profile RECCLIENT) : Update TMS configuration adding the RECCLIENT parameter in the Transport Tool tab. Required settings (select one of the following 3 options):
1. xxx = the production client number (one client only).
2. comma separated list of clients including the production client.
3. ALL (for all clients in system).
Note: In the production client, the same setting should be selected for the rec/client and recclient parameters.
Is this the case? N/A

System profile parameter settings - Security Audit Log Setup - Version 4.6 or higher (applicable system types : P)
DIR_AUDIT : must be set to /secaudit/logs or /secaudit/<SID>/logs. Is this the case? N/A
System profile parameter settings - Security Audit Log Setup - Version 4.6 or higher (applicable system types : P)
FN_AUDIT : must be set to <SERVER>_++++++++######. Is this the case? N/A
rsau/enable : must be set to 1. Is this the case? N/A
rsau/max_diskspace/per_day : must be set to 3M or higher. Is this the case? N/A
rsau/max_diskspace/per_file : must be set to 1M or higher. Is this the case? N/A
rsau/selection_slots : must be set to 2 or higher. Is this the case? N/A

System profile parameter settings - Security Audit Log Setup - Version 4.5 (applicable system types : P)
rsau/local/file : must be set to /secaudit/logs/<SERVER>_++++++++###### or /secaudit/<SID>/logs/<SERVER>_++++++++######. Is this the case? N/A
rsau/enable : must be set to 1. Is this the case? N/A
rsau/max_diskspace/local : must be set to 1000000. Is this the case? N/A
rsau/max_diskspace/per_day : must be set to 3M or higher. Is this the case? N/A
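The profile parameter rows above (the auth/* and login/* settings for every system type, and rec/client, DIR_AUDIT, FN_AUDIT and the rsau/* settings for production systems on release 4.6 or higher) can be answered mechanically from an exported profile. The following Python script is an added example written for this page; it is not part of the checklist and not an IBM or SAP tool. It parses a constructed sample instance profile, applies the checklist values that apply to a given system type letter and production client, and answers each row in the checklist's own "Is this the case?" form. The sample profile, the system ID PRD, the production client 100 and the reading of <SERVER> in FN_AUDIT as any server or instance name are assumptions.

```python
import re
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

# Constructed sample of an SAP instance profile excerpt; not taken from any real system.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = PRD
DIR_AUDIT = /secaudit/PRD/logs
FN_AUDIT = PRD_DVEBMGS00_++++++++######
rsau/enable = 1
rsau/max_diskspace/per_day = 3M
rsau/max_diskspace/per_file = 512K
rsau/selection_slots = 2
rec/client = 100,200
auth/system_access_check_off = 0
auth/rfc_authority_check = 1
auth/no_check_in_some_cases = Y
auth/object_disabling_active = N
login/failed_user_auto_unlock = 1
login/fails_to_user_lock = 5
"""

class Rule(NamedTuple):
    param: str
    system_types: str  # checklist column "applicable system types"
    required: str      # checklist wording of the required value
    ok: Callable[[Optional[str]], bool]

# (parameter, required value, actual value or None if absent, compliant)
Finding = Tuple[str, str, Optional[str], bool]

def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; only a leading '#' is a comment ('#' in FN_AUDIT is data)."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params

_SIZE_RE = re.compile(r"^(\d+)\s*([KMG]?)$", re.IGNORECASE)
_MULT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def parse_size(value: str) -> Optional[int]:
    """Convert an rsau/max_diskspace value such as '3M' or '1000000' to bytes."""
    m = _SIZE_RE.match(value.strip())
    return int(m.group(1)) * _MULT[m.group(2).upper()] if m else None

def equals(expected: str) -> Callable[[Optional[str]], bool]:
    return lambda v: v == expected
def at_least(minimum: int) -> Callable[[Optional[str]], bool]:
    return lambda v: v is not None and (parse_size(v) or -1) >= minimum

def rec_client_ok(production_client: str) -> Callable[[Optional[str]], bool]:
    """ALL, the production client alone, or a comma separated list that includes it."""
    def ok(v: Optional[str]) -> bool:
        clients = [c.strip() for c in (v or "").split(",")]
        return v is not None and (v.upper() == "ALL" or production_client in clients)
    return ok

def build_rules(sid: str, production_client: str) -> List[Rule]:
    common = "S,D,C,E,R,P"
    return [
        # An absent auth/tcodes_not_checked is accepted: the kernel default is empty.
        Rule("auth/tcodes_not_checked", common, "(empty string)", lambda v: not v),
        Rule("auth/system_access_check_off", common, "0", equals("0")),
        Rule("auth/rfc_authority_check", common, "1", equals("1")),
        Rule("auth/no_check_in_some_cases", common, "Y", equals("Y")),
        Rule("auth/object_disabling_active", common, "N", equals("N")),
        Rule("login/failed_user_auto_unlock", common, "0", equals("0")),
        Rule("login/fails_to_user_lock", common, "5", equals("5")),
        # Production only: table logging and Security Audit Log (release 4.6 or higher).
        Rule("rec/client", "P", f"{production_client}, a client list including it, or ALL",
             rec_client_ok(production_client)),
        Rule("DIR_AUDIT", "P", f"/secaudit/logs or /secaudit/{sid}/logs",
             lambda v: v in ("/secaudit/logs", f"/secaudit/{sid}/logs")),
        # <SERVER> is read here as any server or instance name (assumption).
        Rule("FN_AUDIT", "P", "<SERVER>_++++++++######",
             lambda v: v is not None and re.fullmatch(r"\w+_\+{8}#{6}", v) is not None),
        Rule("rsau/enable", "P", "1", equals("1")),
        Rule("rsau/max_diskspace/per_day", "P", "3M or higher", at_least(3 * 1024 ** 2)),
        Rule("rsau/max_diskspace/per_file", "P", "1M or higher", at_least(1024 ** 2)),
        Rule("rsau/selection_slots", "P", "2 or higher",
             lambda v: v is not None and v.isdigit() and int(v) >= 2),
    ]

def check_profile(params: Dict[str, str], system_type: str, production_client: str) -> List[Finding]:
    """Evaluate every rule whose 'applicable system types' include the system type letter."""
    sid = params.get("SAPSYSTEMNAME", "<SID>")
    findings: List[Finding] = []
    for rule in build_rules(sid, production_client):
        if system_type in rule.system_types.split(","):
            actual = params.get(rule.param)
            findings.append((rule.param, rule.required, actual, rule.ok(actual)))
    return findings

if __name__ == "__main__":
    for param, required, actual, compliant in check_profile(parse_profile(SAMPLE_PROFILE), "P", "100"):
        print(f"{param} : must be set to {required}. Is this the case? {'YES' if compliant else 'NO'}")
```

Run against the sample with system type P, two rows come back NO: login/failed_user_auto_unlock is 1 instead of 0, and rsau/max_diskspace/per_file is 512K, below the 1M minimum. A parameter absent from the profile is reported as "not set" rather than assumed compliant, except auth/tcodes_not_checked, whose required value is the kernel default; for any other absent parameter the effective value should be confirmed in RZ11 before the row is answered YES.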
System profile parameter settings - Security Audit Log Setup - Version 4.5 (applicable system types : P)
rsau/max_diskspace/per_file : must be set to 0. Is this the case? N/A
rsau/selection_slots : must be set to 2 or higher. Is this the case? N/A

Transaction SM19 / Security Audit Log Filter (SAP Version ECC 6.0) (applicable system types : P)
At least one filter must be set as follows:
1. Filter active box must be checked
2. Selection Criteria: Client = *, User = *
3. Audit classes: Dialog logon, System (defaults, unchangeable)
4. Events: Severe and critical
5. Detail Configuration:
   Audit Class: Dialog Logon
      Event class: Important. Message Long Text: Logon Successful (Type=&A); Logon failed (Reason = &B, Type = &A)
      Event class: Critical. Message Long Text: Logon failed (Reason = &B, Type = &A); User &B Locked in Client &A After Erroneous Password Checks; User &B in Client &A Unlocked After Being Locked Due to Inval.Password
   Audit Class: System
      Event class: Critical. Message Long Text: Audit Configuration Changed; Audit: Slot &A: Class &B, Severity &C, User &D, Client &E, &F; Application Server Started; Application Server Stopped; Audit: Slot &A Inactive; Audit: Active Status Set to &1
Is this the case? N/A

System settings - Transaction SM19 / Security Audit Log Filter (SAP Versions 4.6x through 4.7x) (applicable system types : P)
At least one filter must be set as follows:
1. Filter active box must be checked
2. Selection Criteria: Client = *, User = *
3. Audit classes: Dialog logon
4. Events: Important and critical
5. Detail Configuration:
   Audit Class: Dialog Logon
      Event class: Critical. Message Long Text: Logon failed (Reason = &B, Type = &A); User Locked After Incorrect Logon; User lock because of incorrect logon removed
      Event class: Important. Message Long Text: Logon Successful (Type=&A); Logon failed (Reason = &B, Type = &A)
Is this the case? N/A

System settings - Transaction SM19 / Security Audit Log Filter Selection (SAP Versions 4.5x) (applicable system types : P)
At least one selection must be set as follows:
1. Selection Active box must be checked
2. Selection Tab: Client = *, User = *
3. Audit classes: Logon
4. Security Levels: Average
5. To ensure the minimum required audit messages are logged, the following 4 records must be present and the importance indicator value must not be changed. (Transaction code SE92(N), Tables TSL1D/TSL1T) (see separate sheet for 4 records)
Is this the case? N/A
Health Checking (applicable system types : C,P or Any Internet Reachable)
List users who hold security administrative and system authority. N/A

Health Checking (applicable system types : P or Any Internet Reachable)
Confirm that the SAP Security Audit log exists? N/A

.rhost file
Must contain only specific hostnames of the SAP servers required to have the rsh capability. These hostnames must be either the short hostname defined in the local /etc/hosts file or the fully qualified hostnames of the servers that are registered to DNS. Is this the case? YES
The only machines and ids that are able to rsh into a server are those listed in the server's .rhost file. Is this the case? YES
Each hostname in the .rhost file must be qualified with a valid userid. Is this the case? YES
.rhost file
The only machines and ids that are able to rsh into a server are those listed in the server's .rhost file. Is this the case? YES

.netrc file
Owner has read and write access. Is this the case? YES
<sid>adm must also have read and/or write access if file is accessed from SAP. Is this the case? YES

/etc/exports
Must contain specific hostnames for NFS clients that are either the short hostnames defined in the local /etc/hosts file on the NFS server or only the fully qualified machine hostnames of the servers that are registered to DNS. Is this the case? YES
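The .rhost, .netrc and /etc/exports rows above all reduce to the same test: every host entry must be a specific name (a short name from the local /etc/hosts or a fully qualified name registered in DNS), every .rhost entry must carry a valid userid, and the .netrc owner must hold read and write access. The following Python script is an added example for this page, not part of the checklist and not an IBM tool. It runs the three checks over constructed sample files. The hostnames, userids and paths are invented; the DNS_REGISTERED set stands in for a live DNS lookup; /etc/exports is parsed in the AIX form (-access=, -rw=, -ro= and -root= option lists with colon separated hosts), which is an assumption about the target platform; and the .netrc check takes a file mode such as the one os.stat would return.

```python
import re
from typing import List, Set, Tuple

# Constructed sample files; none of these hosts, users or paths come from a real system.
ETC_HOSTS = """\
127.0.0.1   loopback localhost
10.1.2.10   sapci01 sapci01.example.com
10.1.2.11   sapdb01 sapdb01.example.com
"""
# Stand-in for a DNS lookup: names the assessor has confirmed are registered (assumption).
DNS_REGISTERED = {"sapci01.example.com", "sapdb01.example.com", "sapapp02.example.com"}
PASSWD = """\
root:!:0:0::/:/usr/bin/ksh
prdadm:!:300:301::/home/prdadm:/usr/bin/csh
oraprd:!:301:301::/oracle/PRD:/usr/bin/csh
"""
RHOSTS = """\
sapci01 prdadm
sapapp02.example.com prdadm
sapdb01
+ prdadm
sapold.example.com prdadm
sapdb01.example.com nobody
"""
EXPORTS = """\
/sapmnt/PRD -access=sapci01:sapapp02.example.com,root=sapci01
/usr/sap/trans -access=sapold.example.com
/export/public -ro
"""

Result = Tuple[str, bool, str]  # (file entry, compliant, reason)

def names_from_hosts(text: str) -> Set[str]:
    """Every hostname and alias in /etc/hosts (the first token of a line is the address)."""
    names: Set[str] = set()
    for line in text.splitlines():
        names.update(line.split("#", 1)[0].split()[1:])
    return names

def users_from_passwd(text: str) -> Set[str]:
    return {line.split(":", 1)[0] for line in text.splitlines() if ":" in line}

def hostname_ok(host: str, local: Set[str], dns: Set[str]) -> Tuple[bool, str]:
    """A host passes only as a specific name: a short name from the local /etc/hosts
    or a fully qualified name registered in DNS. '+' and patterns are wildcards."""
    if host in ("", "+") or re.search(r"[*?]", host):
        return False, f"'{host}' is a wildcard, not a specific hostname"
    if host in local:
        return True, "short name defined in /etc/hosts"
    if "." in host and host in dns:
        return True, "fully qualified name registered in DNS"
    return False, f"'{host}' is neither in /etc/hosts nor a registered fully qualified name"

def check_rhosts(text: str, local: Set[str], dns: Set[str], users: Set[str]) -> List[Result]:
    """Each .rhosts line must read '<host> <userid>' with a valid host and a valid userid."""
    results: List[Result] = []
    for entry in (ln.strip() for ln in text.splitlines()):
        if not entry or entry.startswith("#"):
            continue
        fields = entry.split()
        if len(fields) != 2:
            results.append((entry, False, "hostname is not qualified with a userid"))
            continue
        host, user = fields
        ok, reason = hostname_ok(host, local, dns)
        if ok and (user == "+" or user not in users):
            ok, reason = False, f"'{user}' is not a valid userid on this server"
        results.append((entry, ok, reason))
    return results

def check_exports(text: str, local: Set[str], dns: Set[str]) -> List[Result]:
    """AIX-style /etc/exports: client lists sit in -access=, -rw=, -ro= and -root=
    options, colon separated. A path with no client list is exported to every host."""
    results: List[Result] = []
    for entry in (ln.strip() for ln in text.splitlines()):
        if not entry or entry.startswith("#"):
            continue
        hosts: List[str] = []
        for option in " ".join(entry.split()[1:]).lstrip("-").split(","):
            key, _, value = option.partition("=")
            if key in ("access", "rw", "ro", "root") and value:
                hosts.extend(value.split(":"))
        if not hosts:
            results.append((entry, False, "no client host list: exported to every NFS client"))
            continue
        bad = [reason for h in hosts for ok, reason in [hostname_ok(h, local, dns)] if not ok]
        results.append((entry, not bad, "; ".join(bad) or "all client hosts are specific names"))
    return results

def check_netrc_mode(mode: int) -> Tuple[bool, str]:
    """The checklist row tests owner read and write access; wider access is noted
    because .netrc holds credentials, but it does not fail this row."""
    if mode & 0o600 != 0o600:
        return False, "owner lacks read and/or write access"
    return True, "owner has read and write access" + (" (group/other also have access)" if mode & 0o077 else "")

if __name__ == "__main__":
    local, users = names_from_hosts(ETC_HOSTS), users_from_passwd(PASSWD)
    rows = check_rhosts(RHOSTS, local, DNS_REGISTERED, users) + check_exports(EXPORTS, local, DNS_REGISTERED)
    for entry, ok, reason in rows:
        print("YES" if ok else "NO ", entry, "-", reason)
    print(check_netrc_mode(0o640))
```

On the sample, four of the six .rhost entries fail: one lacks a userid, one uses "+" (any host), one names a host that is neither in /etc/hosts nor registered, and one pairs a valid host with a userid that does not exist on the server. Two of the three exports fail, including /export/public, which has no client list at all and is therefore reachable by every NFS client. On a live host, read the real files, replace DNS_REGISTERED with a resolver lookup, and pass os.stat(path).st_mode to check_netrc_mode.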
Required records in tables TSL1D/TSL1T (transaction SE92(N)):

Record 1: Group = AU, Sub-Name = 1, Class = X, Sub-Group = 2, Importance = 5, Category = RA, Category = SH, Message = "Logon Successful (Type=&A)"
Record 2: Group = AU, Sub-Name = 2, Class = X, Sub-Group = 2, Importance = 9, Category = RA, Category = SH, Message = "Logon failed (Reason = &B, Type = &A)"
Record 3: Group = AU, Sub-Name = M, Class = X, Sub-Group = 34, Importance = 9, Category = RA, Category = SH, Message = "User Locked After Incorrect Logon"
Record 4: Group = AU, Sub-Name = N, Class = X, Sub-Group = 34, Importance = 9, Category = RA, Category = SH, Message = "User Lock Deleted Due to Incorrect Logon"
SAP security administrative and system administrative authorization objects & values

The values listed constitute prohibited security or system administrative authority. Values classified as "allowed" are not a complete listing of all possible values. Applicable to both dialog and non-dialog userids. The use of prohibited system administrative authorization objects may be necessary or required for emergency access.

Security administrative authorization objects: S_ADMI_FCD, S_USER_AGR, S_USER_AUT, S_USER_GRP, S_USER_PRO, S_USER_SYS, S_USER_TCD
Field / Values:
UBUF *, 01, 02, 21, 36, 59, 64, 68, 78, UL 06, 22, 79 *, 01, 02, 22, 24 06, 07 * 01, 02, 05, 06, 22, 24, 68, 78 *, 01, 02, 24 06, 07, 22 *, 90 59, 68, 78 *, ALL VALUES RESTRICTED
Field
Values
S_ADMI_FCD
*, TRNL, TRNR AUDA, UADM, BTCH, COLA, CONV, F4MX, LC02, LC03, LC04, MEMO, NADM, PADM, QDEL, SCP1, SCP2, SLIC, SPAA, SPAB, SPAC, SPAD, SPAM, SPAR, SPTD, SPTR, SYNC, T000, TCTR, TLCK, TOUC, X25 *, 06 * Y * DELE *
S_CLNT_IMP S_CTS_ADMI
ACTVT CTS_ADMFCT
S_DB2_ADM
ACTVT
*, ALL VALUES RESTRICTED * TABL, INIT, PROJ, IMPT, IMPA, IMPS, SYSC, TADD, TDEL, TQAS, TADM, QTEA, EPS1, EPS2 *
S_DB2_ADM S_DB2_COMM
ACTVT ACTVT 02, 06, 16, 33, 36 *, 04, 05, 07, 10, 11, 12, 13, 14, 15, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 30, 31, 32, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 55, 57, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, A1, A2, A3, A4, A7, A8, A9, AA, AB, B2, B3, B9, BD, BE, C1, C2, C3, C4, C8, D1, DK, DL, DP, E0, E6, E7, EP, FP, G1, G2, G3, G4, G5, G6, GL, H1, H2, H3, KA, KI, KO, SK, DU, LM, LS, L0, L1, L3, MA, PA, PB, PC, PD, P0, P1, P2, P3, S1, S2, U2, U3, U4, UL, VF, V1, V2, V3, V4, V5, V6, VE 01, 02, 06, 16 * DLFU, ALL * 02, 05, 16, 30, 61 * *, BRARCHIVE, BRBACKUP, BRCONNECT, BRTOOLS, BTC_CHECK_STAT, CAT, CHECK_DSPMSGQ, CHECK_PRTERRLOG, CHECK_QXDAEDRSQL, CHECK_R3RMTDB, DB24DD, DBHOSTCHECK, DBMCLI, DBMGETF, DBMRFC, DISPLAY_DIAGLOG, DSPOBJD_SQLPKG, ENV, INFARCEXE, INFBAREXE, INFCFGCHECK, INFUGPSTAT, IRCONF, IRTRACE, LDAP_REGISTER, LIST_DB2DUMP, LSNRCTL, MSSTATS, NET_ROUTING, NIPING, PRECVERSION, PRTSQLINF, RRR_PRTERRLOG, RRR_PTF, RRR_R3RMTDB, RRR_ROUTER_INFO, RRR_ROUTER_NEW, RRR_ROUTER_START, RRR_ROUTER_STOP, SAA_TP_CHECK, SAA_TP_CLEAROLD, SAPDBA, SAPNTCHK, SEND_SNMP_TRAP, SQLCLI, UPDCOL, WWI_GET_DIR, XBACKUP, XCONS, XKERNPROT, XPU, XSQL, XUSER, XWIZ, XWIZARD, XWIZSTOP, X_PYTHON
CONTAINER_INFO, DB2CLP, DB_SERVER_OPSYS, GET_DEADLOCK, SNAPSHOT_DB6, TABLESPACE_INFO, TABLE_SNAPSHOT, TABSPACE_SNAPSHOT, ARCAUTO, DB6CLP, DB6_DBBACKUP, REORGCHK_ALL, REORGCHK_CALL, REORGCHK_CHECK, REORGCHK_DBSTAT, REORGCHK_UONE, REORG_TABLESPACE *, QDEL QAEN, QANL, QSTA * 1 * ADM, PROJ, USER *, ADMIN, WRITE
SDCC_RUN
S_SDCC_ADD
S_SDCC_DAT
ACTVT
READ *, 06
3 S_SKOM_SRV S_SPO_ACT AUTH SPOACTION ALL VALUES RESTRICTED * ATTR, AUTH, BASE, COMP, DELE, DOWN, EDIT, USER, DISP, PRNT, REDI, REPR, SEND * CRE, REA, DEL, APP, MOD *, 01, 02, 05, 06, 23, 43, 50, 65, 75, 78 60, 90 *, 02, 07, 21
S_TMS_ACT S_TRANSPRT
STMSACTION ACTVT
S_USER_OBJ
ACTVT
Prohibited system administrative access. Prohibited or Allowed in Production: Prohibited Prohibited Allowed Prohibited Allowed Prohibited Allowed Prohibited Allowed Prohibited Allowed Prohibited
Prohibited Prohibited Allowed Prohibited Allowed Prohibited (with the exception MAESTROCPIC userid) Prohibited Prohibited Allowed
Prohibited
Allowed Prohibited
Allowed Prohibited Allowed Prohibited Allowed Prohibited - SAP Release below 4.7 Prohibited
Allowed
Prohibited Allowed Prohibited Allowed Prohibited Allowed Prohibited (with the exception of EarlyWatch userid on client 066) Allowed Prohibited (with the exception of EarlyWatch userid on client 066) Allowed Prohibited (with the exception of EarlyWatch userid on client 066) Allowed Prohibited (with the exception of EarlyWatch userid on client 066) Allowed Prohibited (with the exception of EarlyWatch userid on client 066) Allowed Prohibited Prohibited Allowed
5.6.1 Security, integrity APAR, advisory process for SAP environments requirements
1. SAP security advisories are not maintained on the GSSD website.
2. SAP AG maintains the repository of security advisories at their website on www.service.sap.com in the security notes section under customer portal.
3. Security OSS notes can also be viewed by using the RSECNOTE tool.
4. The SAP Enterprise Management Office (EPMO) may override the severity rating assigned by the application owner.
5. SAP security advisories will be implemented per the time limits in ITCS104 Chapter 3.5.3.