
ITCS104 v9.1 SAP Application Health Checking Proforma


Intended Users

This document has been designed for conducting health checking activities on the SAP Application platform, as defined within ITCS104 v9.1 Chapter 2.2.28.

Further contacts and information: For clarification of questions or any further information relating to this checklist, please send an email to the uksechc@uk.ibm.com taskid.

Owner & Administrators: IBM Security

Instructions: Please ensure that you fill in ALL questions on tabs that are relevant to devices for the month's health check.

Author: Clive Gabel

Revision History

Version 5.1, 8-Feb-08: Initial version. Updated by: Clive Gabel

Version 6.0, 1-Aug-08: Updated as per ITCS104 v6.0 dated 15/07/2008. 1.1: Updated DB2 Replication for AIX Operating System Userids; updated CommonStore userid to match current practices; removed db2as since it is only used in DB2 V7 or below. 2.1: Reusable passwords - wait times and history size changes added; removed need for login/min_password_specials parm. 5.2: AIX provider of service shared userids - removed the use of SU (ITCS104 new requirements); updated CommonStore's userid to match current practices; total review and updates to SAP security administrative and system administrative authorization objects and values (including values that are prohibited due to the authorization sensitivity - see Tables tab). 6: Corrected parm names; allowed values to give latitude for project-specific growth and specified applicable SAP Releases; updated to allow rec/client parm options and now only required logging for the production environment; corrected SM19 system settings per SAP Release. 7.1: Removed requirement/row to "Verify that only approved users are included in the access lists of OSRs beyond that allowed to general users". Updated by: Clive Gabel

Version 6.1, 9-Apr-09: Updated as per ITCS104 v6.1 dated 28/02/2009. Sect 1.1: Added clarification statements surrounding Shared SAP application userids - Application owner SAP application userids for emergency use. System Clients: allow for multiple production clients, and the production client number may be other than 100. Allowed project latitude for the system profile parameter login/no_automatic_user_sapstar in non-production systems. Removed the zOS/TSO operating system userid entry since it is covered under the zOS, OS390 and MVS Platforms Tech Spec (ITCS104 Chp. 2.1.8). Removed the MS Windows operating system userid entry since it is covered under the Microsoft Windows 2000 Servers Tech Spec (ITCS104 Chp. 2.1.3). Sect 5.2: Added clarification statements on the security administrative and system administrative authorization objects & values matrix related to "prohibited" and "allowed". Corrected an oversight for AIX provider of service shared userids SAPR3, SAP<sid> and SAP<sid>DB to allow the DB2 connection the SAP kernel needs in order to start. Sect 6: Added new RECCLIENT system parm to enable logging of table changes made from imported or transported entries to production. Updated Activity auditing system settings for the different SAP release levels. Updated by: Nick Saxon

Version 7, 8-Sep-09: Updated as per ITCS104 v7 dated 15/07/2009. Sect 5.1: Added clarification to SAP Release for applicable operating system resource AIX settings. Updated by: Nick Saxon

Version 7.1, 15-Mar-10: Updated as per ITCS104 v7.1 dated 31/01/2010. Sect 1.1: For CPIC or Communication userids, added clarification on passwords that are contained in a file (Q.11). Sect 5.2: For the EarlyWatch Userid added new native SAP authorization profile and clarifications on System Administrative authorization objects (Q166). Updated by: Nick Saxon

Version 8.0, 8-Sep-10: Updated to reflect changes in ITCS104 v8.0. Sect 5.2: Updated AIX provider of service shared userids for the DB2<sid> parameters to align with SAP's recommendation (Q172-173). Sect 5.2: System and security administrative authority under SAP security administrative and system administrative authorization objects & values - added S_SDCC_ADD and S_SDCC_DAT (Security Admin 5.2 tab). Sect 5.6: Added new sub-section 5.6.1 Security, integrity APAR, advisory process for SAP environments, requirements to specify SAP application specifics for ITCS104 chapter 3 section 3.5.3 Security advisory patch management (see Apar 5.6.1 tab). Sect 6: Activity auditing - added the ability for multiple file system names under the DIR_AUDIT and rsau/local/file parameters (Q220 & 227). Updated by: Nick Saxon

Version 8.2, 8-Jul-11: Updated to reflect changes in ITCS104 v8.2. Sect 1.1: Updated the use of Reference Userids. Sect 3.1: Corrected a link URL. Updated by: Adam Kasprzak

Version 9.0, 11-Oct-11: Updated to reflect changes in ITCS104 v9.0. Sect 7.1: Change "P" to "P or Any Internet Reachable". Added four new controls to 5.1 Operating system resources for the SECAUDIT log directory. Updated 1.1 Userids definition of Reference. Updated by: Adam Kasprzak

Version 9.1, 13-Apr-12: Updated version number only to reflect ITCS104 v9.1. There are no changes from ITCS104 v9.0. Updated by: Adam Kasprzak

Approvals

Name: pattabiraman veeramony
Role: IGA-INDIA SAP BASIS-Team Leader
Dates Approved: 25-Mar-08, 25-Sep-08, 4-Jun-09, 12-Oct-09, 14-Apr-10, 06/10/2010 (by default), 28/07/2011, 14-Dec-11


INSTRUCTIONS:

If the server value is NOT COMPLIANT with the value specified in the question (i.e. the answer is NO or N/A), you MUST enter the actual server setting or a comment to explain why the question is not applicable.

Machine Name/Identifier: FMC

Server Team & Contact: AHS SAP BASIS

Date Checked: 20/06/2012

Columns: Question No. | Appendix ref | Health Check Tool / Script | Heading | Question | Comments | Is this the case?

Q1 - 1.1 Userids - SAP Application Userids
Userid owner's 6 character employee serial number and 3 character personnel system code must be present in the Account No. field. Note: Applies to all types listed below: 1. Dialog 2. BDC / Background / System 3. CPIC / Communication 4. Service 5. Reference. Is this the case? YES (Comments: Nil)

Q2 - 1.1 Userids - SAP Application Userids
Sponsored userids must have * at the beginning of the userid owner's 6 character employee serial number and 3 character personnel system code. Note: Applies to all types listed below: 1. Dialog 2. BDC / Background / System 3. CPIC / Communication 4. Service 5. Reference. Is this the case? YES

Q3 - 1.1 Userids - SAP Application Userids
No SAP native profiles/roles can be assigned to any userid in production except for the exceptions noted within this table or the userid table in section 5.2 (see Tables control tab). Note: Applies to all types listed below: 1. Dialog 2. BDC / Background / System 3. CPIC / Communication 4. Service 5. Reference. Is this the case? YES

Q4 - 1.1 Userids - SAP Application Userids
Interactive dialog: Sponsored userids on a Production system must have the full name of the employee who will be using the userid. Is this the case? YES

Q5 - 1.1 Userids - SAP Application Userids
BDC / Background / System: Non-loggable (used for running jobs, system operations such as ALE, workflow, batch jobs, etc.): Userid is allowed to have a non-expiring password. Is this the case? YES

Q6 - 1.1 Userids - SAP Application Userids
BDC / Background / System: Non-loggable (used for running jobs, system operations such as ALE, workflow, batch jobs, etc.): Expired or initial passwords are not checked. Is this the case? YES

Q7 - 1.1 Userids - SAP Application Userids
CPIC / Communication: Non-loggable (used for system to system communication): Userid is allowed to have a non-expiring password. Is this the case? YES

Q8 - 1.1 Userids - SAP Application Userids
CPIC / Communication: Non-loggable (used for system to system communication): Expired or initial passwords are not checked. Is this the case? YES

Q9 - 1.1 Userids - SAP Application Userids
CPIC / Communication: Non-loggable (used for system to system communication): Password on a Production userid must be different from the password for the same userid on all non-production systems in the landscape. Is this the case? YES

Q10 - 1.1 Userids - SAP Application Userids
CPIC / Communication: Non-loggable (used for system to system communication): If the password of this userid is contained in a file (or files) at the operating system level, then the location of that file(s) needs to be documented and the permissions of the file(s) need to be set to 700 (i.e. read/write/execute permissions for the owning id of the file(s) only). Is this the case? YES

Q11 - 1.1 Userids - SAP Application Userids
CPIC / Communication: Non-loggable (used for system to system communication): Password on a test userid on test clients may be the same, but the password must be different from the Production userid and any other non-Test systems/clients. Is this the case? YES

12 1.1 Userids

SAP Application Userids

Service (4.6 C and higher) : Service IDs should generally not be used since they are not compliant with ITCS104 and adequate protections are not available in SAP to minimize the risk of users logging on to the IDs. However, if service IDs are absolutely necessary, the following three conditions must be met: 1. The ID must be set up with read only access. 2. The BPO must document the mitigating controls to ensure the IDs are not misused. 3. The SAP technical specification owner must approve the use of the service IDs. Is this the case ?

N/A

Q13 - 1.1 Userids - SAP Application Userids
Reference (4.6C and higher): Non-person user that allows for the assignment of identical users such as internet users (used for CRM and SRM systems). A Reference ID cannot directly log on to the system. 1. Userid is allowed to have a non-expiring password. 2. Expired or initial passwords are not checked. 3. All reference userids must be assigned to secure user group REFID<xx>. 4. Access to update userids in secure user group(s) is prohibited, except through a defined and controlled emergency process. Is this the case? N/A

Q14 - 1.1 Userids - Shared SAP application userids - Provider of service SAP application userids
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access: SAPCPIC: Userid type is CPIC or Communication. Is this the case? YES

Q15 - 1.1 Userids - Shared SAP application userids - Provider of service SAP application userids
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access: SAPCPIC: Profile S_A.CPIC must be assigned. Is this the case? YES

Q16 - 1.1 Userids - Shared SAP application userids - Provider of service SAP application userids
The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access: <provider of service defined; SAPLOOK is often used> (used by BTS or SAP when performing problem analysis): Userid type is dialog. Is this the case? YES

17 1.1 Userids

Shared SAP application userids - Provider of service SAP application userids

The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access : <provider of service defined. SAPLOOK is often used> (used by BTS or SAP when performing problem analysis) : Userid is locked or set to have the validity date in the past when not in use. Is this the case ?

YES

18 1.1 Userids

Shared SAP application userids - Provider of service SAP application userids

The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access : <provider of service defined. SAPLOOK is often used> (used by BTS or SAP when performing problem analysis) : SAP native roles/profiles can be assigned with the exception of SAP_ALL and/or SAP_NEW and/or equivalent. Is this the case ?

YES

19 1.1 Userids

Shared SAP application userids - Provider of service SAP application userids

The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access : <provider of service defined. CSTORE is often used> : Userid type is CPIC or Communication. Is this the case ?

YES

20 1.1 Userids

Shared SAP application userids - Provider of service SAP application userids

The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access : <provider of service defined. CSTORE is often used> : Profile Z9_CSTORE or equivalent must be assigned. Is this the case ?

YES

Q21 - 1.1 Userids - Shared SAP application userids - Application owner SAP application userids
The following ids may be required for the operation of SAP. The Application Owner must define and document the controls surrounding approvals, issuance, audit trails, and usage of these ids. Individual accountability must be maintained for dialog ids: <Customer defined> Dialog ID for emergency use (may be a stand-alone emergency access ID or an existing end-user ID): Userid type is dialog. Is this the case? YES

Q22 - 1.1 Userids - Shared SAP application userids - Application owner SAP application userids
The following ids may be required for the operation of SAP. The Application Owner must define and document the controls surrounding approvals, issuance, audit trails, and usage of these ids. Individual accountability must be maintained for dialog ids: <Customer defined> Dialog ID for emergency use (may be a stand-alone emergency access ID or an existing end-user ID): SAP native roles/profiles can be assigned with the exception of SAP_ALL and/or SAP_NEW and/or equivalent. Is this the case? YES

Q23 - 1.1 Userids - Shared SAP application userids - Application owner SAP application userids
The following ids may be required for the operation of SAP. The Application Owner must define and document the controls surrounding approvals, issuance, audit trails, and usage of these ids. Individual accountability must be maintained for dialog ids: <Customer defined> Dialog ID for emergency use (may be a stand-alone emergency access ID or an existing end-user ID): The use of prohibited system administrative authorization objects specified in section 5.2 may be necessary or required for emergency access. Is this the case? YES

Q24 - 1.1 Userids - Shared SAP application userids - Application owner SAP application userids
The following ids may be required for the operation of SAP. The Application Owner must define and document the controls surrounding approvals, issuance, audit trails, and usage of these ids. Individual accountability must be maintained for dialog ids: <Customer defined> Dialog ID for emergency use (may be a stand-alone emergency access ID or an existing end-user ID): If stand-alone emergency access IDs are used, the userid must be locked (or controlled by the validity date) when not in use and relocked when access is complete, and the password must be changed after each use. Is this the case? YES

Q25 - 1.1 Userids - Shared SAP application userids - Application owner SAP application userids
The following ids may be required for the operation of SAP. The Application Owner must define and document the controls surrounding approvals, issuance, audit trails, and usage of these ids. Individual accountability must be maintained for dialog ids: <Customer defined> Dialog ID for emergency use (may be a stand-alone emergency access ID or an existing end-user ID): If an existing end-user id is used, roles/profiles must be added prior to use and removed when access is complete. Is this the case? YES

Q26 - 1.1 Userids - Shared SAP application userids - Application owner SAP non-dialog operational userids
The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids: <Customer defined> (used for running batch jobs): Userid type is Background or BDC or System. Is this the case? YES

Q27 - 1.1 Userids - Shared SAP application userids - Application owner SAP non-dialog operational userids
The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids: <Customer defined> (used for running batch jobs): Userid must not have SAP_ALL and/or SAP_NEW and/or equivalent assigned. Is this the case? YES

Q28 - 1.1 Userids - Shared SAP application userids - Application owner SAP non-dialog operational userids
The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids: <Customer defined> (used for running batch jobs): Only access required per job description is allowed. Is this the case? YES

Q29 - 1.1 Userids - Shared SAP application userids - Application owner SAP non-dialog operational userids
The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids: WF-BATCH (Workflow Batch ID): Userid type is Background or BDC or System. Is this the case? YES

Q30 - 1.1 Userids - Shared SAP application userids - Application owner SAP non-dialog operational userids
The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids: WF-BATCH (Workflow Batch ID): Only access required per job description is allowed. Is this the case? YES

Q31 - 1.1 Userids - Shared SAP application userids - Application owner SAP non-dialog operational userids
The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids: WF-BATCH (Workflow Batch ID): Userid must not have SAP_ALL and/or SAP_NEW and/or equivalent assigned. Is this the case? YES

Q32 - 1.1 Userids - Shared SAP application userids - Application owner SAP non-dialog operational userids
The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids: <Customer defined> (Communication ID): Userid type is CPIC or Communication. Is this the case? YES

33 1.1 Userids

Shared SAP application userids - Application owner SAP non-dialog operational userids

The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids : <Customer defined> (Communication ID) : Only access required per job description is allowed. Is this the case ?

YES

Q34 - 1.1 Userids - Shared SAP application userids - Application owner SAP non-dialog operational userids
The following ids may be required for the operation of SAP. The Application Owner must define the controls surrounding these ids: <Customer defined> (Communication ID): Userid must not have SAP_ALL and/or SAP_NEW and/or equivalent assigned. Is this the case? YES

Q35 - 1.1 Userids - Shared SAP application userids - Application owner SAP application test userids
The following ids may be used to test SAP access. The Application Owner must define the controls surrounding use of these userids: <Customer defined> (used for testing project defined roles or profiles): Must not exist on the production client. Note: see section 5.2 for information on shared privileged SAP userids. Is this the case? YES

Q36 - 1.1 Userids - Shared SAP application userids - Application owner SAP application test userids
The following ids may be used to test SAP access. The Application Owner must define the controls surrounding use of these userids: <Customer defined> (used for testing project defined roles or profiles): Production role(s)/profile(s) will be assigned to an id. Note: see section 5.2 for information on shared privileged SAP userids. Is this the case? YES

Q37 - 1.1 Userids - Shared SAP application userids - Application owner SAP application test userids
The following ids may be used to test SAP access. The Application Owner must define the controls surrounding use of these userids: <Customer defined> (used for testing project defined roles or profiles): Passwords may be shared. Note: see section 5.2 for information on shared privileged SAP userids. Is this the case? YES

Q38 - 1.1 Userids - Shared SAP application userids - Application owner SAP application test userids
The following ids may be used to test SAP access. The Application Owner must define the controls surrounding use of these userids: <Customer defined> (used for testing project defined roles or profiles): Individual accountability does not have to be maintained. Note: see section 5.2 for information on shared privileged SAP userids. Is this the case? YES

Q39 - 1.1 Userids - Operating system userids AIX
Must be limited to approved systems and application support personnel. Note: see section 5.2 for information on shared privileged operating system userids. Is this the case? YES

Q40 - 1.1 Userids - Operating system userids AIX
No DB2 users except db2<sid>, <sid>adm, or DB2 Replication userids. Note: see section 5.2 for information on shared privileged operating system userids. Is this the case? N/A

Q41 - 1.1 Userids - Operating system userids AIX
If DB2 replication is used, the following rules must apply: 1. The gecos field in the /etc/passwd file must be updated to include a description of the purpose of the id (without removing or modifying any existing data in the field). Is this the case? N/A

Q42 - 1.1 Userids - Operating system userids AIX
If DB2 replication is used, the following rules must apply: 2. Userids using only the Capture process must be limited to DBADM auth. Is this the case? N/A

Q43 - 1.1 Userids - Operating system userids AIX
If DB2 replication is used, the following rules must apply: 3. Userids using only the Apply process must be limited to only having SELECT access to the SAPR3 or SAP<sid> table schemas. Is this the case? N/A

Q44 - 1.1 Userids - Operating system userids AIX
If DB2 replication is used, the following rules must apply: 4. The same userid using both Capture and Apply processes must be limited to DBADM auth. Is this the case? N/A

Q45 - 1.1 Userids - Operating system userids AIX
The DB2 Replication Capture userid must not update any tables in the SAPR3 or SAP<sid> table schemas. Note: see section 5.2 for information on shared privileged operating system userids. Is this the case? N/A

Q46 - 1.1 Userids - Operating system userids DB2 Replication
DB2 Replication (Capture and/or Apply process): DB2I ID: rlogin=false. Is this the case? N/A

Q47 - 1.1 Userids - Operating system userids DB2 Replication
DB2 Replication (Capture and/or Apply process): DB2I ID: login=false. Is this the case? N/A

Q48 - 1.1 Userids - System clients
Client 000 (SAP Reference client): must exist on system. Applicable system types: S,D,C,E,R,P. Is this the case? YES

49 1.1 Userids

50 1.1 Userids

51 1.1 Userids

52 1.1 Userids

System clients

System clients

System clients

System clients

Client 001 (SAP sample client) : must exist on system. applicable system types : S,D,C,E,R,P Is this the case ?

Client 066 (EarlyWatch client) : must exist on system. applicable system types : S,D,C,E,R,P Is this the case ?

Production client <other>: must exist on system. applicable system types : P Is this the case ?

Production client <other>: Client number defined as required by project applicable system types : P Is this the case ?

YES

YES

N/A

N/A

Q53 - 1.1 Userids - System clients
Client <other>: must be defined as required by project. Applicable system types: S,D,C,E,R. Is this the case? YES

Q54 - 1.1 Userids - System profile
login/no_automatic_user_sapstar: must be set to 0 or 1 (optional). Applicable system types: S,D,C,E,R (if 0, there must be controls surrounding the SAP* userid to ensure it is not deleted). Is this the case? YES

Q55 - 1.1 Userids - Employment verification
Quarterly employment verification checks must be done on all clients. Applicable system types: S,D,C,E,R,P. Is this the case? YES

Q56 - 2.1 Reusable passwords - System profile
login/min_password_lng: must be set to 8. Applicable system types: S,D,C,E,R,P. Is this the case? YES

Q57 - 2.1 Reusable passwords - System profile
login/password_expiration_time: must be set to 90. Applicable system types: S,D,C,E,R,P. Is this the case? YES

Q58 - 2.1 Reusable passwords - System profile
login/min_password_diff: must be set to 1. Applicable system types: S,D,C,E,R,P. Is this the case? YES

Q59 - 2.1 Reusable passwords - System profile
For SAP 4.7 and higher: login/min_password_digits must be set to 1. Applicable system types: S,D,C,E,R,P. Is this the case? NA

60 2.1 Reusable passwords

61 2.1 Reusable passwords

62 2.1 Reusable passwords

System profile

System profile

System profile

For SAP 4.7 and higher : login/min_password_letters must be set to 1. applicable system types : S,D,C,E,R,P Is this the case ?

For Basis 7.0 and ECC 6.0, and higher : login/password_change_waittime must be set to 1. applicable system types : S,D,C,E,R,P Is this the case ?

For Basis 7.0 and ECC 6.0, and higher : login/password_history_size must be set to 8. applicable system types : S,D,C,E,R,P Is this the case ?

NA

NA

NA
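The password rows of section 2.1 (Q56 to Q62, plus the login/no_automatic_user_sapstar rule in Q54) are comparisons of a profile parameter against a fixed value, so they can be checked from the profile text on the host. The following is an added example and not part of the ITCS104 proforma: a POSIX shell script (it avoids bash and GNU-only features so it also runs under AIX ksh) that reads each login/* parameter from a profile file and compares it with the required value for the release given. The profile path, the numeric release argument (46, 47, or 70 for Basis 7.0 / ECC 6.0), the P/D system-type argument and the constructed sample profile are assumptions of the example; the script reads only the file and does not query the running instance, so RZ11 remains the authoritative view of the effective value.

```shell
#!/bin/sh
# Added example, not part of the ITCS104 proforma: compare the login/*
# password parameters in an SAP profile file with the section 2.1 values.
# Release is passed as 46, 47 or 70 (Basis 7.0 / ECC 6.0); third argument is
# the system type, P for production (assumed conventions of this example).

# profile_value FILE PARAM -> prints the effective value of PARAM in FILE:
# comment lines are skipped, the last assignment wins, empty if not set.
profile_value() {
    awk -v p="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == p) val = v
        }
        END { print val }' "$1"
}

# check_param FILE PARAM ALLOWED... -> 0 when the value is one of ALLOWED.
# Otherwise prints the actual value (what the instructions require to be
# recorded for a NO answer) and returns 1. An unset parameter is treated as
# not compliant, because the kernel default then applies, not the required value.
check_param() {
    cp_file=$1; cp_param=$2; shift 2
    cp_val=$(profile_value "$cp_file" "$cp_param")
    for cp_allowed in "$@"; do
        [ "$cp_val" = "$cp_allowed" ] && return 0
    done
    echo "NOT COMPLIANT: $cp_param = '${cp_val:-<not set>}' (required: $*)"
    return 1
}

# audit_password_profile FILE RELEASE [SYSTYPE] -> 0 only if every parameter
# that section 2.1 requires for that release is set as required.
audit_password_profile() {
    ap_file=$1; ap_rel=$2; ap_type=${3:-P}; ap_rc=0
    check_param "$ap_file" login/min_password_lng 8          || ap_rc=1
    check_param "$ap_file" login/password_expiration_time 90 || ap_rc=1
    check_param "$ap_file" login/min_password_diff 1         || ap_rc=1
    if [ "$ap_rel" -ge 47 ]; then                       # SAP 4.7 and higher
        check_param "$ap_file" login/min_password_digits 1  || ap_rc=1
        check_param "$ap_file" login/min_password_letters 1 || ap_rc=1
    fi
    if [ "$ap_rel" -ge 70 ]; then                       # Basis 7.0 / ECC 6.0 and higher
        check_param "$ap_file" login/password_change_waittime 1 || ap_rc=1
        check_param "$ap_file" login/password_history_size 8    || ap_rc=1
    fi
    if [ "$ap_type" != P ]; then                        # Q54: non-production only
        check_param "$ap_file" login/no_automatic_user_sapstar 0 1 || ap_rc=1
    fi
    return $ap_rc
}

# Constructed sample profile (not taken from any real system) so the script
# can be exercised offline; history size is deliberately left below 8.
write_sample_profile() {
    cat > "$1" <<'EOF'
# constructed DEFAULT.PFL fragment for the example
login/min_password_lng = 8
login/password_expiration_time = 90
login/min_password_diff = 1
login/min_password_digits = 1
login/min_password_letters = 1
login/password_change_waittime = 1
login/password_history_size = 5
login/no_automatic_user_sapstar = 1
EOF
}

# Usage: sh check_login_params.sh /sapmnt/<SID>/profile/DEFAULT.PFL 70 P
if [ $# -gt 0 ]; then
    audit_password_profile "$1" "${2:-70}" "${3:-P}" && echo "login/* password parameters compliant"
fi
```

Run it against the instance profile as well as DEFAULT.PFL, since an instance profile overrides the default for that instance; whichever file sets the parameter last is the one the checklist answer should be based on.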

Q63 - 3.1 Business Use Notice - Business Use Notice
Business Use Notice must be implemented. SAP release 4.5 and lower: go to transaction SE80 => Repository Information System => Program Library => Program Sub-Object => Screen; enter the program name (SAPMSYST) and the screen number (0020). SAP release 4.6 and higher: see SAP OSS note 205487 for instructions. Is this the case? YES

Q64 - 3.1 Business Use Notice (Chapter 1.3.3 Authorization) - Business Use Notice
The following notification (or equivalent statements, with concurrence of IBM counsel) must be presented to people logging onto IBM systems during the identification and authentication process if the IBM system is running an operating system that can provide such a notification: "IBM's internal systems must only be used for conducting IBM's business or for purposes authorized by IBM management". Is this the case? YES

Q65 - 3.1 Business Use Notice - Business Use Notice
For all SAP systems (non-production and production) that do not contain SPI or PI, or are not subject to export control restrictions/prohibitions, the following text is required: "Unless previously authorized, this system must not include information that is subject to export control restrictions/prohibitions, Sensitive Personal Information (SPI) or Personal Information (PI). Refer to: Privacy and Data Protection (hyperlink in commentary cell) for detailed requirements." Is this the case? YES

Q66 - 4.1 Encryption - Storage
Native SAP Credit Card Encryption must be used. As of 2007, SAP only supports encryption of passwords and credit card numbers. Password encryption is standard SAP functionality. Is this the case? YES

67 4.1 Encryption

Storage

In order to implement encryption of credit card numbers, the following OSS notes must be evaluated and implemented if applicable : Release independent OSS notes: 455033, 690999, 894022, 1042745, 1034482 Core OSS notes for encryption on 4.6C system: 633462, 662340, 766703, 813198, 827347, 836079 Other OSS notes for consideration for 4.6C system: 663593, 738459, 790161, 791178, 812658, 840392, 858295, 874594, 978358 Note: This list is the minimum list of OSS notes to be reviewed for a 4.6C system. OSS should be searched for other releases and for other notes which may apply to functions in use for each SAP System. Is this the case ?

YES

5.1 Operating system resources

5.1 Operating system resources

5.1 Operating system resources

AIX settings

AIX settings

AIX settings

/secaudit Owner is <sid>adm Is this the case?

/secaudit Group is sapsys Is this the case?

/secaudit Permission is 750 Is this the case?

YES

YES

YES

5.1 Operating system resources

5.1 Operating system resources

5.1 Operating system resources

AIX settings

AIX settings

AIX settings

/secaudit/<sid> Owner is <sid>adm Is this the case?

/secaudit/<sid> Group is sapsys Is this the case?

/secaudit/<sid> Permission is 750 Is this the case?

YES

YES

YES

5.1 Operating system resources

5.1 Operating system resources

5.1 Operating system resources

AIX settings

AIX settings

AIX settings

/secaudit/* Owner is <sid>adm Is this the case?

/secaudit/* Group is sapsys Is this the case?

/secaudit/* Permission is xx0 Is this the case?

YES

YES

YES

5.1 Operating system resources

5.1 Operating system resources

5.1 Operating system resources

AIX settings

AIX settings

AIX settings

/secaudit/<sid>/* Owner is <sid>adm Is this the case?

/secaudit/<sid>/* Group is sapsys Is this the case?

/secaudit/<sid>/* Permission is xx0 Is this the case?

N/A

N/A

N/A

5.1 Operating system resources

5.1 Operating system resources

5.1 Operating system resources

AIX settings

AIX settings

AIX settings

SUDO access list file /etc/sudoers Owner is root Is this the case?

SUDO access list file /etc/sudoers Group is system Is this the case?

SUDO access list file /etc/sudoers Permission is 440 Is this the case?

YES

YES

YES

Q73 - 5.1 Operating system resources - AIX settings
SUDO log /var/adm/sudo.log: Owner is root. Is this the case? YES

5.1 Operating system resources - AIX settings
SUDO log /var/adm/sudo.log: Group is system. Is this the case? YES

5.1 Operating system resources - AIX settings
SUDO log /var/adm/sudo.log: Permission must be 600. Is this the case? YES

Q74 - 5.1 Operating system resources - AIX settings
SU log /var/adm/sulog: Owner is root. Is this the case? YES

Q75 - 5.1 Operating system resources - AIX settings
SU log /var/adm/sulog: Group is system. Is this the case? YES

Q76 - 5.1 Operating system resources - AIX settings
SU log /var/adm/sulog: Permission must be 600. Is this the case? YES

Q77 - 5.1 Operating system resources - AIX settings
<sid>adm, SAPR3, SAP<sid> password file for SAP 4.x and higher; /sapmnt/<sid>/global/xxxx.conf: Owner is d2<sid>. Note: <sid> represents the system id of the SAP system. Is this the case? YES

Q78 - 5.1 Operating system resources - AIX settings
<sid>adm, SAPR3, SAP<sid> password file for SAP 4.x and higher; /sapmnt/<sid>/global/xxxx.conf: Group is sapsys. Note: <sid> represents the system id of the SAP system. Is this the case? YES

Q79 - 5.1 Operating system resources - AIX settings
<sid>adm, SAPR3, SAP<sid> password file for SAP 4.x and higher; /sapmnt/<sid>/global/xxxx.conf: Permission must be 740 (SAP releases below 4.6) or 640 (SAP 4.6 and higher). Note: <sid> represents the system id of the SAP system. Is this the case? YES

Q80 - 5.1 Operating system resources - AIX settings
/sapmnt/<sid>/exe: Owner is <sid>adm. Note: <sid> represents the system id of the SAP system. Is this the case? YES

Q81 - 5.1 Operating system resources - AIX settings
/sapmnt/<sid>/exe: Group is sapsys. Note: <sid> represents the system id of the SAP system. Is this the case? YES

82 5.1 Operating system resources

83 5.1 Operating system resources

84 5.1 Operating system resources

85 5.1 Operating system resources

AIX settings

AIX settings

AIX settings

AIX settings

/sapmnt/<sid>/exe/sapos /sapmnt/<sid>/exe/sapos /sapmnt/<sid>/exe/sapos col : /sapmnt/<sid>/exe : col : col : Permission must be Permission must be 775. Owner is root Group is sapsys 4755. Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?

YES

YES

YES

YES

86 5.1 Operating system resources

87 5.1 Operating system resources

88 5.1 Operating system resources

89 5.1 Operating system resources

AIX settings

AIX settings

AIX settings

AIX settings

/sapmnt/<sid>/global : Owner is <sid>adm

/sapmnt/<sid>/global : Group is sapsys

/sapmnt/<sid>/global :

/sapmnt/<sid>/profile :

Permission must be 700. Owner is <sid>adm

Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?

YES

YES

YES

YES

90 5.1 Operating system resources

91 5.1 Operating system resources

92 5.1 Operating system resources

93 5.1 Operating system resources

AIX settings

AIX settings

AIX settings

AIX settings

/sapmnt/<sid>/profile : Group is sapsys

/sapmnt/<sid>/profile :

/usr/sap/<sid> :

/usr/sap/<sid><instance id> :

Permission must be 755. Permission must be 751. Permission must be 755.

Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?

YES

YES

YES

YES

94 5.1 Operating system resources

95 5.1 Operating system resources

96 5.1 Operating system resources

97 5.1 Operating system resources

AIX settings

AIX settings

AIX settings

AIX settings

/usr/sap/<sid><instance id>/* : Owner is <sid>adm

/usr/sap/<sid><instance id>/* : Group is sapsys

/usr/sap/<sid><instance id>/* :

/usr/sap/<sid><instance id>/sec :

Permission must be 750. Owner is <sid>adm

Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?

YES

YES

YES

YES

98 5.1 Operating system resources

99 5.1 Operating system resources

100 5.1 Operating system resources

101 5.1 Operating system resources

AIX settings

AIX settings

AIX settings

AIX settings

/usr/sap/<sid><instance id>/sec : Group is sapsys

/usr/sap/<sid><instance id>/sec :

/usr/sap/<sid>/SYS :

/usr/sap/<sid>/SYS : Group is sapsys

Permission must be 700. Owner is <sid>adm

Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?

YES

YES

YES

YES

102 5.1 Operating system resources

103 5.1 Operating system resources

104 5.1 Operating system resources

105 5.1 Operating system resources

AIX settings

AIX settings

AIX settings

AIX settings

/usr/sap/<sid>/SYS :

/usr/sap/<sid>/SYS/* :

/usr/sap/<sid>/SYS/* : Group is sapsys

/usr/sap/<sid>/SYS/* : Permission must be 755.

Permission must be 755. Owner is <sid>adm

Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?

YES

YES

YES

YES

106 5.1 Operating system resources

107 5.1 Operating system resources

108 5.1 Operating system resources

109 5.1 Operating system resources

AIX settings

AIX settings

AIX settings

AIX settings

/usr/sap/trans : Owner is <sid>adm

/usr/sap/trans : Group is sapsys

/usr/sap/trans :

/usr/sap/trans/* :

Permission must be 775. Owner is <sid>adm

Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?

YES

YES

YES

N/A

110 5.1 Operating system resources

111 5.1 Operating system resources

112 5.1 Operating system resources

113 5.1 Operating system resources

AIX settings

AIX settings

AIX settings

AIX settings

/usr/sap/trans/* : Group is sapsys

/usr/sap/trans/* :

/usr/sap/trans/.sapconf : /usr/sap/trans/.sapconf : Group is sapsys

Permission must be 770. Owner is <sid>adm

Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?

N/A

N/A

N/A

N/A

114 5.1 Operating system resources

115 5.1 Operating system resources

116 5.1 Operating system resources

117 5.1 Operating system resources

AIX settings

AIX settings

AIX settings

AIX settings

/<home directory of /usr/sap/trans/.sapconf : <sid>adm> : Permission must be 775. Owner is <sid>adm

/<home directory of <sid>adm> : Group is sapsys

/<home directory of <sid>adm> : Permission must be 700.

Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?

N/A

N/A

N/A

N/A

118 5.1 Operating system resources

119 5.1 Operating system resources

120 5.1 Operating system resources

121 5.1 Operating system resources

AIX settings

AIX settings

AIX settings

AIX settings

/<home directory of <sid>adm>/* : Owner is <sid>adm

/<home directory of <sid>adm>/* : Group is sapsys

/<home directory of <sid>adm>/* :

/db2/<sid> :

Permission must be 700. Owner is db2<sid>

Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?

N/A

N/A

N/A

N/A

122 5.1 Operating system resources

123 5.1 Operating system resources

124 5.1 Operating system resources

125 5.1 Operating system resources

AIX settings

AIX settings

AIX settings

AIX settings

/db2/<sid> : Group is sysadm (SAP <4.6) Group is db<sid>adm (SAP 4.6+)

/db2/<sid>/log_dir : Group is sysadm (SAP <4.6) Group is db<sid>adm (SAP 4.6+)

/db2/<sid> :

/db2/<sid>/log_dir :

Permission must be 755. Owner is db2<sid>

Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?

N/A

N/A

N/A

N/A

126 5.1 Operating system resources

127 5.1 Operating system resources

128 5.1 Operating system resources

129 5.1 Operating system resources

AIX settings

AIX settings

AIX settings

AIX settings

/db2/<sid>/log_archive : Group is sysadm (SAP /db2/<sid>/log_archive : <4.6) Group is db<sid>adm Permission must be 755. Owner is db2<sid> (SAP 4.6+) /db2/<sid>/log_dir :

/db2/<sid>/log_archive : Permission must be 755.

Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?

N/A

N/A

N/A

N/A

130 5.1 Operating system resources

131 5.1 Operating system resources

132 5.1 Operating system resources

133 5.1 Operating system resources

AIX settings

AIX settings

AIX settings

AIX settings

/db2/<sid>/log_retrieve : /db2/<sid>/log_retrieve : (SAP <4.6) Group is db<sid>adm Owner is db2<sid> (SAP 4.6+) /db2/<sid>/log_retrieve : /db2/<sid>/sapdata<x> : Permission must be 755. Owner is db2<sid>

Note: <sid> represents Note: <sid> represents Note: <sid> represents Note: <sid> represents the system id of the SAP the system id of the SAP the system id of the SAP the system id of the SAP system. system. system. system. Is this the case ? Is this the case ? Is this the case ? Is this the case ?

N/A

N/A

N/A

N/A

134 5.1 Operating system resources

135 5.1 Operating system resources

136 5.1 Operating system resources

137 5.1 Operating system resources

AIX settings

AIX settings

AIX settings

AIX settings

/db2/<sid>/sapdata<x> : /db2/<sid>/sapdata<x> : ~/db2<dbsid>/<db2_soft ware> : Group is sysadm (SAP Permission must be <4.6) (<=SAP 4.7) For SAP installations Group is db<sid>adm Permission must be 750 write access to these (SAP 4.6+) (SAP NW 7.0+) directories / files is not restricted to DB2 Note: <sid> represents Note: <sid> represents Instance owner and the the system id of the SAP the system id of the SAP SYSADM/SYSCTRL/SY system. system. SMAINT group Is this the case ? Is this the case ? Is this the case ?

Any directories / files used in creation of userids or assignment of access in SAP : Files must be protected by permissions of 774 or higher. Is this the case ?

N/A

N/A

N/A

YES

138 5.1 Operating system resources

139 5.1 Operating system resources

140 5.1 Operating system resources

141 5.1 Operating system resources

AIX settings

AIX settings

AIX settings

AIX settings

/.netrc (allows remote access) : /.netrc (allows remote access) : Owner has read and write access. Is this the case ? /.rhosts (allows remote sid<adm> must also access) : have read and/or write access if file is accessed must have read access from SAP application. only by root. Is this the case ? Is this the case ? /.rhosts (allows remote access) : must have write access only by root. Is this the case ?

YES

YES

YES

YES

142 5.1 Operating system resources

143 5.1 Operating system resources

144 5.1 Operating system resources

AIX settings

AIX settings

AIX settings

The following AIX userid and primary AIX groupid combination may own OSRs in the SAP AIX environment : Userid: root Groupid: system Is this the case ?

The following AIX userid and primary AIX groupid combination may own OSRs in the SAP AIX environment : Userid: db2<sid> Groupid: sapsys Is this the case ?

The following AIX userid and primary AIX groupid combination may own OSRs in the SAP AIX environment : Userid: <sid>adm Groupid: sapsys Is this the case ?

YES

YES

YES
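An added example, not part of the ITCS104 proforma or of any IBM tooling, that applies the fixed owner / group / permission rows of section 5.1 above to one SAP system using only ls(1), so the same script runs on AIX and Linux; the script name audit_osr.sh and the system id PRD are assumptions, and rows whose value depends on the SAP release or instance id are left out.

```shell
#!/bin/sh
# Added example, not part of the ITCS104 proforma: audit the owner / group /
# permission rows of section 5.1 (AIX settings) for one SAP system. Only ls(1)
# is used, so the same script runs on AIX and on Linux without GNU stat(1).

# mode_to_octal SYMBOLIC -> prints the octal mode of an `ls -l` mode string,
# e.g. "-rwsr-xr-x" -> 4755 and "drwx------" -> 700. s/S/t/T in the execute
# positions contribute the setuid, setgid and sticky bits.
mode_to_octal() {
    sym=$1
    special=0
    digits=""
    i=2                                   # position 1 is the file type
    while [ "$i" -le 8 ]; do
        trip=$(printf '%s' "$sym" | cut -c"$i"-"$((i + 2))")
        r=$(printf '%s' "$trip" | cut -c1)
        w=$(printf '%s' "$trip" | cut -c2)
        x=$(printf '%s' "$trip" | cut -c3)
        val=0
        [ "$r" = r ] && val=$((val + 4))
        [ "$w" = w ] && val=$((val + 2))
        case $x in x|s|t) val=$((val + 1)) ;; esac
        case "$i$x" in                    # 2 = user, 5 = group, 8 = other
            2s|2S) special=$((special + 4)) ;;
            5s|5S) special=$((special + 2)) ;;
            8t|8T) special=$((special + 1)) ;;
        esac
        digits="$digits$val"
        i=$((i + 3))
    done
    [ "$special" -eq 0 ] && special=""
    printf '%s%s\n' "$special" "$digits"
}

# check_osr PATH OWNER GROUP MODE -> 0 when PATH matches, 1 otherwise.
# "-" for OWNER or GROUP means the proforma states no value for that field.
check_osr() {
    path=$1 want_owner=$2 want_group=$3 want_mode=$4
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    set -- $(ls -ld "$path")              # mode links owner group size ...
    got_mode=$(mode_to_octal "$1")
    got_owner=$3
    got_group=$4
    ok=1
    [ "$want_owner" = - ] || [ "$got_owner" = "$want_owner" ] || ok=0
    [ "$want_group" = - ] || [ "$got_group" = "$want_group" ] || ok=0
    [ "$got_mode" = "$want_mode" ] || ok=0
    if [ "$ok" -eq 1 ]; then
        echo "OK       $path $got_owner:$got_group $got_mode"
        return 0
    fi
    echo "MISMATCH $path expected $want_owner:$want_group $want_mode, found $got_owner:$got_group $got_mode"
    return 1
}

# audit_sap_osrs SID -> runs the section 5.1 rows that name fixed values for a
# system with id SID; prints one line per check and returns the failure count.
# Rows whose value depends on the SAP release or instance id are left out.
audit_sap_osrs() {
    sid=$1
    sidadm=$(printf '%s' "$sid" | tr 'A-Z' 'a-z')adm   # <sid>adm is lower case
    fail=0
    while read -r p o g m; do
        [ -n "$p" ] || continue
        check_osr "$p" "$o" "$g" "$m" || fail=$((fail + 1))
    done <<EOF
/etc/sudoers              root      system  440
/var/adm/sudo.log         root      system  600
/var/adm/sulog            root      system  600
/sapmnt/$sid/exe          $sidadm   sapsys  775
/sapmnt/$sid/exe/saposcol root      sapsys  4755
/sapmnt/$sid/global       $sidadm   sapsys  700
/sapmnt/$sid/profile      $sidadm   sapsys  755
/usr/sap/$sid             -         -       751
/usr/sap/$sid/SYS         $sidadm   sapsys  755
/usr/sap/trans            $sidadm   sapsys  775
EOF
    return $fail
}

# Usage (script name is hypothetical): sh audit_osr.sh --sid PRD
case ${1:-} in
    --sid) audit_sap_osrs "$2" ;;
esac
```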

No. | Section | Check | Is this the case?
145 | 5.1 Operating system resources - AIX settings | The following AIX userid and primary AIX groupid combination may own OSRs in the SAP AIX environment : Userid: Application owner userids; Groupid: Application owner groups | YES

5.2 System and security administrative authority - Shared SAP application userids - Provider of service privileged SAP application userids

Rows 146 to 157: The following ids are required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access :

No. | Userid | Requirement | Is this the case?
146 | SAP* | Userid type is dialog | YES
147 | SAP* | Userid must exist in all clients | YES
148 | SAP* | Userid must never be deleted | YES
149 | SAP* | Userid must be locked in all clients except when required for system maintenance | YES
150 | SAP* | Userid must be assigned to group SUPER in each client | YES
151 | SAP* | Profiles SAP_ALL and SAP_NEW, or equivalent, are assigned | YES
152 | DDIC | Userid type is dialog | YES
153 | DDIC | Userid must exist in client 000, 001, 100 (or the production client) and any client in the CTS path | YES
154 | DDIC | Userid must never be deleted | YES
155 | DDIC | Userid must never be locked | YES
156 | DDIC | Userid must be assigned to group SUPER | YES
157 | DDIC | Profiles SAP_ALL and SAP_NEW, or equivalent, are assigned | YES

Rows 158 to 165: The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access :

No. | Userid | Requirement | Is this the case?
158 | <provider of service defined> (used for installing Hotpacks or system upgrades) | Userid type is dialog | YES
159 | <provider of service defined> (used for installing Hotpacks or system upgrades) | Userid must be assigned to group SUPER | N/A
160 | <provider of service defined> (used for installing Hotpacks or system upgrades) | Userid must only exist in client 000 | N/A
161 | <provider of service defined> (used for installing Hotpacks or system upgrades) | Profiles SAP_ALL and SAP_NEW, or equivalent, can be assigned | N/A
162 | EARLYWATCH (used by SAP / BTS when Earlywatch sessions are conducted) | Userid type is dialog | N/A
163 | EARLYWATCH (used by SAP / BTS when Earlywatch sessions are conducted) | Userid must only exist in client 066 | N/A
164 | EARLYWATCH (used by SAP / BTS when Earlywatch sessions are conducted) | Userid must be locked when not in use | N/A
165 | EARLYWATCH (used by SAP / BTS when Earlywatch sessions are conducted) | Profile S_TOOLS_EX_A is assigned | N/A

5.2 System and security administrative authority - Shared SAP application userids - Provider of service privileged SAP application userids

Row 166: The following ids may be required for the operation of SAP. The password of these ids may be provided to the System Administrative group supporting the SAP instance provided that individual accountability is maintained for dialog ids. The Provider of Service must define the controls surrounding this access :

No. | Userid | Requirement | Is this the case?
166 | EARLYWATCH (used by SAP / BTS when Earlywatch sessions are conducted) | If SDCCN is used, profile S_SDCC_ADM_N must also be assigned | N/A

5.2 System and security administrative authority - AIX provider of service shared userids

Rows 167 to 182: The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids :

No. | Userid | Requirement | Is this the case?
167 | ROOT (AIX) | rlogin=false | N/A
168 | ROOT (AIX) | login=true (on SAP instances where there are no sensitive programs) | N/A
169 | ROOT (AIX) | login=false (on SAP instances where sensitive programs reside) | N/A
170 | ROOT (AIX) | Root must be included in the /etc/ftpusers file | N/A
171 | DB2<sid> (AIX with DB2) | rlogin=true | N/A
172 | DB2<sid> (AIX with DB2) | login=true (when using DB02 for DB connection functions) | N/A
173 | DB2<sid> (AIX with DB2) | login=false (otherwise) | N/A
174 | <sid>ADM (AIX with DB2) | rlogin=true | N/A
175 | <sid>ADM (AIX with DB2) | login=false | N/A
176 | <sid>ADM (AIX with DB2) | NOCHECK must be set in /etc/security/passwd | N/A
177 | SAPR3 (AIX with DB2) | May be the DB2 owner of the SAP database | N/A
178 | SAPR3 (AIX with DB2) | Userid cannot connect / sign on to DB2 and is not a DB2 user | N/A
179 | SAPR3 (AIX with DB2) | rlogin=true | N/A
180 | SAPR3 (AIX with DB2) | login=true | N/A
181 | SAPR3 (AIX with DB2) | NOCHECK must be set in /etc/security/passwd | N/A
182 | SAP<sid> (AIX with DB2) | May be the DB2 owner of the SAP database | N/A

183 5.2 System and security administrative authority

AIX provider of service shared userids

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAP<sid> (AIX with DB2) : Userid cannot connect / sign on to DB2 and is not a DB2 user. Is this the case ? N/A

184 5.2 System and security administrative authority

AIX provider of service shared userids

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAP<sid> (AIX with DB2) : rlogin=true Is this the case ? N/A

185 5.2 System and security administrative authority

AIX provider of service shared userids

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAP<sid> (AIX with DB2) : login=true Is this the case ? N/A

186 5.2 System and security administrative authority

AIX provider of service shared userids

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAP<sid> (AIX with DB2) : NOCHECK must be set in /etc/security/passwd. Is this the case ? N/A

187 5.2 System and security administrative authority

AIX provider of service shared userids

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAP<sid>DB (AIX with DB2) : May be the DB2 owner of SAP database. Is this the case ? N/A

188 5.2 System and security administrative authority

AIX provider of service shared userids

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAP<sid>DB (AIX with DB2) : Userid cannot connect / sign on to DB2 and is not a DB2 user. Is this the case ? N/A

189 5.2 System and security administrative authority

AIX provider of service shared userids

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAP<sid>DB (AIX with DB2) : rlogin=true Is this the case ? N/A

190 5.2 System and security administrative authority

AIX provider of service shared userids

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAP<sid>DB (AIX with DB2) : login=true Is this the case ? N/A

191 5.2 System and security administrative authority

AIX provider of service shared userids

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : SAP<sid>DB (AIX with DB2) : NOCHECK must be set in /etc/security/passwd. Is this the case ? N/A

192 5.2 System and security administrative authority

AIX provider of service shared userids

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : cstore : rlogin=false Is this the case ? N/A

193 5.2 System and security administrative authority

194 5.2 System and security administrative authority

AIX provider of service shared userids

zOS/OS390 provider of service shared userids

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access. Any additional AIX privileged userids in support of Bolt on applications must be identified and documented. Support personnel must use SUDO from their personal id to connect to any shared AIX userids : cstore : login=false Is this the case ? N/A

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : General: RACF logging must be enabled. Is this the case ? N/A

195 5.2 System and security administrative authority

196 5.2 System and security administrative authority

zOS/OS390 provider of service shared userids

zOS/OS390 provider of service shared userids

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : SAPR3 (RACF group) :

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : SAPR3 (RACF group) :

Must not be an operating system userid. Is this the case ? N/A

Must be a RACF group. Is this the case ? N/A

197 5.2 System and security administrative authority

198 5.2 System and security administrative authority

zOS/OS390 provider of service shared userids

zOS/OS390 provider of service shared userids

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : SAPR3 (RACF group) : DB2 user exit must be active. Is this the case ? N/A

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : SAPR3 (RACF group) : RACF list of groups checking must be enabled. Is this the case ? N/A

199 5.2 System and security administrative authority

200 5.2 System and security administrative authority

zOS/OS390 provider of service shared userids

zOS/OS390 provider of service shared userids

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : SAPR3 (RACF group) :

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access :

SAP<sid> (RACF group) : System administrator access to resources is done via PERMITs to resources, which are Must not be an operating system controlled by RACF. userid. Is this the case ? N/A Is this the case ? N/A

201 5.2 System and security administrative authority

202 5.2 System and security administrative authority

zOS/OS390 provider of service shared userids

zOS/OS390 provider of service shared userids

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : SAP<sid> (RACF group) : Must be a RACF group. Is this the case ? N/A

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : SAP<sid> (RACF group) : DB2 user exit must be active. Is this the case ? N/A

203 5.2 System and security administrative authority

204 5.2 System and security administrative authority

zOS/OS390 provider of service shared userids

zOS/OS390 provider of service shared userids

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : SAP<sid> (RACF group) : RACF list of groups checking must be enabled. Is this the case ? N/A

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : SAP<sid> (RACF group) : System administrator access to resources is done via PERMITs to resources, which are controlled by RACF. Is this the case ? N/A

205 5.2 System and security administrative authority

206 5.2 System and security administrative authority

zOS/OS390 provider of service shared userids

zOS/OS390 provider of service shared userids

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : ICLI<sid> (OpenEdition) : Runs the ICLI server. Is this the case ? N/A

The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : ICLI<sid> (OpenEdition) : Requires OMVS segment in RACF definition. Is this the case ? N/A

207 5.2 System and security administrative authority

zOS/OS390 provider of service shared userids End of Checklist - Part 1 The following ids are required for the operation of SAP. The password of these ids may be shared among the System Administrative group supporting the SAP instance provided that individual accountability is maintained. The Provider of Service must define the controls surrounding this access : ICLI<sid> (OpenEdition) : Must not have TSO segment (in RACF definition). Is this the case ? N/A
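As an added example (not part of the proforma and not an IBM or SAP tool), the following Python script evaluates the AIX attributes that questions 177 to 193 ask about by parsing the two AIX stanza files; the sample stanzas, the userid "sapfmc" (with "fmc" standing in for <sid>) and the flag handling are constructed assumptions.

```python
"""Check AIX shared userid attributes against checklist rows 177-193.

Added example, not part of the ITCS104 proforma.  Parses the AIX stanza
files /etc/security/user (login, rlogin) and /etc/security/passwd (flags)
and compares each shared SAP userid with the checklist values: SAPR3,
SAP<sid> and SAP<sid>DB need login=true, rlogin=true and the NOCHECK flag;
cstore needs login=false and rlogin=false.  Constructed sample, "fmc" = <sid>.
"""
import re

SAMPLE_USER = """\
* constructed /etc/security/user
default:
        login = true
        rlogin = true

sapr3:
        login = true
        rlogin = true

sapfmc:
        login = true

cstore:
        login = false
        rlogin = true
"""

SAMPLE_PASSWD = """\
sapr3:
        password = *
        flags = NOCHECK

sapfmc:
        password = *
        flags = ADMIN

cstore:
        password = *
        flags =
"""

SAP_ID = {"login": "true", "rlogin": "true", "NOCHECK": True}
EXPECTED = {
    "sapr3": SAP_ID,     # rows 177-181
    "sapfmc": SAP_ID,    # rows 182-186 (SAP<sid>)
    "sapfmcdb": SAP_ID,  # rows 187-191 (SAP<sid>DB)
    "cstore": {"login": "false", "rlogin": "false"},  # rows 192-193, no NOCHECK row
}

STANZA_RE = re.compile(r"^(\S+):\s*$")
ATTR_RE = re.compile(r"^\s+(\w+)\s*=\s*(.*?)\s*$")


def parse_stanzas(text):
    """Return {stanza: {attribute: value}} for an AIX stanza file."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("*"):
            continue  # blank line or AIX comment
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return stanzas


def effective(users, name, attr):
    """AIX applies the 'default' stanza when a user stanza omits an attribute."""
    return users.get(name, {}).get(attr, users.get("default", {}).get(attr))


def check_shared_ids(user_text, passwd_text, expected=EXPECTED):
    """Return {userid: [finding, ...]}; an empty list means compliant."""
    users = parse_stanzas(user_text)
    passwd = parse_stanzas(passwd_text)
    findings = {}
    for uid, want in expected.items():
        issues = []
        if uid not in users:
            issues.append("userid not defined in /etc/security/user")
        else:
            for attr in ("login", "rlogin"):
                got = effective(users, uid, attr)
                if got != want[attr]:
                    issues.append(f"{attr}={got!r}, required {want[attr]}")
            if "NOCHECK" in want:
                flags = passwd.get(uid, {}).get("flags", "")
                if ("NOCHECK" in flags.replace(",", " ").split()) != want["NOCHECK"]:
                    issues.append(f"flags={flags!r}, NOCHECK flag required")
        findings[uid] = issues
    return findings


if __name__ == "__main__":
    for uid, issues in check_shared_ids(SAMPLE_USER, SAMPLE_PASSWD).items():
        print(uid, "compliant" if not issues else "; ".join(issues))
```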

INSTRUCTIONS: If the server value is NOT COMPLIANT to the value specified in the question (i.e. the answer is NO or N/A), you MUST enter the actual server setting or a comment to explain why the question is not applicable.

Columns: Question No. | Appendix ref | Heading | Health Check Tool / Script | Is this the case?

Machine Name/Identifier: FMC
Server Team & Contact: AHS SAP BASIS
Date Checked: 20/06/2012
Comments: Nil

208 | 5.5 Software modifications | System profile | auth/tcodes_not_checked : must be set to (empty string). applicable system types : S,D,C,E,R,P | YES
209 | 5.5 Software modifications | System profile | auth/system_access_check_off : must be set to 0. applicable system types : S,D,C,E,R,P | YES
210 | 5.5 Software modifications | System profile | auth/rfc_authority_check : must be set to 1. applicable system types : S,D,C,E,R,P | YES
211 | 5.5 Software modifications | System profile | auth/no_check_in_some_cases : must be set to Y. applicable system types : S,D,C,E,R,P | YES
212 | 5.5 Software modifications | System profile | auth/object_disabling_active : must be set to N. applicable system types : S,D,C,E,R,P | YES

213 | 5.5 Software modifications | System settings | Transaction SCC4 / Cross-Client Object Changes : No changes to Repository and cross-client customizing objects. applicable system types : C,R,P | YES
214 | 5.5 Software modifications | System settings | Transaction SE06 / System Change Option : Global Setting : Not modifiable. applicable system types : C,R,P | YES
215 | 5.5 Software modifications | System settings | Transaction SCC4 / Change and Transports for Client-Specific Objects : no changes allowed. applicable system types : C,R,P | YES
216 | 5.6 Service availability management | System profile | login/failed_user_auto_unlock : must be set to 0. applicable system types : S,D,C,E,R,P | YES
217 | 5.6 Service availability management | System profile | login/fails_to_user_lock : must be set to 5. applicable system types : S,D,C,E,R,P | YES

218 | 6 Activity auditing | System profile parameter settings - Table Logging - all SAP versions | rec/client : One of the following options must be selected (select one of the following 3 options) : 1. xxx = the production client number (one client only). 2. comma separated list of clients including the production client. 3. ALL (for all clients in system). applicable system type : P | N/A
219 | 6 Activity auditing | Transport profile parameter settings (TP_DOMAIN_<sid>.PFL) - Table Logging - All SAP versions | rec/client : Update TMS configuration adding the RECCLIENT parameter in the Transport Tool Tab. Required Settings: 1. xxx = the production client number (one client only). 2. comma separated list of clients including the production client. 3. ALL (for all clients in system). Note: In the production client, the same setting should be selected for the rec/client and recclient parameters. applicable system type : P | N/A
220 | 6 Activity auditing | System profile parameter settings - Security Audit Log Setup - Version 4.6 or higher | DIR_AUDIT : must be set to /secaudit/logs or /secaudit/<SID>/logs. applicable system types : P | N/A

221 | 6 Activity auditing | System profile parameter settings - Security Audit Log Setup - Version 4.6 or higher | FN_AUDIT : must be set to <SERVER>_++++++++######. applicable system types : P | N/A
222 | 6 Activity auditing | System profile parameter settings - Security Audit Log Setup - Version 4.6 or higher | rsau/enable : must be set to 1. applicable system types : P | N/A
223 | 6 Activity auditing | System profile parameter settings - Security Audit Log Setup - Version 4.6 or higher | rsau/max_diskspace/per_day : must be set to 3M or higher. applicable system types : P | N/A
224 | 6 Activity auditing | System profile parameter settings - Security Audit Log Setup - Version 4.6 or higher | rsau/max_diskspace/per_file : must be set to 1M or higher. applicable system types : P | N/A

225 | 6 Activity auditing | System profile parameter settings - Security Audit Log Setup - Version 4.6 or higher | rsau/local/file : must be set to /secaudit/logs/<SERVER>_++++++++###### or /secaudit/<SID>/logs/<SERVER>_++++++++######. applicable system types : P | N/A
226 | 6 Activity auditing | System profile parameter settings - Security Audit Log Setup - Version 4.5 | rsau/selection_slots : must be set to 2 or higher. applicable system types : P | N/A
227 | 6 Activity auditing | System profile parameter settings - Security Audit Log Setup - Version 4.5 | rsau/enable : must be set to 1. applicable system types : P | N/A
228 | 6 Activity auditing | System profile parameter settings - Security Audit Log Setup - Version 4.5 | rsau/max_diskspace/local : must be set to 1000000. applicable system types : P | N/A
229 | 6 Activity auditing | System profile parameter settings - Security Audit Log Setup - Version 4.5 | rsau/max_diskspace/per_day : must be set to 3M or higher. applicable system types : P | N/A
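As an added example (not part of the proforma and not SAP's own tooling), this Python script reads an instance profile and checks the parameters from questions 208 to 231 against the values the checklist requires, skipping rows that do not apply to the given system type; the sample profile, SID FMC and production client 100 are constructed assumptions.

```python
"""Check SAP profile parameters against checklist rows 208-231.

Added example, not part of the ITCS104 proforma.  Parses an instance
profile ("name = value" lines, "#" comment lines) and compares the
parameters from sections 5.5, 5.6 and 6 with the required values,
honouring the "applicable system types" column.  Constructed sample;
SID FMC and production client 100 are assumptions.  FN_AUDIT and
rsau/local/file (file name patterns) are left to manual review.
"""
import re

SAMPLE_PROFILE = """\
# constructed instance profile of a production system
auth/tcodes_not_checked =
auth/system_access_check_off = 0
auth/rfc_authority_check = 1
auth/no_check_in_some_cases = Y
auth/object_disabling_active = N
login/failed_user_auto_unlock = 1
login/fails_to_user_lock = 5
rsau/enable = 1
DIR_AUDIT = /secaudit/FMC/logs
rsau/max_diskspace/per_day = 2M
rsau/max_diskspace/per_file = 1M
rsau/selection_slots = 2
rec/client = 100,200
"""

ALL_TYPES = "SDCERP"  # applicable system types S,D,C,E,R,P
PROD = "P"

# parameter -> (applicable system types, check kind, required value)
REQUIRED = {
    "auth/tcodes_not_checked": (ALL_TYPES, "eq", ""),         # 208
    "auth/system_access_check_off": (ALL_TYPES, "eq", "0"),   # 209
    "auth/rfc_authority_check": (ALL_TYPES, "eq", "1"),       # 210
    "auth/no_check_in_some_cases": (ALL_TYPES, "eq", "Y"),    # 211
    "auth/object_disabling_active": (ALL_TYPES, "eq", "N"),   # 212
    "login/failed_user_auto_unlock": (ALL_TYPES, "eq", "0"),  # 216
    "login/fails_to_user_lock": (ALL_TYPES, "eq", "5"),       # 217
    "rec/client": (PROD, "recclient", "production client, list including it, or ALL"),  # 218
    "DIR_AUDIT": (PROD, "in", ["/secaudit/logs", "/secaudit/<SID>/logs"]),  # 220
    "rsau/enable": (PROD, "eq", "1"),                         # 222
    "rsau/max_diskspace/per_day": (PROD, "min", "3M"),        # 223
    "rsau/max_diskspace/per_file": (PROD, "min", "1M"),       # 224
    "rsau/selection_slots": (PROD, "min", "2"),               # 226, 231
}


def parse_profile(text):
    """Return {name: value}; 'param =' with nothing after it yields ''."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def to_bytes(value):
    """SAP size notation: plain number or K/M/G suffix (1024-based here)."""
    m = re.fullmatch(r"(\d+)\s*([KMG]?)", value.strip().upper())
    if not m:
        return None
    return int(m.group(1)) * {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}[m.group(2)]


def recclient_ok(value, prod_client):
    """Row 218: the production client, a client list including it, or ALL."""
    v = value.strip().upper()
    if v == "ALL":
        return True
    clients = [c.strip() for c in v.split(",") if c.strip()]
    return bool(clients) and all(c.isdigit() for c in clients) and prod_client in clients


def check_profile(text, system_type, sid, prod_client):
    """Return a list of findings; an empty list means every applicable row is met."""
    params = parse_profile(text)
    findings = []
    for name, (types, kind, want) in REQUIRED.items():
        if system_type not in types:
            continue  # row does not apply to this system type
        got = params.get(name)
        if got is None:
            findings.append(f"{name}: not set in profile, verify the kernel default in RZ11")
            continue
        if kind == "eq":
            ok = got == want
        elif kind == "min":
            ok = to_bytes(got) is not None and to_bytes(got) >= to_bytes(want)
        elif kind == "in":
            ok = got in [w.replace("<SID>", sid) for w in want]
        else:  # recclient
            ok = recclient_ok(got, prod_client)
        if not ok:
            findings.append(f"{name}={got!r}, required {kind} {want}")
    return findings
```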

230 | 6 Activity auditing | System profile parameter settings - Security Audit Log Setup - Version 4.5 | rsau/max_diskspace/per_file : must be set to 0. applicable system types : P | N/A
231 | 6 Activity auditing | System profile parameter settings - Security Audit Log Setup - Version 4.5 | rsau/selection_slots : must be set to 2 or higher. applicable system types : P | N/A
232 | 6 Activity auditing | Transaction SM19 / Security Audit Log Filter (SAP Version ECC 6.0) | At least one filter must be set as follows: 1. Filter active box must be checked. 2. Selection Criteria: Client = *, User = *. 3. Audit classes: Dialog logon, System (defaults, unchangeable). 4. Events: Severe and critical. 5. Detail Configuration = Audit Class: Dialog Logon. applicable system types : P | N/A
233 | 6 Activity auditing | Transaction SM19 / Security Audit Log Filter (SAP Version ECC 6.0) | Event class: Important. Message Long Text: Logon Successful (Type=&A); Logon failed (Reason = &B, Type = &A). applicable system types : P | N/A

234 | 6 Activity auditing | Transaction SM19 / Security Audit Log Filter (SAP Version ECC 6.0) | Event class: Critical. Message Long Text: Logon failed (Reason = &B, Type = &A); User &B Locked in Client &A After Erroneous Password Checks; User &B in Client &A Unlocked After Being Locked Due to Inval.Password. applicable system types : P | N/A
235 | 6 Activity auditing | System settings - Transaction SM19 / Security Audit Log Filter (SAP Versions 4.6x through 4.7x) | At least one filter must be set as follows: 1. Filter active box must be checked. 2. Selection Criteria: Client = *, User = *. 3. Audit classes: Dialog logon. 4. Events: Important and critical. 5. Detail Configuration = Audit Class: Dialog Logon. applicable system types : P | N/A
236 | 6 Activity auditing | Transaction SM19 / Security Audit Log Filter (SAP Version ECC 6.0) | Audit Class: System. Event class: Critical. Message Long Text: Audit Configuration Changed; Audit: Slot &A: Class &B, Severity &C, User &D, Client &E, &F; Application Server Started; Application Server Stopped; Audit: Slot &A Inactive; Audit: Active Status Set to &1. applicable system types : P | N/A

237 | 6 Activity auditing | System settings - Transaction SM19 / Security Audit Log Filter (SAP Versions 4.6x through 4.7x) | Event class: Critical. Message Long Text: Logon failed (Reason = &B, Type = &A); User Locked After Incorrect Logon; User lock because of incorrect logon removed. applicable system types : P | N/A
238 | 6 Activity auditing | System settings - Transaction SM19 / Security Audit Log Filter (SAP Versions 4.6x through 4.7x) | Event class: Important. Message Long Text: Logon Successful (Type=&A); Logon failed (Reason = &B, Type = &A). applicable system types : P | N/A
239 | 6 Activity auditing | System settings - Transaction SM19 / Security Audit Log Filter Selection (SAP Versions 4.5x) | At least one selection must be set as follows: 1. Selection Active box must be checked. 2. Selection Tab: Client = *, User = *. 3. Audit classes: Logon. 4. Security Levels: Average. 5. To ensure the minimum required audit messages are logged, the following 4 records must be present and the importance indicator value must not be changed (Transaction code SE92(N), Tables TSL1D/TSL1T) (see separate sheet for 4 records). applicable system types : P | N/A

240 | 7.1 Health Checking | Health Checking | List users who hold security administrative and system authority. applicable system types : C,P or Any Internet Reachable | N/A
241 | 7.1 Health Checking | Health Checking | Confirm that the SAP Security Audit log exists. applicable system types : P or Any Internet Reachable | N/A
242 | 8 Network settings | .rhost file | Must contain only specific hostnames of the SAP servers required to have the rsh capability. These hostnames must be either the short hostname defined in the local /etc/hosts file or the fully qualified hostnames of the servers that are registered to DNS. | YES
243 | 8 Network settings | .rhost file | Each hostname listed in the servers .rhost file must be qualified with a valid userid. | YES
244 | 8 Network settings | .rhost file | The only machines and ids that are able to rsh into a server are those in the .rhost file, and each must be qualified with a valid userid. | YES

245 | 8 Network settings | .rhost file | The only machines and ids that are able to rsh into a server are those listed in the servers .rhost file. | YES
246 | 8 Network settings | .netrc file | Owner has read and write access. | YES
247 | 8 Network settings | .netrc file | <sid>adm must also have read and/or write access if file is accessed from SAP. | YES
248 | 8 Network settings | Network File System (NFS) | /etc/exports : Must contain specific hostnames for NFS clients that are either the short hostnames defined in the local /etc/hosts file on the NFS server or only the fully qualified machine hostnames of the servers that are registered to DNS. | YES
249 | 8 Network settings | Network File System (NFS) | /etc/exports : Must only use NFS access servers in SAP environment. | YES

End of Checklist - Part 2
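As an added example (not the proforma's own script), this Python check applies the .rhosts and /etc/exports rules of questions 242 to 249 to constructed sample files; the hostnames, the AIX exports option syntax and the treatment of any dotted name as a DNS-registered fully qualified name are assumptions.

```python
"""Check .rhosts and /etc/exports entries against checklist rows 242-249.

Added example, not part of the ITCS104 proforma.  Rows 242-245 require
that a server's .rhosts names only specific SAP hosts (short names from the
local /etc/hosts or fully qualified names registered in DNS), each
qualified with a userid; rows 248-249 require the same of the NFS clients
in /etc/exports.  File contents are constructed samples.  AIX exports
syntax ("/dir -access=host1:host2,root=host1") is assumed, and a dotted
name is taken to be a DNS-registered FQDN (no lookup is done offline).
"""

SAMPLE_HOSTS = """\
127.0.0.1   loopback localhost
10.1.2.10   sapfmcci  sapfmcci.example.internal
10.1.2.11   sapfmcdb  sapfmcdb.example.internal
"""

SAMPLE_RHOSTS = """\
sapfmcci fmcadm
sapfmcdb.example.internal fmcadm
sapfmcapp2
+ fmcadm
"""

SAMPLE_EXPORTS = """\
/usr/sap/trans -access=sapfmcci:sapfmcdb.example.internal,root=sapfmcci
/sapmnt/FMC -access=sapfmcapp2.example.internal
/export/tmp
"""

HOST_LIST_OPTIONS = ("access", "root", "rw", "ro")  # AIX exports options carrying host lists


def _content(text):
    """Yield (line number, text) with comments and blank lines removed."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield n, line


def parse_hosts(text):
    """Set of every name (short or fully qualified) defined in /etc/hosts."""
    names = set()
    for _, line in _content(text):
        fields = line.split()
        names.update(fields[1:])
    return names


def is_specific_host(name, local_names):
    """Specific = defined in the local /etc/hosts, or a dotted (FQDN) name."""
    if name in ("+", "-") or any(c in name for c in "*?@"):
        return False  # whole-file wildcard, pattern or netgroup
    return name in local_names or ("." in name and not name.startswith("."))


def check_rhosts(text, local_names):
    """Rows 242-245: specific hosts only, each qualified with a userid."""
    findings = []
    for n, line in _content(text):
        fields = line.split()
        host = fields[0]
        if not is_specific_host(host, local_names):
            findings.append(f".rhosts line {n}: {host!r} is not a specific SAP hostname")
        if len(fields) < 2:
            findings.append(f".rhosts line {n}: {host!r} is not qualified with a userid")
        elif fields[1] == "+" or "*" in fields[1]:
            findings.append(f".rhosts line {n}: userid {fields[1]!r} is a wildcard")
    return findings


def check_exports(text, local_names):
    """Rows 248-249: every export restricted to specific NFS client hostnames."""
    findings = []
    for n, line in _content(text):
        path, _, options = line.partition(" -")
        opts = {}
        for opt in options.split(","):
            key, _, val = opt.strip().partition("=")
            opts[key] = val
        if "access" not in opts:
            findings.append(f"exports line {n}: {path} has no -access list (exported to all clients)")
        for key in HOST_LIST_OPTIONS:
            for host in filter(None, opts.get(key, "").split(":")):
                if not is_specific_host(host, local_names):
                    findings.append(f"exports line {n}: {path} {key}={host!r} is not a specific hostname")
    return findings
```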

The 4 records referred to in question 239 (Transaction code SE92(N), Tables TSL1D/TSL1T):

Record 1: Group = AU, Sub-Name = 1, Class = X, Sub-Group = 2, Importance = 5, Category = RA, Category = SH, Message = "Logon Successful (Type=&A)"
Record 2: Group = AU, Sub-Name = 2, Class = X, Sub-Group = 2, Importance = 9, Category = RA, Category = SH, Message = "Logon failed (Reason = &B, Type = &A)"
Record 3: Group = AU, Sub-Name = M, Class = X, Sub-Group = 34, Importance = 9, Category = RA, Category = SH, Message = "User Locked After Incorrect Logon"
Record 4: Group = AU, Sub-Name = N, Class = X, Sub-Group = 34, Importance = 9, Category = RA, Category = SH, Message = "User Lock Deleted Due to Incorrect Logon"

SAP security administrative and system administrative authorization objects & values

The values listed constitute prohibited security or system administrative authority. Values classified as "allowed" are not a complete listing of all possible values. Applicable to both dialog and non-dialog userids. The use of prohibited system administrative authorization objects may be necessary or required for emergency access.

Security administrative authorization objects

Object | Field
S_ADMI_FCD | S_ADMI_FCD
S_USER_AGR | ACTVT
S_USER_AUT | ACTVT
S_USER_GRP | ACTVT
S_USER_PRO | ACTVT
S_USER_SYS | ACTVT
S_USER_TCD | TCD

Values (one line per table cell, in column order):
UBUF, UL
*, 01, 02, 21, 36, 59, 64, 68, 78
06, 22, 79
*, 01, 02, 22, 24
06, 07
*
01, 02, 05, 06, 22, 24, 68, 78
*, 01, 02, 24
06, 07, 22
*, 90
59, 68, 78
*, ALL VALUES RESTRICTED

Prohibited or Allowed in Production (in column order): Prohibited | Prohibited | Allowed | Prohibited | Allowed | Prohibited | Allowed | Prohibited | Allowed | Prohibited | Allowed | Prohibited

System administrative authorization objects

Object | Field
S_ADMI_FCD | S_ADMI_FCD
S_APPL_LOG | ACTVT
S_BTCH_ADM | BTCADMIN
S_BTCH_JOB | JOBACTION
S_BTCH_NAM | BTCUNAME
S_CLNT_IMP | ACTVT
S_CTS_ADMI | CTS_ADMFCT
S_DB2_ADM | ACTVT
S_DB2_COMM | ACTVT
S_ENQUE | S_ENQ_ACT
S_LANG_ADM | ACTVT
S_LOG_COM | COMMAND
S_QIO_MONI | QIOAKTI
S_RZL_ADM | ACTVT
S_SAA_ADMI | SAAFKT
S_SDCC | SDCC_DEV, SDCC_RUN
S_SDCC_ADD | SDCC_DEV_N, SDCC_RUN_N
S_SDCC_DAT | ACTVT
S_SKOM_SRV | AUTH
S_SPO_ACT | SPOACTION
S_TMS_ACT | STMSACTION
S_TRANSPRT | ACTVT
S_USER_OBJ | ACTVT

Values (one line per table cell, in column order):
*, TRNL, TRNR
AUDA, UADM, BTCH, COLA, CONV, F4MX, LC02, LC03, LC04, MEMO, NADM, PADM, QDEL, SCP1, SCP2, SLIC, SPAA, SPAB, SPAC, SPAD, SPAM, SPAR, SPTD, SPTR, SYNC, T000, TCTR, TLCK, TOUC, X25
*, 06
*
Y
*
DELE
*
*, ALL VALUES RESTRICTED
*
TABL, INIT, PROJ, IMPT, IMPA, IMPS, SYSC, TADD, TDEL, TQAS, TADM, QTEA, EPS1, EPS2
*
02, 06, 16, 33, 36
*, 04, 05, 07, 10, 11, 12, 13, 14, 15, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 30, 31, 32, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 55, 57, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, A1, A2, A3, A4, A7, A8, A9, AA, AB, B2, B3, B9, BD, BE, C1, C2, C3, C4, C8, D1, DK, DL, DP, E0, E6, E7, EP, FP, G1, G2, G3, G4, G5, G6, GL, H1, H2, H3, KA, KI, KO, SK, DU, LM, LS, L0, L1, L3, MA, PA, PB, PC, PD, P0, P1, P2, P3, S1, S2, U2, U3, U4, UL, VF, V1, V2, V3, V4, V5, V6, VE
01, 02, 06, 16
*
DLFU, ALL
*
02, 05, 16, 30, 61
*
*, BRARCHIVE, BRBACKUP, BRCONNECT, BRTOOLS, BTC_CHECK_STAT, CAT, CHECK_DSPMSGQ, CHECK_PRTERRLOG, CHECK_QXDAEDRSQL, CHECK_R3RMTDB, DB24DD, DBHOSTCHECK, DBMCLI, DBMGETF, DBMRFC, DISPLAY_DIAGLOG, DSPOBJD_SQLPKG, ENV, INFARCEXE, INFBAREXE, INFCFGCHECK, INFUGPSTAT, IRCONF, IRTRACE, LDAP_REGISTER, LIST_DB2DUMP, LSNRCTL, MSSTATS, NET_ROUTING, NIPING, PRECVERSION, PRTSQLINF, RRR_PRTERRLOG, RRR_PTF, RRR_R3RMTDB, RRR_ROUTER_INFO, RRR_ROUTER_NEW, RRR_ROUTER_START, RRR_ROUTER_STOP, SAA_TP_CHECK, SAA_TP_CLEAROLD, SAPDBA, SAPNTCHK, SEND_SNMP_TRAP, SQLCLI, UPDCOL, WWI_GET_DIR, XBACKUP, XCONS, XKERNPROT, XPU, XSQL, XUSER, XWIZ, XWIZARD, XWIZSTOP, X_PYTHON
CONTAINER_INFO, DB2CLP, DB_SERVER_OPSYS, GET_DEADLOCK, SNAPSHOT_DB6, TABLESPACE_INFO, TABLE_SNAPSHOT, TABSPACE_SNAPSHOT, ARCAUTO, DB6CLP, DB6_DBBACKUP, REORGCHK_ALL, REORGCHK_CALL, REORGCHK_CHECK, REORGCHK_DBSTAT, REORGCHK_UONE, REORG_TABLESPACE
*, QDEL
QAEN, QANL, QSTA
*
1
*
ADM, PROJ, USER
*, ADMIN, WRITE
READ
*, ADMIN, WRITE
READ
*, ADMIN, WRITE
READ
*, ADMIN, WRITE
READ
*, 06
3
ALL VALUES RESTRICTED
*
ATTR, AUTH, BASE, COMP, DELE, DOWN, EDIT, USER, DISP, PRNT, REDI, REPR, SEND
*
CRE, REA, DEL, APP, MOD
*, 01, 02, 05, 06, 23, 43, 50, 65, 75, 78
60, 90
*, 02, 07, 21

Prohibited or Allowed in Production (in column order): Prohibited | Allowed | Prohibited | Prohibited | Allowed | Prohibited | Allowed | Prohibited (with the exception MAESTROCPIC userid) | Prohibited | Prohibited | Allowed | Prohibited | Allowed | Prohibited | Allowed | Prohibited | Allowed | Prohibited | Allowed | Prohibited - SAP Release below 4.7 | Prohibited | Allowed - SAP Release below 4.7 | Allowed | Prohibited | Allowed | Prohibited | Allowed | Prohibited | Allowed | Prohibited (with the exception of EarlyWatch userid on client 066) | Allowed | Prohibited (with the exception of EarlyWatch userid on client 066) | Allowed | Prohibited (with the exception of EarlyWatch userid on client 066) | Allowed | Prohibited (with the exception of EarlyWatch userid on client 066) | Allowed | Prohibited (with the exception of EarlyWatch userid on client 066) | Allowed | Prohibited | Prohibited | Allowed | Prohibited | Allowed | Prohibited | Allowed | Prohibited

5.6.1 Security, integrity APAR, advisory process for SAP environments requirements

1. SAP security advisories are not maintained on the GSSD website.
2. SAP AG maintains the repository of security advisories at their website on www.service.sap.com in the security notes section under customer portal.
3. Security OSS notes can also be viewed by using the RSECNOTE tool.
4. The SAP Enterprise Management Office (EPMO) may override the severity rating assigned by the application owner.
5. SAP security advisories will be implemented per the time limits in ITCS104 Chapter 3.5.3.
