SAP Baseline Security Audit
by Rajesh Gopinath|, GCIH
Discuss this article
A SAP Baseline Security Audit tells enterprises how their SAP security posture stacks
up against industry best practices. The Baseline Security Audit is the first step in a
comprehensive security audit program and is ideal for generating a quick win early.
This article outlines the areas covered under the SAP Baseline Security Audit we
perform. The audit covers two high-level areas:
1.
Essential Technical Controls
2.
Essential Process Controls
Essential Technical Controls
The key components of the SAP infrastructure are checked for technical
vulnerabilities. These components include:
SAP web servers
SAP ECC servers
SAP database servers
Firewalls
The technical controls we examine are categorized as:
Authentication and Access controls
Server controls
Network controls
Next, we drill down into a few specific checks to illustrate the type of checks that are
performed in practice:
Authentication and Access Controls
Has a minimum password length (login/min_password_lng) been enforced?
Have the default passwords for default users (SAP, DDIC, etc) been
changed?
Has an expiration time been set for passwords?
(login/password_expiration_time)
Is the maximum number of failed logins before an account is locked set?
(login/fails_to_user_lock)
Are multiple user sessions suppressed?
Have the password of default database accounts been changed?
Access protection and requisite authorisations
Network Controls
Has RFC communication in the SAP gateway been secured with the secinfo
file?
Is SSL or SNC in place to encrypt traffic for DIAG or RFC connections?
Has the network been segmented with adequate isolation for various SAP
elements?
Does the firewall rulebase have insecure rules?
Are blocked connections logged?
Server Controls
Have the latest patches been applied on the server?
Are unnecessary and unsecured Internet services running?
Are the OS file permissions adequately restrictive?
Have OS commands that can be executed from SAP via SM49 been
prevented?
Essential Process Controls
Key processes for administering the SAP environment are checked for compliance
with the enterprise policy and industry best practices in this phase of the audit.
The area that are covered under this are:
Backup and Recovery Processes
Change Management Processes
Identity Management Processes
Incident Management Processes
Next, we drill down into a few specific checks to illustrate the type of checks that are
performed in practice:
Key Roles and Responsibilities
Have responsibilities been defined for key roles?
Are key administrative roles separated? Eg. User creation and approval
Backup and Recovery Processes
Does the backup schedule adhere to policy?
Are backups encrypted?
Are backup tapes labeled?
Are offsite copies of backups maintained?
Is recovery tested periodically in line with policy?
Change Management Processes
Are well-defined processes adhered to for change management?
Does a change management committee review and approve all changes to
production?
Are changes to production tested in staging before being migrated to
production?
Identity Management Processes
Is the administrative process for communicating passwords to new users
secure?
Incident Management Processes
Are incident management procedures defined and communicated to all key
personnel?
The above are sample checks performed as part of the baseline audit.
What a Baseline Security Audit Does Not Cover
The Baseline Security Audit focuses on quick wins; it does not cover the following
audits which require greater investment in time and effort:
Authorizations audit, to check if authorizations have been given correctly
Business process audit, to check if frauds can be permitted within the
business processes in SAP
Transactions
- ABAP programs
- Tables
- Files
- Authorizations, authorization profiles and user master records
- Data carriers
- Other security measures (such as table types and separating different
clients)
, Naming conventions when altering transactions ABAPs, tables, files and
other SAP objects. determine whether they function properly and are
sufficiently documented.
Workbench Organizer and Transport System
Registration and documentation of all changes to system objects (objects in
the development environment, or ODEs). This includes Data Dictionary
elements (such as tables), ABAP/4 programs, screen templates, and userdefined
objects (UDOs) and customizing objects.
- Avoidance of concurrent changes to a system object made by different
developers.
- Orderly transfer and release of ODEs between different SAP systems or
various clients within a SAP system
Changes made to tables and programs-traceablity
binding rules must be established for job submission (such as the
creation of an ABAP) and implementation of changes, as well as for testing,
acceptance, and transferring changes to the productive system
Correction and repair
�- original objects and
- copies of original objects
Transport logs-For success or failure
authorizations to change an ODE
Causes of and reasons for changing a table
- Consequences of changing a table
Functional Scope
A)Project Preparation Phase
project organization
project schedule
Project charter
Standards and procedures
Scope
Training Plans
B)Business Blue Print Phase
As-Is Study
To-Be Process
Business Blue Print
Idetification of gaps
Work arounds for gaps
Organizational Structure
Business Process Master List
Baseline Scope Definition (80/20 rule)
Interfaces Required
Conversions required
Reports needed
Authorizations
Enhancements Needed
Level 1 Training and feed back reports
BBP Signoff
Issue log maintenance ,addressing and escalation
Risk analysis and mitigation
Backup and Recovery plans
C)Realization Phase
Level-2 traing and Feed back reports
Unit Testing plans
Unit test by consultants and core team members and test scripts acceptance.
Base line integration test scripts and results.
User acceptance tests and results.
Testing of reports and acceptance.
Testing of developments and acceptance.
Base line configuration documents.
Functional and technical specs for developments.
D)Final Preparation
Final Configuration and documentation
Completion of Interface development and testing and user acceptance.
Cutover strategy preparation and documentation.
Level 3 traing of core team members.Traing feed back.
Training of End users and feed back
Retraining as per feed back.
Test scripts for Integration testing and user testing and acceptance.
Closure of open issues.
Volume testing and stress testing of SAP system and Interphases.
Preparation for Go-live
Setting up of Help desk and issue redressal mechanism and SLAs
E)Go live Review of support desk activities
SAP IMPLEMENTATION AUDIT
Scope of audit comprises of two parts
o Technical Audit
o Functional Audit
TECHNICAL AUDIT
o
