SAP Audit Guide for Basis
This audit guide is designed to assist the review of middleware components that support the administration and integration of SAP applications, commonly referred to as SAP Basis.
Network Security
Web Services
Password Security
Patch Management
Monitoring
Network Security

Web Services

Trusted RFC connections should not be used between systems with differing security classifications.

Password Security

SAP passwords are stored as one-way hashes in tables USR02, USH02 and USRPWDHISTORY. There are multiple hashing algorithms used by SAP, each identified by a unique code version. Algorithms are vulnerable to brute force and dictionary attacks, particularly code versions such as B and F. The risk of such attacks should be mitigated by implementing the latest

Upgrade to the latest hashing mechanism, disable downwards compatibility and delete redundant hashes.
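The three controls above (weak code versions, downwards compatibility, redundant hashes) can be tested together over a USR02 extract. The following is an added example written for this page, not code from the guide or from Layer Seven Security. It assumes the standard USR02 field names CODVN, BCODE, PASSCODE and PWDSALTEDHASH and the profile parameter login/password_downwards_compatibility; confirm both against your release documentation. All sample rows are constructed placeholders, not real hashes.

```python
"""Password hash audit over a USR02 extract (added example, not from the guide).

Assumed field names, as the author of this example knows them from the
standard USR02 table: BNAME (user), CODVN (hash code version), BCODE
(code version A/B hash), PASSCODE (code version F hash) and PWDSALTEDHASH
(salted hash, code version H or later). The profile parameter
login/password_downwards_compatibility is likewise assumed; value 0 disables
downwards compatibility. All sample data below is constructed.
"""
from dataclasses import dataclass

# Code versions the guide singles out as weak are B and F; grouping the other
# pre-salted versions with them is an assumption of this example.
WEAK_CODVN = {"A", "B", "D", "E", "F"}


@dataclass
class Usr02Row:
    bname: str
    codvn: str
    bcode: str = ""
    passcode: str = ""
    pwdsaltedhash: str = ""


def redundant_hash_fields(row):
    """Legacy hash fields still populated although a salted hash exists.

    These are the redundant hashes the guide says to delete: whoever reads
    the table can attack the weakest hash present, not the strongest.
    """
    if not row.pwdsaltedhash:
        return []
    return [name for name, value in (("BCODE", row.bcode), ("PASSCODE", row.passcode)) if value]


def audit_password_hashes(rows, profile):
    """Return (subject, finding, detail) tuples for the extract and profile."""
    findings = []
    compat = profile.get("login/password_downwards_compatibility", "1")
    if compat != "0":
        findings.append(("PROFILE", "DOWNWARDS_COMPATIBILITY_ENABLED", compat))
    for row in rows:
        if row.codvn in WEAK_CODVN:
            findings.append((row.bname, "WEAK_CODVN", row.codvn))
        for name in redundant_hash_fields(row):
            findings.append((row.bname, "REDUNDANT_HASH", name))
    return findings


# Constructed sample extract: hash values are placeholders, not real hashes.
SAMPLE_ROWS = [
    Usr02Row("ADMIN01", "H", pwdsaltedhash="PLACEHOLDER_SALTED"),
    Usr02Row("LEGACY01", "B", bcode="PLACEHOLDER_BCODE"),
    Usr02Row("MIGRATED", "H", bcode="PLACEHOLDER_BCODE",
             passcode="PLACEHOLDER_PASSCODE", pwdsaltedhash="PLACEHOLDER_SALTED"),
    Usr02Row("RFCUSER", "F", passcode="PLACEHOLDER_PASSCODE"),
]
SAMPLE_PROFILE = {"login/password_downwards_compatibility": "1"}

if __name__ == "__main__":
    for finding in audit_password_hashes(SAMPLE_ROWS, SAMPLE_PROFILE):
        print(*finding)
```

The MIGRATED row is the case worth noting: its current code version is fine, but the older hash columns were never cleared, so the account remains exposed until the redundant hashes are deleted and downwards compatibility is switched off.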
Central User Management (CUA)

CUA is the central instance for profile, user and authorization maintenance in SAP landscapes. It is used to distribute and manage user access across all connected systems, known as child or dependent clients, through RFC connections. Transactions SCUA and SCUM are used to define CUA models and fields and therefore should only be assigned to security administrators. The CUA model should be assessed to ensure that all required systems are administered through the central instance.

Access to the transactions specified in table 1.3 used for user management in ABAP systems should be restricted. Relevant authorization objects include S_USER_GRP, S_USER_PRO, S_USER_AUT, S_USER_SYS and S_USER_AGR. For Java systems, access to User Management Engine (UME) actions such as Manage_All, Read_All, Manage_Users, Manage_Groups and Manage_All_User_Passwords should be controlled. The permission AclSuperUser and the Visual Administrator roles used to manage the UME should only be granted to select, authorized administrators. This includes SAP_JAVA_NWADMIN_CENTRAL and SAP_JAVA_NWADMIN_LOCAL. UME permissions and roles should be reviewed in the UMErole.xml file.

The assignment of roles should be separated from the modification of roles in ECC 5.0 and above through PRG_CUST settings. This will ensure that an administrator cannot perform both functions. Furthermore, the parameter for authorization object disabling should be monitored to ensure that authorization checks for program execution are enabled. The SAP Menu should be disabled. This menu provides visibility to all transactions available in a client and therefore increases the risk of unauthorized access. The SAP User Menu is preferred since it provides users with information for only those areas to which they have been assigned access. Menu options are configured in the SSM_CUST table.

Transaction SUIM should be used to identify users assigned the SAP_NEW profile. The results should be investigated and reviewed with security personnel. The assignment of authorizations for newly created objects to users that do not require such access may indicate underlying issues related to role upgrade procedures.
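The CUA coverage check, the SCUA/SCUM restriction, the separation of role assignment from role modification and the SAP_NEW review can be scripted over extracts an auditor already collects. The following is an added example written for this page, not code from the guide or from Layer Seven Security. It approximates the assignment/modification separation at the transaction level (SU01/SU10 versus PFCG from table 1.3) rather than reading the PRG_CUST setting the guide names, and all landscape and user data is constructed.

```python
"""User management checks over constructed extracts (added example, not from the guide).

Inputs model what an auditor would pull from the landscape: the system list,
the child systems defined in the CUA model (transaction SCUA), each user's
profiles (as transaction SUIM would list them) and the transactions each user
can start. Role assignment versus role modification is approximated here by
transaction access using SU01/SU10 and PFCG from table 1.3; the guide's own
control is the PRG_CUST setting, which this example does not read.
"""
ROLE_ASSIGN_TCODES = {"SU01", "SU10"}   # assign roles to users
ROLE_MODIFY_TCODES = {"PFCG"}           # change what roles contain
CUA_ADMIN_TCODES = {"SCUA", "SCUM"}     # define the CUA model and field distribution


def systems_outside_cua(landscape, cua_children):
    """Systems in the landscape that the CUA model does not administer."""
    return sorted(set(landscape) - set(cua_children))


def role_sod_conflicts(user_tcodes):
    """Users who can both assign roles and modify them."""
    return sorted(user for user, tcodes in user_tcodes.items()
                  if tcodes & ROLE_ASSIGN_TCODES and tcodes & ROLE_MODIFY_TCODES)


def cua_admins_outside_security(user_tcodes, security_admins):
    """Users with SCUA/SCUM who are not designated security administrators."""
    return sorted(user for user, tcodes in user_tcodes.items()
                  if tcodes & CUA_ADMIN_TCODES and user not in security_admins)


def sap_new_holders(user_profiles):
    """Users carrying the SAP_NEW profile, for review with security personnel."""
    return sorted(user for user, profiles in user_profiles.items() if "SAP_NEW" in profiles)


def run_user_management_audit(landscape, cua_children, user_tcodes, user_profiles, security_admins):
    """Bundle the four checks into one report keyed by check name."""
    return {
        "systems_outside_cua": systems_outside_cua(landscape, cua_children),
        "role_sod_conflicts": role_sod_conflicts(user_tcodes),
        "cua_admins_outside_security": cua_admins_outside_security(user_tcodes, security_admins),
        "sap_new_holders": sap_new_holders(user_profiles),
    }


# Constructed sample landscape and user data.
LANDSCAPE = ["DEV", "QAS", "PRD", "BWP"]
CUA_CHILDREN = ["DEV", "QAS", "PRD"]
SECURITY_ADMINS = {"SECADM1"}
USER_TCODES = {
    "SECADM1": {"SU01", "SU10", "PFCG", "SCUA", "SCUM"},
    "HELPDESK1": {"SU01", "SU10"},
    "ROLEDEV1": {"PFCG", "SU21"},
    "BASIS1": {"SCUM", "SM30"},
}
USER_PROFILES = {
    "SECADM1": {"SAP_ALL"},
    "HELPDESK1": {"SAP_NEW"},
    "ROLEDEV1": set(),
    "BASIS1": {"S_A.SYSTEM"},
}

if __name__ == "__main__":
    report = run_user_management_audit(LANDSCAPE, CUA_CHILDREN, USER_TCODES,
                                       USER_PROFILES, SECURITY_ADMINS)
    for check, result in report.items():
        print(f"{check}: {result}")
```

Each finding maps back to a control in this section: BWP is a system the central instance does not reach, BASIS1 holds a CUA transaction without being a security administrator, SECADM1 can both assign and modify roles, and HELPDESK1 should not be carrying SAP_NEW.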
TRANSACTION   DESCRIPTION
PFCG          Profile Generator
SU01          Maintain User
SU02          Profile Maintenance
SU03          Authorization Maintenance
SU10          User Mass Maintenance
SU20          Maintain Authorization Fields
SU21          Maintain Authorization Objects
SU22          Authorization Object Usage in Transactions
SU12          Mass Changes to User Master Records
PO13          Role Assignment to Positions

Table 1.3 User Management Transactions

Change and Transport Management

The movement of changes between environments is performed through transports managed by the Transport Management System (TMS). Transports in SAP landscapes should follow a defined path through development, test and production environments. This should be verified through review of transport domains, routes, strategies and workflows in the SAP systems within each landscape that act as transport domain controllers. Transport requests and header information are logged in table E070. A sample of changes should be selected from the table and examined to verify compliance with established release management procedures. Samples can also be selected from transport logs available through transaction SE03. Transports for changes to IMG settings and parameters may only be logged in development and test systems.

Configuration changes should be locked in production systems. This is achieved through restrictions on the use of transaction SPRO in production and the selection of the parameter 'no changes allowed' for client-specific objects, accessible through transaction SCC4. Certain changes are not transportable and are therefore implemented directly in production clients. Such changes should be documented, pre-approved and performed through special-purpose temporary IDs. Repository and client-independent changes should also be disabled in table T000. This will prevent changes to ABAP code in production.

Critical change control transactions should be locked in productive environments. This includes SCC0 (Client Copy) and SCC5 (Client Delete). Locked transactions are maintained through transaction SM31. Access to this transaction with the authorization object S_ADMI_FCD and field TLCK (lock/unlock) should be restricted.
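The two tests described above, sampling released requests from E070 against the release process and confirming the production client change options in T000, look like this in script form. This is an added example written for this page, not code from the guide or from Layer Seven Security. The T000 field names and codes (CCCATEGORY 'P', CCCORACTIV '2' for 'no changes allowed', CCNOCLIIND '3' for no repository or cross-client changes) and the E070 fields (TRKORR, TRFUNCTION, TRSTATUS 'R' for released, AS4USER) are as the author of this example knows them and should be confirmed against your release; all extract rows and change records are constructed.

```python
"""Transport sampling and production-lock checks (added example, not from the guide).

Assumed field names, as the author of this example knows them: in T000,
CCCATEGORY ('P' marks a production client), CCCORACTIV ('2' = no changes
allowed to client-specific objects, the SCC4 setting the guide names) and
CCNOCLIIND ('3' = no changes to repository and cross-client customizing
objects); in E070, TRKORR (request), TRFUNCTION, TRSTATUS ('R' = released),
AS4USER and AS4DATE. All data below is constructed.
"""
import random


def production_client_lock_findings(t000_rows):
    """Production clients whose change options are not fully locked."""
    findings = []
    for row in t000_rows:
        if row["CCCATEGORY"] != "P":
            continue
        if row["CCCORACTIV"] != "2":
            findings.append((row["MANDT"], "CLIENT_SPECIFIC_CHANGES_ALLOWED", row["CCCORACTIV"]))
        if row["CCNOCLIIND"] != "3":
            findings.append((row["MANDT"], "REPOSITORY_CHANGES_ALLOWED", row["CCNOCLIIND"]))
    return findings


def sample_released_transports(e070_rows, size, seed=None):
    """Random sample of released requests for release-management testing.

    Only released requests ('R') have left development, so only they can be
    tested against the approval trail; a seed makes the selection repeatable.
    """
    released = [row for row in e070_rows if row["TRSTATUS"] == "R"]
    return random.Random(seed).sample(released, min(size, len(released)))


def unapproved_transports(sample, approved_changes):
    """Sampled requests with no matching change record."""
    return sorted(row["TRKORR"] for row in sample if row["TRKORR"] not in approved_changes)


# Constructed sample extracts.
T000_ROWS = [
    {"MANDT": "100", "CCCATEGORY": "C", "CCCORACTIV": "1", "CCNOCLIIND": ""},
    {"MANDT": "300", "CCCATEGORY": "P", "CCCORACTIV": "1", "CCNOCLIIND": "3"},
    {"MANDT": "400", "CCCATEGORY": "P", "CCCORACTIV": "2", "CCNOCLIIND": "3"},
]
E070_ROWS = [
    {"TRKORR": "DEVK900001", "TRFUNCTION": "K", "TRSTATUS": "R", "AS4USER": "DEVELOPER1", "AS4DATE": "20130115"},
    {"TRKORR": "DEVK900002", "TRFUNCTION": "W", "TRSTATUS": "R", "AS4USER": "FUNCTIONAL1", "AS4DATE": "20130118"},
    {"TRKORR": "DEVK900003", "TRFUNCTION": "K", "TRSTATUS": "D", "AS4USER": "DEVELOPER2", "AS4DATE": "20130120"},
    {"TRKORR": "DEVK900004", "TRFUNCTION": "K", "TRSTATUS": "R", "AS4USER": "DEVELOPER1", "AS4DATE": "20130122"},
]
# Constructed change records from the release process; DEVK900004 has none.
APPROVED_CHANGES = {"DEVK900001": "CHG-0001", "DEVK900002": "CHG-0002"}

if __name__ == "__main__":
    print("production lock findings:", production_client_lock_findings(T000_ROWS))
    sample = sample_released_transports(E070_ROWS, size=3, seed=1)
    print("unapproved in sample:", unapproved_transports(sample, APPROVED_CHANGES))
```

Client 300 is the case the guide warns about: repository changes are blocked but client-specific customizing is still open, so SPRO changes could be made directly in production.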
Table Maintenance and System Administration

Custom programs should be subject to security reviews to detect code-level vulnerabilities.

Access to the table maintenance transactions SM30 and SM31, and table browsing functions through SE16, should be restricted to authorized users based on role requirements. This includes the authorization objects S_TABU_CLI and S_TABU_DIS. Authorization groups should be used to control access to critical tables.
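Whether authorization groups actually protect the critical tables depends on two things: each critical table must be assigned to a group, and S_TABU_DIS grants on that group must be narrow. The following is an added example written for this page, not code from the guide or from Layer Seven Security. It assumes that table TDDAT maps a table to its authorization group with &NC& meaning not classified, and that S_TABU_DIS carries the group in DICBERCLS and the activity in ACTVT (02 change, 03 display), as the author of this example knows them; the critical-table list is constructed from tables named elsewhere in this guide and all authorization data is constructed.

```python
"""Table authorization-group checks (added example, not from the guide).

Assumed names, as the author of this example knows them: table TDDAT maps each
table (TABNAME) to its authorization group (CCLASS), with &NC& meaning
"not classified"; authorization object S_TABU_DIS carries the group in field
DICBERCLS and the activity in ACTVT (02 = change, 03 = display). The critical
table list is constructed from tables mentioned elsewhere in this guide.
"""
# Constructed from tables named in this guide; extend with your own list.
CRITICAL_TABLES = {"USR02", "USH02", "USRPWDHISTORY", "T000", "E070", "SSM_CUST", "PRG_CUST"}
UNCLASSIFIED = {"", "&NC&"}


def unclassified_critical_tables(tddat, critical=CRITICAL_TABLES):
    """Critical tables with no authorization group, so S_TABU_DIS cannot scope them."""
    return sorted(t for t in critical if tddat.get(t, "&NC&") in UNCLASSIFIED)


def broad_table_change_access(s_tabu_dis):
    """Users whose S_TABU_DIS grants change access on every authorization group."""
    return sorted(user for user, auths in s_tabu_dis.items()
                  if any(group == "*" and actvt in ("*", "02") for group, actvt in auths))


def users_with_change_on(s_tabu_dis, tddat, table):
    """Users who can change a given table through its authorization group.

    An unclassified table resolves to &NC&, which is why the first check
    matters: a table left in &NC& is reachable by anyone holding that group.
    """
    group = tddat.get(table, "&NC&")
    return sorted(user for user, auths in s_tabu_dis.items()
                  if any(g in ("*", group) and a in ("*", "02") for g, a in auths))


# Constructed sample data: TDDAT as {TABNAME: CCLASS}, S_TABU_DIS as
# {user: [(DICBERCLS, ACTVT), ...]}.
TDDAT = {"USR02": "SC", "USH02": "SC", "USRPWDHISTORY": "SC", "T000": "SS",
         "E070": "&NC&", "SSM_CUST": ""}
S_TABU_DIS = {
    "BASIS1": [("*", "02")],
    "AUDITOR1": [("*", "03")],
    "SECADM1": [("SC", "02"), ("SS", "03")],
    "HR1": [("PA", "02")],
}

if __name__ == "__main__":
    print("unclassified critical tables:", unclassified_critical_tables(TDDAT))
    print("broad change access:", broad_table_change_access(S_TABU_DIS))
    print("can change USR02:", users_with_change_on(S_TABU_DIS, TDDAT, "USR02"))
```

AUDITOR1 is deliberately not flagged: a display-only grant across all groups is a lesser concern than BASIS1's change access on every group, and the two should be reported separately.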
Address: Westbury Corporate Centre, Suite 101, 2275 Upper Middle Road, Oakville, Ontario L6H 0C3, Canada
Web: www.layersevensecurity.com
Email: info@layersevensecurity.com
Telephone: 1 888 995 0993
© Copyright Layer Seven Security 2013 - All rights reserved.
No portion of this document may be reproduced in whole or in part without the prior written
permission of Layer Seven Security.
Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the
information presented, but the professional staff of Layer Seven Security makes every reasonable
effort to present the most reliable information available to it and to meet or exceed any applicable
industry standards.
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP
NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and
services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in
several other countries all over the world. Business Objects and the Business Objects logo,
BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business
Objects products and services mentioned herein are trademarks or registered trademarks of Business
Objects in the United States and/or other countries.