Audit log integrity protection

This blog explains how to switch on integrity protection for the file-based security audit log. For a full explanation of the SAP audit log, read this blog.

The main OSS note for this feature is 2033317 – Integrity protection format for Security Audit Log.

Activation steps

Step 1. In RZ11 set parameter rsau/integrity to 1.

Step 2. In transaction RSAU_CONFIG set the Protection format active tick box in the Parameter section:

Step 3. In transaction RSAU_ADMIN create the HMAC key:

Step 4. Store this HMAC key and its passphrase securely! Without the key, the integrity of the protected files can no longer be verified.

Checking and validation steps

To validate that the audit log files are intact (no tampering has occurred), start transaction RSAU_ADMIN and select the option Check Integrity of the Files:

Run the check and review the results.

You can also run program RSAU_FILE_ADMIN in batch mode (for example every weekend), so that the integrity check is done on a regular basis. In that case, you can use the faster option Display the Last Integrity Check Status to see the outcome of the last scheduled run.
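To make clear what such an integrity check can and cannot detect, here is an added example written for this page: an HMAC chain over a file-based log. It is not SAP's rsau/integrity format and not code from SAP; the key, the record layout and the log lines are constructed. Each line carries an HMAC computed over the previous line's HMAC and the record itself, so editing or deleting a record breaks every later link, while cutting off the tail of the file is only visible if the checker knows how many records to expect.

```python
"""Added example (not from the original post and not SAP's rsau/integrity
format): an HMAC chain over a file-based log, showing what an integrity
check on such a file detects and why the key must be kept.
"""
import hashlib
import hmac

# Constructed demo key; in SAP this is the key generated in RSAU_ADMIN.
KEY = b"constructed-demo-key-do-not-reuse"
SEPARATOR = "|"
CHAIN_START = "0" * 64  # fixed "previous MAC" for the first record


def _link_mac(key: bytes, prev_mac: str, record: str) -> str:
    """HMAC-SHA256 over (previous MAC, record): binds each record to its predecessor."""
    msg = prev_mac.encode() + b"\n" + record.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def protect(records, key=KEY):
    """Return protected log lines of the form '<record>|<mac>'."""
    lines, prev = [], CHAIN_START
    for rec in records:
        mac = _link_mac(key, prev, rec)
        lines.append(f"{rec}{SEPARATOR}{mac}")
        prev = mac
    return lines


def verify(lines, key=KEY, expected_count=None):
    """Check the chain. Returns (True, None) or (False, index of first bad line).

    A chain alone cannot see that the tail of the file was cut off: the
    remaining prefix is still a valid chain. Pass expected_count (from a
    trusted source such as a close record or the next file) to catch that.
    """
    prev = CHAIN_START
    for i, line in enumerate(lines):
        rec, sep, mac = line.rpartition(SEPARATOR)
        if not sep or not hmac.compare_digest(mac, _link_mac(key, prev, rec)):
            return False, i
        prev = mac
    if expected_count is not None and len(lines) != expected_count:
        return False, len(lines)
    return True, None


# Constructed records, loosely modelled on audit message IDs (AU1 logon, AU3 transaction start).
SAMPLE = [
    "AU1 user=ADMIN terminal=PC01 logon successful",
    "AU3 user=ADMIN tcode=SM30 transaction started",
    "AU3 user=ADMIN tcode=RSAU_ADMIN transaction started",
]

if __name__ == "__main__":
    protected = protect(SAMPLE)
    print("intact:", verify(protected))
    tampered = protected[:]
    tampered[1] = tampered[1].replace("SM30", "SE16")
    print("edited record:", verify(tampered))
    print("truncated, chain only:", verify(protected[:2]))
    print("truncated, with count:", verify(protected[:2], expected_count=len(SAMPLE)))
```

The truncation case is the one to remember when scheduling the batch check: a chain that verifies is not proof that the file is complete, only that no record inside it was altered or removed.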

Reference OSS notes

Solving generic SM30 and SE16 access with dedicated transactions

In a highly secure environment, data access via SE16 and SM30 needs to be restricted. In many cases, however, IT or the business still needs to maintain data via the SM30 mechanism, or support staff still need to see certain table data.

This blog explains a more targeted approach: a dedicated transaction for each table. The generic SM30 and SE16 access can then be revoked and replaced with authorizations for the specific table and transaction.

Setup transaction to call SM30 for single table

Start transaction SE93, enter the transaction you want to create and push the Create button:

On the next screen provide a description and choose the option Transaction with Parameters:

Now fill out the transaction detail:

The text is free of choice. In the transaction field put SM30 (we will create a parameterized version of it) and select Skip initial screen; this is essential, because the initial screen of SM30 is where a user could enter a different table or view name. You can inherit the GUI attributes. In the default values put VIEWNAME with the table you want to maintain as its value, and add a second entry UPDATE with value X.

Save your work and test the transaction.

By entering the transaction code you now jump to the maintenance of the table (in our case the ZTESTTABLE as specified).

Setup transaction to call SE16 for single table

For SE16 repeat the above steps:

The text is free of choice. In the transaction field put SE16 (again a parameterized version) and select Skip initial screen, so that the user cannot enter another table name. You can inherit the GUI attributes. In the default values put DATABROWSE-TABLENAME with the table you want to display as its value.

Authorization team work

The authorization team can now remove SM30, SE16 and the generic table access. Only the table authorization for this specific table is required (for example via S_TABU_NAM), along with S_TCODE access to the newly created Z transaction.
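Before the generic access is removed, it is worth checking that every Z wrapper really pins a table, because a wrapper without a fixed table or without Skip initial screen is just SM30 or SE16 under another name. The following is an added example (not code from the original post) that audits a list of such wrappers; the records are constructed and mirror the SE93 fields used in the steps above (target transaction, skip-initial-screen flag, default values), not a dump of a real system table.

```python
"""Added example (not from the original post): audit Z parameter
transactions that wrap SM30 or SE16, as created in SE93 above.
"""

# Default-value parameter that pins the table, per target transaction (from the steps above).
TABLE_PARAM = {"SM30": "VIEWNAME", "SE16": "DATABROWSE-TABLENAME"}

# Constructed SE93 definitions; ZTESTTABLE is the table used in the post.
WRAPPERS = [
    {"tcode": "ZTEST_SM30", "target": "SM30", "skip_initial_screen": True,
     "params": {"VIEWNAME": "ZTESTTABLE", "UPDATE": "X"}},
    {"tcode": "ZTEST_SE16", "target": "SE16", "skip_initial_screen": True,
     "params": {"DATABROWSE-TABLENAME": "ZTESTTABLE"}},
    # A badly built wrapper: no table fixed and the initial screen is shown,
    # so this is plain SM30 under a Z name.
    {"tcode": "ZBAD_SM30", "target": "SM30", "skip_initial_screen": False,
     "params": {"UPDATE": "X"}},
    {"tcode": "ZOTHER", "target": "SE38", "skip_initial_screen": True, "params": {}},
]


def audit_wrappers(wrappers):
    """Return {tcode: {target, table, update, findings}} for the SM30/SE16 wrappers."""
    report = {}
    for w in wrappers:
        target = w["target"].upper()
        if target not in TABLE_PARAM:
            continue  # not a table-access wrapper, out of scope here
        params = {k.upper(): str(v).upper() for k, v in w.get("params", {}).items()}
        table = params.get(TABLE_PARAM[target]) or None
        findings = []
        if table is None:
            findings.append(f"{TABLE_PARAM[target]} not set: table is chosen by the user")
        elif "*" in table:
            findings.append("wildcard in table name")
        if not w.get("skip_initial_screen", False):
            findings.append("initial screen shown: user can change the table")
        report[w["tcode"]] = {
            "target": target,
            "table": table,
            "update": target == "SM30" and params.get("UPDATE") == "X",
            "findings": findings,
        }
    return report


def tables_to_grant(report):
    """Concrete tables the authorization team has to grant for the clean wrappers."""
    return sorted({r["table"] for r in report.values() if r["table"] and not r["findings"]})


if __name__ == "__main__":
    result = audit_wrappers(WRAPPERS)
    for tcode, r in result.items():
        status = "OK" if not r["findings"] else "; ".join(r["findings"])
        print(f"{tcode:12} {r['target']} table={r['table']} update={r['update']} -> {status}")
    print("tables to grant:", tables_to_grant(result))
```

The list returned by tables_to_grant is exactly the set of S_TABU_NAM values the authorization team needs once the generic access is gone; anything with findings must be fixed in SE93 first.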

Security Services Tools

SAP offers extra Security Service Tools on GitHub. These are custom Z ABAP reports you can download and modify to your needs.

Link to GitHub:

GitHub – SAP-samples/security-services-tools: If you use security-related services and tools such as EWA, SOS, System Recommendations, Configuration Validation, or a security dashboard in SAP Solution Manager, the ABAP reports in this repository can help with further analysis and development.

Interesting programs from Security Service Tools

Some highlights from the Security Service Tools page:

  • Extensive cleanup program for weak hashes (including the password history data)
  • Workload statistics of RFC calls
  • Show SNC status of active users on application server
  • Show RFC gateway and logging settings
  • History of dynamic profile parameters
  • Many more

STUSERTRACE: User trace for authorization checks

The ST01 and STAUTHTRACE transactions can be used for short-term, in-depth authorization traces. The problem is that these traces are very detailed and generate a lot of data.

For some use cases, you need to know which authorizations a user needs over a longer period of time. Example: you have background users with too many authorizations and you are tasked with reducing them. Then you want to enable a long-term trace that records which authorizations are used by this user ID. You are not interested in how many times and when; you just need a complete list over a very long time (for example 2 months). Another example is when you are tasked with replacing a full * authorization in S_TABU_NAM with actual table names. How do you find out which tables are really needed?

This is the goal of STUSERTRACE: long-term recording of the authorization checks a user triggers, down to the level of the individual table.

STUSERTRACE enabling settings

The activation is described in OSS note 2220030 – STUSERTRACE: User trace for authorization checks. The first step is to set parameter auth/auth_user_trace to value F. The value Y (full trace of all users) also exists, but don’t use it, since you may run into performance issues. With value F the trace is restricted to the filters you define.

As explained in OSS note 2220030 there is a minor performance impact. To limit the impact, use filtering.

Now start transaction STUSERTRACE to set the filters:

Choose the Change Filter button to add filters:

In this case we add the standard SAP workflow user to the trace.

STUSERTRACE results

After you let the trace run, you can use the STUSERTRACE transaction to see which authorization checks were executed for this user ID:

STUSERTRACE will also capture detailed table access down to actual table level:

This means STUSERTRACE can also be used to help replace * values in S_TABU_NAM with the actual tables.
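The step from trace output to a reduced role is mechanical: collect the distinct values per object and field, then swap them in wherever the user currently holds a full *. The following added example (not code from the original post) does that for the workflow-user scenario. The records are constructed in a simplified (user, object, field, value) form rather than the STUSERTRACE display or export layout, which you would map to these four columns first; the table and function-group names are placeholders.

```python
"""Added example (not from the original post): condense long-term trace
records into minimal authorization values and propose a reduction of the
user's current * values, e.g. S_TABU_NAM TABLE = * to the tables used.
"""
from collections import defaultdict

# Constructed trace records. Repeats are deliberate: the long-term trace is
# about which checks occur, not how often.
TRACE = [
    ("WF-BATCH", "S_TABU_NAM", "ACTVT", "03"),
    ("WF-BATCH", "S_TABU_NAM", "TABLE", "SWWWIHEAD"),
    ("WF-BATCH", "S_TABU_NAM", "ACTVT", "03"),
    ("WF-BATCH", "S_TABU_NAM", "TABLE", "SWWWIHEAD"),
    ("WF-BATCH", "S_TABU_NAM", "ACTVT", "02"),
    ("WF-BATCH", "S_TABU_NAM", "TABLE", "SWWLOGHIST"),
    ("WF-BATCH", "S_RFC", "RFC_TYPE", "FUGR"),
    ("WF-BATCH", "S_RFC", "RFC_NAME", "SWW_FG_PLACEHOLDER"),
    ("WF-BATCH", "S_RFC", "ACTVT", "16"),
    ("OTHERUSER", "S_TABU_NAM", "TABLE", "MARA"),  # another user, must be ignored
]

# Constructed current values from the user's roles: several full * entries.
CURRENT = {
    "S_TABU_NAM": {"ACTVT": ["*"], "TABLE": ["*"]},
    "S_RFC": {"ACTVT": ["16"], "RFC_NAME": ["*"], "RFC_TYPE": ["FUGR"]},
    "S_DEVELOP": {"ACTVT": ["*"], "DEVCLASS": ["*"], "OBJNAME": ["*"],
                  "OBJTYPE": ["*"], "P_GROUP": ["*"]},
}


def used_values(records, user):
    """{object: {field: sorted unique values}} seen in the trace for one user."""
    seen = defaultdict(lambda: defaultdict(set))
    for usr, obj, field, value in records:
        if usr == user:
            seen[obj][field].add(value)
    return {obj: {f: sorted(v) for f, v in fields.items()} for obj, fields in seen.items()}


def propose_reduction(current, used):
    """Narrow * fields to the traced values; list objects never checked in the trace.

    A * field that never appeared in the trace is left unchanged and reported
    separately: the trace cannot tell whether it is needed.
    """
    narrowed, unused_objects, unresolved = {}, [], []
    for obj, fields in current.items():
        if obj not in used:
            unused_objects.append(obj)
            continue
        narrowed[obj] = {}
        for field, vals in fields.items():
            if "*" in vals and field in used[obj]:
                narrowed[obj][field] = used[obj][field]
            else:
                narrowed[obj][field] = list(vals)
                if "*" in vals:
                    unresolved.append(f"{obj}/{field}")
    return narrowed, sorted(unused_objects), unresolved


if __name__ == "__main__":
    used = used_values(TRACE, "WF-BATCH")
    narrowed, unused, unresolved = propose_reduction(CURRENT, used)
    print("tables actually used:", used["S_TABU_NAM"]["TABLE"])
    print("proposed values:", narrowed)
    print("objects never checked in the trace:", unused)
    print("* values not covered by the trace:", unresolved)
```

One caveat the script cannot remove: "never checked" means never checked during the trace window. Let the trace cover the periodic activity of the user (month-end, year-end runs) before removing an object or narrowing a value on this basis.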

Reorganization of data

Trace data can be cleaned up via the menu function Goto/Reorganize:

Relevant OSS notes

SUIM_CHDOC_USER: new transaction to show user changes

SUIM has a function to show changes for users, but it can perform very poorly with higher data volumes.

SAP has developed the successor transaction SUIM_CHDOC_USER, which gives the same data, but faster.

How to get transaction SUIM_CHDOC_USER?

It is important to know that transaction SUIM_CHDOC_USER only works on a HANA database. If you are not running on HANA, don’t continue.

Implementation steps:

  1. Apply OSS note 3399100 – SUIM | change history calculation for user/profile assignment
  2. Apply OSS note 3418682 – SUIM_CHDOC_USER | Implementation prerequisite for SAP Note 3405921. Run the generation program.
  3. Apply OSS note 3405921 – SUIM | Read Change Documents for User. Important: also execute the manual steps of this note; these final steps are NOT covered by the previous note.

Transaction SUIM_CHDOC_USER

Now you can start transaction SUIM_CHDOC_USER:

The input and the output are the same as you are used to; the new transaction is simply faster.

Bug fix notes

PFCGMASSDELETE: mass deletion of roles

To get the function for mass role deletion, you first need to apply OSS note 3360981 – PFCGMASSDELETE: Mass deletion of roles.

Mass deletion of roles

After the note is applied transaction code PFCGMASSDELETE can be started:

The information button (I) describes the functions of the program:

The SCC4 functions are described in OSS note 1723881 – Application of client-specific customizing settings to role maintenance.

New way of activating super user SAP*

In SAP note 3303172 – Activating a Super-User SAP*, SAP describes a new alternative way to activate user SAP*.

Activating SAP* is required in some cases. Well-protected systems have the parameter login/no_automatic_user_sapstar set to 1, which disables the automatic SAP* user (the hard-coded SAP* that exists when no SAP* user master record is present; see also the blog on SAP standard users). To use SAP* this parameter has to be set to 0, followed by a system restart to activate it (the parameter is not dynamic). Often, after using SAP*, it is forgotten to undo the activation and set login/no_automatic_user_sapstar back to the secure value 1.

The new way is available as of kernel release 790: a separate tool activates SAP* with a short-lived password only, which addresses the problem of an activation that is forgotten and left in place.

SAP Focused Run security notes validation

In the blog on the security and configuration validation overview, we explained how to run a validation of ABAP security notes against your systems using Focused Run configuration and security validation.

Questions that will be answered in this blog are:

  • How can I quickly run an entire year of security OSS notes versus my systems?

SAP github with security policy source files

SAP publishes files for the ABAP security notes each month on the SAP Focused Run Best Practices GitHub:

Here the policy files for the ABAP security notes are stored per year and per month.

Not all security notes for the ABAP stack are in these files: only the ABAP notes which can be applied via SNOTE. Security notes for the ABAP stack which require parameter changes or patches are not part of this check!

For convenience I have collected the files per year.

These files are for convenience only. It may be that I made a mistake in assembling them.
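Assembling a yearly file by hand is exactly where mistakes creep in, so here is an added example (written for this page; not code from the original post or from the SAP Focused Run GitHub) that merges the monthly files and reports notes that occur more than once. The element names targetsystem, configstore and checkitem and their attributes are an ASSUMPTION about the policy XML layout made for this example; compare them with a real monthly file and adjust the three constants before use. The two monthly policies are constructed, with placeholder note IDs.

```python
"""Added example (not from the original post or the SAP Focused Run GitHub):
merge monthly security-note policy files into one per-year policy.
The XML element names are an assumption; adjust the constants to the real files.
"""
import xml.etree.ElementTree as ET
from copy import deepcopy

ROOT_TAG, STORE_TAG, ITEM_TAG = "targetsystem", "configstore", "checkitem"  # assumed layout

JANUARY = """<targetsystem id="SEC_NOTES_2024_01" desc="ABAP security notes, January (constructed)">
  <configstore name="ABAP_NOTES">
    <checkitem id="NOTE_PLACEHOLDER_1" desc="placeholder note 1"/>
    <checkitem id="NOTE_PLACEHOLDER_2" desc="placeholder note 2"/>
  </configstore>
</targetsystem>"""

# February re-publishes note 2 (a revised note) and adds note 3.
FEBRUARY = """<targetsystem id="SEC_NOTES_2024_02" desc="ABAP security notes, February (constructed)">
  <configstore name="ABAP_NOTES">
    <checkitem id="NOTE_PLACEHOLDER_2" desc="placeholder note 2, revised"/>
    <checkitem id="NOTE_PLACEHOLDER_3" desc="placeholder note 3"/>
  </configstore>
</targetsystem>"""


def merge_policies(xml_texts, year_id, year_desc):
    """Return (merged root element, number of unique check items, duplicate ids).

    Items go into a configstore of the same name. When a checkitem id occurs
    again in a later month, the later copy replaces the earlier one (a
    re-published note is normally a revision) and the id is reported.
    """
    merged, stores, seen, duplicates = None, {}, {}, []
    for text in xml_texts:
        root = ET.fromstring(text)
        if root.tag != ROOT_TAG:
            raise ValueError(f"unexpected root element <{root.tag}>")
        if merged is None:
            merged = ET.Element(ROOT_TAG, dict(root.attrib))
            merged.set("id", year_id)
            merged.set("desc", year_desc)
        for store in root.findall(STORE_TAG):
            name = store.get("name")
            if name not in stores:
                stores[name] = ET.SubElement(merged, STORE_TAG, dict(store.attrib))
            for item in store.findall(ITEM_TAG):
                item_id = item.get("id")
                if item_id in seen:
                    duplicates.append(item_id)
                    old_store, old_item = seen[item_id]
                    old_store.remove(old_item)
                copy = deepcopy(item)
                stores[name].append(copy)
                seen[item_id] = (stores[name], copy)
    return merged, len(seen), duplicates


if __name__ == "__main__":
    root, count, dups = merge_policies([JANUARY, FEBRUARY],
                                       "SEC_NOTES_2024", "ABAP security notes 2024")
    print(f"{count} unique check items; re-published ids: {dups}")
    print(ET.tostring(root, encoding="unicode"))
```

Feed the printed XML to the policy editor as described in the next section, and review the re-published ids by hand: whether the later version is the right one to keep depends on what changed in the note.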

Uploading the files

Go to the Configuration validation policy maintenance Fiori tile:

Create new policy and copy paste the text from the file:

Do this by choosing Edit and copy and paste the text in the editing section:

Now save the policy. Check the XML. Generate the policy and check it by pressing Test Policy. Note that these are large files with many checks, so the test can take some time. The validation can be run via the Validate button or by following the instructions below.

Running the Security notes checks against the connected systems

To run the checks, go to the Configuration and Security Analytics Fiori tile:

Select the policy file to run:

Now be patient until the results are ready.

Make sure you expand the number of columns.

If an ABAP note is not applied, that does not automatically mean your system is unsafe. You have to define for which CVSS scores and which systems you want to apply the security OSS notes, and within which timeframe.

More on CVSS score see OSS note 2463332 – Security Note CVSS vector computation – SAP Solution Manager 7.1 and 7.2 and this SAP blog explaining the CVSS scoring in general.

<< This blog was originally posted on SAP Focused Run Guru by Frank Umans. Repost done with permission. >>

SAP password hash hacking Part VI: extended wordlists

As explained in the previous blogs, many people use a word followed by a rule, such as appending a special character and a digit, or a word in which characters are replaced by digits or special characters.

In the first blog the 10,000-word list was used.

This blog will make you aware of the existence of far more word lists and how to counter these.

Wordlists

Wordlists available:

  • Dictionaries for each language, like Webster for English. Each language has its own preferred dictionary
  • Keyboard walk list: contains fragments like QWER, UIOP, ASDF etc. These fragments are used in so-called combination attacks by using multiple fragments like: Qwer1234!@#$ (which is 3 keyboard walks)
  • Wikipedia list; this list is huge and simply contains a list of ALL words ever used on Wikipedia
  • Public site or intranet site keywords; comparable to Wikipedia, but targeted towards a single organization. Many people use the company name, department name, project name or another internal name as part of their password
  • All placenames (cities, provinces, states, countries, rivers, etc) in the world
  • All movies, actors, actresses, characters
  • Sport names and sports players
  • Lists from previous password hacks: like the LinkedIn list, RockYou list, etc.

The makers of John the Ripper (Openwall) sell such wordlists on their site (for the cracking itself, still use hashcat).

Counter measures for attacks done by word lists

Counter measures:

  • User education: use not a single word, but two or more words in the password
  • Use single sign-on instead of passwords
  • Use generated passwords kept in secure storage (a password manager)
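The first counter measure can be backed by a check that mirrors how the wordlist-plus-rule attacks above succeed, run on a password before it is accepted. The following is an added example written for this page, not code from the original post: it strips the leading and trailing digits and specials a rule would have appended, undoes common character-for-digit substitutions, and then tests whether what remains is a single wordlist entry, or whether the whole password is a run of keyboard-walk fragments. The wordlist and the fragment list are tiny constructed samples standing in for the full lists named above.

```python
"""Added example (not from the original post): detect passwords that a
wordlist + rule attack or a keyboard-walk combination attack would find.
"""
import re

# Common substitutions, reversed: 0->o, 1->i, 3->e, 4->a, 5->s, 7->t, @->a, $->s, !->i
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})
EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")  # digits/specials added by a rule

# Constructed samples: a few dictionary words plus a company and a city name.
WORDLIST = {"summer", "welcome", "password", "acme", "amsterdam",
            "correct", "horse", "battery"}
KEYBOARD_WALKS = ["qwer", "qwerty", "uiop", "asdf", "zxcv", "hjkl", "1234", "!@#$"]


def is_keyboard_walk(text):
    """True if text splits entirely into keyboard-walk fragments (either direction)."""
    frags = set(KEYBOARD_WALKS) | {f[::-1] for f in KEYBOARD_WALKS}
    n = len(text)
    reachable = [False] * (n + 1)  # reachable[i]: text[:i] is a run of fragments
    reachable[0] = True
    for i in range(1, n + 1):
        reachable[i] = any(reachable[j] and text[j:i] in frags for j in range(i))
    return n > 0 and reachable[n]


def word_candidates(password):
    """Forms an attacker's rules would reduce the password to, in a fixed order."""
    low = password.lower()
    stripped = EDGE_JUNK.sub("", low)
    forms = [stripped, stripped.translate(UNLEET),
             low.translate(UNLEET), EDGE_JUNK.sub("", low.translate(UNLEET))]
    return list(dict.fromkeys(f for f in forms if f))  # dedupe, keep order


def wordlist_attack_risk(password, wordlist=WORDLIST):
    """Return why the password would fall to a wordlist attack, or None if it would not."""
    if is_keyboard_walk(password.lower()):
        return "keyboard walk"
    for form in word_candidates(password):
        if form in wordlist:
            return f"single word '{form}' plus rule"
    return None


if __name__ == "__main__":
    for pw in ["Summer2024!", "P@ssw0rd1", "Qwer1234!@#$", "Acme!", "correct horse battery"]:
        print(f"{pw!r}: {wordlist_attack_risk(pw) or 'no single-word or walk match'}")
```

A multi-word passphrase passes because none of the reduced forms is a single entry; that is precisely the property the user-education point above asks for. Extend WORDLIST with the company, department and project names from your own intranet, since those are the terms an attacker targeting you will add first.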