Sos Hana Checks

7/25/2019 Sos Hana Checks

http://slidepdf.com/reader/full/sos-hana-checks 1/9

SAP SECURITY OPTIMIZATIONHANA

This documents shows the description of all checks which are executedby the SAP Security Optimization Service for a HANA database.

Author: Global Service and Support – Security Services

Contact: [email protected]

Date: 10.03.2016

mailto:[email protected]





<Service Name>, <Customer Namer> <date of session> 2

1 SC_INIT - INITIALIZATIONS FOR SECURITY CHECK ...................................................... 4

1.0.1 Preface .................................................................................................................. 4

2 SC_HANA - SECURITY CHECKS FOR THE SAP HANA DATABASE .............................. 5

2.1 V ALIDITY OF INITIAL P ASSWORDS........................................................................................................5

2.1.1 Extracted TABLES (from SDCCN) ......................................................................... 5

2.1.2 Interactive GRANTEES (from SDCCN) ................................................................. 5

2.1.3 SAP HANA System Privilege DATA ADMIN ........................................................... 5

2.1.3.1 Users with DATA ADMIN Privilege .............................................................................. 5

2.1.3.2 Role DBA_COCKPIT with DATA ADMIN Privilege .................................................... 5

2.1.3.3 Roles with DATA ADMIN Privilege .............................................................................. 6

2.1.4 SAP HANA Password Policy .................................................................................. 6

2.1.5 SAP HANA Audit Trail ............................................................................................ 6

2.1.5.1 Auditing Status ................................................................................................................ 7

2.1.5.2 Audit Trail Target ............................................................................................................ 7

2.1.5.3 Audit Policies .................................................................................................................. 7

2.1.6 SAP HANA SQL Trace Level ................................................................................. 7

2.1.7 SAP HANA Network Settings for Internal Services................................................. 8

2.1.8 SAP HANA SSFS Master Encryption Key .............................................................. 8






SC_INIT - Initializations for Security Check


1 SC_INIT - Initializations for Security Check

1.0.1 PrefaceThe SAP Security Optimization service is a comprehensive support service that identifiessecurity risks for your SAP system and helps you to determine the appropriate measures toprotect it from these risks.

Objective of the SAP Security Optimization Service The objectives of SAP Security Optimization are:- To analyze the technical configuration of your SAP system for security risks- To provide recommendations for implementing measures to mitigate security risks- To provide a compressed overview of the implemented security level- To enable you to protect your business systems from typical security risks

The security checks of SAP Security Optimization are performed for the following securityaspects:- Availability: ensuring that a system is operational and functional at any given moment- Integrity: ensuring that data is valid and cannot be compromised- Authenticity: ensuring that users are who they claim to be- Confidentiality: ensuring that information is not accessed by unauthorized persons- Compliance: ensuring that the system security setup is in accordance with establishedguidelines

Scope of SAP Security Optimization SAP Security Optimization includes a collection of several hundred checks. These checksidentify security vulnerabilities in the current setup and configuration of your SAP system. Thechecks are performed on the SAP software layer. For a security analysis of the underlyingoperating system and database, consult your vendor; for a security analysis of the network,contact your preferred network security provider.

The SAP Security Optimization service cannot cover customer-specific aspects that require adetailed on-site analysis, such as the following checks:- Segregation of duties for business-critical processes- Security organization (organizational security)- Security administration processes (operational security)

For a complete overview of existing security risks to your business system, the topics listed

above have to be taken into consideration. SAP's Security Consulting Team can assist youwith individual on-site consulting services to obtain guidance on aspects of security.



SC_HANA - Security Checks for the SAP HANA Database


2 SC_HANA - Security Checks for the SAP HANA

Database

2.1 Validity of Initial Passwords

2.1.1 Extracted TABLES (from SDCCN)

Purpose To convert the data from SDCCN downloads into check tablesRating Automatically rated as:GREEN if all data is found for all key figures – field G_RC and EXITCODE are 0 or INITIAL.YELLOW if not GREEN.

2.1.2 Interactive GRANTEES (from SDCCN)

2.1.3 SAP HANA System Privilege DATA ADMIN

2.1.3.1 Users with DATA ADMIN Privilege

Purpose To check whether there are known users with the DATA ADMIN privilege.Exclude the SYSTEM and _SYS_REPO users.Procedure Evaluate SDCCN key figure HDB_GRANTEES_DATA_ADMIN.Count lines with GRANTEE <> (SYSTEM, _SYS_REPO) and GRANTY_TYPE = USER.

Rating YELLOW if the count is not 0.GREEN if the count is 0.YELLOW: DATA ADMIN provides the authorization to modify and delete every object in every schema.Recommendation: Remove the DATA ADMIN privilege from all user accounts except theSYSTEM und _SYS_REPO users.Users in your SAP HANA database have the DATA ADMIN system privilege.The count considers direct grants to the users as well as indirect grants using roles. Usersare counted as activated if the validity time range matches the time of the evaluation and theuser is not deactivated.The SYSTEM and _SYS_REPO users are not considered, because these users have the

DATA ADMIN privilege by design and the privilege cannot be revoked from these users.

2.1.3.2 Role DBA_COCKPIT with DATA ADMIN Privilege

Purpose To check whether the DBA_COCKPIT role has the DATA ADMIN privilege.ProcedureEvaluate the SDCCN key figure 'HDB_GRANTEES_DATA_ADMIN'.Count the lines in 'HDB_GRANTEES_DATA_ADMIN' with GRANTEE = DBA_COCKPIT andGRANTEE_TYPE = ROLE.RatingYELLOW if the count is not 0.GREEN if the count is 0.

YELLOW: The DATA ADMIN system privilege was granted to the DBA_COCKPIT role, probably basedon the SAPINST installation procedure or on a former version of SAP Note 1640741.

http://service.sap.com/sap/support/notes/1640741








Recommendation: Remove the DATA ADMIN privilege from the DBA_COCKPIT role alsoaccording to the updated version of SAP Note 1640741, points 5 and 12.Note: The DBA_COCKPIT role is usually granted to the users DBACOCKPIT,DBA_COCKPIT_<calling_sid>, and/or SAP<sid>. If you revoke the DATA ADMIN privilegefrom the DBA_COCKPIT role, therefore, the number of users in the 'Users with DATA ADMINPrivilege' section may be reduced.

2.1.3.3 Roles with DATA ADMIN Privilege

Purpose To check whether there are known roles with the DATA ADMIN privilege.Procedure Evaluate the SDCCN key figure 'HDB_GRANTEES_DATA_ADMIN'.Count the lines in 'HDB_GRANTEES_DATA_ADMIN' with GRANTY_TYPE = ROLE andGRANTEE <> 'DBA_COCKPIT'.Rating YELLOW if the count is not 0.

GREEN if the count is 0.Note Role DBA_COCKPIT will be listed in the attached table if it is granted the DATA ADMINprivilege. However, it will not rate this check YELLOW.YELLOW: The DATA ADMIN privilege provides the authorization to modify and delete every object inevery schema.It must not be granted to any user in a production environment. Therefore, it should not beassigned to any particular role since it is not required and is at risk of being misused.Recommendation: Remove the DATA ADMIN privilege from all the above roles or deletethese roles.The DATA ADMIN system privilege is granted to the following roles.

2.1.4 SAP HANA Password Policy

Purpose To evaluate the SAP HANA password policy parameters.Procedure Read the M_PASSWORD_POLICY view and compare all data with the recommended values.If the current parameter is set weaker than the recommended one, rate the parameterYELLOW. If it is set stronger or equal to the recommendation, rate the parameter GREEN.Rating If one of the parameters force_first_password_change,maximum_unused_inital_password_lifetime, or minimal_password_length is rated YELLOW,rate the check YELLOW.If the check is not rated YELLOW, rate it GREEN.Note Disregard the ratings of the other parameters. They are shown for information purposes only.YELLOW: Recommendation: Adapt all values to the recommended or stronger settings.The following table provides an overview of the current values of the password policy and thecorresponding values recommended by SAP. A yellow rating indicates a setting that is weakerthan recommended, while a green rating indicates a recommended or stronger setting.This section only appears in the EWA report if at least one of the following parameters israted yellow.The following table provides an overview of the remaining password policy parameters.

2.1.5 SAP HANA Audit Trail

Sources of information for the SAP HANA audit trail:- SAP HANA Security Guide




http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf









- SAP HANA Administration Guide - SAP HANA Audit Trail Best Practice in the SCN

2.1.5.1 Auditing Status

Purpose To evaluate whether the SAP HANA audit trail is activated.Procedure Use the SDCCN key figure HDB_M_INIFILE_GLOBAL.Find the value for layer = 'SYSTEM', section = 'auditing configuration', and key ='global_auditing_state'.Rating YELLOW if the entry is not found or the value is 'false'.GREEN if the value is 'true'.YELLOW: Auditing is disabled in the security settings of your SAP HANA database.Recommendation: Activate the SAP HANA audit trail and define appropriate audit policies.

2.1.5.2 Audit Trail Target

Purpose To evaluate the SAP HANA audit trail target.Procedure Use the SDCCN key figure HDB_M_INIFILE_GLOBAL.Find the value for layer = 'SYSTEM', section = 'auditing configuration', and key ='default_audit_trail_type'.Rating YELLOW if the entry is found and is equal to 'CSVTEXTFILE'.GREEN if not YELLOW.YELLOW:

The audit trail target is currently set to 'CSV Text File'. This is not secure enough and shouldonly be used for test purposes. CSV text files are not sufficiently protected againstunauthorized modifications.Recommendation: Use the "Syslog" (default) or (as of SPS07) "Database Table" target.Note: If you use the "Syslog" option, you also need to configure the operation system syslogaccordingly so that you will not receive error messages in the event of issues with the OSsyslog.

2.1.5.3 Audit Policies

Purpose To evaluate whether at least one audit policy is defined.Procedure Count the lines in the SDCCN key figure HDB_AUDIT_POLICIES or the SAP HANA viewaudit_policies.Rating YELLOW if the number of lines is 0.GREEN if the number of lines is not 0.YELLOW: No customer-defined audit policies are enabled.Recommendation: Define audit policies according to your needs.

2.1.6 SAP HANA SQL Trace Level

Purpose

To evaluate the SQL trace level to ensure that no SQL statement result sets are written to thetrace file.Procedure Evaluate the indexserver.ini file. This is equal to the SDCCN key figure

http://help.sap.com/hana/SAP_HANA_Administration_Guide_en.pdf



http://scn.sap.com/docs/DOC-51098









HDB_M_INIFILE_ISERVER.Get the parameters for section = 'sqltrace' and key = 'trace' or 'level'. If a parameter isavailable for layer = 'SYSTEM', use this. Otherwise, use the value for layer = 'DEFAULT'.Rating YELLOW if the value of 'level' is equal to 'all_with_results'.GREEN if not YELLOW.YELLOW: The SQL trace level is currently set to 'ALL_WITH_RESULTS'. This setting will force the traceto write all result sets from SQL statements in the trace file. Persons who are not authorizedto see this information may still be able to read these trace files.Recommendation: Use SQL trace with results in exceptional cases only. Change the tracelevel to ALL or a lower trace level.Even if the SQL trace is switched off (trace=off), the trace level should not be set to ALL_WITH_RESULTS because someone could activate this critical trace level unintentionallyby switching on the SQL trace.

2.1.7 SAP HANA Network Settings for Internal ServicesPurpose Check the settings of the SAP HANA internal network configuration.Procedure The check is performed automatically.Check internal procedure:Get the parameters from global.ini for section [communication] parameter listeninterface andsection [internal_hostname_configuration].The parameters are rated one by one also if there are dependencies between the parametersfor the rating of a parameter.Some rules:- A host specific setting is not recommended -> YELLOW

- Value for key listeninterface = .local -> GREEN; = .global or .all -> RED; = .internal ->GREEN; = <Netmask> -> dependent on details; all other values -> GREEN- The key of internal_hostname_resolution is an IP. If it is identical to the net_publicname inthe m_host_information it’s rated RED - If a RED system or global parameter is overruled on all hosts it’s reset to YELLOW Rating If any parameter is rated RED, set a RED rating for the check.If any parameter is rated YELLOW, but no RED, set a YELLOW rating for the check.If all parameters are rated GREEN, set a GREEN rating for the check.Note IPv6 network masks as values for parameter listenenterface are not evaluated in detail andreceive a GREEN rating.RED: Your system internal network configuration is not secured against unauthorized access.Immediate action is required.Recommendation: Follow the instructions in the SAP Note 2183363. YELLOW: No obvious unsecure settings of the system internal network configuration were detected.However, some settings are not recommended and should be adjusted.Recommendation: Follow the instructions in the SAP Note 2183363.

2.1.8 SAP HANA SSFS Master Encryption Key

Purpose

Verify, that the SSFS Master Encryption Key was changed from the hard-coded default to anindividual value.Procedure The check is performed automatically without the need of manual interaction. It evaluates the













setting of parameter ssfs_key_file_path in the section [cryptography] of the configuration fileglobal.ini as well as the alerts with the IDs 84 and 85. Rating Set a YELLOW rating, if the parameter has the default value SPACE or one of the alerts hasbeen raised more than 8 times within the recent 10 days.Set a GREEN rating otherwise.Note The fact, whether parameter ssfs_key_file_path is maintained with a non-SPACE value isused as a good indicator on whether the default SSFS Master Encryption Key was changedor not. However, be aware, that this is only an indicator and not a proof.YELLOW: Recommendation: Change your SSFS Master Encryption Key as described in SAP SecurityNote 2183624 and SAP HANA Administration Guide, Section 'Change the SSFS Master Key'. The alerts in the following table have been raised by and for the SAP HANA Database andindicate that the SSFS Master Encryption Key has not been changed from its default value.The parameter ssfs_key_file_path is not set in the section [cryptography] of the global.ini file.

Most likely your SSFS Master Encryption Key has not been changed from its default value.





http://help.sap.com/saphelp_hanaplatform/helpdata/en/58/1593c48739431caaccc3d2ef55c23f/frameset.htm






Documents

Sos Hana Checks