Itcs104 Fmc

7/22/2019 Itcs104 Fmc

1/130

Intended Users

Further contacts and information

For clarification of questions or any further informa

Owner & Administrators

IBM Security

Instructions

Please ensure that you fill in ALL questions on tab

Author

Revision History

Version Number Revision Date

5.1 8-Feb-08

ITCS104 v9.1 SAP Application Heal

Name

This document has been designed for conduc

Clive Gabel

7/22/2019 Itcs104 Fmc

2/130

v6.0 1-Aug-08

7/22/2019 Itcs104 Fmc

3/130

8-Sep-10

15-Mar-10

v6.1 9-Apr-09

v7 8-Sep-09

v8.0

v7.1

7/22/2019 Itcs104 Fmc

4/130

Approvals

pattabiraman

pattabiramanveeramony

pattabiraman

veeramony

pattabiraman

veeramony

pattabiraman

veeramony

Name Title

pattabiraman

veeramony

pattabiraman

veeramony

pattabiraman

veeramony

8-Jul-11

11-Oct-11v9.0

v9.1 13-Apr-12

v8.2

7/22/2019 Itcs104 Fmc

5/130

tion relating to this checklist, please send an email to the [email protected] taskid.

s that are relevant to devices for the months health check.

Date

8-Feb-08

Summary of Changes

Initial version

Updated by:

Clive Gabel

h Checking Proforma

ting health checking activities, on SAP Application platform, as defined within the the ITCS104 v9.1 Chapter 2.2.

7/22/2019 Itcs104 Fmc

6/130

Updated as per ITCS104 v6.0 dated 15/07/2008:

1.1:

Updated DB2 Replication for AIX Operating System Userids;

Updated CommonStore userid to match current practices;

Removed db2as since is only used in DB2 V7 or below;

2.1:

reusable passwords - wait times and history size changes added;removed need for login/min_password_specials parm;

5.2:

AIX provider of service shared userids - removed the use of SU (ITCS104

new requirements); updated CommonStore's userid to match current

practices; total review and updates to SAP security administrative and

system administrative authorization objects and values (including values that

are prohibited due to the authorization sensitivity - see Tables tab);

6:

Corrected parm names; allowed values to gave latitude for project-specific

growth and specified applicable SAP Releases; updated to allow rec/client

parm options and now only required logging for production environment;

Corrected SM19 system settings per SAP Release;7.1:

Removed requirement/row to "Verify that only approved users are included in

the access lists of OSRs beyond that allowed

to general users;

Clive Gabel

7/22/2019 Itcs104 Fmc

7/130


Sect 1.1

Added clarification statements surrounding Shared SAP application userids -

Application owner SAP application userids for emergency use.

System Clients - Allow for multiple production clients and production client

number may be other than 100.

Allowed project latitude for System profile parameter setting of parmlogin/no_automatic_user_sapstar in non-production systems.

Removed zOS/TSO operating system userid entry due to it being covered

under zOS, OS390 and MVS Platforms Tech Spec (ITCS104 Chp. 2.1.8).

Removed MS Windows operating system userid entry due to it being

covered under the Microsoft Windows 2000 Servers Tech Spec (ITCS104

Chp. 2.1.3).

Sect 5.2

Added clarification statements on security administrative and system

administrative authorization objects & values matrix related to "prohibited"

and "allowed".

Corrected an oversight for AIX provider of service shared userids SAPR3,

SAP and SAPDB to allow the necessary DB2 connection for SAPkernel to be able to start.

Sect 6

Added new RECCLIENT system parm to enable logging of table changes

made from imported or transported entries to production.

Updated Activity auditing system settings for the different SAP release

levels.

Updated as per ITCS104 v7 dated 15/07/2009:

Sect 5.1 - Added clarification to SAP Release for applicable operating

system resource AIX settings.


Sect 1.1 - For CPIC or Communication userids, added clarification on

passwords that are contained in a file. (Q.11)

Sect 5.2 - For the EarlyWatch Userid added new native SAP authorization

profile and clarifications on System Administrative authorization objects.

(Q166)

Updated to reflect changes in ITCS104 v8.0:

Sect 5.2 - Updated AIX provider of service shared userids for the DB2

parameters to align with SAP's recommendation.

(Q172-173)

Sect 5.2 - System and security administrative authority under SAP security

administrative and system administrative authorization objects & values -

added S_SDCC_ADD and S_SDCC_DAT (Secuirty Admin 5.2 - tab)

Sect 5.6 - Added new sub-section 5.6.1 Security, integrity APAR, advisory

process for SAP environments requirements to specify SAP applicationspecifics for ITCS104 chapter 3 section 3.5.3 Security advisory patch

management. (see Apar 5.6.1 - tab)

Sect 6 - Activity auditing - added the ability for multiple file system names

under the DIR_AUDIT and rsau/local/file parameters.

(Q220 & 227)

Nick Saxon

Nick Saxon

Nick Saxon

Nick Saxon

7/22/2019 Itcs104 Fmc

8/130


* Sect 1.1 - Updated the use of Reference Userids.

* Sect 3.1 - Corrected a link URL.


* Sect 7.1 - Change "P" to "P or Any Internet Reachable"

* Added four new controls to 5.1 Operating system resources for

SECAUDIT log directory * Update 1.1 Userids definition of Reference

Updated version number only to reflect ITCS104 v9.1. There are no

changes from ITCS104v9.0

Role

IGA-INDIA SAP BASIS-Team Leader







IGA-INDIA SAP BASIS-Team Leader 14-Dec-11

Adam Kasprzak

25-Sep-08

28/072011

06/10/2010

by default

12-Oct-09

25-Mar-08

14-Apr-10

4-Jun-09

Adam Kasprzak

Date Approved

Adam Kasprzak

7/22/2019 Itcs104 Fmc

9/130

8

7/22/2019 Itcs104 Fmc

10/130

7/22/2019 Itcs104 Fmc

11/130

7/22/2019 Itcs104 Fmc

12/130

7/22/2019 Itcs104 Fmc

13/130

INSTRUCTIONS:

Machine Name/Identifier Server Team & Contact Date Checked

FMC AHS SAP BASIS 20/06/2012

If the server value is NOT COMPLIANT to the value specifiedin the question, (ie the answer is NO or N/A) You MUST

enter the actual server setting or a comment to explain why

the question is not applicable

7/22/2019 Itcs104 Fmc

14/130

Question No. 1 2

Appendix ref: 1.1 Userids 1.1 Userids

Health CheckTool / Script

Heading SAP Application Userids SAP Application Userids

Comments

Userid owners 6 character

employee serial number and 3

character personnel system code

must be present in Account No.

Field.

Note: Applies to all types listed

below:

1. Dialog

2. BDC / Background / System

3. CPIC / Communication

4. Service

5. Reference

Is this the case ?

Sponsored userids must have *

at the beginning of the userid

owners 6 character employee

serial number and 3 character

personnel system code.


below:

1. Dialog



4. Service

5. Reference

Is this the case ?

Nil YES YES

7/22/2019 Itcs104 Fmc

15/130

3 4 5

1.1 Userids 1.1 Userids 1.1 Userids

SAP Application Userids

SAP Application

Userids SAP Application Userids

No SAP native profiles/role can

be assigned to any userid in

production except for the

exceptions noted within this table

or the userid table in section 5.2

(see Tables control tab).


below:

1. Dialog



4. Service

5. Reference

Is this the case ?

Interactive dialog:

Sponsored userids

on a Production

system must have

the full name of the

employee who will

be using the userid.

Is this the case ?

BDC / Background/

System :

Non-loggable (used for

running jobs, system

operations such as ALE,

workflow, batch jobs, etc.)

:

Userid is allowed to have

a non-expiring password.

Is this the case ?

YES YES YES

7/22/2019 Itcs104 Fmc

16/130

6 7 8 9

1.1 Userids 1.1 Userids 1.1 Userids 1.1 Userids


SAP Application

Userids

SAP Application

Userids SAP Application Userids

BDC / Background/

System :


running jobs, system

operations such as ALE,

workflow, batch jobs, etc.)

:

Expired or initial

passwords are not

checked.

Is this the case ?

CPIC / Communication :


system to system

communication) :

Userid is allowed to have

a non-expiring password.

Is this the case ?



system to system

communication) :

Expired or initial

passwords are not

checked.

Is this the case ?



system to system

communication) :

Password on a Production

userid must be different

from the password for the

same userid on all non-

production systems in the

landscape.

Is this the case ?

YES YES YES YES

7/22/2019 Itcs104 Fmc

17/130

10 11

1.1 Userids 1.1 Userids

SAP Application Userids SAP Application Userids



system to system

communication) :

Password on a test userid

on test clients may be the

same, but the password

must be different from

Production userid and any

other non-Test

systems/clients.

Is this the case ?


Non-loggable (used for system to

system communication) :

If the password of this userid is

contained in a file(s) at the operating

system level then the location of that

file(s) needs to be documented and the

permissions of the file(s) need to be set

to 700 (i.e. permissions for

read/write/execute are for the owning id

of the file(s) only).

Is this the case ?

YES YES

7/22/2019 Itcs104 Fmc

18/130

12

1.1 Userids


Service

(4.6 C and higher) :

Service IDs should generally not be used since they are not

compliant with ITCS104 and adequate protections are not

available in SAP to minimize the risk of users logging on to

the IDs. However, if service IDs are absolutely necessary, the

following three conditions must be met:

1. The ID must be set up with read only access.

2. The BPO must document the mitigating controls to ensure

the IDs are not misused.

3. The SAP technical specification owner must approve the

use of the service IDs.

Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

19/130

13 14



Shared SAP application userids -

Provider of service SAP application

userids

Reference

(4.6 C and higher) :

Non-person user that allows for the assignment of identical

users such as internet users.

(used for CRM and SRM systems)

A Reference ID cannot directly log on to the system.

1. Userid is allowed to have a non-expiring password.

2. Expired or initial passwords are not checked.

3. All reference userids must be assigned to secure user

group REFID.

4. Access to update userids in secure user group(s) is

prohibited, except through a defined and controlled

emergency process.

Is this the case ?

The following ids may be required for the

operation of SAP. The password of these

ids may be provided to the System

Administrative group supporting the SAP

instance provided that individual

accountability is maintained for dialog ids.

The Provider of Service must define the

controls surrounding this access :

SAPCPIC :

Userid type is CPIC or Communication.

Is this the case ?

N/A YES

7/22/2019 Itcs104 Fmc

20/130

15 16



Provider of service SAP application

userids

Shared SAP application userids - Provider of

service SAP application userids

The following ids may be required for

the operation of SAP. The password of

these ids may be provided to the

System Administrative group

supporting the SAP instance provided

that individual accountability is

maintained for dialog ids. The Provider

of Service must define the controls

surrounding this access :

SAPCPIC :

Profile S_A.CPIC must be assigned.

Is this the case ?

The following ids may be required for the operation

of SAP. The password of these ids may be provided

to the System Administrative group supporting the

SAP instance provided that individual accountability

is maintained for dialog ids. The Provider of Service

must define the controls surrounding this access :

(used by BTS or SAP when performing

problem analysis) :

Userid type is dialog.

Is this the case ?

YES YES

7/22/2019 Itcs104 Fmc

21/130

17

1.1 Userids









(used by BTS or SAP when performing

problem analysis) :

Userid is locked or set to have the validity date in

the past when not in use.

Is this the case ?

YES

7/22/2019 Itcs104 Fmc

22/130

18

1.1 Userids



The following ids may be required for the operation of

SAP. The password of these ids may be provided to the

System Administrative group supporting the SAP

instance provided that individual accountability is

maintained for dialog ids. The Provider of Service must

define the controls surrounding this access :

(used by BTS or SAP when performing problem

analysis) :

SAP native roles/profiles can be assigned with the

exception of SAP_ALL and/or SAP_NEW and/or

equivalent.

Is this the case ?

YES

7/22/2019 Itcs104 Fmc

23/130

19

1.1 Userids









:


Is this the case ?

YES

7/22/2019 Itcs104 Fmc

24/130

20

1.1 Userids









:

Profile Z9_CSTORE or equivalent must be assigned.

Is this the case ?

YES

7/22/2019 Itcs104 Fmc

25/130

21 22


Shared SAP application userids - Application

owner SAP application userids




SAP. The Application Owner must define and

document the controls surrounding approvals,

issuance, audit trails, and usage of these ids.

Individual accountability must be maintained for dialog

ids :

Dialog ID for emergency use (May be stand-alone

emergency access ID or existing end-user ID) :


Is this the case ?






ids:



SAP native roles/profiles can be assigned with the

exception of SAP_ALL and/or SAP_NEW and/or

equivalent.

Is this the case ?

YES YES

7/22/2019 Itcs104 Fmc

26/130

23 24











ids:



The use of prohibited system administrative

authorization objects specified in section 5.2 may be

necessary or required for emergency access.

Is this the case ?






ids:



If stand-alone emergency access IDs are used:

userid must be locked (or controlled by the validity

date) when not in use, and relocked when access is

complete.

password must be changed after each use.

Is this the case ?

YES YES

7/22/2019 Itcs104 Fmc

27/130

25 26





owner SAP non-dialog operational userids






ids:



If existing end-user id

Roles/profiles must be added prior to use and

removed when access is complete.

Is this the case ?


SAP. The Application Owner must define the controls

surrounding these ids :

(Used for running batch jobs) :

Userid type is Background or BDC or System.

Is this the case ?

YES YES

7/22/2019 Itcs104 Fmc

28/130

27 28










Only access required per job description is allowed.

Is this the case ?





Userid must not have SAP_ALL and/or SAP_NEW

and/or equivalent assigned.

Is this the case ?

YES YES

7/22/2019 Itcs104 Fmc

29/130

29 30









WF-BATCH (Workflow Batch ID) :

Userid type is Background or BDC or System.

Is this the case ?






Is this the case ?

YES YES

7/22/2019 Itcs104 Fmc

30/130

31 32












Is this the case ?




(Communication ID) :


Is this the case ?

YES YES

7/22/2019 Itcs104 Fmc

31/130

33

1.1 Userids








Is this the case ?

YES

7/22/2019 Itcs104 Fmc

32/130

34 35





owner SAP application test userids







Is this the case ?

The following ids may be used to test SAP

access. The Application Owner must define the

controls surrounding use of these userids :

(Used for testing project

defined roles or profiles) :

Must not exist on production client.

Note: see section 5.2 for information on shared

privileged SAP userids.

Is this the case ?

YES YES

7/22/2019 Itcs104 Fmc

33/130

36 37











Production role(s)/profile(s) will be assigned to

an id.



Is this the case ?






Passwords may be shared.



Is this the case ?

YES YES

7/22/2019 Itcs104 Fmc

34/130

38 39 40

1.1 Userids 1.1 Userids 1.1 Userids



Operating system

userids -

AIX

Operating system

userids -

AIX






Individual accountability does not have to be

maintained.



Is this the case ?

Must be limited to

approved systems and

application support

personnel.

Note: see section 5.2 for

information on shared

privileged operating

system userids.

Is this the case ?

No DB2 users except

db2, adm, or

DB2 Replication userids.

Note: see section 5.2 for



system userids.

Is this the case ?

YES YES N/A

7/22/2019 Itcs104 Fmc

35/130

41 42 43 44


Operating system

userids -

AIX

Operating system

userids -

AIX

Operating system

userids -

AIX

Operating system

userids -

AIX

If DB2 replication is used,

the following rules must

apply:

1. The gecos field in the

etc/passwd file must be

updated to include a

description of the purpose

of the id (without removing

or modifying any existing

data in the field.)

Is this the case ?



apply:

2. Userids using only the

Capture process must be

limited to DBADM auth.

Is this the case ?



apply:

3. Userids using only the

Apply process must be

limited to only having

SELECT access to the

SAPR3 or SAP table

schemas.

Is this the case ?



apply:

4. The same userid using

both Capture and Apply

processes must be limited

to DBADM auth.

Is this the case ?

N/A N/A N/A N/A

7/22/2019 Itcs104 Fmc

36/130

45 46 47 48


Operating system

userids -

AIX

Operating system

userids -

DB2 Replication

Operating system

userids -

DB2 Replication System clients

The DB2 Replication

Capture userid must not

update any tables in the

SAPR3 or SAP table

schemas.

Note:see section 5.2 for



system userids.

Is this the case ?

DB2 Replication (Capture

and/or Apply process:

DB2I ID : rlogin=false

Is this the case ?

DB2 Replication (Capture

and/or Apply process:

DB2I ID :login=false

Is this the case ?

Client 000 (SAP

Reference client) :

must exist on system.

applicable system types :

S,D,C,E,R,P

Is this the case ?

N/A N/A N/A YES

7/22/2019 Itcs104 Fmc

37/130

49 50 51 52


System clients System clients System clients System clients

Client 001 (SAP sample

client) :



S,D,C,E,R,P

Is this the case ?

Client 066 (EarlyWatch

client) :



S,D,C,E,R,P

Is this the case ?

Production client -

:



P

Is this the case ?

Production client -

:

Client number defined as

required by project


P

Is this the case ?

YES YES N/A N/A

7/22/2019 Itcs104 Fmc

38/130

53 54 55 56

1.1 Userids 1.1 Userids 1.1 Userids 2.1 Reusable passwords

System clients System profile Employment verification System profile

Client :

must be defined as

required by project.


S,D,C,E,R

Is this the case ?

login/no_automatic_user_

sapstar :

must be set optional 0 or 1


S,D,C,E,R (if 0, must have

control surrounding SAP*

userid to ensure it's not

deleted.)

Is this the case ?

Quarterly employment

verification checks must

be done on all clients.


S,D,C,E,R,P

Is this the case ?

login/min_password_lng :

must be set to 8.


S,D,C,E,R,P

Is this the case ?

YES YES YES YES

7/22/2019 Itcs104 Fmc

39/130

57 58 59

2.1 Reusable passwords 2.1 Reusable passwords 2.1 Reusable passwords

System profile System profile System profile

login/password_expiration

_time :

must be set to 90.


S,D,C,E,R,P

Is this the case ?

llogin/min_password_diff :

must be set to 1.


S,D,C,E,R,P

Is this the case ?

For SAP 4.7 and higher :

login/min_password_digits must be

set to 1.


S,D,C,E,R,P

Is this the case ?

YES YES NA

7/22/2019 Itcs104 Fmc

40/130

60 61 62

2.1 Reusable passwords 2.1 Reusable passwords 2.1 Reusable passwords

System profile System profile System profile

For SAP 4.7 and higher :

login/min_password_letters must

be set to 1.


S,D,C,E,R,P

Is this the case ?

For Basis 7.0 and ECC 6.0, and

higher :

login/password_change_waittime

must be set to 1.


S,D,C,E,R,P

Is this the case ?

For Basis 7.0 and ECC 6.0, and

higher :

login/password_history_size must

be set to 8.


S,D,C,E,R,P

Is this the case ?

NA NA NA

7/22/2019 Itcs104 Fmc

41/130

63 64

3.1 Business Use Notice3.1 Business Use Notice

(Chapter 1.3.3 Authorization)

Business Use Notice Business Use Notice

Business Use Notice must be

implemented.

SAP release 4.5 and lower:

Go to transaction SE80 => Repository

Information System => Program Library

=> Program Sub-Object => Screen

Enter the program name (SAPMSYST)

Enter the screen number (0020)

SAP release 4.6 and higher:

See SAP OSS note 205487 for

instructions.

Is this the case ?

The following notification (or equivalent

statements, with concurrence of IBM

counsel) must be presented to people

logging onto IBM systems during the

identification and authentication process if

the IBM system is running an operating

system that can provide such a

notification:

"IBM's internal systems must only be used

for conducting IBM's business or for

purposes authorized by IBM management"

Is this the case ?

YES YES

7/22/2019 Itcs104 Fmc

42/130

65 66

3.1 Business Use Notice 4.1 Encryption

Business Use Notice Storage

For all SAP systems (non-production and

production) that do not contain SPI, PI, or

are not subject to export controls

restrictions/prohibitions, the following text

is required :

"Unless previously authorized, this system

must not include information that is subject

to export control restrictions/prohibitions,

Sensitive Personal Information (SPI) or

Personal Information (PI). Refer to:

Privacy and Data Protection (hyperlink in

commentary cell) for detailed

requirements."

Is this the case ?

Native SAP Credit Card

Encryption must be

used.

As of 2007, SAP only

supports encryption of

passwords and credit

card numbers.

Password encryption is

standard SAP

functionality.

Is this the case ?

YES YES

7/22/2019 Itcs104 Fmc

43/130

67

4.1 Encryption

Storage

In order to implement encryption of credit card numbers, the following OSS notes

must be evaluated and implemented if applicable :

Release independent OSS notes: 455033, 690999, 894022, 1042745, 1034482

Core OSS notes for encryption on 4.6C system: 633462, 662340, 766703, 813198,

827347, 836079

Other OSS notes for consideration for 4.6C system: 663593, 738459, 790161,

791178, 812658, 840392, 858295, 874594, 978358

Note: This list is the minimum list of OSS notes to be reviewed for a 4.6C system.

OSS should be searched for other releases and for other notes which may apply to

functions in use for each SAP System.

Is this the case ?

YES

7/22/2019 Itcs104 Fmc

44/130

5.1 Operating system

resources


resources


resources

AIX settings AIX settings AIX settings

/secaudit

Owner is adm

Is this the case?

/secaudit

Group is sapsys

Is this the case?

/secaudit

Permission is 750

Is this the case?

YES YES YES

7/22/2019 Itcs104 Fmc

45/130


resources


resources


resources


/secaudit/

Owner is adm

Is this the case?

/secaudit/

Group is sapsys

Is this the case?

/secaudit/

Permission is 750

Is this the case?

YES YES YES

7/22/2019 Itcs104 Fmc

46/130


resources


resources


resources


/secaudit/*

Owner is adm

Is this the case?

/secaudit/*

Group is sapsys

Is this the case?

/secaudit/*

Permission is xx0

Is this the case?

YES YES YES

7/22/2019 Itcs104 Fmc

47/130


resources


resources


resources


/secaudit//*

Owner is adm

Is this the case?

/secaudit//*

Group is sapsys

Is this the case?

/secaudit//*

Permission is xx0

Is this the case?

N/A N/A N/A

7/22/2019 Itcs104 Fmc

48/130


resources


resources


resources


SUDO access list file

/etc/sudoers

Owner is root

Is this the case?


/etc/sudoers

Group is system

Is this the case?


/etc/sudoers

Permission is 440

Is this the case?

YES YES YES

7/22/2019 Itcs104 Fmc

49/130

73


resources


resources


resources


SUDO log /var/adm/sudo.log :

Owner is root

Is this the case ?

SUDO log /var/adm/sudo.log :

Group is system

Is this the case ?

SUDO log

/var/adm/sudo.log :

Permission must be 600

Is this the case ?

YES YES YES

7/22/2019 Itcs104 Fmc

50/130

74 75 76 77


resources


resources


resources


resources

AIX settings AIX settings AIX settings AIX settings

SU log /var/adm/sulog :

Owner is root

Is this the case ?


Group is system

Is this the case ?



Is this the case ?

adm, SAPR3,

SAP password file

for SAP 4.x and higher ;

/sapmnt//global/xxx

x.conf :

Owner is d2

Note: represents

the system id of the SAP

system.

Is this the case ?

YES YES YES YES

7/22/2019 Itcs104 Fmc

51/130

78 79 80 81


resources


resources


resources


resources


adm, SAPR3,

SAP password file


/sapmnt//global/xxx

x.conf :

Group is sapsys

Note: represents


system.

Is this the case ?

adm, SAPR3,

SAP password file


/sapmnt//global/xxx

x.conf :


(

7/22/2019 Itcs104 Fmc

52/130

82 83 84 85


resources


resources


resources


resources


/sapmnt//exe :

Permission must be 775.

Note: represents


system.

Is this the case ?

/sapmnt//exe/sapos

col :

Owner is root

Note: represents


system.

Is this the case ?

/sapmnt//exe/sapos

col :

Group is sapsys

Note: represents


system.

Is this the case ?

/sapmnt//exe/sapos

col :

Permission must be

4755.

Note: represents


system.

Is this the case ?

YES YES YES YES

7/22/2019 Itcs104 Fmc

53/130

86 87 88 89


resources


resources


resources


resources


/sapmnt//global :

Owner is adm

Note: represents


system.

Is this the case ?

/sapmnt//global :

Group is sapsys

Note: represents


system.

Is this the case ?

/sapmnt//global :


Note: represents


system.

Is this the case ?

/sapmnt//profile :

Owner is adm

Note: represents


system.

Is this the case ?

YES YES YES YES

7/22/2019 Itcs104 Fmc

54/130

90 91 92 93


resources


resources


resources


resources


/sapmnt//profile :

Group is sapsys

Note: represents


system.

Is this the case ?

/sapmnt//profile :


Note: represents


system.

Is this the case ?

/usr/sap/ :


Note: represents


system.

Is this the case ?

/usr/sap/ :


Note: represents


system.

Is this the case ?

YES YES YES YES

7/22/2019 Itcs104 Fmc

55/130

94 95 96 97


resources


resources


resources


resources


/usr/sap//* :

Owner is adm

Note: represents


system.

Is this the case ?

/usr/sap//* :

Group is sapsys

Note: represents


system.

Is this the case ?

/usr/sap//* :


Note: represents


system.

Is this the case ?

/usr/sap//sec :

Owner is adm

Note: represents


system.

Is this the case ?

YES YES YES YES

7/22/2019 Itcs104 Fmc

56/130

98 99 100 101


resources


resources


resources


resources


/usr/sap//sec :

Group is sapsys

Note: represents


system.

Is this the case ?

/usr/sap//sec :


Note: represents


system.

Is this the case ?

/usr/sap//SYS :

Owner is adm

Note: represents


system.

Is this the case ?

/usr/sap//SYS :

Group is sapsys

Note: represents


system.

Is this the case ?

YES YES YES YES

7/22/2019 Itcs104 Fmc

57/130

102 103 104 105


resources


resources


resources


resources


/usr/sap//SYS :


Note: represents


system.

Is this the case ?

/usr/sap//SYS/* :

Owner is adm

Note: represents


system.

Is this the case ?

/usr/sap//SYS/* :

Group is sapsys

Note: represents


system.

Is this the case ?

/usr/sap//SYS/* :


Note: represents


system.

Is this the case ?

YES YES YES YES

7/22/2019 Itcs104 Fmc

58/130

106 107 108 109


resources


resources


resources


resources


/usr/sap/trans :

Owner is adm

Note: represents


system.

Is this the case ?

/usr/sap/trans :

Group is sapsys

Note: represents


system.

Is this the case ?

/usr/sap/trans :


Note: represents


system.

Is this the case ?

/usr/sap/trans/* :

Owner is adm

Note: represents


system.

Is this the case ?

YES YES YES N/A

7/22/2019 Itcs104 Fmc

59/130

110 111 112 113


resources


resources


resources


resources


/usr/sap/trans/* :

Group is sapsys

Note: represents


system.

Is this the case ?

/usr/sap/trans/* :


Note: represents


system.

Is this the case ?

/usr/sap/trans/.sapconf :

Owner is adm

Note: represents


system.

Is this the case ?


Group is sapsys

Note: represents


system.

Is this the case ?

N/A N/A N/A N/A

7/22/2019 Itcs104 Fmc

60/130

114 115 116 117


resources


resources


resources


resources




Note: represents


system.

Is this the case ?

/ :

Owner is adm

Note: represents


system.

Is this the case ?

/ :

Group is sapsys

Note: represents


system.

Is this the case ?

/ :


Note: represents


system.

Is this the case ?

N/A N/A N/A N/A

7/22/2019 Itcs104 Fmc

61/130

118 119 120 121


resources


resources


resources


resources


//* :

Owner is adm

Note: represents


system.

Is this the case ?

//* :

Group is sapsys

Note: represents


system.

Is this the case ?

//* :


Note: represents


system.

Is this the case ?

/db2/ :

Owner is db2

Note: represents


system.

Is this the case ?

N/A N/A N/A N/A

7/22/2019 Itcs104 Fmc

62/130

122 123 124 125


resources


resources


resources


resources


/db2/ :

Group is sysadm (SAP

7/22/2019 Itcs104 Fmc

63/130

126 127 128 129


resources


resources


resources


resources


/db2//log_dir :


Note: represents


system.

Is this the case ?

/db2//log_archive :

Owner is db2

Note: represents


system.

Is this the case ?

/db2//log_archive :


7/22/2019 Itcs104 Fmc

64/130

130 131 132 133


resources


resources


resources


resources


/db2//log_retrieve :

Owner is db2

Note: represents


system.

Is this the case ?

/db2//log_retrieve :

(SAP

7/22/2019 Itcs104 Fmc

65/130

134 135 136 137


resources


resources


resources


resources


/db2//sapdata :


7/22/2019 Itcs104 Fmc

66/130

138 139 140 141


resources


resources


resources


resources


/.netrc (allows remote

access) :

Owner has read and

write access.

Is this the case ?

/.netrc (allows remote

access) :

sid must also

have read and/or write

access if file is accessed

from SAP application.

Is this the case ?

/.rhosts (allows remote

access) :

must have read access

only by root.

Is this the case ?

/.rhosts (allows remote

access) :

must have write access

only by root.

Is this the case ?

YES YES YES YES

7/22/2019 Itcs104 Fmc

67/130

142 143 144


resources


resources


resources


The following AIX userid

and primary AIX groupid

combination may own

OSRs in the SAP AIX

environment :

Userid: root

Groupid: system

Is this the case ?



combination may own

OSRs in the SAP AIX

environment :

Userid: db2

Groupid: sapsys

Is this the case ?



combination may own

OSRs in the SAP AIX

environment :

Userid: adm

Groupid: sapsys

Is this the case ?

YES YES YES

7/22/2019 Itcs104 Fmc

68/130

145 146 147


resources

5.2 System and security

administrative authority



AIX settings

Shared SAP application userids

- Provider of service privileged

SAP application userids


Provider of service privileged SAP

application userids

The following AIX userid and

primary AIX groupid combination

may own OSRs in the SAP AIX

environment :

Application owner userids

Application owner groups

Is this the case ?

The following ids are required for

the operation of SAP. The

password of these ids may be

provided to the System

Administrative group supporting

the SAP instance provided that

individual accountability is

maintained. The Provider of

Service must define the controls


SAP*


Is this the case ?

The following ids are required for the

operation of SAP. The password of





maintained. The Provider of Service

must define the controls surrounding

this access :

SAP*

Userid must exist in all clients.

Is this the case ?

YES YES YES

7/22/2019 Itcs104 Fmc

69/130

148 149

5.2 System and security administrative

authority

5.2 System and security administrative

authority



application userids



application userids






accountability is maintained. The Provider



SAP*

Userid must never be deleted.

Is this the case ?









SAP*

Userid must be locked in all clients except

when required for system maintenance.

Is this the case ?

YES YES

7/22/2019 Itcs104 Fmc

70/130

150 151







application userids



application userids









this access :

SAP*

Userid must be assigned to group

SUPER in each client.

Is this the case ?









this access :

SAP*

Profiles SAP_ALL and SAP_NEW, or

equivalent are assigned.

Is this the case ?

YES YES

7/22/2019 Itcs104 Fmc

71/130

152 153







application userids



application userids









this access :

DDIC


Is this the case ?









this access :

DDIC

Userid must exist in client 000, 001,

100 (or the production client) and any

client in the CTS path.

Is this the case ?

YES YES

7/22/2019 Itcs104 Fmc

72/130

154 155







application userids



application userids









this access :

DDIC

Userid must never be deleted.

Is this the case ?









this access :

DDIC

Userid must never be locked.

Is this the case ?

YES YES

7/22/2019 Itcs104 Fmc

73/130

156 157







application userids



application userids









this access :

DDIC

Userid must be assigned to group

SUPER.

Is this the case ?









this access :

DDIC

Profiles SAP_ALL and SAP_NEW, or

equivalent are assigned.

Is this the case ?

YES YES

7/22/2019 Itcs104 Fmc

74/130

158 159

5.2 System and security administrative authority 5.2 System and security administrative authority


service privileged SAP application userids









(Used for installing

Hotpacks or system upgrades.) :


Is this the case ?









Userid must be assigned to group SUPER.

Is this the case ?

YES N/A

7/22/2019 Itcs104 Fmc

75/130

160 161














Userid must only exist in client 000.

Is this the case ?









Profiles SAP_ALL and SAP_NEW, or equivalent

can be assigned.

Is this the case ?

N/A N/A

7/22/2019 Itcs104 Fmc

76/130

162 163












EARLYWATCH (Used by SAP / BTS when

Earlywatch sessions are conducted.) :


Is this the case ?









Userid must only exist in client 066.

Is this the case ?

N/A N/A

7/22/2019 Itcs104 Fmc

77/130

164 165














Userid must be locked when not in use.

Is this the case ?









Profile S_TOOLS_EX_A is assigned.

Is this the case ?

N/A N/A

7/22/2019 Itcs104 Fmc

78/130

166 167

5.2 System and security administrative authority5.2 System and security administrative

authority


service privileged SAP application userids AIX provider of service shared userids









If SDCCN is used, profile S_SDCC_ADM_N must

also be assigned.

Is this the case ?



ids may be shared among the System





surrounding this access. Any additional

AIX privileged userids in support of Bolt on

applications must be identified and

documented. Support personnel must use

SUDO from their personal id to connect to

any shared AIX userids :

ROOT (AIX) :

rlogin=false

Is this the case ?

N/A N/A

7/22/2019 Itcs104 Fmc

79/130

168

5.2 System and security administrative authority

AIX provider of service shared userids

The following ids are required for the operation of SAP. The

password of these ids may be shared among the System

Administrative group supporting the SAP instance provided

that individual accountability is maintained. The Provider of

Service must define the controls surrounding this access. Any

additional AIX privileged userids in support of Bolt on

applications must be identified and documented. Support

personnel must use SUDO from their personal id to connect to


ROOT (AIX) :

login=true (on SAP instance where there are no sensitive

programs).

Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

80/130

169












ROOT (AIX) :

login=false (on SAP instances where sensitive programs

reside).

Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

81/130

170



The following ids are required for the operation of SAP.

The password of these ids may be shared among the

System Administrative group supporting the SAP instance

provided that individual accountability is maintained. The

Provider of Service must define the controls surrounding

this access. Any additional AIX privileged userids in

support of Bolt on applications must be identified and

documented. Support personnel must use SUDO from

their personal id to connect to any shared AIX userids :

ROOT (AIX) :

Root must be included in /etc/ftpusers file.

Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

82/130

171












7/22/2019 Itcs104 Fmc

83/130

172












7/22/2019 Itcs104 Fmc

84/130

173












7/22/2019 Itcs104 Fmc

85/130

174












ADM (AIX with DB2) :

rlogin=true

Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

86/130

175













login=false

Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

87/130

176













NOCHECK must be set in /etc/security/passwd

Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

88/130

177












SAPR3 (AIX with DB2) :

May be the DB2 owner of SAP database.

Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

89/130

178













Userid cannot connect / sign on to DB2 and is not a DB2 user.

Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

90/130

179













rlogin=true

Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

91/130

180













login=true

Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

92/130

181













NOCHECK must be set in /etc/security/passwd.

Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

93/130

182












SAP (AIX with DB2) :


Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

94/130

183














Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

95/130

184













rlogin=true

Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

96/130

185













login=true

Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

97/130

186














Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

98/130

187












SAPDB (AIX with DB2) :


Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

99/130

188














Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

100/130

189













rlogin=true

Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

101/130

190













login=true

Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

102/130

191














Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

103/130

192












cstore :

rlogin=false

Is this the case ?

N/A

7/22/2019 Itcs104 Fmc

104/130

193 194

5.2 System and security administrative authority5.2 System and security administrative

authority


zOS/OS390 provider of service shared

userids










cstore :

login=false

Is this the case ?


operation of SAP. The password of these ids

may be shared among the System



accountability is maintained. The Provider of

Service must define the controls surrounding

this access :

General:

RACF logging must be enabled.

Is this the case ?

N/A N/A

7/22/2019 Itcs104 Fmc

105/130

195 196





zOS/OS390 provider of service

shared userids

zOS/OS390 provider of service

shared userids



these ids may be shared among the






this access :

SAPR3 (RACF group) :

Must not be an operating system

userid.

Is this the case ?

The following ids are required for

the operation of SAP. The

password of these ids may be

shared among the System

Administrative group supporting

the SAP instance provided that

individual accountability is

maintained. The Provider of

Service must define the c

Date post:	10-Feb-2018
Category:	Documents
Upload:	sravan-kumar-p
View:	242 times
Download:	0 times

Itcs104 Fmc

Documents