[PEN-TEST] sap tools

From: Mike Ahern (mc_ahernat_private)
Date: Tue Apr 17 2001 - 07:47:50 PDT


    Q.) Just wondering if someone is aware of tools for
    auditing SAP R/3 and MySAP.com? I'll probably be
    involved in an audit of such systems.
    ----------
    
    Fernando,
    
    From what I understand, the settings for SAP are
    customer specific, driven by their policies. Some Big
    Five accounting firm types have developed their own
    reporting tools that extract configuration data and
    present the information in customized reports. I hear
    that SAP has their own software available for this
    kind of reporting, though I have not used it and hence
    don't know a lot about it.
    
    Basically, SAP provides transactions and system
    parameters which it leaves to the user to use or
    configure, respectively. The transaction RSPARAM
    displays the SAP logon parameter settings, e.g.,
    minimum/maximum password length, permissible number of
    logon failures, autolock reset parameters, etc. The
    installation can then determine whether the settings
    correspond to management's wishes or best practices.
    By the way, everything in SAP is system independent,
    and to a lesser extent, client independent. Running
    RSPARAM for one system does not show what the settings
    are in the other systems. A typical large deployment
    of SAP may have both development and production
    environments, running from 6 to 12 systems, and from 1
    to 7 clients in each system. Your systems may be
    different from those I have had exposure to.
    
    As far as the standard SAP reports go, there are a
    large number of RSUSRnnn reports which monitor sensitive
    transactions, authorization objects and other system
    activity, e.g., who can set up or modify user IDs, who
    can access tables and which ones, password character
    strings which are not permitted, who can execute batch
    jobs or even look at program code.
    
    There is a danger in executing any or all of these
    without thoroughly understanding the ramifications of
    combinations of these transactions and authorization
    objects. One could raise a red flag which gives the
    false impression that things are out of control, or
    one could raise the green flag that everything is OK
    when knowing the consequences of combining certain
    seemingly innocuous transactions and authorization
    objects may open up a security exposure to a sensitive
    table.
    
    This is all application-level security stuff. The O/S
    and database security issues may also be very
    interesting. One place to explore would be any
    "middleware" software used to interface between legacy
    databases and SAP. These need read/write permissions
    to access multiple legacy business databases and the
    SAP system. Account names and passwords for the
    various systems are sometimes stored within the
    middleware application files inside an unencrypted
    text file! If you snag that, you have access to many
    of their business databases.
    
    Good Luck,
    
       - Mike
    
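    An added example, not part of Mike's post: the comparison of RSPARAM
    output against "management's wishes" described above, done as a small
    script rather than by eye. The listing below is constructed to mimic
    the three columns RSPARAM shows (parameter name, user-defined value,
    system default); the parameter names are standard SAP login/* and
    rdisp/* profile parameters, but the values and the policy thresholds
    are assumptions for illustration and must be replaced with the
    baseline agreed with the customer. Run it once per system, since the
    post points out that one system's settings say nothing about another.

```python
"""Baseline check for SAP logon profile parameters (added example).

Parses an RSPARAM-style listing (parameter name, user-defined value,
system default) and compares the effective value of each parameter
against an agreed policy. The listing and thresholds are constructed
for this example; the parameter names are standard SAP login/* and
rdisp/* profile parameters.
"""

# Constructed listing in the three-column shape RSPARAM produces.
# A blank user-defined column means the system default is in force.
SAMPLE_RSPARAM = """\
login/min_password_lng            3          6
login/fails_to_session_end                   3
login/fails_to_user_lock          99         12
login/failed_user_auto_unlock     1          1
login/password_expiration_time    0          0
rdisp/gui_auto_logout             0          0
"""

# Assumed policy agreed with management before the audit; adjust per site.
# (operator, threshold) is applied to the effective integer value.
POLICY = {
    "login/min_password_lng": (">=", 8),          # minimum password length
    "login/fails_to_session_end": ("<=", 3),      # failures before session ends
    "login/fails_to_user_lock": ("<=", 5),        # failures before user is locked
    "login/failed_user_auto_unlock": ("==", 0),   # 1 = locks released automatically
    "login/password_expiration_time": ("between", (1, 90)),  # days
    "rdisp/gui_auto_logout": ("between", (1, 1800)),         # idle seconds
}


def parse_rsparam(text):
    """Map parameter name -> (user_value or None, default_value)."""
    params = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            params[fields[0]] = (fields[1], fields[2])
        elif len(fields) == 2:          # user-defined column was blank
            params[fields[0]] = (None, fields[1])
    return params


def effective(user, default):
    """User-defined value wins when set; otherwise the default applies."""
    return default if user is None else user


def satisfies(op, threshold, value):
    if op == ">=":
        return value >= threshold
    if op == "<=":
        return value <= threshold
    if op == "==":
        return value == threshold
    if op == "between":
        lo, hi = threshold
        return lo <= value <= hi
    raise ValueError("unknown operator %r" % op)


def audit(text, policy=POLICY):
    """Return (name, value, source, verdict) for each policy item.

    verdict is OK, WEAK, MISSING (parameter not in the listing) or
    UNPARSED (value not an integer). source records whether the value
    came from the user-defined column or the system default.
    """
    params = parse_rsparam(text)
    findings = []
    for name, (op, threshold) in policy.items():
        if name not in params:
            findings.append((name, None, None, "MISSING"))
            continue
        user, default = params[name]
        source = "default" if user is None else "user-defined"
        raw = effective(user, default)
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, raw, source, "UNPARSED"))
            continue
        verdict = "OK" if satisfies(op, threshold, value) else "WEAK"
        findings.append((name, value, source, verdict))
    return findings


def weak_parameters(text, policy=POLICY):
    """Names of parameters failing the policy, in policy order."""
    return [f[0] for f in audit(text, policy) if f[3] == "WEAK"]


if __name__ == "__main__":
    for name, value, source, verdict in audit(SAMPLE_RSPARAM):
        print("%-8s %-32s %-6s %s" % (verdict, name, str(value), source or ""))
```

    The MISSING verdict matters as much as WEAK: a parameter absent from
    the listing is running on whatever the kernel default is, which is
    exactly the case the post warns about when one system's RSPARAM is
    taken as representative of the others.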



    This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 14:17:16 PDT