SAP Active Global Support
October, 2013
Security Patch Process
© 2013 SAP AG. All rights reserved. 2
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's
Abstract
Software security remains a critical topic for all companies and for the information technology industry.
The security of a specific system also depends significantly on the secure installation and operation of that system. SAP has gained a lot of experience from its support for and engagement with numerous customers. It uses the resulting best practices not only to improve and enhance its support offering but also makes them available to its customers directly as recommendations, services and tools.
In this presentation you will learn about the self-services and tools available for security maintenance of SAP-delivered code, centered around the "Security Notes" section of the EarlyWatch Alert report. Using the application System Recommendations within SAP Solution Manager you can track down the critical Security Notes that are required for your systems.
Agenda
Security Patch Process
Security Tools and Services
- EarlyWatch Alert (EWA) – Security Chapter
- Security Notes Report (RSECNOTE)
- System Recommendations
- Configuration Validation
Where's The Risk If Not Patching?
Without closing the addressed vulnerabilities
- it cannot be ensured that business applications are operated properly, because standard security measures such as
  - authentication mechanisms
  - authorization implementations
  - security settings (parameters)
  can potentially be fully circumvented
- This may in turn lead to
  - system / application misuse for various purposes
  - loss of reputation (see the Sony incident as an example)
  - falsified financial data and reporting -> an issue for financial audits
  - indirect losses through sabotage, direct losses through theft
Sep 2010: SAP Introduces Monthly Security Patch Day
(Timeline figure with the labels "SAP", "Other vendors" and "NOW", and the customer-side phases "Distribute, assess, plan (& roll-out)": SAP's patch day now coincides with the patch days of other vendors.)
SAP Introduces Monthly Security Patch Day
SAP Security Patch Day: regular Patch Day every second Tuesday of a month, based on feedback from customers and SAP User Groups.
Benefit 1: Better planning for SAP Security Notes with a dedicated, regular schedule
Benefit 2:
Benefit 3: More efficient patching of SAP systems, as it is on the same day as with other software providers
Announcement Jul 8, 2013: Implementing SAP security fixes
Important information and call for action
SAP is continuously investing in increasing the quality and security of its products. To improve the consumability of its security fixes and to further align its deployment processes with industry standards, SAP has changed the way security patches are provided.
SAP delivers important security fixes on its monthly Security Patch Day. SAP strongly recommends that its customers implement the security fixes flagged with priority 1 and priority 2, which primarily fix externally reported issues. These fixes are released on the second Tuesday of every month and can be used to fix a particular vulnerability without updating the system to a new support package.
To further reduce the implementation effort for customers, other security fixes (priority 3 and 4) will generally be delivered with Support Packages. SAP strongly recommends that its customers apply Support Packages on their systems as soon as a Support Package is available. The Support Packages can be found on SAP Service Marketplace in the corresponding product area. Information about these improvements will also be published in security notes with priority 3 and 4 some months after the Support Packages have been released.
Security Patch Process FAQ
http://scn.sap.com/community/security/blog/2012/03/27/security-patch-process-faq
Posted by Frank Buchholz in Security on Mar 27, 2012 5:12:28 PM
1. Where do I find SAP Security Notes?
2. Where do I find an overview of security services, including the management of security notes?
3. Where do I find information about the application "System Recommendations"?
4. Where do I find information about the application "Configuration Validation"?
5. There are so many security notes relevant for my systems. How should I start implementing them?
6. What is the difference between the various lists of security notes?
7. There are quite different kinds of security notes. How should I start classifying them to optimize the implementation process?
Security Notes
Security Notes
- are standard SAP Notes / HotNews
- with information about known security vulnerabilities
- and appropriate countermeasures (correction instruction, configuration, service pack, upgrade, manual measures)
- whose corrections are contained in subsequently released Support Packages, if possible
They can be found here: http://service.sap.com/securitynotes
Count of Security Notes per Month
(Chart: monthly count of Security Notes from Aug 2008 to May 2013 on a 0 to 100 scale, broken down by priority: 1 - HotNews, 2 - Correction with high priority, 3 - Correction with medium priority, 4 - Correction with low priority, 6 - Recommendations/additional info.)
Source: SMP /securitynotes
Status from May 2013: 2610 Notes in total
Covered by Support Package Upgrade. Caution: There are exceptions!
Average of 'typical'
CVSS
Common Vulnerability Scoring System
CVSS Base Vectors
CVSS vectors containing only base metrics take the following form:
(AV:[L,A,N]/AC:[H,M,L]/Au:[N,S,M]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C])
The letters within brackets represent possible values of a CVSS metric. Exactly one option must be chosen for each set of brackets. Letters not within brackets are mandatory and must be included in order to create a valid CVSS vector. Each letter or pair of letters is an abbreviation for a metric or metric value within CVSS. These abbreviations are defined below.
Example 1: (AV:L/AC:H/Au:N/C:N/I:P/A:C)
Example 2: (AV:A/AC:L/Au:M/C:C/I:N/A:P)
Metric: AV = AccessVector (Related exploit range). Possible Values: L = Local access, A = Adjacent network, N = Network
Metric: AC = AccessComplexity (Required attack complexity). Possible Values: H = High, M = Medium, L = Low
Metric: Au = Authentication (Level of authentication needed to exploit). Possible Values: N = None required, S = Requires single instance, M = Requires multiple instances
Metric: C = ConfImpact (Confidentiality impact). Possible Values: N = None, P = Partial, C = Complete
Metric: I = IntegImpact (Integrity impact). Possible Values: N = None, P = Partial, C = Complete
Metric: A = AvailImpact (Availability impact). Possible Values: N = None, P = Partial, C = Complete
CVSS
Common Vulnerability Scoring System
Impact = 10.41 * (1 - (1 - ConfImpact) * (1 - IntegImpact) * (1 - AvailImpact))
Exploitability = 20 * AccessVector * AccessComplexity * Authentication
f(Impact) = 0 if Impact = 0; 1.176 otherwise
BaseScore = (0.6 * Impact + 0.4 * Exploitability - 1.5) * f(Impact)
ConfImpact = case ConfidentialityImpact of none: 0, partial: 0.275, complete: 0.660
IntegImpact = case IntegrityImpact of none: 0, partial: 0.275, complete: 0.660
AvailImpact = case AvailabilityImpact of none: 0, partial: 0.275, complete: 0.660
AccessComplexity = case AccessComplexity of high: 0.35, medium: 0.61, low: 0.71
Authentication = case Authentication of requires no authentication: 0.704, requires single instance of authentication: 0.56, requires multiple instances of authentication: 0.45
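As an added example (not from the SAP slides), the following Python script implements the CVSS v2 base-score equations above and parses a vector in the bracketed form shown on the previous slide, rejecting malformed vectors. The AccessVector weights (L = 0.395, A = 0.646, N = 1.0) are not listed on the slide and are taken from the CVSS v2 specification; all other weights are the ones given above.

```python
import re

# Metric weights from the CVSS v2 equations. The AccessVector row is not on the
# slide; its values (L 0.395, A 0.646, N 1.0) come from the CVSS v2 specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C":  {"N": 0.0, "P": 0.275, "C": 0.660},
    "I":  {"N": 0.0, "P": 0.275, "C": 0.660},
    "A":  {"N": 0.0, "P": 0.275, "C": 0.660},
}
# Base metrics must appear in exactly this order, each exactly once.
ORDER = ("AV", "AC", "Au", "C", "I", "A")
_VECTOR_RE = re.compile(r"^\(?([A-Za-z]+:[A-Z](?:/[A-Za-z]+:[A-Z])*)\)?$")


def parse_vector(vector):
    """Turn '(AV:L/AC:H/Au:N/C:N/I:P/A:C)' into {'AV': 'L', ...}.

    Raises ValueError for anything that is not a well-formed base vector:
    wrong metric order, unknown value, missing or duplicated metric.
    """
    match = _VECTOR_RE.match(vector.strip())
    if not match:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    parts = match.group(1).split("/")
    if len(parts) != len(ORDER):
        raise ValueError(f"expected {len(ORDER)} base metrics, got {len(parts)}")
    metrics = {}
    for expected, part in zip(ORDER, parts):
        name, value = part.split(":")
        if name != expected:
            raise ValueError(f"metric {name!r} out of place, expected {expected!r}")
        if value not in WEIGHTS[name]:
            raise ValueError(f"invalid value {value!r} for metric {name!r}")
        metrics[name] = value
    return metrics


def cvss2_subscores(vector):
    """Return (Impact, Exploitability) exactly as defined by the v2 equations."""
    w = {name: WEIGHTS[name][value] for name, value in parse_vector(vector).items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    return impact, exploitability


def cvss2_base_score(vector):
    """Base score rounded to one decimal; f(Impact) zeroes the score when nothing is impacted."""
    impact, exploitability = cvss2_subscores(vector)
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


if __name__ == "__main__":
    for v in ("(AV:L/AC:H/Au:N/C:N/I:P/A:C)", "(AV:A/AC:L/Au:M/C:C/I:N/A:P)"):
        print(v, cvss2_base_score(v))  # 4.7 and 5.7
```

Example 1 scores 4.7 and Example 2 scores 5.7: both have the same Impact (one complete and one partial impact), so the difference comes entirely from Exploitability, where adjacent-network access with low complexity outweighs the multiple-authentication requirement. A vector with no impact at all yields 0.0 regardless of how exploitable it is, which is the purpose of the f(Impact) term.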
Security Patch Day: How to implement which note in which system?
- Depending on the age of the system, very many Security Notes (up to hundreds) are relevant per system
- The priority of the notes is not a strong, selective criterion, as approximately 80% of all notes have priority "HotNews" or "high"
- Depending on the size of the system landscape you have to patch many systems. You have to align exceptional security patches with regular maintenance activities.
- The effort to analyze and implement security notes, to identify the test requirements and to document all activities is quite high
- You get no guarantee that there are no notes which produce massive issues during implementation or usage in production systems
- You cannot accept for a long time the limitation of relying on the strict selection of security notes presented by RSECNOTE (for ABAP-based systems)
- Different technologies (especially ABAP, Kernel, Java) require special patch processes
The 5 Stages of a Security Patch Process
(Figure with five numbered stages; the labels recovered from the slide are: List of Security Notes (service.sap.com/securitynotes); monthly execution of RSECNOTE; monthly execution of "System Recommendations"; continuous Security Monitoring using "Configuration Validation".)
Useful Documentation:
- SAP Security Patch Day Working Paper: service.sap.com/sos, Media Library (German/English)
- Security Patch Process FAQ: https://scn.sap.com/community/security/blog/2012/03/27/security-patch-process-faq
- Details about System Recommendations: service.sap.com/sysrec
- Demo of System Recommendations: (link)
* BPCA – Business Process Change Analyzer (service.sap.com/testing)
Security Notes in the Service Marketplace
https://service.sap.com/securitynotes → "Security Notes Search"
Security Notes in the Service Marketplace
https://service.sap.com/securitynotes → "my Security Notes"
If your systems are registered in the SAP Service Marketplace, you can easily work with the filter "by System".
If this is not the case you cannot use the filter "by System"; we do not recommend using the filter "by Product" to search for Security Notes.
Limitation: You have to remove implemented notes manually from the list.
Security Notes in the Service Marketplace
Classification of Security Notes by Type
1. ABAP Correction Instructions: use Note Assistant (transaction SNOTE) to implement the correction, or apply the Support Package
2. ABAP software-like manual corrections: implement the correction manually, e.g. deactivate a web-based service
3. Kernel Notes: install a new Kernel
4. Java Notes: install Java Support Packages or Patches
5. Notes about other components: individual procedure to update the Database, SAPGUI, RFC Library, Business Objects, Sybase, ...
6. Other manual instructions
Classification of Security Notes by Implementation Process
1. Implementation as part of a monthly standard patch process, e.g. for ABAP Correction Instructions or ABAP software-like manual corrections
2. Implementation as part of a project, e.g. for notes about other components or other manual instructions
3. Implementation as part of maintenance activities, e.g. Support Package upgrade, Kernel upgrade, Java upgrade
4. Implementation after maintenance activities
Most Important: SAP Security (Patch) Policy
The best support for bringing a patch process to life
- Describes the organization (responsibilities) and the processes relevant for implementing security patches
- Defines the mandatory timelines for published security patches and for the implementation of SPs
- Often depends on the security classification of systems or applications
- Should provide hard targets but should also allow for documented, approved exceptions
Sample SAP Security Patch Policy
1. Every system / application has to be put into a security category / classification [Very High, High, Medium, Low]
2. No SP level may be older than 1.5 years
3. Security Notes published by SAP must be assessed and classified by priority [Very High, High, Medium, Low] and by implementation process [Monthly, Maintenance, Project]
4. The following timelines apply (excerpt):
   System Class | [Max] Note Prio | Impl Process | Deadline
   Very High    | Very High       | <any>        | 30 days
   Very High    | High            | Monthly      | 30 days
   Very High    | High            | Maintenance  | 90 days
   High         | High            | Project      | 180 days
5. Exceptions are allowed for good reason but must be documented and approved by IT Security
Preparation for the Patch Process
- Define the "Patch Day Roadmap"
- Define the responsible person (CERT) who decides about (not) implementing SAP Security Notes
- Define the responsible person (IT) for the security patch process of your SAP systems
- Register the responsible person in the SAP Service Marketplace as the Security Contact: https://www.service.sap.com/securitycontacts
- Check the status of SAP Solution Manager (release and SP level; plan an upgrade if required)
- Define the methods and tools for identifying and analyzing new SAP Security Notes
- Define the teams, testing methods and tools for regression testing of productive business processes
- Define the workflow for exceptional and regular transports
Security Maintenance Management
General Process Overview for testing SP's and Security Notes
(Flow diagram; labels recovered from the slide, grouped by track:
- Integration into Maintenance: Download & Apply Support Packages; Manual Adjustments; Apply Support Packages; Change of potential bug; Testing with Solution Manager Test Management / Regression tests; Solution Manager Quality Gate Management; Deploy Changes; Go Live.
- Monthly Security Patches: Download & Apply Latest Sec. Notes; Apply Single Correction(s); Testing with Solution Manager Test Management / Individual testing; No add. functional test; No Action needed.
- Exceptions / Immediate risk mitigation: Security Note(s); Manual Adjustments.)
Sample Patch Process
(Flow diagram:
- Security Patch Day of SAP: monthly on the 2nd Tuesday.
- The week after the Patch Day: check System Recommendations in Solution Manager; check Service Marketplace /securitynotes; check EarlyWatch Alert / RSECNOTE; risk assessment.
- Apply Security Notes ("Apply it now!"): within one month; apply additional manual configuration of Security Notes if necessary; complete test.
- Apply Kernel Patches, Java Patches and ABAP Support Packages ("Scheduled implementation!"): during the next maintenance cycle; perform individual regression test.
- Update Configuration Validation checks in Solution Manager.)
Sample Patch Process
Integrated approach with manual policy adoption & checks
(Flow diagram: the same flow as in the previous figure, with the local patch policy applied after checking System Recommendations in Solution Manager the week after the Patch Day. Security Notes are applied within X days as the policy requires (within one month, three months, ...); Kernel Patches, Java Patches and ABAP Support Packages follow as a scheduled implementation during the next maintenance cycle. Additional manual configuration of Security Notes, complete test and individual regression test as before. Workflow steps: "Check Status" and "Document Exception".)
Sample Patch Process
Integrated approach with automated policy adoption & checks
(Flow diagram: as the manual variant, plus an automated workflow step "Check in X days" implemented in Solution Manager, e.g. as custom development in SolMan / BW or Process Control.)
Implementation of a Security Patch Day Process
Preparations
The following sample procedure for establishing an SAP Patch Day process describes the necessary steps.
SAP recommends that you always import the latest published SAP security notes as soon as possible. Any delay may increase the security risk to the SAP landscape.
PREPARING FOR THE PATCH DAY PROCESS
1. Enter the name of your security contact in SAP Service Marketplace: https://www.service.sap.com/securitycontacts
2. Nominate a person to be responsible for the security maintenance of your SAP systems.
3. Review the status of your SAP Solution Manager (version and possible upgrade plans).
4. Which tools and methods are used in your company for testing?
5. Who is responsible for deciding whether or not all SAP security notes are imported in a given month? Does the customer use an authorization process?
6. Create a "Patch Day Roadmap". How should the process be structured in your company? (Possible templates are provided in the next section.)
DECISIONS
1. Define responsibilities
2. Identify the times, resources, and methods previously required for testing, and use existing SAP tools to reduce time and costs (for example, the Business Process Change Analyzer)
Implementation of a Security Patch Day Process
Sample SAP Security Patch Day Process
At the end of the second Tuesday in the month, you can review the latest list of SAP security notes on the SAP Service Marketplace page www.service.sap.com/securitynotes.
Use the "System Recommendations" function in your SAP Solution Manager (Release 7.0, Support Package 26 and higher) to determine which SAP security notes are relevant for your system landscape. If you schedule the background job for Tuesday night, the results will be available the next morning. You can also generate change requests from this tool.
The EarlyWatch Alert report and the RSECNOTE tool inform you of urgent SAP Active Global Support recommendations regarding HotNews and other important security notes that have been classified as relevant. As a rule, check the results of the report at the start of the week following the SAP Patch Day.
Regardless of the channel that the customer uses to find information about the latest SAP security notes (SAP recommends checking all channels: System Recommendations, SAP Service Marketplace, EarlyWatch Alert report, RSECNOTE), customers should always run their own risk assessment after reviewing the information.
The risk assessment should consider whether implementing the notes poses any risks to live operations or
Implementation of a Security Patch Day Process
Sample SAP Security Patch Day Process
Using "Configuration Validation", automated reports can check which SAP systems meet the customer's security requirements, and what is "missing" in the remaining systems. The reports use a target system from your SAP landscape that you specify, apply the latest SAP security notes to it, and, with Configuration Validation, compare it with the other systems.
The SAP security notes are then implemented in the course of that month, and regression tests are performed (where necessary) in order to ensure that the productive business processes are functioning correctly.
In the next maintenance window, update your kernel and implement the latest Java and ABAP support packages. During this update, you will also receive the patches from the SAP security notes. Some of the SAP security notes describe configuration changes that are also required in this context. During the update process, you may find that the process overlaps with another (live) Patch Day. These new SAP security notes should be implemented during this maintenance window if possible.
Implementation of a Security Patch Day Process
Optimization Points for the Process
1. Ensure an efficient analysis with automated batch jobs and e-mail notifications. This way, you will receive the results automatically by e-mail, and can skip straight to the risk assessment.
2. Use the "System Recommendations" function in the SAP Solution Manager. This provides you with a quick and consolidated analysis of open notes for each system. For more information, see: www.service.sap.com/sysrec
3. Alternatively, if you are using an older version of SAP Solution Manager (Release 7.0, SP 25 or lower), we recommend using a report that returns all of the notes relevant for the EarlyWatch Alert, that is, the selection of notes displayed in transaction ST13/RSECNOTE. This "Cross System Check" centrally identifies the open notes for each system in a single report, in line with RSECNOTE.
4. You should run a check for open SAP security notes regularly (we recommend monthly). Normally, a monthly list contains around 40–50 notes (exceptions are possible at any time). First check the small number of notes classified as priority 1. Also assess the possible risk posed by the other open notes (priority 2 to 4). If possible, these should also be imported immediately. There may be reasons on the customer side to delay the
Information about SAP Spotlight News
SAP regularly publishes "ad-hoc" information about particularly important security topics linked to the SAP security notes. Customers can find this information at SAP Service Marketplace. This information should not be confused with HotNews or priority 1 notes. The difference is that Spotlight News primarily summarizes key changes or
The Role of EarlyWatch Alert (EWA) for Security
SAP EarlyWatch Alert (EWA) (see http://service.sap.com/ewa)
SAP EarlyWatch Alert is an important part of making sure that your core business processes work. It is a tool that monitors the essential administrative areas of SAP components and keeps you up to date on their performance and stability. SAP EarlyWatch Alert runs automatically to keep you informed, so you can react to issues proactively, before they become critical.
Security in the EarlyWatch Alert:
The EWA Report includes selected information on critical security observations
– SAP Security Notes: ABAP and Kernel Software Corrections
– Default Passwords of Standard Users
– Password Policy
– Gateway and Message Server Security
– Users with Critical Authorizations
EarlyWatch Alert in the SAP Engagement and Service Delivery Work Center
EarlyWatch Alert Chapter "Security"
SAP Security Notes
This chapter of the report indicates that Security Notes are missing in your system; the missing notes can be identified using the tool RSECNOTE.
Check for Security-Related SAP Notes
Using Transaction ST13 Tool RSECNOTE
Transaction ST13 Tool RSECNOTE
Result
The result can be sent via mail, too.
Transaction ST13 Tool RSECNOTE
Result
RSECNOTE lists three categories:
- Security Notes that require implementation
- Security Notes that are successfully implemented
- Security Notes that are manually confirmed
Please note: RSECNOTE focuses on SAP Security HotNews (as far as technically clearly identifiable) and selected additional Security Notes. Check
Cross-System check for Security Notes
Report ZSECNOTE_CENTRAL @ SDN
To keep your SAP systems up to date and secure you have to apply various types of notes and patches. System Recommendations shows all relevant notes and patches for the selected systems and helps you to easily keep all of your systems up to date.
System Recommendations: Overview
Advantages & Features
- Provides a detailed recommendation of SAP notes and non-SAP notes which should be implemented, based on the actual status of the system and the already implemented notes
- The recommendations comprise the following note categories: Security notes; Performance-relevant notes; HotNews; Legal change notes; Correction notes / Patch notes
- A powerful calculation method for notes provides a comprehensive recommendation for the selected system
- Increase system security by applying up-to-date security-relevant notes tailored exactly to the respective system
- Integration into Change Request Management to directly create Change Requests for the selected notes
System Recommendations: Process Flow
1. Select the system to check & update
2. Retrieve system information (SP level, patch level)
3. Connect to the SAP Global Support Backbone
4. SAP provides information on the latest relevant notes (for the SP level, patch level)
5. The information is sent back to the customer's SAP Solution Manager system
6. Calculate the delta between the notes provided by OSS and the already implemented notes; show the relevant notes of the system(s) via System Recommendations or Configuration Validation
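As an added example that is not SAP's code, the following Python sketch shows what the delta step does: given a managed system's installed component and support package levels plus what SNOTE reports as implemented, it decides which published notes are still open and groups them by the implementation process from the classification above (Monthly for ABAP correction instructions and ABAP manual corrections, Maintenance for Kernel and Java notes, Project for other components). The note numbers, components and SP levels are constructed for the example, and the data structures are assumptions, not System Recommendations' internal format.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SecurityNote:
    """One published note as the delta calculation needs to see it (assumed shape)."""
    number: str
    priority: int               # 1 = HotNews, 2 = high, 3 = medium, 4 = low
    component: str              # affected software component, e.g. "SAP_BASIS"; "KERNEL" for kernel notes
    release: str                # affected release of that component, e.g. "702"
    fixed_in_sp: Optional[int]  # first SP (or kernel patch level) containing the fix; None if not yet in an SP
    kind: str                   # "abap_correction", "abap_manual", "kernel", "java" or "other"


@dataclass
class ManagedSystem:
    """What is read from the managed system: SP levels and the SNOTE implementation status."""
    sid: str
    components: dict            # (component, release) -> installed SP level / kernel patch level
    implemented_notes: set      # note numbers SNOTE reports as implemented or manually confirmed


# Note type (classification by type) -> implementation process (classification by process).
IMPLEMENTATION_PROCESS = {
    "abap_correction": "Monthly",
    "abap_manual": "Monthly",
    "kernel": "Maintenance",
    "java": "Maintenance",
    "other": "Project",
}


def is_relevant(note: SecurityNote, system: ManagedSystem) -> bool:
    """A note is relevant only if the system runs the affected component release."""
    return (note.component, note.release) in system.components


def is_open(note: SecurityNote, system: ManagedSystem) -> bool:
    """Relevant, not yet covered by the installed SP level, and not implemented via SNOTE."""
    if not is_relevant(note, system):
        return False
    installed = system.components[(note.component, note.release)]
    if note.fixed_in_sp is not None and installed >= note.fixed_in_sp:
        return False  # the fix already arrived with an SP / kernel patch
    return note.number not in system.implemented_notes


def system_recommendations(notes, system):
    """The delta: open notes, most urgent first (priority, then note number)."""
    return sorted((n for n in notes if is_open(n, system)),
                  key=lambda n: (n.priority, n.number))


def by_implementation_process(open_notes):
    """Count open notes per process so patch day and maintenance work can be planned."""
    counts = {}
    for note in open_notes:
        process = IMPLEMENTATION_PROCESS[note.kind]
        counts[process] = counts.get(process, 0) + 1
    return counts


# Constructed sample data: invented note numbers and a fictitious production system "PRD".
SAMPLE_SYSTEM = ManagedSystem(
    sid="PRD",
    components={("SAP_BASIS", "702"): 12, ("SAP_ABA", "702"): 12, ("KERNEL", "720"): 401},
    implemented_notes={"1000002"},
)
SAMPLE_NOTES = [
    SecurityNote("1000001", 1, "SAP_BASIS", "702", 14, "abap_correction"),  # open: SP 12 < 14
    SecurityNote("1000002", 2, "SAP_BASIS", "702", 13, "abap_correction"),  # closed: done via SNOTE
    SecurityNote("1000003", 2, "SAP_BASIS", "702", 10, "abap_correction"),  # closed: contained in SP 12
    SecurityNote("1000004", 2, "SAP_BASIS", "731", 5, "abap_correction"),   # not relevant: release 731
    SecurityNote("1000005", 2, "KERNEL", "720", 500, "kernel"),             # open: patch level 401 < 500
    SecurityNote("1000006", 3, "SAP_ABA", "702", None, "abap_manual"),      # open: no SP contains it
    SecurityNote("1000007", 1, "SAP_BASIS", "702", None, "other"),          # open: project work
]


def run_example():
    """Return (open note numbers in order, counts per implementation process)."""
    open_notes = system_recommendations(SAMPLE_NOTES, SAMPLE_SYSTEM)
    return [n.number for n in open_notes], by_implementation_process(open_notes)


if __name__ == "__main__":
    numbers, counts = run_example()
    print("open notes:", numbers)
    print("per process:", counts)
```

Two of the three ways a note drops out of the delta are visible in the sample: note 1000002 is closed because SNOTE reports it, note 1000003 because the installed SP level already contains the fix, and note 1000004 never enters the list because the system does not run the affected release. This is also why a Support Package upgrade shrinks the open list, as the Maintenance Optimizer example later on the slides shows.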
System Recommendation
SAP Solution Manager Work Center – Change Management
System Recommendations: Key Elements
- BW reporting as of SolMan 7.1 SP 3
- Filter by solution, product system, technical system and date
- Filter by application component
- Integration of Change Request Management and
System Recommendations: Key Elements
Integration of Change Request Management and
System Recommendations: Setup
The following steps are necessary to set up System Recommendations:
Prerequisites:
- The SAP-OSS RFC connection needs to be set up correctly
- All managed systems have to be connected to SAP Solution Manager and documented in transaction SMSY, and they have to be assigned to a product system and to a solution
- Authorization object SM_FUNCS controls access and the visibility of tabs in System Recommendations
To collect this data automatically for use within System Recommendations you can set up a batch job in the "Settings" area of System Recommendations.
System Recommendations is part of the "Change Management" Work Center in SAP Solution Manager.
Blog: http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/24227
Online Help: http://help.sap.com/saphelp_sm70ehp1_sp26/helpdata/en/83/68fad4952d42a192469fa02586aeff/frameset.htm
Important Notes: Note 1554475 System Recommendations - corrections for SP26; Note 1577059 SysRec: No RFC authorization
Cross-System check for System Recommendations
Report ZSYSREC_NOTELIST @ SDN for SolMan 7.0
Cross-System check for System Recommendations
Integrated BW Reporting as of SolMan 7.1 SP 3
List SAP notes not yet implemented in the systems of the selected solution,
Cross-System check for System Recommendations
BW Reporting as of SolMan 7.1 SP 3
Select a note area .. or select notes which have been classified as 'important' by your CERT department (CERT = Computer Emergency Response Team). Save the view.
Using the predefined report 0TPL_0SMD_VCA2_SYS_RECOM_NOTES of the application "Configuration Validation" you can define arbitrary selections, filters and views for a cross-system report based on the results of the application "System
New with Solution Manager 7.1 SP 9
BW Reporting based on System Recommendations for note list
New option to paste note numbers into the selection screen of the reporting as of SolMan 7.1 SP 9 for the query showing results of System Recommendations.
Step 1: Activate the new option
Extended Functions in System Recommendations
- Download selected notes into the Note Assistant (SNOTE) of the managed system
- Show object list for selected ABAP notes
- Additional information:
  + Note contains automatic correction instruction (SNOTE)
  + Note contains manual correction instruction
  + Note references a Kernel Patch
  + ABAP Support Package which contains the solution
- New list view
- Filter and sort list
- Execute Business Process Change Analyzer (BPCA) to identify business processes
Extended Functions in System Recommendations
Show object list for selected ABAP notes
Extended Functions in System Recommendations
Collect Java Patches and create Maintenance Transaction
- Collect Java Patches for selected Notes
- Integration with Maintenance Optimizer (MopZ)
Maintenance Optimizer (MopZ)
Step 4: Implementation – Show relevant Security Notes
The Maintenance Optimizer shows the relevant security notes as well (https://service.sap.com/MopZ).
Example used here: the planned Support Package upgrade of the ABAP part of a SolMan 7.1 from SP 5 to SP 7 reduces the count of notes by about 50, from 373 to 322.
Extended Functions in System Recommendations
Integration with Business Process Change Analyzer
Execute Business Process Change Analyzer (BPCA) to identify business processes
Business Process Change Analyzer (BPCA)
Online Help - Analyzing Business Processes Affected by Changes: http://help.sap.com/saphelp_sm71_sp01/helpdata/en/d7/e0f086fa3440c3bc2debad74ecda22/frameset.htm
Prerequisites to use the Business Process Change Analyzer (BPCA) for test preparation:
- Document business processes in an SAP Solution Manager project.
- Create a "Technical Bill of Material" (TBOM) for critical business transactions.
How-to Guide for BPCA: https://service.sap.com/~sapidb/011000358700000932192009E
Solution Manager Architecture in Large Environments
Consolidated reporting in a distributed architecture
Goal: Report the group-wide status of security configurations and security patching while not all systems are connected to one central SolMan but to area/company SolMans
- System header data for the System Recommendations and Configuration Validation applications are replicated from the central SLD into the central Solution Manager
- Configuration and patch implementation statuses are replicated from the local to the central Solution Manager
(Architecture figure: company SolMans and business-area SolMans report to a group HQ SolMan. Each local SolMan executes AGSNO_RPT_COLLECT_DATA weekly/daily; the tables AGSNOTE_HEAD and AGSNOTE_DATA are replicated weekly/daily to the central SolMan, which updates its entries with the local table entries; system data is replicated from the central SLD.)
Consider the Customer's Situation Today …
Are all our CRM systems compliant with the new Configuration Baseline? … Not compliant? Which systems? What exactly?
Are security settings applied? … On all systems? … Could you please confirm and report?
Have we imported Transport request xxxx (with important performance changes) on all systems? … Could I have a list of the systems where it is still missing?
Are the OS, DB, Software and Kernel on a certain / the latest level? … On all systems? … Please show me.
Have we applied SAP Note xxxxx on all systems? … Please report the implementation status for all systems.
A large number of systems … a complex SAP landscape …
… Need to perform a comparison of the current configuration status against a defined target or standard configuration baselines
… with minimum effort and ASAP
Configuration Validation
Architecture Overview
[Architecture diagram: ABAP-based installations (Solution Tool Plugins) and Java-based installations (Diagnostics Agents) are read once a day by the Extractor Framework (EFWK) into the Configuration and Change Database (CCDB) of Solution Manager EHP1. Configuration Validation Reporting and Change Reporting access the CCDB via the virtual InfoProvider 0SMD_VCA1 and a function module. Target System Maintenance keeps customer-defined system configurations / baselines in a DB table; existing system configurations can be copied into a target system.]
What is Configuration Validation?
The Idea behind Configuration Validation
[Diagram: the Configuration Items of a Reference System (ABAP Notes, Software Packages, Transports, Parameters, Kernel level, ...) are compared with the same Configuration Items of the Compared Systems 1 to N; the result is the compliance of each system with the Reference System.]
A reporting to understand how homogeneous the configuration of systems is:
All systems on a certain OS level or DB level?
Template configuration (SAP or DB parameters) applied on all systems?
No kernel older than 6 months on all systems?
Security policy settings applied? Security defaults in place?
Have certain transports arrived in the systems?
Options to report about SAP Notes
A) Configuration Validation using a Target System which is based on EarlyWatch online recommendations (RSECNOTE)
• Use this option to produce a cross-system analysis comparable to RSECNOTE (ABAP only)
• The target system defines which notes should be checked. The note list and the check conditions are loaded from EarlyWatch online recommendations.
B) Configuration Validation using a Target System which is based on Notes shown in System Recommendations
• Use this option to produce a cross-system analysis on selected notes (ABAP and Java)
• The target system defines which notes should be checked. The initial note list is loaded from System Recommendations, and can be reduced or extended. The check conditions are loaded from the note definitions available in SAPNet.
C) Reporting using the results of System Recommendations
A) ABAP Notes – based on recommendations from RSECNOTE
The SAP Notes from the SAP Security List
The Software and Kernel dependency of a Note is provided
Only relevant SAP Notes for the source system can be inserted (the SAP Notes matching the Components and Kernel Release of the source system)
[Screenshot: target system note list with the columns Software dependency and Kernel dependency]
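The following is an added example, not SAP code, that models the Configuration Validation idea from the slides above (reference configuration items compared against N systems) together with the Option A/B rule that only notes matching a system's software components and kernel release are checked. All note ids, releases, SIDs and parameter values are constructed placeholders; the two login/* profile parameter names are assumed as typical security settings.

```python
# Added example (not SAP code): a minimal model of how Configuration Validation checks
# compared systems against a Target System of notes and parameters, as described above.
from dataclasses import dataclass

@dataclass(frozen=True)
class NoteCheck:
    note: str                   # placeholder note id (constructed, not a real SAP Note)
    component: str              # software component the note belongs to
    releases: frozenset         # component releases the note applies to
    kernel_releases: frozenset  # kernel releases the note applies to

@dataclass
class System:
    sid: str
    components: dict            # component -> installed release
    kernel: str
    implemented_notes: set
    parameters: dict            # profile parameter -> current value

def relevant_notes(target_notes, system):
    # Only notes matching the system's components and kernel release are checked,
    # mirroring the "relevant SAP Notes for the source system" rule on the slide.
    return [n for n in target_notes
            if system.components.get(n.component) in n.releases
            and system.kernel in n.kernel_releases]

def validate(target_notes, target_params, system):
    # One system's result: missing relevant notes and (current, expected) parameter deviations.
    missing = sorted(n.note for n in relevant_notes(target_notes, system)
                     if n.note not in system.implemented_notes)
    deviations = {p: (system.parameters.get(p), want) for p, want in target_params.items()
                  if system.parameters.get(p) != want}
    return {"sid": system.sid, "missing_notes": missing,
            "parameter_deviations": deviations, "compliant": not missing and not deviations}

def validate_landscape(target_notes, target_params, systems):
    # Cross-system report keyed by SID, the shape a Configuration Validation run delivers.
    return {s.sid: validate(target_notes, target_params, s) for s in systems}

# Constructed sample landscape: note ids, releases and parameter values are placeholders.
TARGET_NOTES = [
    NoteCheck("NOTE-A", "SAP_BASIS", frozenset({"731", "740"}), frozenset({"721"})),
    NoteCheck("NOTE-B", "SAP_ABA", frozenset({"731"}), frozenset({"721", "722"})),
]
TARGET_PARAMS = {"login/min_password_lng": "8", "login/password_expiration_time": "90"}
SYSTEMS = [
    System("PRD", {"SAP_BASIS": "731", "SAP_ABA": "731"}, "721", {"NOTE-A"}, dict(TARGET_PARAMS)),
    System("QAS", {"SAP_BASIS": "740", "SAP_ABA": "731"}, "722", {"NOTE-B"}, dict(TARGET_PARAMS)),
    System("DEV", {"SAP_BASIS": "740"}, "721", set(), {**TARGET_PARAMS, "login/min_password_lng": "6"}),
]
```

Calling validate_landscape(TARGET_NOTES, TARGET_PARAMS, SYSTEMS) reports PRD as missing NOTE-B, QAS as compliant (NOTE-A is not relevant for its kernel 722), and DEV as missing NOTE-A with a deviating login/min_password_lng.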
A) Predefined Report about Security Notes from RSECNOTE
Using this report, the Target System gets updated
B) ABAP/Java Notes – based on System Recommendations
The SAP Notes relevant for the source system can be restricted via Data Range and Note Group – for example, only Security and HotNews SAP Notes can be inserted
Option B) all notes based on System Recommendations
C) New option to select notes provided by System Recommendations reporting
Paste: easily paste notes from the clipboard as a filter for the System Recommendations output
New with Solution Manager 7.1 SP 3: Security Dashboards
Personal Dashboard
WebDynpro ABAP Application MY_DASHBOARD
New with Solution Manager 7.1 SP 3: Security Dashboards
Dashboard Management
Proposal: Create individual dashboard blocks for different KPIs and include them into a specific security dashboard.
Define dashboards to be used by others: WebDynpro ABAP Applications DASHBOARD_MANAGEMENT and GENERIC_DASHBOARD_VIEWER
SAP Security Notes
Note Characteristics And Patch Day
SAP strongly recommends applying important security fixes as soon as possible
If left unpatched, severe vulnerabilities with high security risk may exist
CVSS scoring adds additional detail to the priority of an SAP Note
SAP Security Notes
Patching Policy And Process
It is required to find the right trade-off between security risks and operational risks that suits the needs of the company / organization
Good policies and processes are key for a fast application of important fixes
Good exception handling makes operational risks transparent and the process more flexible
SAP brings a variety of tools to the table that provide additional support during the process
Thank You!
Contact information:
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the United States and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered trademarks of Adobe Systems Incorporated in the United States and other countries.
Oracle and Java are registered trademarks of Oracle and its affiliates.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems Inc.
HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple Inc.
IOS is a registered trademark of Cisco Systems Inc.
RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry App World are trademarks or registered trademarks of Research in Motion Limited.
Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik and Android are trademarks or registered trademarks of Google Inc. INTERMEC is a registered trademark of Intermec Technologies Corporation.
Wi-Fi is a registered trademark of Wi-Fi Alliance. Bluetooth is a registered trademark of Bluetooth SIG Inc.
Motorola is a registered trademark of Motorola Trademark Holdings LLC. Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.
Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.