Framework de análisis de seguridad

[Security_SP]

Estimados Miembros,

Estoy realizando una investigación para realizar un framework que se ejecute dentro de SAP a través de una trx Z... el cual realice un análisis de la seguridad del sistema SAP sobre el que se está ejecutando, esto serviría para todos los administradores Basis y Seguridad para conocer "la foto" de como esta su sistema a nivel de seguridad y ejecutar un plan de acción para corregir estos temas que se informen. En principio obviamente contemplaría los permisos (Ej: SAP_ALL) asignados a usuarios que no sean administradores, los accesos a ciertas trx críticas de los distintos módulos, y el acceso a ciertas tablas... Uds., desde su experiencia, podrían ayudarme a contemplar otros tips que debería tener en cuenta para desarrollar esta herramienta?

Desde ya muchas gracias a todos por su ayuda

Saludos
Sergio

[JorgeLema]

Security_SP, me parece una muy buena idea considerando que hoy por hoy no existe este tipo de framework y sobre todo gratis!!.

Yo creo que deberías de contemplar además de esos tips, el acceso a la tabla RFCDES y a la transacción SM59 (entre otras). Además estaría bueno saber si ciertos usuarios por defecto como *SAP, DDIC si tienen la contraseña por default o si tiene otra contraseña… es un punto importante en la seguridad.

Creo que hay muchos mas por agregar

[BREZHNEV]

Lo mas importante acceso a los grupos de tablas (S_TABU_DIS = *), acceso a todas las transacciones (S_TCODE = *), acceso a transcciones criticas (SU01, PFCG, DB13, ETC), segregacion funcional (por ejm, quien crea un pedido no lo libera), opciones de modificacion de mandates (SCC4, y sus respectivas opciones), opciones demodificaion de sistema (SE06 y sus respectivas opciones), politicas de contraseñas (RZ10, que pida un digito, que cadique a los 90 dias, etc.), verificar que la auditoria este activa (SM20, SM21, SM19, SM18), Verificar que la politica de backups (DB13, al menos un full offlines al mes, y si es posible un full online diarios, con sus respectivos archive logs)...
hay mucho por controlar si necesitas mas apoyo no dudes en avisarme yo quise hacer lo que tu estas haciendo, pero no se mucho ABAP, por lo que me interesa ayudarte.


salu2

[gfr]

Te paso la info q tengo, espero q te ayude. cualquier cosa estoy a disposicion

Table Description Reports
USR02 Users Data (logon data) RSUSR020
USR04 User master authorization (one row per user)
UST04 User profiles (multiple rows per user)
USR10 Authorisation profiles (i.e. &_SAP_ALL)
UST10C Composit profiles (i.e. profile has sub profile)
USR11 Text for authorisation profiles
USR12 Authorisation values RSUSR030
USR13 Short text for authorisation
USR40 Tabl for illegal passwords
USGRP User groups
USGRPT Text table for USGRP
USH02 Change history for logon data
USR01 User Master (runtime data)
USER_ADDR Address Data for users
AGR_1016 Role and Profile RSUSR020
AGR_1016B Role and Profile
AGR_1250 Role and Authorization data
AGR_1251 Role Object, Authorization, Field and Value RSUSR040
AGR_1252 Organizational elements for authorizations
AGR_AGRS Roles in Composite Roles
AGR_DEFINE To See All Roles (Role definition) RSUSR070
AGR_HIER2 Menu structure information - Customer vers
AGR_HIERT Role menu texts
AGR_OBJ Assignment of Menu Nodes to Role
AGR_PROF Profile name for role
AGR_TCDTXT Assignment of roles to Tcodes
AGR_TEXTS File Structure for Hierarchical Menu - Cus
AGR_TIME Time Stamp for Role: Including profile
AGR_USERS Assignment of roles to users
USOBT Relation transaction to authorization object (SAP)
USOBT_C Relation Transaction to Auth. Object (Customer)
USOBX Check table for table USOBT
USOBXFLAGS Temporary table for storing USOBX/T* chang
USOBX_C Check Table for Table USOBT_C
TSTCA Transaction Code, Object, Field and Value

Reportes de seguridad.
SAP Security Report Name Description
RSUSR_SYSINFO_ROLE (YOU NEED TO LOG ON TO THE CENTRAL SYSTEM FOR THIS) Report cross-systm information/role STANDARD SELECTION, User name, Receiving system, SELECT ROLE Role
RSUSR_SYSINFO_PROFILE (YOU NEED TO LOG ON TO THE CENTRAL SYSTEM FOR THIS) Report cross-systm information/profile STANDARD CRITERIA User Name, Receiving system, Profile
RSUSRSUIM Same as SUIM User Information System


RSUSR402 Download user data for CA manager from Secude


RSUSR300 Set External Security Name for all Users


RSUSR200 List of Users According to Logon Date and Password Change


RSUSR102 Change Documents for Authorizations


RSUSR000 Currently Active Users Tcodes SU04 and AL08


RSUSR002 Users by Complex Selection Criteria (search by User, Group, User Group, Reference User, User ID Alias, Role, Profile Name, Tcode, SELECTION BY FIELD NAME, Field Name, SELECTION BY AUTHORIZATIONS Authorizatrion Object, Authorization, SELECTION BY VALUES, Authorization Object 1, AND Authorization Object 2, AND Authorization Object3, ADDITIONAL SELECTION CRITERIA, Account number, Start Menu, Output Device, Valid Until, Locked Users ONLY, Unlocked Users Only, CATT Check ID


RSUSR002_ADDRESS Select User According to Address, NAMES, First Name, Last Name, User, COMMUNICATION PATHS, Company, City, Buildings, Room, Extension, OTHER DATA, Department, Cost Center


RSUSR003 Check the Passwords of Users SAP* and DDIC in All Clients (SAP* DDIC SAPCPIC )


RSUSR004 Restrict User Values to the following Simple Profiles and Auth Objs SELECTION CRITERIA Single Profiles, Authorization Objs


RSUSR005 List of Users with Critical Authorizations (SAME AS RSUSR009 but difference is here you can't chose)


RSUSR006 List of Users According to Logon Date and Password Change


RSUSR007 List Users Whose Address Data is Incomplete (here give the Required Address Data)
RSUSR008 Critical Combinations of Authorizations at Transaction Start (Can view either Critical Combinations or Users)


RSUSR009 List of User with Critical Authorizations SAME AS RSUSR005 but here you can (Check using either customer data of Check using SAP data)


RSUSR010 Transaction for User with Profile or Authorization (Transaction executable either by, User, with Role, Profile, Authorization


RSUSR011 Lists of transactions after selection by User, profile or obj SELECTION FOR User


RSUSR012 Search authorizations, profiles and users with specified object value (DISPLAY authorization objects, DISPLAY authorizations, DISPLAY profiles, DISPLAY users)


RSUSR020 Profiles by Complex Criteria SELECTION CRITERIA Profile, Profile test, ADDITIONAL CRITERIA FOR PROFILES, Composite Profile, Single Profile, Generated Profiles, SELECTION BY CONTAINED PROFILES Profile, SELECTION BY AUTHORIZATIONS, Authorization Object, Authorization, SELECTION BY VALUES, Auth obj, auth obj2, auth obj3, SELECTION BY ROLE
RSUSR030 Authorizations by Complex Selection Criteria SELECTION CRITERIA, Auth Object, Authorization, BY VALUES
RSUSR040 Authorization Objects by Complex Criteria, STANDARD SELECTIONS, Authorization object, ADDITIONAL CRITERIA Object class, Obj class text, Field


RSUSR050 COMPARISIONS, Compare Users, USER A ------** USER B--------, ROLES, PROFILES< AUTHORIZATIONS, Across Systems
RSUSR070 Roles by Complex Selection Criteria STANDARD SELECTION Role, Description, SELECTION BY USER Assignments


RSUSR100 Change Documents for Users


RSUSR101 Change Document for Profiles

Saludos

[Security_SP]

JorgeLema, BREZHNEV, gfr... Muchas gracias por la info!
Voy a seguir sumando ideas y las voy actualizando en el blog así las compartimos...

Saludos y gracias otra vez