#1
Security analysis framework
Dear Members,
I am doing some research in order to build a framework that runs inside SAP through a Z transaction and analyses the security of the SAP system it is running on. This would help all Basis and Security administrators get a "snapshot" of where their system stands in terms of security and carry out an action plan to fix the issues it reports. Initially it would obviously cover the authorizations (e.g. SAP_ALL) assigned to users who are not administrators, access to certain critical transactions of the various modules, and access to certain tables... From your experience, could you help me with other tips I should take into account when developing this tool? Thanks in advance to everyone for your help. Regards, Sergio
#2
Free framework!!
Security_SP, it seems like a very good idea to me, considering that nowadays this kind of framework does not exist, let alone for free!!
I think that, besides those tips, you should also cover access to table RFCDES and to transaction SM59 (among others). It would also be good to know whether certain default users such as SAP* and DDIC still have the default password or a different one... it is an important point in security. I think there are many more to add.
#3
The most important ones: access to table groups (S_TABU_DIS = *), access to all transactions (S_TCODE = *), access to critical transactions (SU01, PFCG, DB13, etc.), functional segregation (e.g. whoever creates a purchase order does not release it), client change options (SCC4 and its respective options), system change options (SE06 and its respective options), password policies (RZ10: require a digit, expire after 90 days, etc.), check that auditing is active (SM20, SM21, SM19, SM18), check the backup policy (DB13: at least one full offline backup a month and, if possible, a daily full online backup, with their respective archive logs)...
There is a lot to control; if you need more support don't hesitate to let me know. I wanted to do what you are doing, but I don't know much ABAP, so I'm interested in helping you. Cheers
__________________
============= ==»BREZHNEV«== =============
#4
Here is the info I have, I hope it helps you. I'm available for anything you need.

Security tables:

| Table | Description | Report |
|---|---|---|
| USR02 | Users data (logon data) | RSUSR020 |
| USR04 | User master authorization (one row per user) | |
| UST04 | User profiles (multiple rows per user) | |
| USR10 | Authorization profiles (i.e. &_SAP_ALL) | |
| UST10C | Composite profiles (i.e. profile has sub-profile) | |
| USR11 | Text for authorization profiles | |
| USR12 | Authorization values | RSUSR030 |
| USR13 | Short text for authorization | |
| USR40 | Table for illegal passwords | |
| USGRP | User groups | |
| USGRPT | Text table for USGRP | |
| USH02 | Change history for logon data | |
| USR01 | User master (runtime data) | |
| USER_ADDR | Address data for users | |
| AGR_1016 | Role and profile | RSUSR020 |
| AGR_1016B | Role and profile | |
| AGR_1250 | Role and authorization data | |
| AGR_1251 | Role object, authorization, field and value | RSUSR040 |
| AGR_1252 | Organizational elements for authorizations | |
| AGR_AGRS | Roles in composite roles | |
| AGR_DEFINE | To see all roles (role definition) | RSUSR070 |
| AGR_HIER2 | Menu structure information - customer version | |
| AGR_HIERT | Role menu texts | |
| AGR_OBJ | Assignment of menu nodes to role | |
| AGR_PROF | Profile name for role | |
| AGR_TCDTXT | Assignment of roles to tcodes | |
| AGR_TEXTS | File structure for hierarchical menu - customer | |
| AGR_TIME | Time stamp for role: including profile | |
| AGR_USERS | Assignment of roles to users | |
| USOBT | Relation transaction to authorization object (SAP) | |
| USOBT_C | Relation transaction to auth. object (customer) | |
| USOBX | Check table for table USOBT | |
| USOBXFLAGS | Temporary table for storing USOBX/T* changes | |
| USOBX_C | Check table for table USOBT_C | |
| TSTCA | Transaction code, object, field and value | |

Security reports:

| Report name | Description |
|---|---|
| RSUSR_SYSINFO_ROLE (you need to log on to the central system for this) | Report cross-system information/role. STANDARD SELECTION: user name, receiving system; SELECT ROLE: role |
| RSUSR_SYSINFO_PROFILE (you need to log on to the central system for this) | Report cross-system information/profile. STANDARD CRITERIA: user name, receiving system, profile |
| RSUSRSUIM | Same as SUIM (User Information System) |
| RSUSR402 | Download user data for CA manager from Secude |
| RSUSR300 | Set external security name for all users |
| RSUSR200 | List of users according to logon date and password change |
| RSUSR102 | Change documents for authorizations |
| RSUSR000 | Currently active users (tcodes SU04 and AL08) |
| RSUSR002 | Users by complex selection criteria (search by user, group, user group, reference user, user ID alias, role, profile name, tcode; SELECTION BY FIELD NAME: field name; SELECTION BY AUTHORIZATIONS: authorization object, authorization; SELECTION BY VALUES: authorization object 1 AND authorization object 2 AND authorization object 3; ADDITIONAL SELECTION CRITERIA: account number, start menu, output device, valid until, locked users only, unlocked users only, CATT check ID) |
| RSUSR002_ADDRESS | Select user according to address (NAMES: first name, last name, user; COMMUNICATION PATHS: company, city, buildings, room, extension; OTHER DATA: department, cost center) |
| RSUSR003 | Check the passwords of users SAP* and DDIC in all clients (SAP*, DDIC, SAPCPIC) |
| RSUSR004 | Restrict user values to the following simple profiles and auth. objects (SELECTION CRITERIA: single profiles, authorization objects) |
| RSUSR005 | List of users with critical authorizations (same as RSUSR009, but here you can't choose) |
| RSUSR006 | List of users according to logon date and password change |
| RSUSR007 | List users whose address data is incomplete (here you give the required address data) |
| RSUSR008 | Critical combinations of authorizations at transaction start (can view either critical combinations or users) |
| RSUSR009 | List of users with critical authorizations (same as RSUSR005, but here you can check using either customer data or SAP data) |
| RSUSR010 | Transactions for user with profile or authorization (transactions executable either by user, with role, profile, authorization) |
| RSUSR011 | Lists of transactions after selection by user, profile or object (SELECTION FOR: user) |
| RSUSR012 | Search authorizations, profiles and users with specified object value (DISPLAY authorization objects, DISPLAY authorizations, DISPLAY profiles, DISPLAY users) |
| RSUSR020 | Profiles by complex criteria (SELECTION CRITERIA: profile, profile text; ADDITIONAL CRITERIA FOR PROFILES: composite profile, single profile, generated profiles; SELECTION BY CONTAINED PROFILES: profile; SELECTION BY AUTHORIZATIONS: authorization object, authorization; SELECTION BY VALUES: auth. object 1, auth. object 2, auth. object 3; SELECTION BY ROLE) |
| RSUSR030 | Authorizations by complex selection criteria (SELECTION CRITERIA: auth. object, authorization; BY VALUES) |
| RSUSR040 | Authorization objects by complex criteria (STANDARD SELECTIONS: authorization object; ADDITIONAL CRITERIA: object class, object class text, field) |
| RSUSR050 | Comparisons: compare users (USER A vs. USER B), roles, profiles, authorizations, across systems |
| RSUSR070 | Roles by complex selection criteria (STANDARD SELECTION: role, description; SELECTION BY USER: assignments) |
| RSUSR100 | Change documents for users |
| RSUSR101 | Change documents for profiles |

Regards
__________________
Gustavo. SAP R/3 and BI Security
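The checks suggested in posts #3 and #4 (SAP_ALL on non-administrators, `S_TCODE = *` and `S_TABU_DIS = *`, critical transactions, and the create/release segregation example) can be expressed as queries over exactly the tables Gustavo lists: UST04 (user to profile), AGR_USERS (role to user) and AGR_1251 (role to object/field/value). The following is an added example, not code from the thread or from Sergio's framework. It is written in Python rather than the ABAP a Z transaction would use, so the logic can be run offline against constructed rows that imitate those three tables; the user names, role names, the `ADMIN_USERS` whitelist and the ME21N/ME29N pair used to illustrate "whoever creates a purchase order does not release it" are all assumptions, and the `CRITICAL_TCODES` set is simply the transactions named in the thread. The value matching follows the three shapes of an authorization field value (`*`, a LOW/HIGH range, an exact value, plus a trailing-`*` prefix) so that a critical transaction hidden behind a range or wildcard is still found.

```python
"""Added example: authorization checks over constructed extracts of UST04, AGR_USERS
and AGR_1251. In a real Z transaction these rows would come from SELECTs on those
tables; here they are inline so the checks run stand-alone."""

# --- constructed sample data (not from any real system) ---------------------
UST04 = [  # one row per (user, profile)
    {"BNAME": "ADMIN01", "PROFILE": "SAP_ALL"},
    {"BNAME": "JDOE",    "PROFILE": "SAP_ALL"},        # non-admin with SAP_ALL -> finding
    {"BNAME": "JDOE",    "PROFILE": "Z_FI_DISPLAY"},
    {"BNAME": "MSMITH",  "PROFILE": "Z_MM_BUYER"},
]
AGR_USERS = [  # role assignments
    {"AGR_NAME": "Z_BASIS_FULL", "UNAME": "ADMIN01"},
    {"AGR_NAME": "Z_MM_BUYER",   "UNAME": "MSMITH"},
    {"AGR_NAME": "Z_MM_RELEASE", "UNAME": "MSMITH"},   # creates AND releases POs -> SoD finding
    {"AGR_NAME": "Z_TABLE_ALL",  "UNAME": "JDOE"},
]
AGR_1251 = [  # object / field / value per role
    {"AGR_NAME": "Z_BASIS_FULL", "OBJECT": "S_TCODE",    "FIELD": "TCD",       "LOW": "*",     "HIGH": ""},
    {"AGR_NAME": "Z_MM_BUYER",   "OBJECT": "S_TCODE",    "FIELD": "TCD",       "LOW": "ME21N", "HIGH": ""},
    {"AGR_NAME": "Z_MM_RELEASE", "OBJECT": "S_TCODE",    "FIELD": "TCD",       "LOW": "ME29N", "HIGH": ""},
    {"AGR_NAME": "Z_TABLE_ALL",  "OBJECT": "S_TABU_DIS", "FIELD": "DICBERCLS", "LOW": "*",     "HIGH": ""},
    {"AGR_NAME": "Z_TABLE_ALL",  "OBJECT": "S_TCODE",    "FIELD": "TCD",       "LOW": "SE16",  "HIGH": ""},
]

ADMIN_USERS = {"ADMIN01"}  # assumed whitelist of users allowed to hold SAP_ALL
CRITICAL_TCODES = {"SU01", "PFCG", "DB13", "SM59", "SCC4", "SE06", "RZ10", "SE16"}  # from the thread
# Assumed segregation-of-duties pairs: (transactions that create, transactions that release)
SOD_PAIRS = [(("ME21N",), ("ME29N",))]


def value_matches(low, high, value):
    """True when an authorization field value (LOW/HIGH pair) covers `value`:
    '*' covers everything, a non-empty HIGH makes a LOW..HIGH range, a trailing
    '*' is a prefix wildcard, otherwise the match must be exact."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value


def all_users():
    return sorted({r["BNAME"] for r in UST04} | {r["UNAME"] for r in AGR_USERS})


def roles_of(user):
    return {r["AGR_NAME"] for r in AGR_USERS if r["UNAME"] == user}


def field_values(user, obj):
    """All (LOW, HIGH) pairs a user receives for authorization object `obj` via roles."""
    roles = roles_of(user)
    return [(r["LOW"], r["HIGH"]) for r in AGR_1251
            if r["AGR_NAME"] in roles and r["OBJECT"] == obj]


def has_sap_all(user):
    return any(r["BNAME"] == user and r["PROFILE"] == "SAP_ALL" for r in UST04)


def can_start(user, tcode):
    """S_TCODE check: SAP_ALL grants every transaction, otherwise a role value must cover it."""
    if has_sap_all(user):
        return True
    return any(value_matches(low, high, tcode) for low, high in field_values(user, "S_TCODE"))


def check_sap_all():
    """Users holding SAP_ALL who are not on the administrator whitelist."""
    return sorted({r["BNAME"] for r in UST04
                   if r["PROFILE"] == "SAP_ALL" and r["BNAME"] not in ADMIN_USERS})


def check_wildcards():
    """(user, object) pairs where S_TCODE or S_TABU_DIS is granted with '*'."""
    hits = {(u, obj) for u in all_users() for obj in ("S_TCODE", "S_TABU_DIS")
            if any(low == "*" for low, _ in field_values(u, obj))}
    return sorted(hits)


def check_critical_tcodes():
    """Which of the critical transactions each user can start (empty users omitted)."""
    out = {}
    for u in all_users():
        reachable = sorted(t for t in CRITICAL_TCODES if can_start(u, t))
        if reachable:
            out[u] = reachable
    return out


def check_sod():
    """Users able to start both the creating and the releasing side of a SoD pair."""
    return [u for u in all_users()
            if any(any(can_start(u, t) for t in create) and any(can_start(u, t) for t in release)
                   for create, release in SOD_PAIRS)]


def run_all():
    return {"sap_all_non_admin": check_sap_all(), "wildcards": check_wildcards(),
            "critical_tcodes": check_critical_tcodes(), "sod_conflicts": check_sod()}


if __name__ == "__main__":
    for finding, result in run_all().items():
        print(f"{finding}: {result}")
```

Note that the SAP_ALL holders show up in every finding, including the SoD check, because `can_start` treats SAP_ALL as covering all transactions; that is intentional, since a report that hid SAP_ALL users from the critical-transaction and segregation lists would understate the exposure. The next things the tool would add on top of these rows are the items from post #3 that live in profile parameters and configuration (RZ10 password rules, SCC4/SE06 change options, SM19/SM20 audit status) rather than in the authorization tables.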
#5
JorgeLema, BREZHNEV, gfr... Thank you very much for the info!
I'll keep adding ideas and updating them on the blog so we can share them... Regards and thanks again