SAP Basis SM19 Security Audit - SAP Admin

SM19 Security Audit
SAP Basis: the heart of the SAP system
The SAP NetWeaver Application Server Add-on for Code Vulnerability Analysis, also known as Code Vulnerability Analyzer (CVA), is a tool that performs a static analysis of user-defined ABAP source code to detect possible security risks. The tool is available in the NetWeaver ABAP stack from the following versions: 7.0 NetWeaver: in EHP2 SP 14 or higher; 7.0 NetWeaver: in EHP3 SP 09 or higher; 7.3 NetWeaver: in EHP1 SP 09 or higher; 7.4 NetWeaver: in SP05 or higher.

To use the CVA tool, the execution of system-wide security checks must be enabled with the RSLIN_SEC_LICENSE_SETUP report. Afterwards, the security checks are available in the standard ABAP code checking tools such as ABAP Test Cockpit (ATC) or Code Inspector (SCI). The option for these checks is usually referred to as "security analysis in extended program check". Note that the use of the security check feature for custom code is licensed separately and incurs additional costs.

The older program that has been around for years is Virtual Forge's "Code Profiler". It is one of the first products in this segment of SAP security and was used by SAP itself for many years. It is very comprehensive and is also able to track individual variables across the entire control flow. This leads to very precise statements and a reduction of false positives.

Once you have met all the requirements described above, you can begin to prepare your system for processing digitally signed notes. To do this, SAP Note 2408073 must be implemented. This consists of a few steps for manual preparation, some automatically executable activities, and steps to rework the note.

It is recommended not to change the file name after downloading. Note 2408073 has a file extension of "sar" and is first unpacked with SAPCAR. The archive contains a zip archive. The text file in it can be loaded into the Note Assistant with the SNOTE transaction via the Note upload. Once you have completed these steps, you can begin to install the note.

The steps are detailed in the note itself and in a document attached to the note. Therefore, only a few points that need to be considered are highlighted below.

When you create the "CWBDS" object and click Save, a message may appear prompting you to select an object from the permitted namespace. Here the cursor can be placed in the object field and confirmed with Enter; you are then asked for a transport order.

When creating the message texts in the "SCWN" message class, it is normal that the question about the transport order must be confirmed several times after saving the changes (as many times as messages have been created). In addition, note that the texts provided in the tutorial attached to the note are available in English. If you are working on a German system, you should translate the texts into German when inserting them. The English texts can then be inserted as translations in the same window. To do this, select "Jump -> Translate".

Conclusion

It is a popular approach among hackers to use updates, which are usually intended to fix bugs or increase security, to inject malicious code into the system.

SAP Basis refers to the administration of SAP systems, which includes activities like installation and configuration, load balancing, and the performance of SAP applications running on the Java stack and SAP ABAP. This includes the maintenance of different services related to the database, operating system, application and web servers in the SAP system landscape, as well as stopping and starting the system. Here you can find some useful information about SAP Basis: www.sap-corner.de.
SAP technologies
Always the latest version: Your system will always be up to date and you will have access to the latest versions. Patches are performed by the external SAP Basis team.

The tasks of a company's own SAP Basis department are currently undergoing enormous change, as SAP is also increasingly relying on cloud services. Strategically, completely self-hosted SAP systems are becoming rarer and the proportion of customers using an SAP system from the cloud is increasing. The new roles of SAP Basis employees tend to be "enablers" and coordinators between the cloud provider and internal IT and the business departments. Until that time comes, companies can also rely on external service providers to offer expert know-how as well as operational support for the transition period.

The "Shortcut for SAP Systems" tool is ideal for doing many tasks in SAP Basis more easily and quickly.

If you get a tp-step in the cancel message, it is a transport order-independent step whose logs cannot be displayed with logs.

So much information... how can you keep it so that you can find it again when you need it? That's what Scribble Papers is great for.


After installing the GUI, the GUI patches should be applied as far as available.