
Can certain users logon directly to the OS from SAP?

Former Member
0 Kudos

Hello All,

Can certain users logon directly to the OS from SAP in a UNIX environment? How does one find out such users?

Thank you.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Check out transaction

OS04

OS05

OS06

OS07

RZ.. transactions and also a few DB transactions can give you details of the OS and DB.

To find if they used the transaction:

Please SUIM -> Change document tab

probably to see if anyone used the OS.. transactions, you should not give this transaction to anyone easily.

Regards

8 REPLIES 8

0 Kudos

Thank you very much!

Obviously I am not authorized to use the TCodes you listed but was able to find users assigned with authorization to execute those TCodes.

Could you clarify the use of SUIM>>>Change Documents to determine if the OS Tcodes were used?

Thank you

0 Kudos

Actually,

I forgot to mention if you need audit logs it has to be

SM19 and few other SM20 etc transactions

and audit logging should be enabled by your Basis.

I was thinking about security authorization data.

0 Kudos

Hi,

what do you mean by "login directly to the OS"? Did users change anything? Did they just see anything which they are not allowed to?

Besides the OS* transactions there are some commands you can reach over transaction SM49. Or you can browse directories through AL11.

So please specify your problem.

Regards,

Julia

0 Kudos

Thank you for your response. My objective is to find out all unauthorized users with the ability to exit from SAP and directly access the OS. All of the responses have been helpful.

mvoros
Active Contributor
0 Kudos

Let's not forget about program RSBDCOS0.

Cheers

Former Member
0 Kudos

Hi,

What is the best way to determine which users can execute the program RSBDCOS0?

In SUIM, I entered object S_Program with value RSBDCOS0 together with S_TCODE with value of SA38. Is that correct or should I include SE38?

Thank you

Former Member
0 Kudos

Forget about SE38 and transaction codes here for stuff like this...

Concentrate on object S_LOG_COM and S_DATASET with the extension "FILTER". These objects are the correct checks to make and if the programs are using the correct semantics of the auth objects then you are doing a good job, even if the user does have access to SA38 and many other transactions which have the ability to access the OS directly.

Two known exceptions are the ABAP C-call 'SYSTEM' (see RZ11 parameter rdisp/call_system documentation) and external server programs which call the OS via the RFC gateway without ABAP system intervention (see OSS notes about the file 'secinfo.dat').

They are both quite easy to solve unless you have dodgy coding which is (still) needed and uses older concepts.

SAP "owns" the authorization checks and the objects S_LOG_COM and S_DATASET are the documented semantics for restricting it and they check for this in their own code.

If you do the same in your code and plug the backdoors, then you should be fine.

Hope that helps you further...

Cheers,

Julius
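
The two checks named in the last reply, written out as an added ABAP example (not code from the thread or from SAP): a custom report that tests S_LOG_COM and the FILTER activity of S_DATASET for the current user before any OS access is attempted. The report name, command name and file path are hypothetical.

```abap
REPORT z_os_access_check_demo.

" Added illustration. The command name and file path are hypothetical.
DATA: lv_command  TYPE c LENGTH 10 VALUE 'ZLIST_DIR',
      lv_program  TYPE authb-program,
      lv_activity TYPE authb-activity VALUE 'READ_WITH_FILTER',
      lv_file     TYPE authb-filename VALUE '/tmp/z_demo.txt'.

" 1) External OS command (as run via SM49): check S_LOG_COM for this
"    command on the current operating system and host.
AUTHORITY-CHECK OBJECT 'S_LOG_COM'
  ID 'COMMAND'  FIELD lv_command
  ID 'OPSYSTEM' FIELD sy-opsys
  ID 'HOST'     FIELD sy-host.
IF sy-subrc <> 0.
  WRITE: / 'S_LOG_COM: not authorized for', lv_command.
ELSE.
  WRITE: / 'S_LOG_COM: authorized for', lv_command.
ENDIF.

" 2) File access through an OS filter: check S_DATASET with the
"    FILTER activity before any OPEN DATASET ... FILTER statement.
lv_program = sy-repid.
CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
  EXPORTING
    program          = lv_program
    activity         = lv_activity
    filename         = lv_file
  EXCEPTIONS
    no_authority     = 1
    activity_unknown = 2
    OTHERS           = 3.
IF sy-subrc <> 0.
  WRITE: / 'S_DATASET: not authorized, do not open', lv_file.
ELSE.
  WRITE: / 'S_DATASET: authorized for', lv_activity, lv_file.
ENDIF.
```

Custom code that reaches the OS without either check is what an audit of these two objects in SUIM will not reveal.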