08-10-2011 9:59 AM
Hi all. I'm carrying out a security review. I know that it allows users to input UNIX commands but was wondering what the risk was associated with this and what damage could be done?
Thanks
08-10-2011 11:00 AM
Hi John,
It lets you run commands on the server using the permissions of the user that SAP uses to interact with the server. Basically you can trash the FS and the DB with the standard permissions for the user.
08-10-2011 11:02 AM
Thanks. How do you find out what user this is or is it one of the standard service accounts? What does FS stand for?
08-10-2011 11:34 AM
Sorry, FS is the file system on the OS. Generally the SAP user (<SID>ADM) will have access to a specific set of files and directories which are required for the operation of the SAP system. How the user is set up will ultimately define how much damage could potentially be caused by exploiting its permissions through an OS command from SAP.
08-10-2011 10:05 PM
The report can be run from anywhere but makes the same checks as SM69 etc.
You need to concentrate on the application authorizations of the users (all of them). Particularly S_RZL_ADM (very blunt) and S_LOG_COM (which provides some degree of granularity).
A developer can also use DATASET commands and CALL 'SYSTEM' to achieve the same, so add all aspects of S_DEVELOP to the list as well.
If you set your gateway control files to "local" or "internal" only, then the risk is transferred to the application layer (hence the 3 above-mentioned auth objects).
That leaves only Z*, Y* and /* programs as the "black box". It makes sense to check them as well...
Cheers,
Julius
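The checklist in the last reply (S_RZL_ADM, S_LOG_COM and S_DEVELOP as the application-layer controls over OS command execution) can be turned into a simple review script. The following is an added example, not code from any poster or from SAP: it runs over a constructed, flattened user/authorization export (one row per user, object, field and value, as you might pull from a user information system report) and flags users whose values open a path to running OS commands. The field names follow the standard definitions of the three objects (S_RZL_ADM: ACTVT; S_LOG_COM: COMMAND, OPSYSTEM, HOST; S_DEVELOP: ACTVT, OBJTYPE); the user names, hosts and command names are made up, and the wildcard matching is a simplified model of SAP's `*` handling.

```python
"""Flag SAP users whose authorizations give a path to OS command execution.

Added review example (not SAP code). Input is a constructed export with one
row per authorization field value: (user, auth_object, field, value).
"""
from collections import defaultdict

# Constructed sample rows; users, hosts and command names are invented.
SAMPLE_ROWS = [
    ("BASISADM", "S_RZL_ADM", "ACTVT", "01"),      # can maintain external commands
    ("BASISADM", "S_LOG_COM", "COMMAND", "*"),     # may run any defined command
    ("BASISADM", "S_LOG_COM", "OPSYSTEM", "*"),
    ("BASISADM", "S_LOG_COM", "HOST", "*"),
    ("OPERATOR1", "S_LOG_COM", "COMMAND", "ZBACKUP"),  # narrowly granted command
    ("OPERATOR1", "S_LOG_COM", "OPSYSTEM", "Linux"),
    ("OPERATOR1", "S_LOG_COM", "HOST", "appsrv01"),
    ("DEVELOPER1", "S_DEVELOP", "ACTVT", "02"),    # change programs
    ("DEVELOPER1", "S_DEVELOP", "OBJTYPE", "PROG"),
    ("AUDITOR1", "S_RZL_ADM", "ACTVT", "03"),      # display only: not flagged
    ("ENDUSER1", "S_TCODE", "TCD", "VA01"),        # unrelated authorization
]


def build_index(rows):
    """Return user -> auth_object -> field -> set of granted values."""
    idx = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for user, obj, field, value in rows:
        idx[user][obj][field].add(value)
    return idx


def matches(values, wanted):
    """True if any granted value equals `wanted` or is a '*' / prefix wildcard covering it."""
    for v in values:
        if v == "*" or v == wanted:
            return True
        if v.endswith("*") and wanted.startswith(v[:-1]):
            return True
    return False


def findings_for_user(auths):
    """Evaluate one user's authorizations against the three objects from the thread."""
    findings = []

    # S_RZL_ADM ACTVT 01 (create/maintain) is the blunt one: it allows, among
    # other CCMS administration, defining external commands in SM69.
    rzl = auths.get("S_RZL_ADM", {})
    if matches(rzl.get("ACTVT", set()), "01"):
        findings.append("S_RZL_ADM ACTVT=01: can maintain external commands (SM69) and other CCMS admin")

    # S_LOG_COM is granular: report what the user may actually execute and where.
    log = auths.get("S_LOG_COM", {})
    if log:
        cmd = log.get("COMMAND", set())
        host = log.get("HOST", set())
        if "*" in cmd:
            findings.append("S_LOG_COM COMMAND=*: may execute any defined external command")
        elif cmd:
            findings.append(f"S_LOG_COM: may execute {sorted(cmd)} on hosts {sorted(host) or ['?']}")

    # S_DEVELOP create/change on programs lets a developer write ABAP that uses
    # DATASET statements or CALL 'SYSTEM', bypassing SM69 entirely.
    dev = auths.get("S_DEVELOP", {})
    actvt = dev.get("ACTVT", set())
    if matches(dev.get("OBJTYPE", set()), "PROG") and (matches(actvt, "01") or matches(actvt, "02")):
        findings.append("S_DEVELOP PROG create/change: can write ABAP using DATASET or CALL 'SYSTEM'")

    return findings


def audit(rows):
    """Return {user: [findings]} for every user with at least one finding."""
    idx = build_index(rows)
    result = {}
    for user in sorted(idx):
        findings = findings_for_user(idx[user])
        if findings:
            result[user] = findings
    return result


if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ROWS).items():
        print(user)
        for f in findings:
            print("  -", f)
```

Of the constructed users, BASISADM is flagged twice (maintain commands plus execute any command), OPERATOR1 once for a narrowly scoped command, DEVELOPER1 once for program change access, while the display-only AUDITOR1 and the end user are not reported. Running the same logic over a real export covers the application-layer side of the thread's advice; the Z*, Y* and /* custom programs still need a separate code review.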