Security And Control Over The Unix Operating System

For administrators who handle the Unix system, here are some ideas on what to review for security and control over the Unix operating system.

1. Determine who has access to execute program SAPMSOS0.  

This program has access to the UNIX command prompt.  This program is run by Transaction SM52.

 
2. Obtain a listing of the users that can sign onto the UNIX operating system directly:

$ cat /etc/passwd

 
3. Obtain a listing of the groups and the users who belong to these groups:

$ cat /etc/group
 

4. Obtain a listing of the SAP directories and determine who has read and write authorities to these directories and files:

/usr/sap

Many of the files and sub-directories hold pertinent information:

/usr/sap/trans/buffer - information on which transports are to be imported

/usr/sap/trans/cofiles - information on transport requests

/usr/sap/trans/sapnames - information for users on transport request status

/usr/sap/trans/tmp - temporary data

/usr/sap/trans/log - local system log

/usr/sap/trans/work - runtime data

 
5. Obtain a copy of the initialization file and be sure that a sum command (hash total) is run on the file daily to identify any changes.

/etc/inittab
 

6. List the trusted environment within UNIX to ensure that any trust relationships are also properly protected.

/etc/hosts.equiv

.rhosts
 

7. List the exported file system to determine if any SAP file is exported over the network.

/etc/exports

 
8. Review the batch job submission file within UNIX to ensure that it is properly protected.

/usr/spool/cron/crontabs/root

RDDIMPDP migrates queued-up jobs to production (every 5 minutes)

 
9. Review the list of services to ensure that no unsecured service is running.

/etc/services

/etc/inetd.conf

 
10. If any users other than the system administrator (root or uid = 0) have command line authority, then evaluate why they need this level of authority on the SAP production machine.
 

11. Perform a find command to identify all suid and sgid programs that are owned by root.  Sum this output so that the result can be compared from one day to the next to track differences.  The diff command can be used to identify any changes that have occurred.

# find / -user root -perm -4000 -print

# find / -user root -perm -2000 -print

# find / -user root -perm -4000 -print | sum > today
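
The day-to-day comparison in step 11, as an added example that is not part of the original page. It goes one step further than a single sum of the listing by recording a checksum and mode per file, so that diff shows which program changed; the function names, arguments and state directory are assumptions.

```shell
#!/bin/sh
# Added example: daily SUID/SGID baseline and diff (not from the original page).
# Function names, arguments and the state directory are assumptions.

# snapshot_suid ROOT OWNER OUTFILE
# Record every regular file under ROOT owned by OWNER that has the setuid or
# setgid bit, one per line as "<crc> <size> <mode> <path>", ordered by path.
snapshot_suid() {
    root=$1 owner=$2 out=$3
    find "$root" -type f -user "$owner" \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    LC_ALL=C sort |
    while IFS= read -r f; do
        mode=$(ls -ld "$f" | cut -d' ' -f1)
        sum=$(cksum < "$f" | cut -d' ' -f1,2)
        printf '%s %s %s\n' "$sum" "$mode" "$f"
    done > "$out"
}

# daily_check ROOT OWNER STATEDIR
# Rotate the previous snapshot to "yesterday", take a new "today" and diff them.
# Returns 0 on the first run or when nothing changed, 1 when entries differ.
daily_check() {
    root=$1 owner=$2 state=$3
    mkdir -p "$state" || return 2
    if [ -f "$state/today" ]; then
        mv "$state/today" "$state/yesterday"
    fi
    snapshot_suid "$root" "$owner" "$state/today"
    [ -f "$state/yesterday" ] || return 0   # first run: baseline only
    diff "$state/yesterday" "$state/today"
}

# Typical use from root's crontab (state path is a placeholder):
#   daily_check / root /var/adm/suid-baseline
```

Keep the state directory writable by root only, otherwise the baseline itself can be altered to hide a change.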

All the site contents are Copyright © www.erpgreat.com and the content authors. All rights reserved.
All product names are trademarks of their respective companies.  The site www.erpgreat.com is in no way affiliated with SAP AG. 
Every effort is made to ensure the content integrity.  Information used on this site is at your own risk. 
 The content on this site may not be reproduced or redistributed without the express written permission of 
www.erpgreat.com or the content authors.