
Protect your system with simple effort

SAP provides a simple, user-friendly report called “RSECNOTE” that helps customers and security administrators identify the security notes that are critical for their systems.

Need: Hackers have been targeting SAP for a while, and the number of attacks has increased in recent years. Customers are protected at the highest level using several security layers (SAP security can be provided at six levels: operating system, database, application, web connection, communication, and presentation). SAP always publishes security information through newsletters and e-mails customers directly to draw their attention to it. To make this more transparent and easier, a new option called “Security contact” has been created in the Service Marketplace. However, if customers want to know which notes are relevant for their system, it is not an easy task: administrators need to keep checking the notes in the Service Marketplace for the respective components. In my experience, many clients do not check for notes at all.

To bridge this gap, SAP has come up with the tool “RSECNOTE”. Customers can run this report at any time to get the list of notes required for their system and decide what to do based on criticality and severity. The result is also included in EarlyWatch reports. In this blog, I will explain how to use this tool and benefit from it.

How to use this feature

Available for versions:

Check SAP Note 888889 for up-to-date information and the available releases.

How to execute it:

1. Go to transaction SA38/SE38 and enter the report name “RSECNOTE”, or go to ST13 and enter “RSECNOTE” as the component name.

Screenshot: SA38/SE38

Screenshot: ST13

The report checks the connection to SAPnet and updates the note information. It shows only the latest notes that are applicable to the Basis/support package level you are on, i.e. notes that have already been applied through a support package installation or by any other method are not shown here.


2. The screenshot below shows the output of the report with the respective notes which need to be implemented or have already been implemented.

3. Customers/security administrators need to identify the notes which have to be implemented. Notes with red status for components which are not installed (I don't know why SAP shows them if they are not installed; maybe they suspect them as needed) can be set to green by clicking the status button. You can find these types of notes under the section “Manually confirmed recommendations”.


The best thing here is that you can change the status back if you need to.


4. After the note has been successfully implemented using SNOTE, or by importing the support packages which contain it, the tool sets the status to green.


Background to this blog:

Since I started posting on SDN, I have learned a lot, and SDN keeps me motivated. Knowledge sharing is the key for one to know better about themselves and technology. I have found that some of the old bloggers and moderators provide SAP Note numbers just like that. Surprised 🙂, and especially Julius, who keeps providing information regarding hot/critical security notes. Inspired by them, I have started to keep checking for notes in the SAP Service Marketplace (though not every day). Note 888889, which is the source for this blog, came to my notice while reading a forum post. Thanks to all the forum members.

      18 Comments
      Former Member
      Thanks for the awareness of this great tool and taking care of your security patching.

      I am glad to have been of help in this. 1 down, many to go... 🙂

      Cheers, Julius

      Former Member
      I've a stupid question: Is it possible to run the RSECNOTE report in batch and get the resulting list via e-mail automatically?
      At the moment we have to logon to each system and execute the report manually.
      Many thanks in advance for your answer, perhaps you know how this might work.
      Regards, Robert
      Former Member
      I am not aware of a way to do this from the RSECNOTE report.
      However, the security notes now follow a monthly frequency, so what you are looking for is the second Tuesday in each month (a.k.a. "Patch Tuesday").
      Cheers, Julius
      Former Member
      Hello Julius,
      many thanks for the hint, so this might make it easier to follow up on all the SAP systems we have.
      Thanks again.

      Regards, Robert

      Former Member
      Microsoft usually releases patches every second Tuesday of the month. Since SAP has also decided to release its patches on the same day, all organizations will benefit from a single patch roll-out every month.

      Thanks Julius for sharing the valuable information

      Mario Marschall
      Hi,
      given the new SAP patch day we are facing the problem of having to sort out about 540 SAP Notes for the December patch day alone. However, we are not sure whether RSECNOTE is reliable. For example, we looked at SAP Note 1511114 and we find it in the patch day list. We looked in one of our systems with EA-APPL 604 and it should be relevant due to the release level. This SAP Note has not yet been implemented, but it does not appear in RSECNOTE. How can this be? We suspect that it is connected with the marker for "checked in EWA". The 12 notes with this marker do seem to appear in RSECNOTE; all the others we checked don't. 12 out of 540 is far too little for RSECNOTE to be a reliable tool. And a manual check of all the rest is too much effort. Any ideas?
      Former Member
      Only those notes which have an "automatic" flag in addition are selected by the RSECNOTE tool.

      I don't know exactly what the criteria are for the flag; however, some discussions have indicated that it relates to being able to apply the coding corrections to SAP "internal only" coding without additional testing or manual corrections being required, or the risk propels the issue into the HotNews category, making it the first priority to ensure that the correction gets into the systems come hell or high water... 🙂

      The path of least resistance for 540 notes + many "related and dependent" notes is to apply support packs regularly. That is an important lesson learnt from this, for me anyway.

      Cheers,
      Julius

      Mario Marschall
      Thanks. That's about what I was afraid of. Sure, support packs are a solution. But I'm anticipating lots of fun dealing with our respective departments when we tell them that they have to test their entire applications 4 times a year or something like that...
      Former Member
      I strongly suspect that this timing had to do with HR legal support packs. So once a year is a more likely scenario for such a batch of patches - and is reasonable for support packs in my opinion.

      Cheers,
      Julius

      Mario Marschall
      Once a year will not be enough for us, I know that much... By the way: I just checked the note I mentioned above (1511114) again; the relevant support pack is supposed to be released in October 2011. That won't be soon enough for us...
      Former Member
      The note states that you must first apply the correction instructions of related note 1497003, which is 38 pages of manual prerequisites to prepare the system (the DATASET operations from all components) for the new concept.

      At the latest in October 2011, when applying the SPs for EA-APPL, this coding will become active.

      Cheers,
      Julius

      Frank Buchholz
      1. Yes, you can schedule a batch job sending the result via e-mail into a central mailbox on a monthly schedule (see https://service.sap.com/sos -> Media Library for details).

      2. We recommend producing the EarlyWatch Alert report and the RSECNOTE list on the weekend after any patch day, because for us it may take a couple of days to construct the Online Recommendations for these tools.

      3. The meaning of the X in column "Automatic check by EWA" on the page /securitynotes of the SMP is the following: You do not need to analyze whether these notes are required for a given system. You can use tool RSECNOTE to check the relevance of these notes. For all other notes it's your task to identify whether a note is relevant for a system. After this step you have to decide if and when to apply the relevant notes.

      4. Concerning testing: You have to run regression tests for all notes which you apply. You may skip this only if a note states clearly that no regression testing is required, e.g. if the note just deactivates obsolete code.

      5. RSECNOTE shows fewer notes than the page /securitynotes of the SMP, which shows the total list of SAP Security Notes. This has either technical reasons (it has to be possible to test it automatically in RSECNOTE) or other reasons. Example from the December patch day: Most of the notes about Directory Traversal belong to a group. If you want to solve Directory Traversal issues you have to apply all notes of this group together with the central note, and you have to do the necessary customizing afterwards. This is far beyond the typical patch procedures but requires a kind of maintenance project; therefore we skip these notes in the EWA and RSECNOTE. We believe that you can apply all of the high critical notes in RSECNOTE within a monthly patch process cycle (as soon as this patch process is settled).

      Kind regards
      Frank Buchholz, Active Global Support
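The monthly batch run from Frank's first point, as an added example that is not code from the blog, from SAP or from the SOS media library he refers to: the ABAP report below schedules RSECNOTE as a periodic background job using the standard JOB_OPEN / SUBMIT VIA JOB / JOB_CLOSE sequence, so the list of required notes appears in the spool every month without a manual SA38/SE38 run on each system. The report name ZSECNOTE_SCHEDULE, the job name, the start time and the one-month period are assumptions; RSECNOTE's selection screen is not described on the page, so the report is submitted with its default values.

```abap
*&---------------------------------------------------------------------*
*& Report ZSECNOTE_SCHEDULE (hypothetical name; added example, not SAP code)
*& Schedules RSECNOTE as a periodic background job so that the list of
*& required security notes lands in a spool request once a month.
*&---------------------------------------------------------------------*
REPORT zsecnote_schedule.

" Job name, first start date/time and the monthly period are assumptions.
PARAMETERS: p_jobnam TYPE btcjob   DEFAULT 'RSECNOTE_MONTHLY',
            p_stdate TYPE btcsdate DEFAULT sy-datum,
            p_sttime TYPE btcstime DEFAULT '010000'.

DATA: lv_jobcount TYPE btcjobcnt,
      lv_months   TYPE btcpmonths VALUE '01',
      ls_print    TYPE pri_params,
      lv_valid    TYPE c LENGTH 1.

" 1. Spool parameters without a print dialog: the job runs unattended,
"    so the output must go straight to a spool request.
CALL FUNCTION 'GET_PRINT_PARAMETERS'
  EXPORTING
    no_dialog              = 'X'
  IMPORTING
    out_parameters         = ls_print
    valid                  = lv_valid
  EXCEPTIONS
    archive_info_not_found = 1
    invalid_print_params   = 2
    invalid_archive_params = 3
    OTHERS                 = 4.
IF sy-subrc <> 0 OR lv_valid IS INITIAL.
  MESSAGE 'Could not determine print parameters' TYPE 'E'.
ENDIF.

" 2. Open the job container under the chosen name.
CALL FUNCTION 'JOB_OPEN'
  EXPORTING
    jobname          = p_jobnam
  IMPORTING
    jobcount         = lv_jobcount
  EXCEPTIONS
    cant_create_job  = 1
    invalid_job_data = 2
    jobname_missing  = 3
    OTHERS           = 4.
IF sy-subrc <> 0.
  MESSAGE 'JOB_OPEN failed' TYPE 'E'.
ENDIF.

" 3. Add RSECNOTE as the only job step. Its selection screen is not
"    described in the blog, so it runs with its default values.
SUBMIT rsecnote
  VIA JOB p_jobnam NUMBER lv_jobcount
  TO SAP-SPOOL SPOOL PARAMETERS ls_print WITHOUT SPOOL DYNPRO
  AND RETURN.

" 4. Release the job with a monthly period starting at the given time.
CALL FUNCTION 'JOB_CLOSE'
  EXPORTING
    jobcount             = lv_jobcount
    jobname              = p_jobnam
    sdlstrtdt            = p_stdate
    sdlstrttm            = p_sttime
    prdmonths            = lv_months
  EXCEPTIONS
    cant_start_immediate = 1
    invalid_startdate    = 2
    jobname_missing      = 3
    job_close_failed     = 4
    job_nosteps          = 5
    job_notex            = 6
    lock_failed          = 7
    OTHERS               = 8.
IF sy-subrc <> 0.
  MESSAGE 'JOB_CLOSE failed' TYPE 'E'.
ELSE.
  MESSAGE 'RSECNOTE job scheduled with a monthly period' TYPE 'S'.
ENDIF.
```

The job runs under the scheduling user, who therefore needs the SAPnet connection that RSECNOTE uses to refresh its note data (see the blog text above). Forwarding the resulting spool to a central mailbox is a matter of the job step's spool recipient in the print parameters (SM36/SM37) and is not covered by this example; Frank's comment points to the SOS media library for that part.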

      Frank Buchholz
      The report RSECNOTE works fine to show required Security Notes which should be applied to a system. However, if you are responsible for several systems you want to produce a cross-system report about required Security Notes. The Code Exchange Project "Cross-system check for Security Notes" at https://cw.sdn.sap.com/cw/groups/cross-system-check-for-security-notes shows how to solve this task.

      Frank Buchholz

      Recently I've extended the report ZSECNOTE_CENTRAL which is presented in the project "Cross-system check for Security Notes" mentioned above:

      - Show application component of notes

      - Select and download multiple notes into SNOTE for local system

      - Show status of notes from transaction SNOTE for the local system

      - Implement notes via transaction SNOTE for the local system

      - Start transaction SNOTE for remote systems

      Franz Lengel

      Hello Frank Buchholz,

      I had the information from SAP that the notes in RSECNOTE can be implemented easily with SNOTE. But that is not so today.

      Not all notes shown in RSECNOTE can be implemented easily with SNOTE.

      There are some which require manual activity.

      Is it on purpose ?

      With kind regards,

      Franz Lengel

      Frank Buchholz

      Please tell me which notes produced more effort.

      Kind regards

      Frank

      Franz Lengel

      Hello Frank,

      we found the following notes with manual implementation instructions:

      Note 1363371   (2009 / November 2010) Missing authorization checks

      Check using transaction SFW5 if the business function set INSURANCE is active. If yes, implement the correction instruction of note 1363371 using SNOTE.

      Note 1472395   (November 2010) Unauthorized change of stored contents

      Check using transaction SFW5 if the business function set INSURANCE is active. If yes, implement the correction instruction of note 1472395 using SNOTE.

      Note 1718613 (August 2012) Missing authorization check

      Delete the function DD_DB_IMIG_CALL_INSTTOOL as described in note 1718613. Please note that transaction IMIG will not work correctly anymore after the import of the correction.

      Thank you.

      Kind Regards,

      Franz

      Andy Silvey

      Hi Gowrinadh,

      excellent blog, thank you.

      Andy.