SAP security checks with GUI scripting
Anyone interested in SAP security – Hello! I want to talk about my new project to automate SAP security checks. The project is called SAPSEC. It’s based on SAP GUI scripting technology. GUI scripts help SAP users to automate their routine operations in the SAP Logon application. I hope this technique is well known to most SAP specialists.
SAPSEC is written in Python. Why? First of all because I know a little Python, secondly Python is one of the most popular programming language these days, and thirdly I have big ambitious plans for the development of my project, to create unique complex SAP security tests that no one has made before.
The Tool performs a set of programmed security checks consistently, it may be a check that minimum password length parameter is set to 8 or 12, or a check that a user password policy is assigned to all dialog users, and other checks. The scope of the security checks is determined by the configuration file, and a single report is created on the verification results. The report contains statuses of performed tests – complied or not.
Project source codes you can find here. Read more about installation and usage procedures in README file. In short, to start a project you need to install python and run one command to load and install SAPSEC from the repository with all required dependencies. So it’s very easy, believe me.
The Project benefits:
- There is no need to store the username and password to login SAP server somewhere in our code (The user log in SAP system himself and only after it we start out gui scripts).
- SAPSEC is open source, you can read any part of our programming code and be sure that critical data will not be send to someone else.
- You can independently add, redefine and develop new security checks (based on existing templates) and disable any checks that are not interested in.
- As I said above security checks configuration is in separate yaml file, you may create several versions scan profiles (configuration file). For example, it may be useful to scan various SAP server versions.
- You‘ll get the analysis result in just a few minutes. The scripts help you automate daily or weekly checks of the protected SAP systems.
- Report result is in one excel file. Everything is clear and can be sorted by status or critical level of security checks.
- Easy to install and use, no need to install RFC SDK.
- It’s free.
What types of security checks are already implemented in the project?
- Checking the numerical value of the profile parameter (by using RSPFPAR report). For example, you can specify a single value or list of values that the parameter should correspond to.
- Analysis of the number of roles with certain privileges (by using RSUSR070 report). You can define roles limit number in the configuration file. For example, no more than 5 roles with the privileges are normal (safety). Excess is not good.
- Analysis of the number of users with certain privileges (by using well-known RSUSR002 report). This check is similar to the previous one but about SAP users.
- Verification of the number of entries in SAP tables by the specified filter. Using this template, you can implement a variety of security checks at the SAP table level. For example, we can check that all sap tables storing password hashes assigned to SPWD class according to SAP security note.
- GUI scripting should be enabled on the SAP server. Usually, SAP security experts do not recommend enabling it, but recently the sapgui/user_scripting_per_user parameter has added in SAP which allows you to enable GUI scripting per special user not for everyone. By the way, GUI scripting is enabled dynamically in transaction RZ11, no need to reboot the SAP application server.
- The user should be assigned the privileges to perform the actions that we try to automate, for example, to run transactions SA38, SE16 and reports RSUSR002, RSUSR070, RSPFPAR, the privileges to load information to files.
- If the sapgui/user_scripting_per_user parameter is set to TRUE, you need to add special authority object to user role S_SCR:ACTVT=16 (to allow execute GUI scripts).
Few words about the generating report. It’s Excel file:
You can see performed security checks with their statuses in the screenshot. COMPLIED status means the required conditions are met. NOT COMPLIED – not met. ERROR – tell us that something went wrong, for example, not enough privileges to execute the transaction or report. By the way that’s typical reason why you got the report with errors – check the user privileges, maybe some authorizations are missing.
As you can see one module with security checks is already ready. It helps to analyze the presence of weak password hashes in your SAP systems. An article about the module will be released a bit later. I’m going to add new interesting features monthly. Follow the news about the project.
If you have the ideas what other security checks can be implemented in the future – write to my email. So I suggest everyone to try SAPSEC and join the project.