Security OSS notes via System Recommendations

This blog will explain how you can optimize your process of security notes via System Recommendations.

Questions that will be answered are:

  • What is the System Recommendations tool?
  • How do I set up the System Recommendations tool?
  • How do I deal with the results of the System Recommendations tool?
  • Where to find even more information on the System Recommendations tool?

What is the System Recommendations tool?

System Recommendations is a tool that runs in SAP solution manager. It weekly check SAP for new security notes and compares it with your own system. New notes will be alerted as new in the System Recommendations list. Notes you have applied will be removed from the list.

This automated procedure save you a lot of time checking for and follow up on security notes.

Setting up System Recommendations

If solution manager is properly setup, system recommendations is already enabled.

To verify if the system recommendations job is running start transaction SOLMAN_SETUP and select Mandatory Configuration and then Basic Configuration. Then select in the roadmap on top step number 2 and look for the system recommendations job, which will typically run every week:

System recommendations job

Adding a system to System Recommendations

In SOLMAN_SETUP goto the managed system configuration of the system you want to add to system recommendations.

Select the full configuration for the system. On the roadmap select step 5: Enter System Parameters. On the screen below tick the box for Enable System Recommendations:

Managed system configuration Step5 landscape parameters

Now the system is added you need to wait until the weekly job runs.

System recommendations result

In solution manager goto the System Recommendations tile:

Fiori tile for system recommendations

Upon clicking you get the list of systems and OSS notes per category:

System recommendations overview

Now you can zoom in for example on the security notes:

Security notes

Per OSS note you can keep track of the status:

System recommendations status change

Dealing with the list

Some notes you can implement via SNOTE automatically. After they are implemented (normally via transport import if you run System Recommendations against productive system) they will be gone with the next run of system recommendations.

Some notes depend on kernel patch: also here, you can mark the status as to-be-implemented and wait for the actual implementation of the kernel patch.

Some notes might be non-relevant: you can mark them and they will no longer show in the open list of security notes.

DB and OS versions

The security notes will pickup all the database and OS versions for security notes, even if you don’t run them. To reduce the list goto transaction SM30 and maintain the content of table AGSSR_OSDB:

Table AGSSR_OSDB

Flag the unused Databases and OS to Inactive and they will be filtered away next run.

More features

System recommendations function has more features. If you want to read all of them, please read the SAP full document.

Security Optimization Service

In SAP solution manager there is a free out-of-the-box tool available to quickly scan for security items in your system: the Security Optimization Service.

Questions that will be answered in this blog are:

  • How to run the Security Optimization Service?
  • How does the questionnaire work?
  • How does a sample result look like?

How to run Security Optimization Service

In solution manager 7.2 goto the tile Active Sessions for Service Delivery:

Service delivery Sessions

You now arrive in the sessions overview screen:

Sessions overview

If you are first time using: hit the button Content Update to fetch the latest content from SAP. When done, you are ready to run.

Select the button create to make a new service. From the list choose the option SAP Security Optimization:

New security optimization service

Then select the system for which you want to run the service. Do this by clicking the Add button in the Technical System section:

Select system

Finish the roadmap. After the final step the detailed roadmap will appear:

Security optimization session roadmap

In the first step select the logon and test the connection:

Select system logon

In the next step you need to assign a questionaire:

Create and assign questionaire

If you run the SOS before you can re-use or change the template. The first time you need to create the questionaire:

Questionaire maintenance

In the questionaire you can maintain whitelist. In the example above user from the basis team is added to the list of system administrators. These users will no longer appear in the report as exceptions.

More background information on the questionaire and the impact can be found in OSS note 2036188 - How questionnaire influences results of Security Optimization Service.

Save the questionaire and return to the roadmap.

Next step is to start the data collection:

Data collection

If you have a recent run, you can select it here. If no run is present, hit the button Schedule new ST14 analysis run. Pending on your system size and speed the run will take between 5 and 60 minutes. If the run is finished select the run and complete the roadmap.

The SOS session is now scheduled.

Results

Usually the run is done overnight and you can fetch the results next day. Goto the active services tile, select your run and goto the column Documents. Click on the document to get the results.

Example of an SOS report can be found at this URL.

Follow up

If you find issues: solve them and rerun the report.

If you find many users with too many rights: start to revoke the rights and rerun the report.

If you find basis and authorization staff in the list with rights they should have, add their user ID’s to the corresponding section in the questionaire, and rerun the report.

In general it will take a few runs to come to a more cleaned up system.

Referring OSS notes

Relevant OSS notes:

2687176 – SOS: Check “Users are authorized to access tables with user data (0013)” does not take table authorization group SPWD into consideration