SAP Focused Run security notes validation

In the blog on security and configuration validation overview, we explained how to run a validation of ABAP security notes against your systems using Focused Run configuration and security validation.

Questions that will be answered in this blog are:

  • How can I quickly run an entire year of security OSS notes against my systems?

SAP github with security policy source files

SAP publishes files for the ABAP security notes each month on the SAP Focused Run Best Practices GitHub:

The policy files for the ABAP security notes are stored there per year and per month.

Not all security notes for the ABAP stack are in these files: only the ABAP notes which can be applied via SNOTE. Security notes for ABAP stacks which require parameter changes or patches are not part of this check!

For convenience I have collected the files per year.

These files are for convenience only. It may be that I made a mistake in assembling them.

Uploading the files

Go to the Configuration Validation policy maintenance Fiori tile:

Create a new policy and copy and paste the text from the file:

Do this by choosing Edit and copying and pasting the text into the editing section:

Now save the policy. Check the XML. Generate the policy and check it by pressing Test Policy. Note that these are large files with many checks, so the test can take some time. The run can be started via the Validate button or by following the instructions below.

Running the Security notes checks against the connected systems

To run the checks, go to the Configuration and Security Analytics Fiori tile:

Select the policy file to run:

Now be patient until the results are ready.

Make sure you expand the number of columns.

If an ABAP note is not applied, it does not mean your system is unsafe. You have to define for which CVSS score and for which systems you want to apply the security OSS notes, and within which timeframe.

For more on the CVSS score, see OSS note 2463332 – Security Note CVSS vector computation – SAP Solution Manager 7.1 and 7.2, and this SAP blog explaining CVSS scoring in general.

<< This blog was originally posted on SAP Focused Run Guru by Frank Umans. Repost done with permission. >>

Security patch day

This blog will explain more on the SAP security patch day.

Questions that will be answered are:

  • What is security patch day?
  • Where can I find the recently released security OSS notes?
  • Where can I find more background information on security patch day?
  • Where to find more information on the CVSS scoring mechanism?
  • What is a practical approach to security patch day and security OSS notes?

Security patch day

Security patch day is the second Tuesday of each month (for more on security patch day itself, you can read the FAQ). A summary of the actual OSS notes can be found on the Security Response page under SAP support security notes. The patch days themselves are planned and published on this page.

The wiki pages also include a suggested process for dealing with the security patch day OSS notes.

SAP uses the CVSS scoring mechanism to determine the risk of a security leak. The scoring mechanism is explained in this blog.

SAP solution manager system recommendations

If you set up SAP Solution Manager system recommendations, you will get an always-current overview of security notes. With system recommendations you can mark notes as reviewed, so they no longer appear. Applied ABAP notes are automatically removed by the tool. Newly released and updated security notes are added to the overview. For setup information on SAP Solution Manager system recommendations, read this blog.

SAP Focused Run configuration and security validation

SAP Focused Run configuration and security validation can be used to check the application of security notes in your system landscape. For more information, read this blog.

Practical approach to security notes

A pragmatic approach for security notes is the following:

  • Every 6 to 12 months, update your SAP kernel
  • Every 3 months, apply the ABAP OSS notes which can be implemented automatically (don’t look at the score, just apply them). Leave them on your test and/or acceptance system first; this will normally make sure you have no negative side effects. Then move them to production.
  • Every 3 months, apply the ABAP OSS notes with manual actions for the processes you use and for the CVSS scores you deem high enough to justify the effort of the manual actions

Feel free to increase the frequency of the above proposal.
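The decision described above (apply all automatic notes regardless of score, apply manual notes only above a CVSS threshold, track kernel-dependent notes with the kernel cycle, and flag what is older than the chosen timeframe) as a small triage script. This is an added example, not part of the original blog or of any SAP tool; the note list, note numbers, scores, threshold and cycle lengths are constructed assumptions that an administrator would replace with their own values.

```python
"""Triage of open SAP security OSS notes following the blog's practical approach.

Assumptions (mine, not from the original blog): every note is a dict carrying
the note number, its CVSS base score, the release (patch day) date and whether
SNOTE can implement it automatically, it needs manual actions, or it depends on
a kernel patch. Thresholds and cycles are example values.
"""
from datetime import date

# Constructed sample list; note numbers, scores and dates are made up.
SAMPLE_NOTES = [
    {"note": "NOTE-A", "cvss": 9.8, "released": date(2023, 1, 10), "kind": "automatic"},
    {"note": "NOTE-B", "cvss": 5.3, "released": date(2023, 3, 14), "kind": "automatic"},
    {"note": "NOTE-C", "cvss": 8.8, "released": date(2023, 2, 14), "kind": "manual"},
    {"note": "NOTE-D", "cvss": 4.3, "released": date(2023, 4, 11), "kind": "manual"},
    {"note": "NOTE-E", "cvss": 7.5, "released": date(2023, 4, 11), "kind": "kernel"},
]
REPORT_DATE = date(2023, 5, 9)  # constructed "today" for the sample run


def triage(notes, today, manual_threshold=7.0, note_cycle_days=90, kernel_cycle_days=365):
    """Decide an action per open note and flag the ones older than their cycle.

    automatic -> "apply"        (score ignored: apply them all, as the blog suggests)
    manual    -> "apply-manual" when cvss >= manual_threshold, otherwise "review"
    kernel    -> "kernel-patch" (wait for the next kernel update, 6-12 month cycle)
    """
    result = []
    for n in notes:
        age = (today - n["released"]).days
        if n["kind"] == "automatic":
            action, limit = "apply", note_cycle_days
        elif n["kind"] == "kernel":
            action, limit = "kernel-patch", kernel_cycle_days
        elif n["cvss"] >= manual_threshold:
            action, limit = "apply-manual", note_cycle_days
        else:
            action, limit = "review", None  # business decision, no deadline enforced
        overdue = limit is not None and age > limit
        result.append({"note": n["note"], "action": action, "age_days": age, "overdue": overdue})
    return result


def summary(triaged):
    """Count notes per action and list the overdue ones, as a patch-day report would."""
    counts = {}
    for t in triaged:
        counts[t["action"]] = counts.get(t["action"], 0) + 1
    return counts, sorted(t["note"] for t in triaged if t["overdue"])


if __name__ == "__main__":
    rows = triage(SAMPLE_NOTES, REPORT_DATE)
    for r in rows:
        print(r)
    print(summary(rows))
```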

Security OSS notes via System Recommendations

This blog will explain how you can optimize your process of security notes via System Recommendations.

Questions that will be answered are:

  • What is the System Recommendations tool?
  • How do I set up the System Recommendations tool?
  • How do I deal with the results of the System Recommendations tool?
  • Where to find even more information on the System Recommendations tool?

What is the System Recommendations tool?

System Recommendations is a tool that runs in SAP Solution Manager. It checks SAP weekly for new security notes and compares them with your own systems. New notes are flagged as new in the System Recommendations list. Notes you have applied are removed from the list.

This automated procedure saves you a lot of time checking for and following up on security notes.

Alternative in SAP Focused Run

SAP Focused Run offers a superior alternative for checking security notes with its Configuration and Security Validation tool. Read more in this blog.

Setting up System Recommendations

If Solution Manager is properly set up, System Recommendations is already enabled.

To verify that the System Recommendations job is running, start transaction SOLMAN_SETUP and select Mandatory Configuration, then Basic Configuration. Then select step 2 in the roadmap at the top and look for the System Recommendations job, which will typically run every week:

System recommendations job

Adding a system to System Recommendations

In SOLMAN_SETUP, go to the managed system configuration of the system you want to add to System Recommendations.

Select the full configuration for the system. In the roadmap select step 5: Enter System Parameters. On the screen below, tick the box for Enable System Recommendations:

Managed system configuration Step5 landscape parameters

Now that the system is added, you need to wait until the weekly job runs.

System recommendations result

In Solution Manager, go to the System Recommendations tile:

Fiori tile for system recommendations

Upon clicking you get the list of systems and OSS notes per category:

System recommendations overview

Now you can zoom in, for example on the security notes:

Security notes

Per OSS note you can keep track of the status:

System recommendations status change

Dealing with the list

Some notes can be implemented automatically via SNOTE. After they are implemented (normally via transport import if you run System Recommendations against the productive system), they will be gone with the next run of System Recommendations.

Some notes depend on a kernel patch: here too, you can mark the status as to-be-implemented and wait for the actual implementation of the kernel patch.

Some notes might not be relevant: you can mark them as such and they will no longer show in the open list of security notes.

DB and OS versions

System Recommendations will pick up security notes for all database and OS versions, even the ones you don’t run. To reduce the list, go to transaction SM30 and maintain the content of table AGSSR_OSDB:

Table AGSSR_OSDB

Flag the unused databases and operating systems as Inactive and they will be filtered out in the next run.

More features

The System Recommendations function has more features. If you want to read about all of them, read the full SAP document. Use transaction SM30_DNOC_USERCFG_SR to configure these settings.

OSS note backbone settings

If you have issues updating the most recent notes, or any issues at all, check transaction SM30_DNOC_USERCFG_SR. Make sure there is no entry there for SYSREC_RFC_CALL; if it is there, delete it. This is due to the SAP technical backbone change.

More background information

More background information can be found on the SAP pages on System Recommendations and in SAP OSS note 2554633 – System Recommendations configuration guide for SAP Solution Manager 7.2.

Bug fix OSS notes

Please check these notes for potential bug fixes: