Wednesday, 8 January 2014

Automatic checks for security notes using RSECNOTE

Note 888889 - Automatic checks for security notes using RSECNOTE

 

Summary
Symptom
The SAP EarlyWatch Alert report contains selected checks about "Security". Among other things, there is a check to determine whether or not selected and required security-relevant notes or HotNews have been implemented in the system. The report displays an overall status. An administrator uses the tool RSECNOTE to create the detailed evaluation of the required security-relevant notes in the system to be analyzed.

This note responds to the following situations:

  • In the SAP EarlyWatch Alert report, the "Service Preparation Check" unit complains that Note 888889 is not implemented. As a result, the check for security-relevant notes can only be carried out partially in the "Security" section.
  • You want to use the tool RSECNOTE to check the implementation status of security-relevant notes in your system. However, this tool is not yet available in your system.
  • You require detailed information on implementing and executing the tool RSECNOTE, and on interpreting the results.
  • You call transaction ST13. In the F4 help for the "Tool Name" field, the entry RSECNOTE is missing. If you manually enter RSECNOTE and then execute it, the system issues the message "The tool RSECNOTE does not exist".
  • The tool RTCCTOOL shows that the tool RSECNOTE is missing.

Other terms
EarlyWatch Alert, EWA, security, RSECNOTE, RTCCTOOL, ST13

Reason and Prerequisites
The tool RSECNOTE is part of the software component ST-A/PI as of Release 01M_*. Correction instructions are available for the installation in Release 01L_*.

As of Support Package 3 for the Service Content Plug-In ST-SER 701_2008_2, various services in the Solution Manager require the tool RSECNOTE on the managed system to check whether or not security-relevant notes are implemented.

The service report shows that this tool is missing and makes reference to this present Note 888889.

Solution
Below you will find:
- a guide to implementing the tool RSECNOTE
- documentation on using the tool and information about the background and further procedures

Guide for creating the tool RSECNOTE
    1. Install the tool RSECNOTE in all systems in which you want to use the tool. SAP recommends that you install Release 01M_* of the software component ST-A/PI. See Note 69455 for more information.
    You can also install the tool RSECNOTE in Release 01L_* by implementing the correction instructions using transaction SNOTE. Go to "System Change Option" in transaction SE06 and set the software component ST-A/PI and the namespaces/name ranges "General SAP Name Range", /SSA/, and /SSF/ to "Modifiable". Enter /SSA/RTC if you are asked to specify a main program for /SSA/INT.
    2. Assign the following authorizations to all the users for whom you want to provide access to the tool.
    Object        Field        Value
    S_TCODE       TCD          ST13
    S_ADMI_FCD    S_ADMI_FCD   ST0R
    S_PTCH_ADM    TABLE        ' (or empty)
                  COMPONENT    SECURITY-CHECK
                  ACTVT        02 (change)

Documentation for the tool RSECNOTE
You use transaction ST13 to start the tool RSECNOTE. In transaction ST13, select the tool and start it by choosing "Execute" or F8.
Comment: As of SAP_BASIS Release 620 Support Package 55, SAP_BASIS Release 640 Support Package 13, SAP_BASIS Release 700 and subsequent releases, you can also start the tool as the report RSECNOTE by using transaction SA38, for example.

The tool RSECNOTE displays notes that contain security corrections and notes that are relevant for your system due to the existing software components (taking the releases and the Support Packages into account).

The report shows the following three sections:

  • "Missing recommendations"
    This section shows the required security-relevant SAP Notes and HotNews.
    HotNews are flagged with a red traffic light and notes are flagged with a yellow traffic light.
  • "Manually confirmed recommendations"
    Report messages can also be confirmed manually. This should only happen in exceptional cases that require it.
    For example: You cannot implement a specific note using transaction SNOTE because you manually changed the affected program beforehand. In this case, implement the corrections manually and confirm the message.
  • "Successfully implemented recommendations"
    This section shows the security-relevant notes and HotNews that are required for the system and that are implemented successfully.
    A note or a HotNews is no longer required if your system release or Support Package level already contains the correction. After the system is upgraded or Support Packages are imported, a note that was implemented earlier may no longer be listed.
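
The following is an added example, not part of the SAP Note and not RSECNOTE's own code: a simplified Python model of the three report sections described above, showing why a note that was implemented earlier can drop out of the list after Support Packages are imported. The record fields, the note identifiers NOTE-A to NOTE-D, the component EXAMPLE_COMP and all Support Package levels are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Recommendation:
    note: str         # note identifier (placeholders here, not real SAP Note numbers)
    hotnews: bool     # HotNews get a red traffic light, other notes a yellow one
    component: str    # software component the correction belongs to
    release: str      # component release the correction applies to
    fixed_in_sp: int  # first Support Package level that already contains the fix

def classify(recs, installed, implemented, confirmed):
    """Sort recommendations into the three report sections.

    installed:   {component: (release, support_package_level)}
    implemented: set of notes implemented in the system
    confirmed:   set of notes confirmed manually
    """
    report = {"missing": [], "confirmed": [], "implemented": []}
    for r in recs:
        level = installed.get(r.component)
        # Not required: component absent, different release, or the installed
        # Support Package level already contains the correction.
        if level is None or level[0] != r.release or level[1] >= r.fixed_in_sp:
            continue
        if r.note in implemented:
            report["implemented"].append(r.note)
        elif r.note in confirmed:
            report["confirmed"].append(r.note)
        else:
            report["missing"].append((r.note, "red" if r.hotnews else "yellow"))
    return report

# Constructed sample data; component names other than SAP_BASIS are made up.
SAMPLE_RECS = [
    Recommendation("NOTE-A", True, "SAP_BASIS", "700", 15),
    Recommendation("NOTE-B", False, "SAP_BASIS", "700", 12),
    Recommendation("NOTE-C", False, "EXAMPLE_COMP", "100", 20),
    Recommendation("NOTE-D", False, "SAP_BASIS", "700", 18),
]

if __name__ == "__main__":
    state = dict(implemented={"NOTE-B"}, confirmed={"NOTE-D"})
    for sp in (10, 12, 20):
        print(sp, classify(SAMPLE_RECS, {"SAP_BASIS": ("700", sp)}, **state))
```

In this model NOTE-B is listed as implemented at Support Package level 10 and is no longer listed at level 12, because that level already contains the correction.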

List of security-relevant notes that are checked
The tool RSECNOTE checks security-relevant notes or HotNews that are entered as related notes in this present note.

For Note 1298433 "Security note: Bypassing security in reginfo & secinfo", however, the system checks only that at least the required kernel patch is installed. It does not check whether the gateway has also been safeguarded.

An overview of other security-relevant notes or HotNews is provided on the SAP Service Marketplace under the quick link /SECURITYNOTES (https://service.sap.com/securitynotes).

Updating recommendations
The quantity of checked notes or HotNews is managed online by SAP. During a check, a system loads the list automatically using the service connection to SAPNet once a day. You can also use the tool RSECNOTE to update the list manually (menu path: List -> Refresh from SAPNet).

If the system to be checked does not have an online connection to SAPNet, then you can also use a transport to import the current recommendations from another system that has a connection to SAPNet. To do this, create a "Transport of Copies" and enter the object key R3TR TABU /SSF/PTAB. Enter ND* as the table key. This means that all recommendations are selected, including the recommendations for the tools RTCCTOOL and RSECNOTE. Make sure that you have specified a table key. Start the tool RTCCTOOL or RSECNOTE before you export the transport request, to update the recommendations.

Attached to this note is the file Transport_Files_.zip, which contains the recommendations for the tool RSECNOTE for the specified date. Use the transport files contained in it if you do not have any systems that have an online connection to SAPNet.

EarlyWatch Alert report
The SAP EarlyWatch Alert report also provides a summary of the results of the tool RSECNOTE. For further information on the SAP EarlyWatch Alert report, see Note 863362.

Note Assistant
You can use the Note Assistant (transaction SNOTE) to implement the correction instructions. You can find additional information about the Note Assistant on SAP Service Marketplace under the quick link /NOTE-ASSISTANT (https://service.sap.com/note-assistant).

Header Data


Release Status: Released for Customer
Released on: 03.05.2010 07:08:40
Master Language: German
Priority: Recommendations/additional info
Category: Advance development
Primary Component: SV-SMG-SER SAP Support Services
Secondary Components: XX-INT-SR Security Response
