Do SAP Security Notes contain hacker and/or virus defence?

Dear SCN fellows,
I am new to this community and generally new to asking for SAP help in discussions and blogs.
I need some advice on whether SAP Security Notes contain hacker and/or virus defences?
I am investigating a company's SAP Security settings against its policy and global market standards.  I have identified that since our SAP rollout, SAP Security Note patches have not been maintained.  RSECNOTE provides a large list of missing security notes.  I'm writing a report and want to confirm whether these notes offer any advice, support or notification of hacking or viruses.  Similar to Internet security software, I guess.
Can anyone advise if my thoughts and questioning are heading in the right direction, or have I got the concept of SAP Security Notes completely wrong?
Thank you kindly.
Paul

Hi Paul,
> I need some advice on whether SAP Security Notes contain hacker and/or virus defences?
SAP releases the respective security notes as per loophole identification.  Once you run RSECNOTE you get the list of all notes applicable to your software release.
Applying these notes will help you remove the vulnerability SAP identified, so yes, they contain the solution to remove the vulnerability.
> I'm writing a report and want to confirm whether these notes offer any advice, support or notification of hacking or viruses.  Similar to Internet security software, I guess.
Could you please elaborate? It is not that clear to me.
BR,
Mangesh

Similar Messages

  • SAP Security Note 1487730

    Last week we saw SAP releasing its SAP Security Notes as per its SAP Security Patch Day practice.
    One of the notes released was related to a BUG FIX in a Kernel as per note 1487730
    https://websmp130.sap-ag.de/sap/support/notes/1487330
    Now the issue goes this way.
    We are on Kernel 7.01 SP Level 79.
    According to the NOTE we need to be at least on SP Level 103.
    When I check at the Marketplace I can only find SP Level 111, which is the latest and was released on 14.10.2010, i.e. 2 days after the NOTE was released.
    Apparently we follow a rule of thumb here to implement the Kernel which is lower than the latest Kernel.
    The issue is I can't find Kernel SP Level 103.
    Is it safe to go for SP Level 111?
    Our Database is ORACLE 10.2.0.4
    OS Platform :- Solaris Sparc 64-Bit NON UNICODE
    Regards,
    Ashish .A. Poojary
    Edited by: Ashish Poojary on Oct 21, 2010 7:10 AM

    Hi Ashish,
    Generally the rule of N - 1 is followed for SAP Application patches and not for the kernel.
    You can go for the latest kernel; it will not be any problem.
    Thanks
    Anil

  • Apply SAP Security Notes to all components?

    Dear Forum,
    Is it possible to take advantage of exploits in installed components although they're not in use? I mean, when patching SAP Security Notes, does it make sense to patch components which are installed but not in use?
    Rough example:
    We have a system with 10 components (according to SPAM status) only 7 of these modules are actively used. Should all 10 receive applicable SAP Security Notes, or would it be enough to patch the ones in use?
    I hope someone is able to elaborate on this
    Thanks in advance guys,
    Kind Regards,
    Soren

    HI,
    for example reading a file. Let's say there is a bug in a program which allows malicious user to read any file on the application server. Obviously, you want to patch this even that program is not used by normal users. Another example is missing authorization checks for table view. You can have assigned proper authorizations for S_TABU_DIS but if a malicious user can trick a program without authorization check to display data from any table then you have a problem.  A real example could be an issues fixed in note 1558740. Even if you don't use IS-U those FMs are still in your system.
    Don't forget that it's good to have multiple layers of protection. So you keep authorizations tight but still you patch all security issues.
    Cheers
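To make the "missing authorization check" point concrete, here is an added ABAP illustration (not code from the thread, from note 1558740 or from SAP): a report that displays any table on request, first without any check and then guarded by S_TABU_DIS. The report name and the default table ZHYPO_SALARY are hypothetical, and cl_demo_output assumes NetWeaver 7.40 or later.

```abap
REPORT z_tabu_dis_demo.
" Added illustration, not from the original thread. Shows why a program
" that reads an arbitrary table must check S_TABU_DIS itself: the S_TCODE
" check that lets a user start the report says nothing about table access.

PARAMETERS p_table TYPE tabname DEFAULT 'ZHYPO_SALARY'.  " hypothetical table

" Unsafe variant: whoever can run the report can read any table, which is
" exactly the gap the thread describes (authorization data for S_TABU_DIS
" is irrelevant because nobody asks for it).
FORM display_unchecked USING iv_table TYPE tabname.
  DATA lr_data TYPE REF TO data.
  FIELD-SYMBOLS <lt_rows> TYPE STANDARD TABLE.
  CREATE DATA lr_data TYPE STANDARD TABLE OF (iv_table).
  ASSIGN lr_data->* TO <lt_rows>.
  SELECT * FROM (iv_table) INTO TABLE <lt_rows> UP TO 100 ROWS.
  cl_demo_output=>display( <lt_rows> ).
ENDFORM.

" Hardened variant: determine the table's authorization group from TDDAT
" and check activity 03 (display) on S_TABU_DIS before reading anything.
" SAP's own function module VIEW_AUTHORITY_CHECK does the same lookup and
" check; it is spelled out here to show what the check consists of.
FORM display_checked USING iv_table TYPE tabname.
  DATA lv_group TYPE tddat-cclass.
  SELECT SINGLE cclass FROM tddat INTO lv_group WHERE tabname = iv_table.
  IF sy-subrc <> 0 OR lv_group IS INITIAL.
    " Tables without a maintained group belong to &NC& (not classified)
    lv_group = '&NC&'.
  ENDIF.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'DICBERCLS' FIELD lv_group
    ID 'ACTVT'     FIELD '03'.
  IF sy-subrc <> 0.
    " Type E stops the report; nothing has been read at this point
    MESSAGE 'No authorization to display this table' TYPE 'E'.
  ENDIF.
  PERFORM display_unchecked USING iv_table.
ENDFORM.

START-OF-SELECTION.
  PERFORM display_checked USING p_table.
```

Note that the unchecked FORM stays reachable from any other program that calls it, which is why patching it matters even when no end user runs this report.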

  • SAP Security Report for single and composite roles

    Hi
    I have a requirement to create a customized report in SAP Security.
    I have to display composite roles, corresponding single roles, the tcodes assigned to those single roles and the description of the t-codes. The selection screen has composite roles, single role and T-code, which are optional. The user can enter selection in any of the selection criteria. How should I go about this? If the user gives only composite roles on the selection, e.g. 'TEST', for this role I get suppose 3 child roles 'TEST1', 'TEST2', 'TEST3' from table AGR_AGRS. Now to get the tcodes I go to table AGR_1251 and I get the tcodes.
    But if the user gives only a single role on the selection, e.g. 'TEST2', for this single role 'TEST2' there would be multiple composite roles, e.g. 'TEST', 'SAP1', 'SAP2' etc. Now if I go to get the tcodes for this single role in AGR_1251, I will certainly get the tcodes, e.g. MM01, FB01, etc. But then how would I know whether MM01 belongs to composite role 'TEST', 'SAP1' or 'SAP2' for the single role 'TEST2'?
    Please advise.
    Thanks
    Edited by: Julius Bussche on Aug 13, 2009 4:52 PM
    Subject title improved

    I thought of separate selection options for singles and composites, but you also said:
    > But if user give only single role on the selection for eg 'TEST2' ,for this single role 'TEST2' there would be multiple composite roles.
    My suggestion would be to build better single roles, but that is just me...
    Cheers,
    Julius
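An added ABAP sketch (not from the thread) of the report described in the question: it walks AGR_AGRS from each composite to its single roles, takes the S_TCODE/TCD values from AGR_1251 and the descriptions from TSTCT, and keeps the composite name on every output line, so MM01 under TEST2 is listed once for TEST, once for SAP1 and once for SAP2. The report name is hypothetical; single roles that belong to no composite are not listed.

```abap
REPORT z_role_tcode_report.
" Added illustration, not part of the original thread. Resolves composite
" roles to single roles and transaction codes; the composite name is kept on
" every output line, so a single role used by several composites is listed
" once per composite. All selection fields are optional, as in the question.

TYPES: BEGIN OF ty_link,
         agr_name  TYPE agr_agrs-agr_name,   " composite role
         child_agr TYPE agr_agrs-child_agr,  " single role inside it
         low       TYPE agr_1251-low,        " S_TCODE / TCD value
       END OF ty_link,
       BEGIN OF ty_line,
         comp_role TYPE agr_agrs-agr_name,
         single    TYPE agr_agrs-child_agr,
         tcode     TYPE tstct-tcode,
         ttext     TYPE tstct-ttext,
       END OF ty_line.

DATA: gv_comp   TYPE agr_agrs-agr_name,
      gv_single TYPE agr_agrs-child_agr,
      gv_tcode  TYPE agr_1251-low,
      gt_link   TYPE STANDARD TABLE OF ty_link,
      gs_link   TYPE ty_link,
      gt_out    TYPE STANDARD TABLE OF ty_line,
      gs_out    TYPE ty_line.

SELECT-OPTIONS: s_comp   FOR gv_comp,    " composite roles
                s_single FOR gv_single,  " single roles
                s_tcode  FOR gv_tcode.   " transaction codes

START-OF-SELECTION.
  " AGR_AGRS links composite -> single; AGR_1251 holds the authorization
  " data of each single role, where OBJECT = S_TCODE / FIELD = TCD carries
  " the transactions. Joining the two keeps the composite on every row.
  SELECT a~agr_name a~child_agr b~low
    FROM agr_agrs AS a
    INNER JOIN agr_1251 AS b
      ON b~agr_name = a~child_agr
    INTO TABLE gt_link
    WHERE b~object    = 'S_TCODE'
      AND b~field     = 'TCD'
      AND b~deleted   = space
      AND a~agr_name  IN s_comp
      AND a~child_agr IN s_single
      AND b~low       IN s_tcode
    ORDER BY a~agr_name a~child_agr b~low.

  LOOP AT gt_link INTO gs_link.
    CLEAR gs_out.
    gs_out-comp_role = gs_link-agr_name.
    gs_out-single    = gs_link-child_agr.
    gs_out-tcode     = gs_link-low.
    " Wildcard values such as 'SE*' have no description; plain tcodes
    " are looked up in TSTCT in the logon language.
    IF gs_out-tcode NA '*'.
      SELECT SINGLE ttext FROM tstct INTO gs_out-ttext
        WHERE sprsl = sy-langu AND tcode = gs_out-tcode.
    ENDIF.
    APPEND gs_out TO gt_out.
  ENDLOOP.

  WRITE: / 'Composite', 35 'Single role', 70 'Tcode', 95 'Description'.
  LOOP AT gt_out INTO gs_out.
    WRITE: / gs_out-comp_role, 35 gs_out-single, 70 gs_out-tcode, 95 gs_out-ttext.
  ENDLOOP.
```

For an audit the S_TCODE values in AGR_1251 are the ones that matter, since they may include transactions added by hand that never appear in the role menu (AGR_TCODES).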

  • SAP Security Notes: ABAP and Kernel Software Corrections

    Hi all,
    I have a quick question, hopefully it's just as quick an answer.
    Under the Early Watch section in the title it states
    Security-related SAP Notes cannot be checked because the results of the RSECNOTE tool are missing.
    What does this actually mean and how do I make the results of RSECNOTE available to the early watch report?
    It says this in all my systems. I can run the tool via ST13 or SE38 > RSECNOTE manually, but surely it must be referring to some automated results.
    Thanks
    Craig

    Sorry but this note is not relevant, we are using ST-A/PI 01Q_700 SP2 (SAPKITAB7L).
    It also refers to RSECNOTE not existing in the system.  As I mentioned the tool exists and I can run this manually, but as noted the Early Watch report states
    Security-related SAP Notes cannot be checked because the results of the RSECNOTE tool are missing.
    Suggesting that somehow results of the tool are held somewhere and are read by the Early Watch report processing. So my question still stands, how are these results made available to the Early Watch report, what batch job needs to be running on a regular basis for this to work?
    The very first sentence after the section says
    You have marked 2 security-related SAP Notes as not to be considered.
    So it must be reading this from somewhere!
    Thanks
    Craig

  • Does SAP upgrade cover previous security notes?

    Hi, I am a beginner in the security field and have this confusion. I am using Solution Manager to find out missing security notes from my system. Should I filter the result and implement security notes that have been released after the date of the upgrade, or should I include all security notes, including those notes released before the upgrade date?
    Thank You..

    In addition to the list of security notes at https://service.sap.com/securitynotes you should have a look to the Security Patch Process FAQ as well.
    Concerning your question:
    Yes, all security corrections of SAP are part of a Support Package.
    But there exist some pitfalls:
    By the time you finally have upgraded your production system, it's already some months old compared with the corresponding development close date for the support package at SAP. Therefore you always will find some new security notes -> Use the Maintenance Optimizer to find new security notes while you are preparing the upgrade, and the application System Recommendations monthly.
    Several security notes contain manual instructions to configure the system (e.g. concerning profile parameters, RFC Gateway access control lists or logical filenames), which are valid for the new support package. -> I recommend skipping any date selection while searching for security notes. (Use a date interval only if you explicitly want to have a look, e.g. at the notes of the most recent patch day.)
    Kind regards
    Frank

  • SAP ECC 6.0 -- Business Connector / Error:Input values do not contain IDOC

    Hello,
    We have a scenario R/3 4.6C ORDRSP to the SAP Business Connector which is running fine. When I send the first IDoc the routing rule is created automatically and it can be adapted.
    Now we switched to the ECC 6.0 system, but I get the following error message:
    "Input values do not contain IDOC" and no routing rule is created either. The status of the IDoc is 03.
    Do you have any idea what the problem could be? Could it have anything to do with ECC 6.0?
    Thank you for your support.

    Hi,
    I hope you must have added new SAP ECC system under SAP tab on SAP BC page.
    To check exact error information:
    First open the SAP BC page in a browser (http://localhost:port)
    Go to transaction tab, and there under TID box, enter transaction id corresponding to SM58. And check what it says.
    About routing rule:
    BC automatically creates routing rule, if not you can edit and direct them to correct process flow, or you can create new routing rule, as BC need routing rule to move IDOC ahead.
    Please let us know further about error information, so that we can help you further.
    Divyesh

  • PO creation-ME21n-Why SAP does not check company code and Plant relation

    Hi All,
    Does someone know, why SAP does not check Plant and company code relation at the time of PO creation or how can we put validation between plant and company code at the time of PO creation.
    Example: Suppose I have a company code 0001 which is assigned to Plant 0001. When I am creating a PO with another company code 0002 (entering at header level - Org. data) and using Plant 0001 at line item level, SAP does not do this validation.
    How can we put this check in place?
    Thanks in advance.
    Deepak

    Hello Deepak,
    There are three types of purchasing
    - Company code specific :You need to assign company code to Pur organization
    - Plant specific : You must assign plant to pur organization
    - Cross company purchasing: No assignment between company code and pur organization.
    In case 3, the system will not check the company code and plant relationship, but it will check the plant and purchasing organization assignment.
    The following is the copy of sap help text:
    You can assign a purchasing organization to one company code. This is company-specific purchasing.
    You can assign a purchasing organization to no company code. This purchasing organization can then procure for all plants assigned to it, irrespective of the company code to which the plant belongs.
    Since each plant must be assigned to a company code, the company code can be determined via the plant in each procurement transaction, even if the procuring purchasing organization is not assigned to a company code.
    A purchasing organization must be assigned to one or more plants. This is plant-specific purchasing.
    Now, check your company-code and purchase organization assignment.
    Hope this helps.
    Regards
    Arif Mansuri

  • SAP SECURITY COURSES FOR HR, CRM and BI

    Hi,
    What are the courses that SAP offers for SAP SECURITY,
    for HR, CRM and BI modules

    You can find the info here:
    www.sap.com/services/education/index.epx
    As far as I am aware, there is no course covering CRM security, but look through the link and you will see there are courses for HR & BI security

  • Security.core.useradmin.war AND configtool: Experts Advise Needed

    Hi,
    It is said in help.sap.com, there exists a way to make available only a few languages in the portal like in SDN at http://help.sap.com/saphelp_nw04/helpdata/en/49/e607426338da6fe10000000a1550b0/frameset.htm.
    It mentions, extract the languages to be made available say en,de and edit these properties files.
    Next it mentions that we should remove from the com.sap.security.core.useradmin.war file all the languages to be removed.
    Then, I have the confusing part; it says in config tool go to com.sap.security.core.ume.service and upload one by one all the languages_XX properties files.
    My question is do we have to upload all or only the ones we EXTRACTED for modification mentioned earlier?
    Secondly, if we removed the languages we don't want from the WAR file, what do we do with that file? It does not mention uploading that file and its containing EAR file at all. How then will the change be reflected?
    If any of you have an idea about this and tried it out, please help me.

    According to the Sun Java site (http://java.sun.com/j2se/1.4.2/docs/api/java/util/Locale.html), you can create a Locale with:
    Locale(String language)
    Locale(String language, String country)
    Locale(String language, String country, String variant)
    HTH

  • Frustrated. Need Advice on SAP Security Implementation!!!

    I'm very frustrated with my latest project and I would really appreciate your feedback.
    I recently joined a company that's implementing SAP. They are already in the realization phase and will soon enter the final preparation stage. I was brought in to implement SAP Security. I was provided with a  compiled list of roles and tcodes based on the blueprints from the teams and this was my starting point.
    I wanted to do a presentation with the teams so that we all know what my expectations/requirements are from them and vice versa. In preparation for this, I gathered their processes from their blueprints. I wanted them to break each process into detailed activities/tasks/functions. From there, they can identify the tcodes and then the roles. I also wanted to take this approach because the company is following SOX regulations. I showed this to my team lead and the PM, and the PM advised me not to go with this strategy because there would be too much work involved. I wanted this approach because I also wanted to do the SOD, but I was told not to do it because it would only confuse them. He just wanted to work on polishing the list of roles and tcodes.
    Some team leads are all experienced people while other teams are not, because they are working with an employee from the company. Kinda like a partnership: one is a consultant while the other is a team lead from the company. Which I believe is normal practice so that there is knowledge transfer.
    So I had my presentation and I found out that most of the team leads have not seen this compilation of roles and tcodes. I also found out that even though they are already in the realization stage, majority of the teams have no idea what roles to give nor do they know who to give it to. I also asked for the org chart from the HR team but I was told that they still don't have it and cannot give it to me. They even asked me why I need it. They also informed me that HR structural authorizations are not going to be implemented and yet nobody can give me a damn good reason why. All they tell me is that because they don't need it.
    So as you can see, I'm not getting the cooperation/support I need to be able to do my job properly. How can I when every strategy I wanted to do is being turned down? What should I do? Really need your advice on how to proceed. Your inputs are highly appreciated.
    Thanks in advance!

    Julius, Auke and Alex,
    I'm sure everyone would agree that the advice you guys offer is more than valuable. Thank you for that.
    I myself have been encountering the same situation that Litz is facing, except that in my case the Management is very co-operative (and trust me, this helps a lot). My problem is that neither I nor my Management know what access needs to be given to Consultants or IT Staff after GoLive or even now. The Functional Consultants "don't have the time" to tell me what Tcodes they need access to, and they insist that they should have sap_all, and I have no idea what access they SHOULD have.
    I was going to post another thread for my questions, but I guess there are already too many which address the same issue. These threads did give me a good insight into how SAP Security should be managed, and I was able to get some of it chalked out. I have a few questions though, which I wasn't too sure about even after reading through the countless threads.
    Most consultants in my company had sap_all in QA since no one knew what they should have, and often we noticed that they would be playing with the Basis Tcodes. Now knowing what they have been doing in QA, I do not want to give them sap_all in Prod (although they insisted) at any cost. So, I made a role (z:sap_all), copied sap_all, disabled Basis Tcodes and assigned it to them. Then I kept adding Tcodes one by one on a request basis.
    We haven't gone Live yet (they say that we are still in the testing phase since the final cutover is due in the next few weeks) and I know that this cannot work after Go-Live since z:sap_all has Tcodes like SE38, AL11, SM50 etc. in Prod. They say that they need these to do processing and it is okay to give it to them since we haven't gone live. I would also like to mention that my company is trying to get SOX compliant and needs these things in place.
    I have been entrusted with a BIG responsibility and am trying my best to live up to the expectations, and I am relying on you guys to help me out. All the Business Roles are in place, and it's just the IT roles that I'm worried about.
    So, my questions are
    1. Until when is it okay for Functional Consultants to have this kind of access in Prod?
    2. After we Go-Live, would a display-only role for all functional Tcodes suffice for them? Or should they have Basis Tcodes too? If yes, which ones? (I'm asking this because I know that it should be minimal.)
    3. I have been told to create an "IT-Support role" by the Manager of the Implementation Partner for after GoLive. But he has no idea what T-codes it should have or what it does. Any ideas on this?
    4. I have read about the "firefighting role". I'm guessing that the IT Support Role is the same as this. But what exactly does the firefighting role have? And in what situations is it assigned?
    5. How important is the period before the final Cutover as far as SOX compliance goes?
    A little enlightenment on the common issues encountered after Go Live would also help me assess the situation a lot better.
    I hope I'm not asking too much of your time here. Thank you again guys!! Appreciate it!
    Kunal

  • Hi, If I Reset my iPad 2 in setting completely and then sold it, is there still a chance that my iPad could be hacked and every thing deleted brought back?

    Is there software that could hack and take all deleted photos,videos and apps?  Thanks

    Are you 100% sure that when I press 'Erase all content and Settings' that it will completely wipe the iPad, and everything that was on the iPad including deleted photos, apps and videos, will not be hacked and brought back if I sold it.

  • HT204085 Can the secure notes be access on an iPhone in a similar way that they can on my MacBook?

    I have been using Keychain on my MacBook to keep secure notes with login and password information on all the websites I frequently visit and have to login to. Is there a way to access these secure notes on my iPhone if I have enabled Keychain on it allowing it to be shared with my other devices?
    CFDBattChief

    There are, basically, two kinds of email account: IMAP and POP. What you want is an IMAP account. If you have a POP account, you may be able to access your messages through an IMAP server. Check with your mail service provider.

  • MAX create report for cRIO doesn't contain software and devices

    I am trying to create an html report which documents the software and devices for a cRIO remote system using the MAX -> Remote Systems -> cRIO System -> Create Report -> Custom Report utility.
    The MAX Configuration Report that was generated contains identification, configuration and system monitor information but does not contain software and device information, available using MAX.
    What can I do to create my desired report using MAX?

    Not sure what version of NI-RIO or MAX you have, but I'm running MAX 14.5 and RIO 14.0.1 and my report shows both what software is installed and the hardware configuration for everything that shows up under Devices and Interfaces.
    Here is a link to MAX 14.5.
    http://www.ni.com/download/ni-system-configuration-14.5.0/5158/en/

  • How to verify that the variable "does not contain" a value?

    Hi
    I am using CP 7.0.1.237.
    We want to use Text Area widget for a custom quiz and verify an answer. While we figured out how to verify the existence of certain keywords, we are not able to figure out how to verify that the content should NOT contain certain keywords. For example, we want to ensure that the text entered in this widget should not contain "Transformation" and "Non-compliant".
    Is this possible at all?
    Thanks
    Sreekanth

    Here's what the solution might look like in JavaScript.  This would be for SWF output and aimed at Cp 7.  For Cp 8, this would still work for SWF output, but you'd probably want to take advantage of the new unified JS API that gets and sets Cp variables for both SWF and HTML5 output.  You can read more about that here:  Common JS interface
    //Get the text area value from Captivate (SWF output only)
    var cpTextAreaValue = document.Captivate.cpEIGetValue('m_VarHandle.v_TextArea');
    //Convert the value to lower case so the comparison is case-insensitive
    cpTextAreaValue = cpTextAreaValue.toLowerCase();
    //The answer is correct only if it contains "organizational", "behavioral" and "managerial"
    //and does NOT contain "transformation" or "non-compliant" (indexOf returns -1 when a word is absent)
    if (cpTextAreaValue.indexOf('organizational') > -1 && cpTextAreaValue.indexOf('behavioral') > -1 && cpTextAreaValue.indexOf('managerial') > -1 && cpTextAreaValue.indexOf('transformation') < 0 && cpTextAreaValue.indexOf('non-compliant') < 0) {
      //the text area has the correct answer so increment varScore
      //get the current score from Captivate
      var score = document.Captivate.cpEIGetValue('m_VarHandle.varScore');
      //increment score by 1 (a string value from Captivate is coerced to a number)
      score++;
      //set score in Captivate
      document.Captivate.cpEISetValue('m_VarHandle.varScore', score);
    } else {
      //the text area does not have the correct answer so show message to user inside of Captivate
      document.Captivate.cpEISetValue('m_VarHandle.v_message', 'Answer is not correct');
    }
    This JS has not been tested.  Note that the "does not contain" operator is done using the "indexOf" operator in JS.
    Jim Leichliter
