
Version 3.2 – 27. October 2016

Technical Whitepaper

Virtual Forge SystemProfiler


© 2016 Virtual Forge | www.virtualforge.com | All rights reserved. 2

Table of content

- Table of content (page 2)
- Management Summary (page 3)
- Overview (page 4)
- Customer Benefit and Solution Approach (page 4)
- Solution Overview (page 6)
- Comprehensive and extensible content (page 6)
- Central, scalable architecture (page 9)
- Integration into an SAP system landscape (page 11)
- Flexible Policies (page 12)
- Output of results (page 12)
- Effective, automated corrections (page 14)
- Implementation and configuration (page 15)
- Technology (page 15)
- Roadmap (page 16)
- Outlook (page 16)
- About Virtual Forge (page 17)
- Disclaimer (page 18)


Management Summary

Virtual Forge SystemProfiler enables you to secure and monitor the security and quality of your entire SAP system landscape to ensure frictionless system operations.

SystemProfiler continuously monitors SAP systems for weaknesses in the areas of security, compliance and quality. This minimizes critical risks, significantly reduces costs through more stable and faster SAP systems, and drastically reduces the effort for monitoring and correction measures.

The flexible policy management and the architecture of SystemProfiler are designed to provide a central overview of all SAP systems, even in complex system landscapes. This simplifies the assessment of all risks related to security and quality.

SystemProfiler comes with a comprehensive, predefined set of checks based on established industry standards. In addition, custom checks can easily be configured and added.

The results of those checks are displayed centrally within the SAP system; PDF reports of these results can also be generated. Naturally, SystemProfiler also offers integrations for analyzing the results externally. An interface to SIEM solutions, delivering critical events in real time, and a reporting API, which enables detailed analysis in any reporting solution, are just two examples of the standard functionality delivered by SystemProfiler. Additionally, SystemProfiler is the first solution to use the Virtual Forge Reporting framework to provide an overview of the most relevant key performance indicators (KPIs).


Overview

SAP® systems are part of the business-critical infrastructure and are far more complex than just a few years ago. One system line alone consists of at least a development, a quality assurance and a productive system, in addition to several more system lines for HR, CRM and other departments. Internal departments use standard PCs to access SAP systems, but these days mobile devices as well as decentralized and outsourced teams also access data from SAP. In addition, maintenance and administration of those systems are the responsibility of service providers and subcontractors.

This complexity increases the overall risk: many SAP systems are vulnerable to attacks from both the outside and the inside due to errors or omissions in their configuration.

And security is not the only topic: more demanding requirements relating to the quality of system configuration make it difficult and costly to maintain a high level of configuration quality.

Therefore it is imperative to know the risks of SAP operations and to take the appropriate action. In addition to topics such as roles and authorizations, GRC, identity management and secure programming, the issue of configuration in particular is essential for smooth business operations. With the objective of carrying out the comprehensive and complex tasks in this context efficiently and effectively, we have developed the Virtual Forge SystemProfiler, which combines our longstanding project experience in one software solution.

Customer Benefit and Solution Approach

Virtual Forge developed SystemProfiler to simplify two major tasks which result from the risks mentioned above.

Firstly, SystemProfiler enables customers to maintain and ensure a high level of security and quality for the entire SAP system landscape.

Secondly, SystemProfiler simplifies the manual tasks necessary for maintaining a certain level of security and quality by providing a central overview of the current status of each and every individual SAP system. This process is highly automated, both in terms of validating the configuration and in terms of correcting the weaknesses found.

The approach followed by SystemProfiler can be divided into three phases. Firstly, an initial risk assessment checks each system for its current security status. The second phase then consists of the mitigation of all weaknesses found. For this, the following options exist:

- Maintenance of black- and whitelists where necessary (e.g. whitelists for users which require that particular authorization)
- Adjustment of inspection policies (e.g. the target values for certain parameters may differ by system)
- Correction of weaknesses


Following this phase is the continuous validation of the entire SAP system landscape. For this, a background job is set up. Using the notification functionality or the integration into a SIEM or similar solution, the user is automatically notified about newly found weaknesses. This approach significantly lowers the effort required for the administration of complex system landscapes and enables SAP systems to be integrated into a holistic IT security concept.


Solution Overview

Comprehensive and extensible content

The Virtual Forge SystemProfiler comprises a set of test cases and recommended reference values and assessments. The test groups include the domains security & compliance as well as quality assurance. Both of these domains are separated into several categories. Currently, the following categories are included in SystemProfiler:

- Authorizations – AS Java
- Authorizations – Central Functions
- Authorizations – Development
- Authorizations – General
- Authorizations – General (Exploitable)
- Authorizations – General Basis Administration
- Authorizations – Job and Spool Administration
- Authorizations – User Administration
- Authorizations – User Administration (Exploitable)
- Common System Profile Parameters
- User Management
- Business Continuity
- Operating System Security
- Database Performance
- Database Security
- Forensics
- Java System Security
- Communication Security – General
- Communication Security – SNC
- Password Policy
- Logging
- Communication Robustness
- System Integrity Protection
- Standard Users
- System Performance
- System Installation
- Web AS Security

The overall scope of the solution is based on best practices and can be individually adjusted and enhanced by companies. In addition to the many years of experience of Virtual Forge, these test cases incorporate recommendations from existing security guidelines. The following standards have been incorporated into SystemProfiler:

- The audit guideline of the German-speaking SAP user group (DSAG), which was developed together with audit companies and is also used by them.
- The recommendations of SAP for security and quality, such as the Security Optimization Services (SOS) or the recommendations from the SAP Security Baseline Template.


- Best practices from customer projects
- Additional standards for SAP and IT systems such as the PCI DSS, SOX, BSI and others

In total, the current version of SystemProfiler (3.2) features more than 400 test cases. Besides the technical check, a recommended value, based on the recommendations from the standards mentioned above, is also part of the delivered solution. This enables an out-of-the-box comparison of a system configuration to common standards.

Figure 1 - SystemProfiler – Selection of test cases

However, not all test cases are based on individual weaknesses. Security weaknesses in SAP systems are often the result of a combination of individual weaknesses. While each individual weakness might not pose a big threat to system integrity, the combination of several might increase the potential risk significantly. One example would be RFC connections: a fully qualified RFC connection (i.e. username and password are stored in the connection settings) might not be exploitable by an attacker as such. If the user of a particular RFC connection holds critical authorizations, however, and the RFC connection also points to a system of a higher security level, the risk associated with that fully qualified RFC connection increases. Therefore, we have developed advanced test cases which combine the results of individual test cases. This provides a more precise assessment of the actual risk and the business impact associated with different weaknesses.

Advanced test cases are based on specific test classes and can be configured, adjusted and extended according to customer requirements.

BLACK- AND WHITELISTS

Many test cases offer the possibility to define exceptions. This is especially useful for critical authorizations. SystemProfiler integrates black- and whitelists for this purpose.


Whitelists contain exceptions which will not be checked by an inspection, for example administrators who should not appear in the result lists for users with critical authorizations.

Blacklists, on the other hand, are important for test cases where the scope of the validation is defined by the content of the list. For example, the standard delivery of SystemProfiler contains a test case which includes a predefined list of ICF services which should not be active according to the recommendations by SAP.

The configuration of black- and whitelists in SystemProfiler offers a great deal of flexibility. For instance, it is possible to define general lists covering the entire system landscape. However, it is also possible to restrict lists to single test cases or to groups of test cases. Lists for a specific system or even client can also easily be created; even temporary lists are possible. Maintenance of black- and whitelists is possible in customizing or directly from within finding management.
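The combination check on RFC destinations described above, together with the scoped and optionally temporary whitelist exceptions, as an added Python example (this is not Virtual Forge's code; the system-role ranking, the set of authorization objects treated as critical, the test case ID and the destinations are constructed for illustration):

```python
"""Added example: an 'advanced test case' that combines three individual
RFC-destination weaknesses into one risk rating, with whitelist exceptions
that can be scoped to a test case and system role and can expire."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, Optional

# Assumed ranking of system roles: a destination "points to a higher
# security level" when the target role ranks above the source role.
SECURITY_LEVEL = {"DEV": 1, "QAS": 2, "PRD": 3}

# Authorization objects treated as critical in this example (constructed list).
CRITICAL_AUTH_OBJECTS = frozenset({"S_RFC_ADM", "S_USER_GRP", "S_TABU_DIS", "S_DEVELOP"})

TEST_CASE = "RFC_FULLY_QUALIFIED_COMBINED"   # constructed test case ID


@dataclass(frozen=True)
class RfcDestination:
    name: str
    source_role: str                          # role of the system holding the destination
    target_role: str                          # role of the system it points to
    stored_user: Optional[str]                # None when no credentials are stored
    user_auth_objects: FrozenSet[str] = frozenset()   # objects the stored user holds


@dataclass(frozen=True)
class WhitelistEntry:
    item: str                                 # destination name
    test_case: str = "*"                      # "*" = entry applies to every test case
    system_role: str = "*"                    # "*" = entry applies to the whole landscape
    valid_until: Optional[date] = None        # set for a temporary list


def individual_findings(d: RfcDestination) -> FrozenSet[str]:
    """The three single test cases whose results the advanced test case combines."""
    found = set()
    if d.stored_user is not None:
        found.add("FULLY_QUALIFIED")              # user and password stored in the destination
        if d.user_auth_objects & CRITICAL_AUTH_OBJECTS:
            found.add("CRITICAL_AUTHORIZATIONS")  # the stored user holds critical rights
    if SECURITY_LEVEL[d.target_role] > SECURITY_LEVEL[d.source_role]:
        found.add("HIGHER_SECURITY_LEVEL")        # e.g. a destination from DEV into PRD
    return frozenset(found)


def combined_rating(findings: FrozenSet[str]) -> str:
    """A fully qualified destination alone is LOW; each co-occurring
    weakness raises the rating, because the combination is what matters."""
    if "FULLY_QUALIFIED" not in findings:
        return "OK"   # without stored credentials this test case has nothing to report
    return {0: "LOW", 1: "MEDIUM", 2: "HIGH"}[len(findings) - 1]


def is_whitelisted(entries: Iterable[WhitelistEntry], item: str, test_case: str,
                   system_role: str, today: date) -> bool:
    """An entry applies when its scope matches and it has not expired."""
    for e in entries:
        if e.item != item:
            continue
        if e.test_case not in ("*", test_case) or e.system_role not in ("*", system_role):
            continue
        if e.valid_until is not None and today > e.valid_until:
            continue
        return True
    return False


def run_advanced_test(destinations: Iterable[RfcDestination],
                      whitelist: Iterable[WhitelistEntry], today: date) -> Dict[str, str]:
    """Rating per destination; whitelisted destinations are reported as EXCEPTION."""
    results = {}
    for d in destinations:
        if is_whitelisted(whitelist, d.name, TEST_CASE, d.source_role, today):
            results[d.name] = "EXCEPTION"
        else:
            results[d.name] = combined_rating(individual_findings(d))
    return results


# Constructed sample landscape and a temporary exception for one destination.
DESTINATIONS = [
    RfcDestination("DEV_TO_PRD", "DEV", "PRD", "RFC_BATCH", frozenset({"S_USER_GRP", "S_RFC_ADM"})),
    RfcDestination("PRD_TO_DEV", "PRD", "DEV", "RFC_BATCH", frozenset({"S_USER_GRP"})),
    RfcDestination("QAS_TO_QAS", "QAS", "QAS", "RFC_READ", frozenset({"S_RFC"})),
    RfcDestination("DEV_TRUSTED", "DEV", "PRD", None),
    RfcDestination("DEV_TO_PRD_TRANSPORT", "DEV", "PRD", "RFC_TRANSPORT", frozenset({"S_TABU_DIS"})),
]
WHITELIST = [
    WhitelistEntry("DEV_TO_PRD_TRANSPORT", test_case=TEST_CASE, system_role="DEV",
                   valid_until=date(2016, 12, 31)),
]

if __name__ == "__main__":
    for name, rating in run_advanced_test(DESTINATIONS, WHITELIST, date(2016, 11, 1)).items():
        print(f"{name:22} {rating}")
```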

ENHANCEMENT OF TEST CASES

Test cases of SystemProfiler can be configured to custom requirements. In addition, new test cases can be developed by the user.

To enable this functionality, SystemProfiler provides so-called test classes. Within these test classes, new test cases within the customer namespace can be defined.

This ensures maximum flexibility in terms of meeting customer-specific requirements. We see this flexibility as a substantial feature of SystemProfiler:

- Test cases included in the standard can be configured to meet customer requirements.
- Customer-specific test cases can be developed based on standard test classes.
- Customer-specific test classes can be implemented and used for defining new test cases.
- All advantages of SystemProfiler, such as continuous monitoring of the entire system landscape or the flexible policy management, can therefore be expanded to cover every possible customer requirement.


Figure 2 - SystemProfiler – Test cases and test classes

Central, scalable architecture

All tests are carried out as so-called "whitebox tests" in the SAP system. The tests can be run both locally and centrally in a system landscape.

This approach is reflected in the central architecture of SystemProfiler. All central components of SystemProfiler are implemented in the central system. The target systems are connected to the central system's engine. This enables the validation of all SAP systems within the corporation from one central point. This makes it possible to keep an overview even in complex system landscapes and to quickly validate system configurations for possible risks. The necessary information on the SAP system landscape can be retrieved from SAP Solution Manager.

SystemProfiler is centrally managed. A dispatcher distributes the different policies to the target systems. Inspections are scheduled using the central components:

- The SystemProfiler Cockpit for selecting test cases and systems to be checked
- The Result Viewer, which displays the results for each inspection run
- The Finding Manager, which visualizes the results. Manual and automatic corrections can be started from here


A SystemProfiler engine is installed in the target systems using the Add-On Tool. This engine receives the policies from the central system, returns the inspection results and triggers automatic corrections.

For all tasks involved in using SystemProfiler, Virtual Forge also delivers the necessary roles and authorizations. These contain all required authorization objects to execute the inspections on all systems as well as to execute corrections.

Figure 3 - SystemProfiler components


Integration into an SAP system landscape

In general, there are different types of SAP systems in connection with SystemProfiler:

- The central system. A system that hosts the central components of SystemProfiler and a client that is used to start inspections and corrections. The central components of SystemProfiler have to be installed on an ABAP system.
- The connected target system of type SAP NetWeaver AS ABAP. A system that hosts clients that are targets of inspections and corrections. The execution of the test cases takes place in these clients. There are RFC connections from the central client to every target client.
- The connected target system of type SAP NetWeaver AS Java. A system that is the target of inspections. There are Web service connections from the central system to every target system.
- The connected Solution Manager system. A system that contains system landscape data for the adjustment of the SystemProfiler system landscape repository. Furthermore, special test cases are executed on a Solution Manager system. There are RFC connections from the central client to the target clients of this system.
- The HANA proxy system. An SAP NetWeaver AS ABAP system that is connected to HANA target systems. There are RFC connections from the central client to at least one client of this system, or the central system is itself the HANA proxy.
- The connected HANA target system. An SAP HANA system that is connected to a HANA proxy system. There are database connections from the proxy system to this system.

Figure 4 - SystemProfiler connections


Flexible Policies

The flexibility of the engine is reflected in the policy management of SystemProfiler, which can be set for each system individually. A reference policy, based on established standards, comes predelivered with SystemProfiler. Depending on the role of the respective SAP system and client, the policy can be adjusted for each configuration detail separately. That makes it easy to define policies that apply to the entire system landscape and at the same time are individually customized for each system. With SystemProfiler, the systems can be continuously checked against these guidelines, and evaluations of the configuration status of the entire system landscape can be generated.

Tests can be performed as follows:

- system or client role-specific
- cross-client or client-specific
- application server-specific
- operating system-specific
- database-specific

Using the integrated landscape maintenance, where the landscape can either be adopted from SAP Solution Manager or defined manually, monitoring covering the entire SAP system landscape is possible.
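Policy resolution with a landscape-wide reference policy and more specific overrides by system role, system and client, as an added Python example (this is not SystemProfiler's implementation; the parameter names are real SAP profile parameters, while the target values, the overrides and the reported values are constructed):

```python
"""Added example: resolve the target value of a check from a reference policy
plus role-, system- and client-specific overrides (most specific wins) and
evaluate one client's reported configuration against it."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Scope:
    """Where a policy rule applies; "*" is a wildcard. A client-level rule is
    more specific than a system-level one, which beats a role-level one,
    which beats the landscape-wide reference policy."""
    role: str = "*"      # system/client role, e.g. DEV, QAS, PRD
    system: str = "*"    # SAP system ID
    client: str = "*"    # client number; "*" = cross-client

    def matches(self, role: str, system: str, client: str) -> bool:
        return all(want in ("*", have) for want, have in
                   ((self.role, role), (self.system, system), (self.client, client)))

    def specificity(self) -> int:
        return (self.role != "*") * 1 + (self.system != "*") * 2 + (self.client != "*") * 4


@dataclass(frozen=True)
class PolicyRule:
    scope: Scope
    check: str           # here: an SAP profile parameter name
    target: str          # recommended / required value
    comparison: str      # "eq", "ge" (actual >= target) or "le" (actual <= target)


# Reference policy (landscape-wide) plus constructed overrides.
POLICY: List[PolicyRule] = [
    PolicyRule(Scope(), "login/min_password_lng", "8", "ge"),
    PolicyRule(Scope(), "login/fails_to_user_lock", "5", "le"),
    PolicyRule(Scope(), "login/no_automatic_user_sapstar", "1", "eq"),
    # development systems may use a shorter minimum length (constructed)
    PolicyRule(Scope(role="DEV"), "login/min_password_lng", "6", "ge"),
    # one productive client has a stricter requirement than its role (constructed)
    PolicyRule(Scope(system="P01", client="100"), "login/min_password_lng", "12", "ge"),
]


def resolve(rules: List[PolicyRule], check: str, role: str, system: str,
            client: str) -> Optional[PolicyRule]:
    """Most specific matching rule wins; None when the check is not in the policy."""
    matching = [r for r in rules if r.check == check and r.scope.matches(role, system, client)]
    return max(matching, key=lambda r: r.scope.specificity(), default=None)


def is_compliant(rule: PolicyRule, actual: str) -> bool:
    if rule.comparison == "eq":
        return actual == rule.target
    a, t = int(actual), int(rule.target)
    return a >= t if rule.comparison == "ge" else a <= t


def inspect_client(rules: List[PolicyRule], role: str, system: str, client: str,
                   actual: Dict[str, str]) -> Dict[str, str]:
    """Evaluate every check of the policy for one client. A parameter missing
    from the reported values is flagged rather than silently treated as fine."""
    results = {}
    for check in sorted({r.check for r in rules}):
        rule = resolve(rules, check, role, system, client)
        if rule is None:
            continue
        if check not in actual:
            results[check] = "NOT_REPORTED"
        elif is_compliant(rule, actual[check]):
            results[check] = "COMPLIANT"
        else:
            results[check] = f"FINDING (is {actual[check]}, target {rule.comparison} {rule.target})"
    return results


# Constructed values as an inspection would collect them from two target clients.
P01_100 = {"login/min_password_lng": "10", "login/fails_to_user_lock": "5",
           "login/no_automatic_user_sapstar": "1"}
D01_100 = {"login/min_password_lng": "6", "login/fails_to_user_lock": "12"}

if __name__ == "__main__":
    for check, status in inspect_client(POLICY, "PRD", "P01", "100", P01_100).items():
        print("P01/100", check, status)
    for check, status in inspect_client(POLICY, "DEV", "D01", "100", D01_100).items():
        print("D01/100", check, status)
```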

SystemProfiler enables the validation of SAP NetWeaver ABAP, SAP NetWeaver Java or SAP HANA based systems as

- ad-hoc inspections
- scheduled, periodic and therefore continuous inspections.

Using the notification functionality, results of finished inspections can be sent via e-mail to the person responsible. Both receiver and sender of the notification can be configured, and a status filter can be set. This enables notification of the specific responsible system administrators when a weakness has been detected on their system.

Output of results

Integrated reporting options

The integrated result viewer provides an overview of the configuration status of individual systems and the entire system landscape. The results are displayed within the system in a separate user interface; additionally, all results can be exported as reports in PDF format.

The reports of SystemProfiler adhere to the standards set forth by auditors. Besides an executive summary on the overall status of the system, the number of findings is displayed in table form. This is followed by a detailed documentation of each test case, which contains the following information:


- Information on the test case
- Short and long description of the test case
- Risk associated with a found weakness as well as details on possible impacts
- Detailed description of manual and automated corrections
- A reference to an attachment where the findings are listed

Reports can be created before the start of an inspection, but can also be generated subsequently. Detailed results of every test case can also be exported in Microsoft Excel format.

Interfaces

In addition to built-in reports, inspection results can be exported using several options.

One option for exporting results is a standardized XML format. This XML can be processed by external applications (e.g. ticket systems) using a mapping table.

SystemProfiler additionally offers an integration into SIEM solutions (Security Information and Event Management). The continuous monitoring enabled with SystemProfiler extends the reach of SIEM solutions to cover SAP systems, something which has not been possible before.

For SIEM export, all test cases from the "forensics" category are exported into SIEM-compatible formats by default and can be processed immediately. Out of the box, SystemProfiler supports CEF and LEEF file exports. Additional test cases and content can be added to SIEM processing using SystemProfiler's customizing.

Additional features of the SIEM interface are an intelligent pre-qualification of events, automatic detection of duplicates and status management features.
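How a configuration finding can be rendered as a CEF event and as a LEEF 2.0 event with the escaping each format requires, and how a finding that recurs unchanged in the next inspection run is suppressed as a duplicate, as an added Python example (this is not SystemProfiler's export format; the field layout, the test case ID and the sample finding are assumptions of this example):

```python
"""Added example: CEF and LEEF 2.0 rendering of a finding plus duplicate
suppression by fingerprint. Header vendor/product/version are taken from the
whitepaper; which extension keys carry which finding attribute is this
example's choice."""
import hashlib
from dataclasses import dataclass
from typing import Optional

VENDOR, PRODUCT, VERSION = "Virtual Forge", "SystemProfiler", "3.2"
SEVERITY = {"HIGH": 9, "MEDIUM": 6, "LOW": 3, "INFO": 1}   # CEF and LEEF use 0..10


@dataclass(frozen=True)
class Finding:
    system: str        # SAP system ID
    client: str        # SAP client
    test_case: str     # test case identifier (constructed)
    title: str         # short description of the test case
    rating: str        # HIGH / MEDIUM / LOW / INFO
    category: str      # test category as listed in the whitepaper
    key: str           # what the finding is about, e.g. a profile parameter
    current: str       # value found
    recommended: str   # value the policy expects


def cef_header(value: str) -> str:
    """CEF header fields: backslash and the pipe separator must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_extension(value: str) -> str:
    """CEF extension values: backslash and '=' are escaped, newlines folded."""
    v = value.replace("\\", "\\\\").replace("=", "\\=")
    return v.replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\n")


def to_cef(f: Finding) -> str:
    ext = {
        "cs1Label": "system", "cs1": f.system,
        "cs2Label": "client", "cs2": f.client,
        "cs3Label": "key", "cs3": f.key,
        "cs4Label": "currentValue", "cs4": f.current,
        "cs5Label": "recommendedValue", "cs5": f.recommended,
        "cat": f.category,
    }
    header = "|".join(cef_header(x) for x in
                      ("CEF:0", VENDOR, PRODUCT, VERSION, f.test_case, f.title,
                       str(SEVERITY[f.rating])))
    return header + "|" + " ".join(f"{k}={cef_extension(v)}" for k, v in ext.items())


def leef_value(value: str) -> str:
    """LEEF 2.0 with an explicit tab delimiter (x09): values must not contain
    the delimiter or line breaks, so those are replaced by spaces."""
    return value.replace("\t", " ").replace("\r", " ").replace("\n", " ")


def to_leef(f: Finding) -> str:
    attrs = {
        "sev": str(SEVERITY[f.rating]), "cat": f.category,
        "system": f.system, "client": f.client, "key": f.key,
        "currentValue": f.current, "recommendedValue": f.recommended,
        "title": f.title,
    }
    header = "|".join(x.replace("|", "\\|") for x in
                      ("LEEF:2.0", VENDOR, PRODUCT, VERSION, f.test_case))
    return header + "|x09|" + "\t".join(f"{k}={leef_value(v)}" for k, v in attrs.items())


def fingerprint(f: Finding) -> str:
    """Identity of a finding: the same weakness with the same current value
    reported again is a repeat, not a new event."""
    raw = "\x1f".join((f.system, f.client, f.test_case, f.key, f.current))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


class SiemExporter:
    """Suppresses repeat events across inspection runs; a changed current
    value (the weakness got worse or better) is reported as a new event."""

    def __init__(self) -> None:
        self._seen = set()

    def emit(self, f: Finding, fmt: str = "cef") -> Optional[str]:
        fp = fingerprint(f)
        if fp in self._seen:
            return None
        self._seen.add(fp)
        return to_cef(f) if fmt == "cef" else to_leef(f)


# Constructed sample finding; the parameter name is a real SAP profile parameter.
SAMPLE = Finding("PRD", "100", "SP-PWD-001",
                 "Minimum password length below recommendation", "MEDIUM",
                 "Password Policy", "login/min_password_lng", "6", "8")

if __name__ == "__main__":
    exporter = SiemExporter()
    print(exporter.emit(SAMPLE, "cef"))
    print(exporter.emit(SAMPLE, "leef"))   # None: same finding reported again
```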

To enable detailed result analysis, SystemProfiler also offers a reporting API. This is achieved by providing relevant statistical system data (e.g. total number of users or total number of RFC connections).

The reporting API consists of several function modules and is standardized across all Virtual Forge solutions. Using this API, the most current results along with their master data and texts are provided to and can be processed by external reporting solutions. The API can be called both internally and externally using web services.

Virtual Forge Reporting

SystemProfiler is the first solution of Virtual Forge which uses our new reporting dashboard. The Virtual Forge Reporting Dashboard provides an intuitive, easy-to-use web application which shows a visualization of the current status of the test case results as well as trends that show the history of the results. The Virtual Forge Reporting Dashboard will provide these features for all Virtual Forge solutions in the near future.

Within the SystemProfiler implementation of the Virtual Forge Reporting Dashboard, detailed charts enable an analysis of results depending on system-specific attributes. In addition, a detailed view on all test case results is available. The Reporting Dashboard comes pre-configured to encompass all test case results. Which test cases are actually shown within the Dashboard can be determined


individually by simply creating a variant which includes all required test cases. The Reporting Dashboard provides several benefits:

- Aggregated view on test case results of the entire system landscape.
- Fast identification of necessary actions by showing different trends and status statistics.
- Examination of the aggregated results from different points of view related to system attributes such as system category or business unit.

In addition, the Reporting Dashboard contains the following features:

- Visualization of special aspects of test case results such as the distribution of business impact ratings or results filtered by test domains.
- Detailed charts related to system attributes such as region and business unit.
- Detailed trend charts for periods in the past.
- Status charts for multiple key dates in the past.
- Tables with detailed test case results for an immediate evaluation of single key figures.
- Filtering and sorting capabilities.
- Configurable key date and trend reporting periods.

The reporting dashboard can be configured in terms of which test cases are contained in the reporting scope and how time periods are displayed. For more specific reporting purposes, SystemProfiler contains a web service API which can be used to cover more advanced reporting use cases.

Effective, automated corrections

The unique functionality to correct parameters and settings in an automated manner extends SystemProfiler to a comprehensive management solution for SAP system configurations. Automated correction is available for many test cases.

Automated corrections can be leveraged from the Finding Manager. The Finding Manager is used for the management and processing of all found weaknesses. It displays all current weaknesses clearly and in near real time. Individual findings can be updated, verified and corrected directly from within the Finding Manager; for most test cases, an extensive exception management (black- and whitelists) is integrated.

Whether automated correction is allowed can be customized per test case or per system in SystemProfiler customizing.

Especially for large and complex system landscapes, the automated correction feature significantly lowers the costs of basis administration for all SAP systems.


Implementation and configuration

For the implementation of Virtual Forge SystemProfiler, three phases can be distinguished:

- installation (SAP transports with components and test contents – best-practice approach)
- configuration (for company-specific adjustments and customization)
- concept and planning (definition of test and correction sequences)

Basically, certain components of Virtual Forge SystemProfiler must be installed on all SAP systems to be tested. To a large extent, the configuration can be done on a centralized basis.

An authorization object and pattern roles are delivered for an easy definition of processes and responsibilities.

The installation and configuration of the solution can be done within a few days. If desired, experienced consultants will provide you with support when planning your processes in the SystemProfiler environment. An essential feature of the solution is its extensibility through configuration and custom developments.

Technology

Virtual Forge SystemProfiler is fully implemented in ABAP. The central components as well as the ABAP-based target systems require SAP NetWeaver (Application Server ABAP) version 7.0 or higher. For SAP NetWeaver Java systems, SystemProfiler supports versions 7.0 and 7.3. Among others, the Virtual Forge SystemProfiler uses the following SAP components and functions:

- SAP Add-On Installation Tool
- SAP Business Workflow (optional)
- SAPconnect (optional)

On top of that, there are dependencies on other SAP components for specific test cases that are delivered in separate packages. We will be happy to discuss support for other SAP releases with you upon request.

SystemProfiler is certified by SAP and is delivered as an Add-On package.


Roadmap

The roadmap detailed below is not binding and is subject to change by Virtual Forge at any time. It serves as an orientation regarding the intended version and the respective planned functions.

Version 3.2 offers:

- comprehensive functionality of the components of the SystemProfiler framework
- support of the scenarios "planned, periodic inspection", "ad-hoc inspection" and automated corrections
- automated, interactive corrections
- validation reports and manual correction instructions
- comprehensive test contents (orientation in line with the DSAG security guideline) for security and quality assurance, including advanced test cases
- support for notification
- centralized administration and customization
- export of results as XML or PDF
- integration into SIEM and reporting solutions
- built-in reporting functionalities (via Virtual Forge Reporting solution)
- integration into SAP Solution Manager and its applications

Outlook

Future versions of Virtual Forge SystemProfiler will provide enhancements in the following directions:

- integration into the Virtual Forge Cloud
- further application scenarios
- integration with the Virtual Forge CodeProfiler for even better assessment of vulnerabilities
- further enhancement of the test contents to the areas "performance", "robustness", "maintainability" etc.
- expansion to other platforms
- enhanced integration into business processes (e.g. workflows)
- support of audit processes (e.g. questionnaires)
- transaction support for manual corrections


About Virtual Forge

Virtual Forge is an independent supplier of Security, Compliance and Quality products for SAP® systems and applications.

Our customers are leading companies worldwide in industries such as automotive, banking and insurance, chemicals and pharmaceuticals, high-tech and electronics, media and entertainment, consumer goods, trade, oil and gas, and utilities.

With our products, they automatically identify key risks and easily correct errors within their customized systems to protect them against cyber attacks, fraud, and unnecessary downtime.

www.virtualforge.com


Disclaimer

© 2015 Virtual Forge GmbH. All rights reserved.

Information contained in this publication is subject to change without prior notice. These materials are provided by Virtual Forge and serve only as information.

SAP, ABAP and other named SAP products and services as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries worldwide. All other names of products and services are trademarks of their respective companies.

Virtual Forge accepts no liability or responsibility for errors or omissions in this publication. From the information contained in this publication, no further liability is assumed. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of Virtual Forge GmbH, Germany or Virtual Forge Inc., Philadelphia. The General Terms and Conditions of Virtual Forge apply.