This website is not affiliated with, sponsored by, or approved by SAP AG.

Accessing Data in SAP from UNIX AIX

SAP Security

Accessing Data in SAP from UNIX AIX

Postby bbdude » Thu Dec 02, 2010 12:57 pm

Hi All,

A relatively easy question, I suspect. Hoping you can help! As always - help is very much appreciated.

At one of my clients they have SAP 4.7 running DB2 9.7 on top of a UNIX AIX 5.3TL operating system. If an end-user had access to "root" - could this user, reasonably, make changes to data in SAP? I'm sure they could delete the DB2 database or bring it down, but I suspect the end-user would have to use AIX to gain knowledge of a user account for DB2 and then crack the DB2 user password to gain access to SAP data.

The issues above I don't see mentioned often via google. It's much more prevalent in Oracle apps - just looking to see if anyone has any insights on this.
bbdude
 
Posts: 21
Joined: Wed Nov 03, 2010 8:16 am

Re: Accessing Data in SAP from UNIX AIX

Postby thx4allthefish » Mon Dec 06, 2010 2:45 am

bbdude wrote: I'm sure they could delete the DB2 database or bring it down, but I suspect the end-user would have to use AIX to gain knowledge of a user account for DB2 and then crack the DB2 user password to gain access to SAP data.


This.

Having access as 'root' to the OS allows for manipulation of the DB-software (= what you call delete the DB etc.), but you would have to get access to the DB management accounts to manipulate data.

Out of curiosity ... are you an auditor?
curiousorange wrote:I give up. Humanity isn't worth saving. Why is there never a Vogon Constructor Fleet around when you really need one?
thx4allthefish
 
Posts: 5694
Joined: Sat Oct 26, 2002 6:18 pm
Location: barolo barrel

Re: Accessing Data in SAP from UNIX AIX

Postby bbdude » Mon Dec 06, 2010 10:54 am

thx4allthefish wrote:
bbdude wrote: I'm sure they could delete the DB2 database or bring it down, but I suspect the end-user would have to use AIX to gain knowledge of a user account for DB2 and then crack the DB2 user password to gain access to SAP data.


This.

Having access as 'root' to the OS allows for manipulation of the DB-software (= what you call delete the DB etc.), but you would have to get access to the DB management accounts to manipulate data.

Out of curiosity ... are you an auditor?


Thanks - that's what I suspected.

I am an auditor - it's that obvious, egh? Without giving away too much information - IMHO, too many auditors have limited to zero knowledge of how technology actually works and the complexity of ERP environments. Prior to audit I was a system admin so I try to gain as much knowledge about each application I audit so I'm comfortable with our letter(s) to management. Unfortunately, some people don't like me on their jobs because I dig too much (risk-based digging, of course!).

Why do you ask? I suppose you may wish to throw virtual tomatoes at me? :D
bbdude
 
Posts: 21
Joined: Wed Nov 03, 2010 8:16 am

Re: Accessing Data in SAP from UNIX AIX

Postby thx4allthefish » Tue Dec 07, 2010 3:19 am

bbdude wrote:I am an auditor - it's that obvious, egh? Without giving away too much information - IMHO, too many auditors have limited to zero knowledge of how technology actually works and the complexity of ERP environments. Prior to audit I was a system admin so I try to gain as much knowledge about each application I audit so I'm comfortable with our letter(s) to management. Unfortunately, some people don't like me on their jobs because I dig too much (risk-based digging, of course!).

Why do you ask? I suppose you may wish to throw virtual tomatoes at me? :D


Far be it from me to abuse fruit/vegetables in a non-alcoholic form :lol: :lol:

I was just asking to satisfy my curiosity and to see whether I was on the correct path. I have a special fondness for auditors, which is why I answered your post ... 8)
thx4allthefish
 
Posts: 5694
Joined: Sat Oct 26, 2002 6:18 pm
Location: barolo barrel

Re: Accessing Data in SAP from UNIX AIX

Postby bbdude » Tue Dec 07, 2010 9:03 am

thx4allthefish wrote:
bbdude wrote:I am an auditor - it's that obvious, egh? Without giving away too much information - IMHO, too many auditors have limited to zero knowledge of how technology actually works and the complexity of ERP environments. Prior to audit I was a system admin so I try to gain as much knowledge about each application I audit so I'm comfortable with our letter(s) to management. Unfortunately, some people don't like me on their jobs because I dig too much (risk-based digging, of course!).

Why do you ask? I suppose you may wish to throw virtual tomatoes at me? :D


Far be it from me to abuse fruit/vegetables in a non-alcoholic form :lol: :lol:

I was just asking to satisfy my curiosity and to see whether I was on the correct path. I have a special fondness for auditors, which is why I answered your post ... 8)


Oh? Perhaps you're ex Big4/Big5? What do you do now if you don't mind my asking?
bbdude
 
Posts: 21
Joined: Wed Nov 03, 2010 8:16 am

Re: Accessing Data in SAP from UNIX AIX

Postby thx4allthefish » Wed Dec 08, 2010 6:21 am

bbdude wrote:
thx4allthefish wrote:
bbdude wrote:I am an auditor - it's that obvious, egh? Without giving away too much information - IMHO, too many auditors have limited to zero knowledge of how technology actually works and the complexity of ERP environments. Prior to audit I was a system admin so I try to gain as much knowledge about each application I audit so I'm comfortable with our letter(s) to management. Unfortunately, some people don't like me on their jobs because I dig too much (risk-based digging, of course!).

Why do you ask? I suppose you may wish to throw virtual tomatoes at me? :D


Far be it from me to abuse fruit/vegetables in a non-alcoholic form :lol: :lol:

I was just asking to satisfy my curiosity and to see whether I was on the correct path. I have a special fondness for auditors, which is why I answered your post ... 8)


Oh? Perhaps you're ex Big4/Big5? What do you do now if you don't mind my asking?


If there is such a thing as the small4/small5 I am probably working for them - I am the basis-girl - the one using root to destroy databases. But I also have been doing SAP security for more than a decade now, and that is where my fondness for auditors comes from.
thx4allthefish
 
Posts: 5694
Joined: Sat Oct 26, 2002 6:18 pm
Location: barolo barrel

Re: Accessing Data in SAP from UNIX AIX

Postby Al. » Wed Dec 08, 2010 7:47 am

bbdude wrote:Without giving away too much information - IMHO, too many auditors have limited to zero knowledge of how technology actually works and the complexity of ERP environments.


Amen to that. You cannot effectively review something that you do not fundamentally understand. Data retrieval is one thing, what you do with it requires understanding.

bbdude wrote:Prior to audit I was a system admin so I try to gain as much knowledge about each application I audit so I'm comfortable with our letter(s) to management. Unfortunately, some people don't like me on their jobs because I dig too much (risk-based digging, of course!).


I think the phrase "poacher turned gamekeeper" applies here :wink:
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3049
Joined: Tue Feb 25, 2003 5:35 am
Location: London

Re: Accessing Data in SAP from UNIX AIX

Postby bbdude » Wed Dec 08, 2010 9:31 am

thx4allthefish wrote:If there is such a thing as the small4/small5 I am probably working for them - I am the basis-girl - the one using root to destroy databases. But I also have been doing SAP security for more than a decade now, and that is where my fondness for auditors comes from.


Very interesting and good to know. Things in the SAP World have changed quite a bit in the last decade. The latest GRC module is especially fascinating.

Al. wrote:Amen to that. You cannot effectively review something that you do not fundamentally understand. Data retrieval is one thing, what you do with it requires understanding.


Something I don't understand - perhaps you and allthefish can assist with - is how the supporting OS/DB differ in Oracle ERP as compared to SAP ERP.

In Oracle ERP, you can su root in the supporting UNIX OS, but your ability to impact the financial data in Oracle DB is limited. You would need to invoke sqlplus and also have the password to the appropriate DB account to run update table commands. On the other hand, the Oracle DB supporting Oracle ERP allows for direct login and access to financial data at the DB level - with the right access you can directly impact financial data. Also, changes are done at the DB level.

In SAP ERP (as I understand it), you can su root in the supporting UNIX OS, but your ability to impact the financial data in the Oracle DB supporting SAP is also limited. You would still need to access sqlplus and access to a DB account in order to run update table commands. This is where I am confused .... if changes to SAP are not being done through UNIX, but use STMS - what (if any) changes can be made directly in the supporting Oracle DB that would impact functional financial data at the application (SAP) level? What I've heard is that even if a knowledgeable person (e.g. basis-girl) has root access in UNIX and access to the Oracle DB supporting SAP - that any direct DB changes would be futile if a relative transport for the direct changes is not completed. Is my understanding appropriate? I feel that it is not and the risk to financial data via direct changes at the DB level supporting SAP is of high-risk. Thoughts?

Or did this auditor just go a bit over a few people's heads :D

Al. wrote:I think the phrase "poacher turned gamekeeper" applies here


I think you're onto something, Al!
bbdude
 
Posts: 21
Joined: Wed Nov 03, 2010 8:16 am

Re: Accessing Data in SAP from UNIX AIX

Postby thx4allthefish » Wed Dec 08, 2010 10:24 am

There's some hardcore mixup going on in your post.

Firstly - financial data - if they are true data, like -say- an incoming invoice or a cheque or something - are never, ever influenced by transports. No STMSing here! Which are the things we transport, then?

  • Configuration changes
  • Changes in table structures (not (!) data)
  • Other Repository changes = program changes etc
  • ... = roles, calendars ...

Two different fish entirely.

Now to the OS/DB matter.

Oracle ERP goes with Oracle DB and naught else. I cannot vouch for Oracle ERP, never having seen the thingy, but I suspect that changes to the ERP functionality/structure of the application as well as the data can be done either by su root + login oradba + sqlplus or by some functionality that the ERP provides for exactly such a purpose.

SAP ERP goes with many different DB-products: MaxDB, SQL-Server, Oracle ... changing the functionality/structure of the ... see Oracle.

So basically, for manipulating data (see above - real data - leave out structure/functionality/development) you have two possible ways: use the application the respective ERP system provides (via a GUI layer or something) or access the database directly in the way described.

What does that mean for an auditor: the manipulation of data via an application which is provided by the ERP can usually be limited by the security functionality embedded in said ERP (again - no clue about ORA-ERP) = roles, objects, profiles ... the manipulation of data via OS/DB access is only limited by root/password, dbaadm/password - which is barely a limit at all! More: the changes go unrecorded, there's no history etc - all the things an ERP should provide. So, access to OS/DB should be strictly limited to the girls doing the maintenance of the software, applying OS patches, DB patches etc. which cannot otherwise be applied using ERP functionality. Nobody else is to enter here.

In terms of layers of software of an ERP-system (top-down)

Top layer
ERP (with applications developed in whatever language, in case of SAP ABAP, java etc) where ERP specific authorisation checks are programmed somewhere in the code.

One down

Kernel: mostly in C#, C++ and assembler programmed functionality that enables the ERP to communicate with the OS/DB

Again, one down
DB a modelled software consisting of tables, views ... programs that ensures a relational (well nowadays, anyway) modelling of data. Tools for maintenance, performance, monitoring etc.

Bottom
OS ... everybody knows ...

Don't take that layer-model literally, it's a translation done for the sake of your problem. If you want to understand about layers (as in architecture) in general, google for some OSI - model.
thx4allthefish
 
Posts: 5694
Joined: Sat Oct 26, 2002 6:18 pm
Location: barolo barrel

Re: Accessing Data in SAP from UNIX AIX

Postby bbdude » Wed Dec 08, 2010 11:02 am

Very helpful! Thank you so much for the explanation - very clear.

Going back to my original question to make sure I understand what you have explained ... it seems someone with direct access to the DB supporting SAP could impact financial data by executing update/modify commands? Furthermore, someone with access to root may also make changes to financial data, but would first need knowledge of the DB user account(s) password?

So in reality - I should evaluate any direct changes made to the database and determine whether or not these changes were approved - AND why they weren't done via the GUI?
bbdude
 
Posts: 21
Joined: Wed Nov 03, 2010 8:16 am

Re: Accessing Data in SAP from UNIX AIX

Postby thx4allthefish » Wed Dec 08, 2010 1:21 pm

bbdude wrote:Very helpful! Thank you so much for the explanation - very clear.

Going back to my original question to make sure I understand what you have explained ... it seems someone with direct access to the DB supporting SAP could impact financial data by executing update/modify commands?


Only if s/he has access to both, root/pw for the OS + dbaadm/pw for the DB + sql (and knows the table names and so on to do the real damage) - which is why I said: nobody enters here ... trespassing on the OS/DB domain (level) is forbidden for everybody, except the ones that have no real other chance = sys-admins, who have to apply patches and so on.

bbdude wrote:Furthermore, someone with access to root may also make changes to financial data, but would first need knowledge of the DB user account(s) password?



Correct.

bbdude wrote:So in reality - I should evaluate any direct changes made to the database and determine whether or not these changes were approved - AND why they weren't done via the GUI?


I can't see how you were to accomplish this - there's no recording of changes active on that level (usually not, for performance reasons), so your primal goal would be to evaluate WHO has that access that enables her/him to change data on that level. I'll go farther: there can never be an approval of changing data on OS/DB level, every excuse you get for data changes on that level are questionable, to say the least.

And hoping, you are the guy I think you are, promptly, strictly and forcefully disable it (excepting the poor admins who have no other choice and making them subject to document every single access (by running a trace or something)).

ETA:
Actually, you might want to even forbid access to OS level. Since on that level -as root- you can do a rm -rf any time = you could delete the whole database completely ... and that would void any concern about financial data.
thx4allthefish
 
Posts: 5694
Joined: Sat Oct 26, 2002 6:18 pm
Location: barolo barrel
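The check thx4allthefish describes above, naming WHO can reach the data from the OS/DB level, as an added example that is not part of the original posts. It takes AIX-style /etc/passwd, /etc/group and sudoers files and lists three populations: UID-0 accounts, accounts with an unrestricted sudo rule, and members of the DB2 instance owner's group (which holds SYSADM on the database). The sample file contents, the SID PRD, the instance owner db2prd and its group dbprdadm are constructed assumptions, not data from the thread. The three sets are reported as one population because on UNIX root can `su` to any local account, the DB2 instance owner included, without knowing that account's password; the DB password only protects against people who are not already root.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Purpose: given AIX-style /etc/passwd, /etc/group and a sudoers file, list
# the accounts that can reach the SAP database "from below" the application:
#   * UID-0 accounts (root and any root-equivalent account)
#   * accounts with an unrestricted sudo rule (ALL=(ALL) ALL)
#   * members of the DB2 instance owner's primary group (SYSADM on DB2)
# The file contents, SID "PRD", instance owner "db2prd" and group "dbprdadm"
# are constructed for illustration and are not from the page.

set -u

# Write constructed sample files into a scratch directory and echo its path.
make_sample_files() {
    dir="${TMPDIR:-/tmp}/sap_osdb_check.$$"
    mkdir -p "$dir"
    cat > "$dir/passwd" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
db2prd:!:204:204:DB2 instance owner:/db2/db2prd:/usr/bin/ksh
prdadm:!:205:203:SAP system admin:/home/prdadm:/bin/csh
jdoe:!:1001:1:Jane Doe:/home/jdoe:/usr/bin/ksh
toor:!:0:0:second uid-0 account:/:/usr/bin/ksh
EOF
    cat > "$dir/group" <<'EOF'
system:!:0:root
staff:!:1:jdoe
sapsys:!:203:prdadm
dbprdadm:!:204:db2prd,jdoe
EOF
    cat > "$dir/sudoers" <<'EOF'
Defaults requiretty
root ALL=(ALL) ALL
jdoe ALL=(ALL) NOPASSWD: ALL
prdadm ALL=(db2prd) /db2/db2prd/sqllib/bin/db2
EOF
    echo "$dir"
}

# Accounts whose UID is 0: every one of them is root, whatever it is called.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1" | sort -u | xargs
}

# Members listed for a named group in /etc/group (AIX format name:!:gid:members).
group_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1" \
        | sort -u | xargs
}

# Users with an unrestricted sudo rule: "<user> ALL=(...) [NOPASSWD:] ALL".
# Defaults lines, comments and %group aliases are skipped; a rule restricted
# to a single command (prdadm above) does not count as unrestricted.
sudo_all_users() {
    awk '$1 !~ /^(#|Defaults|%)/ && $2 ~ /^ALL=/ && $NF == "ALL" { print $1 }' "$1" \
        | sort -u | xargs
}

# Union of the three populations: the names an auditor has to collect, because
# root can "su - db2prd" without a password and the instance owner's group
# holds SYSADM on the database, so a separate DB password is no barrier here.
privileged_accounts() {
    dir="$1"
    {
        uid0_accounts "$dir/passwd"
        sudo_all_users "$dir/sudoers"
        group_members "$dir/group" dbprdadm
    } | tr ' ' '\n' | sort -u | xargs
}

SAMPLE_DIR=$(make_sample_files)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
echo "uid 0        : $(uid0_accounts "$SAMPLE_DIR/passwd")"
echo "sudo ALL     : $(sudo_all_users "$SAMPLE_DIR/sudoers")"
echo "dbprdadm     : $(group_members "$SAMPLE_DIR/group" dbprdadm)"
echo "can reach DB : $(privileged_accounts "$SAMPLE_DIR")"
```

On a real AIX host the three functions would be pointed at the live /etc/passwd, /etc/group and /etc/sudoers (or the output of `lsuser`/`lsgroup`) instead of the constructed files; the resulting list is the population whose every OS session needs a documented reason and a trace, as the post above asks for.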

Re: Accessing Data in SAP from UNIX AIX

Postby bbdude » Wed Dec 08, 2010 2:44 pm

thx4allthefish wrote:I can't see how you were to accomplish this - there's no recording of changes active on that level (usually not, for performance reasons), so your primal goal would be to evaluate WHO has that access that enables her/him to change data on that level. I'll go farther: there can never be an approval of changing data on OS/DB level, every excuse you get for data changes on that level are questionable, to say the least.

And hoping, you are the guy I think you are, promptly, strictly and forcefully disable it (excepting the poor admins who have no other choice and making them subject to document every single access (by running a trace or something)).

ETA:
Actually, you might want to even forbid access to OS level. Since on that level -as root- you can do a rm -rf any time = you could delete the whole database completely ... and that would void any concern about financial data.


Ah, okay. In an Oracle ERP environment - changes are often done directly in the DB and this is actually tracked. For example, if you wanted to set-up/configure a program to be used in Oracle ERP ... you would first add the packages to the Oracle DB and then register them at the application level. This process obviously confuses me as it relates to SAP. You can tell in my past life I was an Oracle admin :D

Unfortunately, I'm not in a position to make security decisions or influence policy as I am an external auditor 8)

We are, however, going to provide guidance to our client as to what should and should not be enabled. Their trusted host set-up isn't very pretty either :twisted:

Thanks for all the help and guidance. Glad I actually understand things now.
bbdude
 
Posts: 21
Joined: Wed Nov 03, 2010 8:16 am

Re: Accessing Data in SAP from UNIX AIX

Postby thx4allthefish » Wed Dec 08, 2010 3:00 pm

bbdude wrote:Ah, okay. In an Oracle ERP environment - changes are often done directly in the DB and this is actually tracked. For example, if you wanted to set-up/configure a program to be used in Oracle ERP ... you would first add the packages to the Oracle DB and then register them at the application level.


Dear, are you sure, you are not mixing these up?? Adding a program is one thing (like: developing it in SAP, transporting it around the landscape). Of course, this is tracked.

But changing data = a cheque, a bill, a sale order, a production order, the cost centre a production order has as an accounting link - this is something else entirely. It should not be enabled on OS/DB level.
thx4allthefish
 
Posts: 5694
Joined: Sat Oct 26, 2002 6:18 pm
Location: barolo barrel

Re: Accessing Data in SAP from UNIX AIX

Postby bbdude » Wed Dec 08, 2010 3:04 pm

thx4allthefish wrote:
bbdude wrote:Ah, okay. In an Oracle ERP environment - changes are often done directly in the DB and this is actually tracked. For example, if you wanted to set-up/configure a program to be used in Oracle ERP ... you would first add the packages to the Oracle DB and then register them at the application level.


Dear, are you sure, you are not mixing these up?? Adding a program is one thing (like: developing it in SAP, transporting it around the landscape). Of course, this is tracked.

But changing data = a cheque, a bill, a sale order, a production order, the cost centre a production order has as an accounting link - this is something else entirely. It should not be enabled on OS/DB level.


I guess what I'm trying to say is that in an Oracle environment there are more reasons to be in the database directly as there is when it comes to SAP. I agree that, in both cases, access should be very limited to those that need it and direct changes to data should NOT occur.
bbdude
 
Posts: 21
Joined: Wed Nov 03, 2010 8:16 am

Re: Accessing Data in SAP from UNIX AIX

Postby thx4allthefish » Wed Dec 08, 2010 3:08 pm

I hope, you are correct.

I find that very disturbing and actually, this is -in my book- a very important fact that advises AGAINST the use of Oracle-ERP.

I had a go at Navision, once - it was the same as you describe with Oracle.

In my view, this is not a software fit for ITS or any other financial auditing, but that is -most certainly- only my opinion.

I am a strong supporter of data integrity. The more integrity, the better.

Last, not least - I hope, you did not take offense with my raving!
thx4allthefish
 
Posts: 5694
Joined: Sat Oct 26, 2002 6:18 pm
Location: barolo barrel
