Post on 24-Jun-2018
Version 3.2 – 27 October 2016
Technical Whitepaper
Virtual Forge SystemProfiler
© 2016 Virtual Forge | www.virtualforge.com | All rights reserved. 2
Table of contents
Management Summary
Overview
  Customer Benefit and Solution Approach
Solution Overview
  Comprehensive and extensible content
  Central, scalable architecture
  Integration into an SAP system landscape
  Flexible Policies
  Output of results
  Effective, automated corrections
Implementation and configuration
  Technology
Roadmap
  Outlook
About Virtual Forge
Disclaimer
Management Summary
Virtual Forge SystemProfiler enables you to secure and monitor the security and quality of your entire
SAP system landscape to ensure frictionless system operations.
SystemProfiler continuously monitors SAP systems for weaknesses in the areas of security,
compliance and quality. This minimizes critical risks, reduces costs significantly through more
stable and faster SAP systems, and drastically reduces the effort for monitoring and correction
measures.
The flexible policy management and the architecture of SystemProfiler are designed to provide a
central overview of all SAP systems, even in complex system landscapes. This simplifies the
assessment of all risks related to security and quality.
SystemProfiler comes with a comprehensive and predefined set of checks which are based on
established industry standards. In addition, custom checks can easily be configured and added.
The results of those checks are displayed centrally within the SAP system; generating PDF reports
of these results is also possible. Naturally, SystemProfiler also offers integrations for analyzing the
results externally. An interface to SIEM solutions, delivering critical events in real-time, or a reporting
API which enables detailed analysis in any reporting solutions, are just two examples of standard
functionality delivered by SystemProfiler. Additionally, SystemProfiler is the first solution to use the
Virtual Forge Reporting framework to provide an overview of the most relevant key performance
indicators (KPIs).
Overview
SAP® systems are part of the business-critical infrastructure and are infinitely more complex than just
a few years ago. One system line alone consists of at least a development, quality assurance and
productive system, in addition to several more system lines for HR, CRM and other departments.
Internal departments use standard PCs to access SAP systems, but these days mobile devices as
well as decentralized and outsourced teams also access data from SAP. In addition, maintenance
and administration of those systems are within the responsibility of service providers and
subcontractors.
This complexity increases the overall risks: many SAP systems are vulnerable to attacks from both the
outside and the inside due to errors or omissions in their configuration.
And security is not the only topic: more demanding requirements relating to the quality of system
configuration make it difficult and costly to maintain a high level of configuration quality.
Therefore it is imperative to know the risks of SAP operations and to take the appropriate action.
In addition to topics such as roles and authorizations, GRC, identity management and secure
programming, the issue of configuration in particular is essential for smooth business
operations. With the objective to carry out the comprehensive and complex tasks in this context
efficiently and effectively, we have developed the Virtual Forge SystemProfiler that combines our
longstanding project experience in one software solution.
Customer Benefit and Solution Approach
Virtual Forge developed SystemProfiler to simplify two major tasks which result from the risks
mentioned above.
Firstly, SystemProfiler enables customers to maintain and ensure a high level of security and quality
for the entire SAP system landscape.
Secondly, SystemProfiler simplifies the manual tasks necessary for maintaining a certain level of
security and quality by providing a central overview of the current status of each individual
SAP system. This process is highly automated, both in terms of validating the configuration and in
terms of correcting weaknesses that are found.
The approach followed by SystemProfiler can be divided into three phases. Firstly, an initial risk
assessment checks each system for its current security status. The second phase then consists of the
mitigation of all found weaknesses. For this, the following options exist:
Maintenance of black- and whitelists where necessary (e.g. whitelists for users which require that particular authorization)
Adjustment of inspection policies (e.g. the target values for certain parameters may differ by system)
Correction of weaknesses
Following this phase is the continuous validation of the entire SAP system landscape. For this, a
background job is set up. Using the notification functionality or the integration into a SIEM or
similar solution, the user is automatically notified about newly found weaknesses.
This approach significantly lowers the effort required in the administration of complex system
landscapes and enables SAP systems to be integrated into a holistic IT security concept.
Solution Overview
Comprehensive and extensible content
The Virtual Forge SystemProfiler comprises a set of test cases and recommended reference values
and assessments. The test groups include the domains security & compliance as well as quality
assurance. Both of these domains are separated into several categories. Currently, the following
categories are included in SystemProfiler:
Authorizations – AS Java
Authorizations – Central Functions
Authorizations – Development
Authorizations – General
Authorizations – General (Exploitable)
Authorizations – General Basis Administration
Authorizations – Job and Spool Administration
Authorizations – User Administration
Authorizations – User Administration (Exploitable)
Common System Profile Parameters
User Management
Business Continuity
Operating System Security
Database Performance
Database Security
Forensics
Java System Security
Communication Security – General
Communication Security – SNC
Password Policy
Logging
Communication Robustness
System Integrity Protection
Standard Users
System Performance
System Installation
Web AS Security
The overall scope of the solution is based on best practices and can be individually adjusted and
enhanced by companies. In addition to many years of experience of Virtual Forge these test cases
incorporate recommendations from existing security guidelines. The following standards have been
incorporated into SystemProfiler:
The audit guideline of the German-speaking SAP user group (DSAG), which was developed together with audit companies and is also used by them.
The recommendations of SAP for security and quality, such as the Security Optimization Services (SOS) or the recommendations from the SAP Security Baseline Template.
Best practices from customer projects
Additional standards for SAP and IT systems such as the PCI DSS, SOX, BSI and others
In total, the current version of SystemProfiler (3.2) features more than 400 test cases. Besides the
technical check, a recommended value, based on the recommendations from the standards
mentioned above, is also part of the delivered solution. This enables an out-of-the-box comparison of
a system configuration to common standards.
Figure 1 - SystemProfiler – Selection of test cases
However, not all test cases are based on individual weaknesses. Security weaknesses in SAP
systems are often the result of a combination of individual weaknesses. While each individual
weakness might not pose a big threat to system integrity, the combination of several leaks might
increase the potential risk significantly. One example would be RFC connections: a fully qualified RFC
connection (i.e. username and password are stored in the connection settings) might not be
exploitable by an attacker as such. If the user of a particular RFC connection holds critical
authorizations, however, and the RFC connection also points to a system of a higher security level,
the risk associated with that fully qualified RFC connection increases. Therefore, we have developed
advanced test cases which combine the results of individual test cases. This provides a more precise
assessment of the actual risk and the business impact associated with different weaknesses.
Advanced test cases are based on specific test classes and can be configured, adjusted and extended
according to customer requirements.
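The following Python script is an added illustration of the idea behind an advanced test case, not SystemProfiler code (the product itself is implemented in ABAP). It combines the three individual checks named above (credentials stored in the destination, stored user holding critical authorizations in the target, target of a higher security level than the source) into one rating. The security-level ordering, rating scale, system IDs, user IDs and destinations are all constructed for this example.

```python
"""Combined ("advanced") risk evaluation for RFC destinations.

Added illustration, not SystemProfiler code. All names, ratings and sample
data below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed ordering of system roles by security level (constructed).
SECURITY_LEVEL = {"DEV": 1, "QAS": 2, "PRD": 3}
RATINGS = ["LOW", "MEDIUM", "HIGH"]


@dataclass(frozen=True)
class RfcDestination:
    name: str
    source_system: str          # system in which the destination is defined
    target_system: str          # system the destination points to
    stored_user: Optional[str]  # user stored in the logon data, None if absent
    stored_password: bool       # True if a password is stored as well


@dataclass(frozen=True)
class Finding:
    test_case: str
    system: str
    object_name: str
    rating: str
    reasons: tuple


def is_fully_qualified(dest: RfcDestination) -> bool:
    """Individual check: user *and* password are stored in the destination."""
    return bool(dest.stored_user) and dest.stored_password


def holds_critical_auth(system: str, user: str,
                        critical_users: Dict[str, Set[str]]) -> bool:
    """Individual check: result of a separate critical-authorization inspection,
    modelled here as a per-system set of user IDs (constructed input)."""
    return user in critical_users.get(system, set())


def points_to_higher_level(dest: RfcDestination,
                           system_roles: Dict[str, str]) -> bool:
    """Individual check: the target has a higher security level than the source."""
    src = SECURITY_LEVEL[system_roles[dest.source_system]]
    tgt = SECURITY_LEVEL[system_roles[dest.target_system]]
    return tgt > src


def advanced_rfc_check(dest: RfcDestination,
                       critical_users: Dict[str, Set[str]],
                       system_roles: Dict[str, str]) -> Optional[Finding]:
    """Advanced test case: combine the three individual checks into one rating.

    A fully qualified destination alone is LOW; if the stored user is critical
    in the target *or* the target is more sensitive than the source it becomes
    MEDIUM; if both hold it becomes HIGH.
    """
    if not is_fully_qualified(dest):
        return None
    reasons = ["user and password stored in destination"]
    escalation = 0
    if holds_critical_auth(dest.target_system, dest.stored_user, critical_users):
        escalation += 1
        reasons.append("stored user holds critical authorizations in target")
    if points_to_higher_level(dest, system_roles):
        escalation += 1
        reasons.append("destination points to a system of higher security level")
    return Finding("RFC_COMBINED_RISK", dest.source_system, dest.name,
                   RATINGS[escalation], tuple(reasons))


def evaluate_landscape(destinations, critical_users, system_roles) -> List[Finding]:
    """Run the advanced check over all destinations and keep only the hits."""
    results = []
    for dest in destinations:
        finding = advanced_rfc_check(dest, critical_users, system_roles)
        if finding is not None:
            results.append(finding)
    return results


# Constructed sample landscape (not real customer data).
SYSTEM_ROLES = {"D01": "DEV", "Q01": "QAS", "P01": "PRD"}
CRITICAL_USERS = {"P01": {"RFC_ADMIN"}, "D01": {"DEVADMIN"}}
DESTINATIONS = [
    RfcDestination("D01_TO_P01", "D01", "P01", "RFC_ADMIN", True),  # critical + higher level
    RfcDestination("P01_TO_D01", "P01", "D01", "DEVADMIN", True),   # critical only
    RfcDestination("D01_TO_Q01", "D01", "Q01", "RFC_READ", True),   # higher level only
    RfcDestination("Q01_TO_D01", "Q01", "D01", "RFC_READ", True),   # stored credentials only
    RfcDestination("P01_TRUSTED", "P01", "Q01", None, False),       # no stored logon data
]

if __name__ == "__main__":
    for f in evaluate_landscape(DESTINATIONS, CRITICAL_USERS, SYSTEM_ROLES):
        print(f.rating, f.system, f.object_name, "; ".join(f.reasons))
```

The point of the combination is visible in the sample: the same individual weakness (stored credentials) yields four different ratings depending on what the other checks say about the stored user and the target system.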
BLACK- AND WHITELISTS
Many test cases offer the possibility to define exceptions. This is especially useful for critical
authorizations. SystemProfiler integrates black- and whitelists for this purpose.
Whitelists contain exceptions which will not be checked by an inspection, for example administrators
which should not appear in the result lists for users with critical authorizations.
Blacklists, on the other hand, are important for test cases where the scope of the validation is defined
by the content of the list. For example, the standard delivery of SystemProfiler contains a test case
which includes a predefined list of ICF services which should not be active according to the
recommendations by SAP.
Configuration of black- and whitelists in SystemProfiler offers a great deal of flexibility. For instance, it
is possible to define general lists covering the entire system landscape. However, it is also possible to
restrict lists to single test cases or to a group of test cases. Lists for a specific system or even client can
also easily be created; even temporary lists are possible. Maintenance of black- and whitelists is
possible in customizing or directly from within finding management.
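As an added illustration of the scoping just described (not SystemProfiler code; the product is ABAP-based), the Python script below applies a whitelist to a list of findings. Each entry can be limited to one test case, one system and one client, or left open for the whole landscape, and an entry can carry an expiry date so that a temporary exception stops suppressing findings once it has run out. Test case IDs, system IDs, user IDs and dates are constructed.

```python
"""Scoped whitelist exceptions for inspection findings.

Added illustration, not SystemProfiler code. All identifiers and sample data
are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    test_case: str
    system: str
    client: str
    object_name: str   # e.g. a user ID for a critical-authorization test case


@dataclass(frozen=True)
class WhitelistEntry:
    object_name: str
    test_case: Optional[str] = None     # None: applies to every test case
    system: Optional[str] = None        # None: applies to the entire landscape
    client: Optional[str] = None        # None: applies to every client
    valid_until: Optional[date] = None  # None: permanent; otherwise temporary

    def covers(self, finding: Finding, today: date) -> bool:
        """True if this entry suppresses the finding on the given date."""
        if self.valid_until is not None and today > self.valid_until:
            return False  # temporary exception has expired
        if self.object_name != finding.object_name:
            return False
        # Each scope attribute restricts the match only when it is set.
        scopes = ((self.test_case, finding.test_case),
                  (self.system, finding.system),
                  (self.client, finding.client))
        return all(want is None or want == have for want, have in scopes)


def apply_whitelist(findings: List[Finding], entries: List[WhitelistEntry],
                    today: date) -> Tuple[List[Finding], List[Tuple[Finding, WhitelistEntry]]]:
    """Split findings into those still reported and those suppressed.

    Suppressed findings are returned together with the entry that covered
    them, so that every exception stays auditable."""
    reported, suppressed = [], []
    for finding in findings:
        match = next((e for e in entries if e.covers(finding, today)), None)
        if match is None:
            reported.append(finding)
        else:
            suppressed.append((finding, match))
    return reported, suppressed


# Constructed sample data.
FINDINGS = [
    Finding("CRITICAL_AUTH_USER_ADMIN", "P01", "100", "BASISADM"),
    Finding("CRITICAL_AUTH_USER_ADMIN", "D01", "100", "BASISADM"),
    Finding("CRITICAL_AUTH_DEVELOPMENT", "P01", "100", "BASISADM"),
    Finding("CRITICAL_AUTH_USER_ADMIN", "P01", "100", "FIREFIGHTER"),
    Finding("CRITICAL_AUTH_USER_ADMIN", "P01", "200", "FIREFIGHTER"),
]
WHITELIST = [
    # landscape-wide, but only for the user-administration test case
    WhitelistEntry("BASISADM", test_case="CRITICAL_AUTH_USER_ADMIN"),
    # temporary firefighter access, limited to system P01, client 100
    WhitelistEntry("FIREFIGHTER", system="P01", client="100",
                   valid_until=date(2016, 10, 31)),
]


def evaluate_sample(today_iso: str) -> Tuple[List[str], int]:
    """Run the sample data for a given ISO date; returns the reported
    object names (with test case) and the number of suppressed findings."""
    reported, suppressed = apply_whitelist(FINDINGS, WHITELIST,
                                           date.fromisoformat(today_iso))
    return [f"{f.test_case}:{f.system}/{f.client}:{f.object_name}" for f in reported], len(suppressed)


if __name__ == "__main__":
    for day in ("2016-10-27", "2016-11-15"):
        names, n_suppressed = evaluate_sample(day)
        print(day, "reported:", names, "suppressed:", n_suppressed)
```

Before the firefighter entry expires, the BASISADM development finding and the FIREFIGHTER finding in client 200 are the only ones reported; after 31 October the client-100 FIREFIGHTER finding reappears automatically.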
ENHANCEMENT OF TEST CASES
Test cases of SystemProfiler can be configured to custom requirements. In addition, new test cases
can be developed by the user.
To enable this functionality, SystemProfiler provides so-called test classes. Within these test classes,
new test cases within the customer namespace can be defined.
This ensures maximum flexibility in terms of meeting customer specific requirements. We see this
flexibility as a substantial feature of SystemProfiler:
Test cases included in the standard can be configured to meet customer requirements.
Customer-specific test cases can be developed based on standard test classes.
Customer-specific test classes can be implemented and used for defining new test cases.
All advantages of SystemProfiler, such as continuous monitoring of the entire system landscape or the flexible policy management, can therefore be expanded to cover every possible customer requirement.
Figure 2 - SystemProfiler – Test cases and test classes
Central, scalable architecture
All tests are carried out as so-called "whitebox tests" in the SAP system. The tests can be run both
locally and centrally in a system landscape.
This approach is reflected in the central architecture of SystemProfiler. All central components of
SystemProfiler are implemented in the central system. The target systems are connected to the
central system's engine. This enables the validation of all SAP systems within the corporation from one
central point. This makes it possible to keep an overview even in complex system landscapes and to
quickly validate system configurations for possible risks. The necessary information on the SAP
system landscape can be retrieved from SAP Solution Manager.
SystemProfiler is centrally managed. A dispatcher distributes the different policies to the target
systems. Inspections are scheduled using the central components:
The SystemProfiler Cockpit for selecting test cases and systems to be checked
Result Viewer, which displays the results for each inspection run
The Finding Manager, which visualizes the results; manual and automatic corrections can be started from here
A SystemProfiler engine is installed in the target systems using the Add-on Tool. This engine receives
the policies from the central system, returns the inspection results and triggers automatic corrections.
For all tasks involved in using SystemProfiler, Virtual Forge also delivers the necessary roles and
authorizations. These contain all required authorization objects to execute the inspections on all
systems as well as to execute corrections.
Figure 3 - SystemProfiler components
Integration into an SAP system landscape
In general, the following types of SAP systems play a role in connection with SystemProfiler:
The central system. A system that hosts the central components of SystemProfiler and a client that is used to start inspections and corrections. The central components of SystemProfiler have to be installed on an ABAP system.
The connected target system of type SAP NetWeaver AS ABAP. A system that hosts clients that are targets of inspections and corrections. The execution of the test cases takes place in these clients. There are RFC connections from the central client to every target client.
The connected target system of type SAP NetWeaver AS Java. A system that is the target of inspections. There are Web service connections from the central system to every target system.
The connected Solution Manager system. A system that contains system landscape data for the adjustment of the SystemProfiler system landscape repository. Furthermore, special test cases are executed on a Solution Manager system. There are RFC connections from the central client to the target clients of this system.
The HANA proxy system. An SAP NetWeaver AS ABAP system that is connected to HANA target systems. There are RFC connections from the central client to at least one client of this system, or the central system itself is the HANA proxy.
The connected HANA target system. An SAP HANA system that is connected to a HANA proxy system. There are database connections from the proxy system to this system.
Figure 4 - SystemProfiler connections
Flexible Policies
The flexibility of the engine is reflected in the policy management of SystemProfiler, which can be set
for each system individually. A reference policy, based on established standards, comes predelivered
with SystemProfiler. Depending on the role of the respective SAP system and client the policy can be
adjusted for each configuration detail separately. That makes it easy to define policies that apply to the
entire system landscape and at the same time are individually customized for each system. With
SystemProfiler, the systems can be continuously checked against these guidelines and evaluations of
the configuration status of the entire system landscape can be generated.
Tests can be performed as follows:
system or client role-specific
cross-client or client-specific
application server-specific
operating system-specific
database-specific
Using the integrated landscape maintenance, where the landscape can either be adopted from SAP
Solution Manager or be defined manually, monitoring that covers the entire SAP system landscape
is possible.
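To make the policy model concrete, here is an added Python illustration (not SystemProfiler code, which is ABAP) of a reference policy that is refined first by system role and then by individual system, and then used to check a snapshot of profile parameter values. The parameter names are real SAP profile parameters; the target values, override layers, system IDs and snapshot values are constructed for the example and are not the values recommended by any of the standards named above.

```python
"""Policy resolution with role- and system-specific overrides.

Added illustration, not SystemProfiler code. Parameter names are real SAP
profile parameters; every target value and all system data are constructed.
"""
import operator
from typing import Dict, List, Tuple

Rule = Tuple[str, int]  # (comparison operator, target value)
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}

# Constructed reference policy applying to every system unless overridden.
REFERENCE_POLICY: Dict[str, Rule] = {
    "login/min_password_lng": (">=", 8),
    "login/fails_to_user_lock": ("<=", 5),
    "login/no_automatic_user_sapstar": ("==", 1),
    "rdisp/gui_auto_logout": ("<=", 3600),
}

# Override layers, most specific wins: reference < role < system.
ROLE_OVERRIDES: Dict[str, Dict[str, Rule]] = {
    "PRD": {"login/min_password_lng": (">=", 12),
            "rdisp/gui_auto_logout": ("<=", 1800)},
}
SYSTEM_OVERRIDES: Dict[str, Dict[str, Rule]] = {
    # constructed exception for one development system
    "D01": {"rdisp/gui_auto_logout": ("<=", 7200)},
}


def resolve_policy(system: str, role: str) -> Dict[str, Rule]:
    """Merge the layers so that each parameter ends up with exactly one rule."""
    policy = dict(REFERENCE_POLICY)
    policy.update(ROLE_OVERRIDES.get(role, {}))
    policy.update(SYSTEM_OVERRIDES.get(system, {}))
    return policy


def check_parameters(system: str, role: str,
                     snapshot: Dict[str, int]) -> List[dict]:
    """Compare a snapshot of current parameter values with the resolved
    policy. One finding per parameter that is missing or violates its rule."""
    findings = []
    for param, (op, target) in resolve_policy(system, role).items():
        current = snapshot.get(param)
        if current is None or not OPS[op](current, target):
            findings.append({"system": system, "parameter": param,
                             "current": current, "expected": f"{op} {target}"})
    return findings


# Constructed parameter snapshots per system: role and current values.
SNAPSHOTS = {
    "D01": ("DEV", {"login/min_password_lng": 8,
                    "login/fails_to_user_lock": 5,
                    "login/no_automatic_user_sapstar": 1,
                    "rdisp/gui_auto_logout": 7200}),
    "P01": ("PRD", {"login/min_password_lng": 8,
                    "login/fails_to_user_lock": 5,
                    "login/no_automatic_user_sapstar": 0,
                    "rdisp/gui_auto_logout": 1800}),
}


def inspect_all(snapshots=SNAPSHOTS) -> Dict[str, List[dict]]:
    """Run the check for every system in the snapshot table."""
    return {sysid: check_parameters(sysid, role, values)
            for sysid, (role, values) in snapshots.items()}


if __name__ == "__main__":
    for sysid, findings in inspect_all().items():
        print(sysid, "findings:", findings)
```

The same current value (a minimum password length of 8) passes in D01 and fails in P01, because the production role tightens the target; the D01 system-level override in turn relaxes the auto-logout rule for that one system without touching the reference policy.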
SystemProfiler enables the validation of SAP NetWeaver ABAP, SAP NetWeaver Java or SAP HANA
based systems as
ad-hoc inspections
scheduled, periodic and therefore continuous inspections.
Using the notification functionality, results of finished inspections can be sent via e-mail to the person
responsible. Both receiver and sender of the notification can be configured, and a status filter can be
set. This enables notification of the specific responsible system administrators when a weakness has
been detected on their system.
Output of results
Integrated reporting options
The integrated result viewer provides an overview of the configuration status of individual systems and
the entire system landscape. The results are displayed within the system in a separate user interface;
additionally, all results can be exported as reports in PDF format.
The reports of SystemProfiler adhere to the standards set forth by auditors. Besides an executive
summary of the overall status of the system, the number of findings is displayed in table form.
This is followed by detailed documentation of each test case, which contains the following
information:
Information on the test case
Short and long description of the test case
Risk associated with a found weakness as well as details on possible impacts.
Detailed description of manual and automated corrections.
A reference to an attachment where the findings are listed
Reports can be created before the start of an inspection, but can also be generated subsequently.
Detailed results of every test case can also be exported in Microsoft Excel format.
Interfaces
In addition to built-in reports, inspection results can be exported using several options.
One option for exporting results is a standardized XML format. This XML can be processed by
external applications (e.g. ticket systems) using a mapping table.
SystemProfiler additionally offers an integration into SIEM solutions (Security Information and Event
Management). The continuous monitoring enabled with SystemProfiler extends the reach of SIEM
solutions to cover SAP systems, something which has not been possible before.
For SIEM export, all test cases from the "Forensics" category are exported into SIEM-compatible
formats by default and can be processed immediately. Out of the box, SystemProfiler supports CEF
and LEEF file exports. Additional test cases and content can be added to SIEM processing using
SystemProfiler's customizing.
Additional features of the SIEM interface are an intelligent pre-qualification of events, automatic
detection of duplicates and status management features.
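As an added illustration of what such an export involves (not SystemProfiler code; the product is ABAP-based and its actual field mapping is not described here), the Python script below renders a finding as an ArcSight CEF line and as a LEEF 1.0 line with the escaping each format requires, pre-qualifies events by a minimum severity, and detects duplicates across inspection runs by fingerprinting the finding. The event class IDs, severity mapping and sample findings are constructed; `dvchost`, `cs1`/`cs1Label`, `cs2`/`cs2Label` and `msg` are standard CEF extension keys, `sev` is a LEEF-defined attribute, and the remaining LEEF keys are custom attributes.

```python
"""SIEM export of findings as CEF and LEEF with duplicate detection.

Added illustration, not SystemProfiler code. Event IDs, the severity mapping
and the sample findings are constructed for this example.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Set

VENDOR, PRODUCT, VERSION = "Virtual Forge", "SystemProfiler", "3.2"
SEVERITY = {"LOW": 3, "MEDIUM": 6, "HIGH": 9}  # constructed mapping to the 0-10 scale


@dataclass(frozen=True)
class Finding:
    test_case: str    # used as the event class ID / LEEF event ID
    name: str
    system: str
    client: str
    object_name: str
    rating: str
    details: str


def _cef_header(value: str) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value: str) -> str:
    """CEF extension values: backslash and '=' are escaped, newlines become \\n."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "").replace("\n", "\\n"))


def _leef_value(value: str) -> str:
    """LEEF 1.0 attributes are tab-separated, so tabs and newlines are removed."""
    return value.replace("\t", " ").replace("\r", "").replace("\n", " ")


def to_cef(f: Finding) -> str:
    """CEF:Version|Vendor|Product|Version|EventClassID|Name|Severity|Extension"""
    header = "|".join(_cef_header(v) for v in (
        VENDOR, PRODUCT, VERSION, f.test_case, f.name, str(SEVERITY[f.rating])))
    ext = {"dvchost": f.system, "cs1Label": "client", "cs1": f.client,
           "cs2Label": "object", "cs2": f.object_name, "msg": f.details}
    return "CEF:0|" + header + "|" + " ".join(f"{k}={_cef_ext(v)}" for k, v in ext.items())


def to_leef(f: Finding) -> str:
    """LEEF:1.0|Vendor|Product|Version|EventID|<tab-separated key=value pairs>"""
    attrs = {"sev": str(SEVERITY[f.rating]), "system": f.system, "client": f.client,
             "object": f.object_name, "msg": f.details}
    body = "\t".join(f"{k}={_leef_value(v)}" for k, v in attrs.items())
    return f"LEEF:1.0|{VENDOR}|{PRODUCT}|{VERSION}|{f.test_case}|{body}"


def fingerprint(f: Finding) -> str:
    """Identity of a finding across runs: same test case, system, client, object."""
    key = "\x1f".join((f.test_case, f.system, f.client, f.object_name))
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class SiemExporter:
    """Keeps the fingerprints of everything already sent so that a finding that
    is still present in the next inspection run is not reported a second time."""

    def __init__(self, fmt: str = "cef", min_severity: int = 0):
        self.fmt, self.min_severity = fmt, min_severity
        self.seen: Set[str] = set()

    def export_run(self, findings: List[Finding]) -> List[str]:
        lines = []
        for f in findings:
            if SEVERITY[f.rating] < self.min_severity:
                continue  # pre-qualification: below the configured threshold
            fp = fingerprint(f)
            if fp in self.seen:
                continue  # duplicate of an event already delivered
            self.seen.add(fp)
            lines.append(to_cef(f) if self.fmt == "cef" else to_leef(f))
        return lines


# Constructed sample findings.
SAMPLE = [
    Finding("PARAM_MIN_PASSWORD_LNG", "Minimum password length below policy target",
            "P01", "000", "login/min_password_lng", "HIGH", "current=6, target>=8"),
    Finding("RFC_FULLY_QUALIFIED", "RFC destination with stored logon data",
            "D01", "100", "D01_TO_P01", "LOW", "user and password stored"),
]

if __name__ == "__main__":
    exporter = SiemExporter("cef", min_severity=5)
    print("\n".join(exporter.export_run(SAMPLE)))   # first run: one HIGH event
    print(exporter.export_run(SAMPLE))              # second run: nothing new
```

The `msg` value shows why escaping matters: the `=` characters in `current=6, target>=8` would otherwise be read by a CEF parser as new key/value boundaries.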
To enable detailed result analysis, SystemProfiler also offers a reporting API. This is achieved by
providing relevant statistical system data (e.g. total number of users or total number of RFC
connections).
The reporting API consists of several function modules and is standardized across all Virtual Forge
solutions. Using this API, the most current results along with their master data and texts will be
provided to and can be processed by external reporting solutions. The API can be called both
internally and externally using web services.
Virtual Forge Reporting
SystemProfiler is the first solution of Virtual Forge which uses our new reporting dashboard. The
Virtual Forge Reporting Dashboard provides an intuitive, easy-to-use Web application which shows a
visualization of the current status of the test case results as well as trends that show the history of the
results. The Virtual Forge Reporting Dashboard will provide these features for all Virtual Forge
solutions in the near future.
Within the SystemProfiler implementation of the Virtual Forge Reporting Dashboard, detailed charts
enable an analysis of results depending on system-specific attributes. In addition, a detailed view on
all test case results is available. The Reporting Dashboard comes pre-configured to encompass all
test case results. Which test cases are actually shown within the Dashboard can be determined
individually by simply creating a variant which includes all required test cases. The Reporting
Dashboard provides several benefits:
Aggregated view on test case results of the entire system landscape.
Fast identification of necessary actions by showing different trends and status statistics.
Examination of the aggregated results depending on different point-of-views related to system
attributes such as system category or business unit.
In addition, the Reporting Dashboard contains the following features:
Visualization of special aspects of test case results such as the distribution of business impact
ratings or results filtered by test domains.
Detailed charts related to system attributes such as region and business unit.
Detailed trend charts for periods in the past.
Status charts for multiple key dates in the past.
Tables with detailed test case results for an immediate evaluation of single key figures.
Filtering and sorting capabilities.
Configurable key date and trend reporting periods.
The reporting dashboard can be configured in terms of which test cases are contained in the reporting
scope and regarding how time periods are displayed. For more specific reporting purposes,
SystemProfiler contains a web service API which can be used to cover more advanced reporting use
cases.
Effective, automated corrections
The unique functionality to correct parameters and settings in an automated manner extends
SystemProfiler to a comprehensive management solution for SAP system configurations. Automated
correction is available for many test cases.
Automated corrections can be triggered from the Finding Manager. The Finding Manager is used for
the management and processing of all found weaknesses. It displays all current weaknesses clearly
and in near real-time. Individual findings can be updated, verified and corrected directly from within
the Finding Manager; for most test cases, an extensive exception management (black- and whitelists) is
integrated.
Whether automated correction is allowed can be customized per test case or per system in
SystemProfiler customizing.
Especially for large and complex system landscapes the automated correction feature significantly
lowers costs for basis administration of all SAP systems.
Implementation and configuration
For the implementation of Virtual Forge SystemProfiler three phases can be distinguished:
installation (SAP transports with components and test contents – best-practice approach)
configuration (for company-specific adjustments and customization)
concept and planning (definition of test and correction sequences)
Basically, certain components of Virtual Forge SystemProfiler must be installed on all SAP systems to
be tested. To a large extent the configuration can be done on a centralized basis.
An authorization object and pattern roles are delivered for an easy definition of processes and
responsibilities.
The installation and configuration of the solution can be done within a few days. If desired,
experienced consultants will provide you with support when planning your processes in the
SystemProfiler environment. An essential feature of the solution is the extensibility through
configuration and custom developments.
Technology
Virtual Forge SystemProfiler is fully implemented in ABAP. The central components as well as the
ABAP-based target systems require SAP NetWeaver (Application Server ABAP) version 7.0 or higher.
For SAP NetWeaver Java systems, SystemProfiler supports versions 7.0 and 7.3. Among others the
Virtual Forge SystemProfiler uses the following SAP components and functions:
SAP Add-On Installation Tool
SAP Business Workflow (optional)
SAPconnect (optional)
On top of that, there are dependencies on other SAP components for specific test cases that are
delivered in separate packages. We will be happy to discuss support for other SAP releases with you
upon request.
SystemProfiler is certified by SAP and will be delivered as an Add-On package.
Roadmap
The roadmap detailed below is not binding and is subject to change by Virtual Forge at any time.
It serves as an orientation regarding the intended versions and their respective planned functions.
Version 3.2 offers
comprehensive functionality of the components of the SystemProfiler framework
support of the scenarios "planned, periodic inspection", "ad-hoc inspection" and automated corrections
automated, interactive corrections
validation reports and manual correction instructions
comprehensive test contents (orientation in line with the DSAG security guideline) for security and quality assurance, including advanced test cases
support for notification
centralized administration and customization
export of results as XML or PDF
integration into SIEM and reporting solutions
built-in reporting functionalities (via Virtual Forge Reporting solution)
integration into SAP Solution Manager and its applications
Outlook
Future versions of Virtual Forge SystemProfiler will provide enhancements in the following directions:
Integration into the Virtual Forge Cloud
further application scenarios
integration with the Virtual Forge CodeProfiler for even better assessment of vulnerabilities
further enhancement of the test contents to the areas "performance", "robustness", "maintainability" etc.
expansion to other platforms
enhanced integration into business processes (e.g. workflows)
support of audit processes (e.g. questionnaires)
transaction support for manual corrections
About Virtual Forge
Virtual Forge is an independent supplier of Security, Compliance and Quality products for
SAP® systems and applications.
Our customers are leading companies worldwide in industries such as automotive, banking
and insurance, chemicals and pharmaceuticals, high-tech and electronics, media and entertainment,
consumer goods, trade, oil and gas, and utilities.
With our products, they automatically identify key risks and easily correct errors within their
customized systems to protect them against cyber attacks, fraud, and unnecessary downtime.
www.virtualforge.com
Disclaimer
© 2015 Virtual Forge GmbH. All rights reserved.
Information contained in this publication is subject to change without prior notice. These materials are provided by
Virtual Forge and serve only as information.
SAP, ABAP and other named SAP products and services as well as their respective logos are trademarks or
registered trademarks of SAP SE in Germany and other countries worldwide. All other names of products and
services are trademarks of their respective companies.
Virtual Forge accepts no liability or responsibility for errors or omissions in this publication. From the information
contained in this publication, no further liability is assumed. No part of this publication may be reproduced or
transmitted in any form or for any purpose without the express permission of Virtual Forge GmbH, Germany or
Virtual Forge Inc., Philadelphia. The General Terms and Conditions of
Virtual Forge apply.