Layer Seven Security

Configuration and Security Analytics with SAP Focused Run

SAP Focused Run supports real-time monitoring for high-volume SAP landscapes and customers with advanced requirements for system management, user and integration monitoring, and vulnerability management. Configuration and Security Analytics (CSA) in SAP Focused Run applies security policies to  discover vulnerabilities in SAP systems. The policies read the contents of configuration, software and user-related stores in the Configuration and Change Database (CCDB). The CCDB stores are refreshed daily using the Simple Diagnostics Agent (SDA), installed in SAP systems monitored by Focused Run.

This article explores capabilities in CSA for tuning security checks using exclusions, configuring alerts for critical vulnerabilities, and investigating security-related changes reported by CSA.

Exclusions can be applied to exclude specific checks in security policies. In the example below, we have applied an exclusion to exclude a check that validates the status of the standard DDIC user. The first step is to open to CSA in the Advanced Configuration Monitoring workgroup.

The next step is to select the relevant policy and select Exemption for Policies.

Select Create to add the exemption. Select the Check ID based on the available checks in the policy and add an Exception ID and Description.

You can add a date range if the exclusion is temporary and should be automatically removed after a target date. Once saved, the check will be excluded from the policy. Exemptions can be maintained and deleted after they are applied.

Alerts for systems that fail checks in security policies can be configured using Configuration Validation Alert Management.

Select Create and add an Alert ID and Description. The Alert Source should be set to Configuration Validation – Policy. Select the Policy and maintain options for Aggregation Level, Scope, Frequency and Severity. Select ON and click on Save to activate the alert.

Alerts can be configured for specific systems or groups based on Customer ID, Data Center, IT Admin Role, Lifecyle Status, or Networks.

IT Admin Role can be used to apply alerts for systems based on environments.

Email and SMS options for alert notifications can be maintained using Outbound Variants.

Alerts can be investigated and managed using Alert Management. In the example below, we can see the alert configured in CSA for changes to standard users. Alerts in Alert Management be integrated with SIEM and service desk solutions. For detailed information, refer to the SAP Help Portal.

Changes in SAP systems are captured and logged in CSA. This includes areas such as parameter settings, RFC destinations, ICF services, and user authorizations, profiles, roles, and transactions. The details of the changes can be viewed using the option to display change of configuration items. Select a time frame for changes using Time Frame Selection.

You can also maintain a custom time frame.

Select a system to view to view a summary of the changes.

Select a store to view the details of changes. In the example below, we can see the details of users that were assigned the SAP_ALL profile in a system over the last three months.

The details can be filtered, sorted and exported to Excel.

The Cybersecurity Extension for SAP integrates with CSA in Focused Run to apply thousands of security checks for known vulnerabilities in SAP solutions. It also integrates with System Monitoring in Focused Run to detect and alert for more than 600 indicators of compromise in SAP event logs. To learn how you can protect your SAP systems from cyber threats using the Cybersecurity Extension for SAP, contact Layer Seven Security.

Security Alerting with SAP Focused Run

SAP Focused Run provides real-time application monitoring, alerting and analytics for large-scale SAP landscapes and hosting providers. It leverages SAP HANA to support centralized monitoring for up to thousands of systems in high-volume environments. Focused Run is intended to complement Solution Manager in SAP landscapes by substituting configuration, integration, system, and user monitoring scenarios from SolMan. Solution Manager is required for all other scenarios including change management, patch management, custom code management, business process monitoring, service management, and test management.

This article explores the alerting capabilities of SAP Focused Run using the workgroups Advanced System Management and Advanced Event & Alert Management.

Similar to SAP Solution Manager, Focused Run includes preconfigured monitoring templates and data providers for SAP platforms and solutions including ABAP, HANA, and Java. It also includes database and host templates for monitoring SAP infrastructure.  The standard metrics and alerts within the SAP-delivered templates include content for monitoring the availability and performance of SAP applications, components, agents, interfaces and infrastructure.

The Cybersecurity Extension for SAP extends the coverage of SAP Focused Run to include security monitoring.  The SAP-certified addon provides more than 500 metrics and alerts for detecting indicators of compromise in SAP logs. This includes ABAP logs such as the Security Audit Log, Gateway Server Log, HTTP Log, System Log, Transaction Log, Read Access Log, and Change Documents. It also includes support for the Audit Log in HANA platforms. The current version of the Cybersecurity Extension for SAP supports ABAP and HANA platforms. Future releases are expected to support Java systems and operating system logs in Linux hosts.

Alerts can be accessed using Alert Management in the Advanced Event & Alert Management workgroup.

Focused Run supports the grouping of systems into Customer IDs. This can be used to segment results for business units. Alert Management will summarize the results for the Customer IDs selected during the initial selection screen.

You can select the list view to display the current alerts.

You can open and view the details of alerts in the list. The example below is an alert triggered in a managed system for changes performed for the roles assigned to the standard SAP* user.

The Metrics tab includes information related to underlying event including the event timestamp, source IP, target IP, and user information. This information can be automatically integrated with Security Information Event Management (SIEM) systems. Notifications can be also sent for alerts through email or SMS using the Send Notification option in the Actions menu.

Alert Reporting in Alert Management provides a dashboard for monitoring alerts by date, category and systems.

Alerts can be also managed using System Monitoring in the Advanced System Management workgroup.

System Monitoring includes an Alert Ticker in the right pane that displays the latest alerts in real time.

The application also includes a hierarchal view for displaying alerts by managed object type including systems, application servers, instances, databases and hosts.

Securing the Journey to SAP S/4HANA

Earlier this month, Layer Seven Security released the new whitepaper Securing the Journey to SAP S/4HANA: A Security Framework for S/4HANA Migrations. The whitepaper provides a comprehensive guide to S/4HANA security to support the transition from SAP ERP to S/4HANA.

Mainstream maintenance for ERP will end in December 2027. Therefore, organizations must migrate to S/4HANA by the beginning of 2028. To date, only one third of organizations have migrated to S/4HANA. Therefore, the majority of SAP customers will be migrating over the next five years.

Security is one of the largest roadblocks to successful migrations. This is due to significant differences between ERP and S/4HANA that require the restructuring of access and technical controls. It is also due to concerns related to cloud security since almost 70% of organizations are electing to migrate to cloud-based S/4HANA installations. Other security concerns arise from the migration of custom SAP programs from ERP to S/4HANA. These programs often contain hidden and unresolved security vulnerabilities since they were never subject to in depth code vulnerability analysis.

The whitepaper includes detailed recommendations across twelve domains to deal with these and other security concerns and facilitate the smooth transition to S/4HANA. The recommendations are aligned to best practices in the SAP S/4HANA Security Guide. The whitepaper also includes guidance for automating pre and post go-live security checks for S/4HANA migrations using SAP Solution Manager and the Cybersecurity Extension for SAP.

Securing Microsoft Platforms with the Cybersecurity Extension for SAP

SAP systems consist of multiple integrated technological layers. SAP solutions comprise the application layer. The application layer is supported by database and operating system layers. The layers are closely integrated to form a software ecosystem linked through several connections including trust relationships that bond the layers to form an SAP system. The layers are more tightly integrated in SAP HANA installations where application, database and OS functions can share physical resources.

Since SAP systems are comprised of multiple layers, security must be applied across all layers within a system. Threat actors can bypass secure SAP applications by targeting weaknesses at the database or OS level to compromise SAP systems. Ransomware, for example, can lead to a denial-of-service for SAP services by exploiting vulnerable operating systems. Application-level data protection mechanisms can be bypassed by exfiltrating data in SAP solutions directly from the database.

The need to secure databases and operating systems in SAP systems is more pressing when SAP applications are coupled with Microsoft platforms that are widely targeted by threat actors and suffer from a host of known vulnerabilities and exploits. The Cybersecurity Extension for SAP is the only security solution that secures all layers within SAP systems including databases and operating systems.

Together with over 2000 vulnerability checks for SAP solutions, the Cybersecurity Extension for SAP performs automated vulnerability scans for Microsoft SQL Server and Microsoft Server to detect more than 300 known security weaknesses in the platforms. This includes active vulnerable services that widen the attack surface for databases and hosts, authentication settings including password policies, file and table encryption, users with administrative privileges including system and user administration, the availability of standard users, logging and auditing, open ports and services, and host firewall settings.

The Cybersecurity Extension for SAP also monitors database and operating logs to detect indicators of compromise in Microsoft platforms and trigger alerts and email/ SMS notifications for security incidents. This includes system, role and user changes, direct access to user tables, changes to database schemas, user groups, scheduled tasks, stored procedures, passwords and firewall settings, failed logons including attempted remote logons, packets blocked by host firewalls, remote procedure calls, service activation, device and program installation, and changes to system auditing.

Maintaining System Inventories with SAP Solution Manager

Maintaining an accurate and complete inventory of SAP systems is an important requirement for cybersecurity. It enables organizations to assess and prioritize risk management, ensure systems are not accidentally overlooked and exposed to threats, plan and track maintenance activities such as upgrades to apply security patches, and recover rapidly from security incidents including data breaches and successful ransomware attacks. For this reason, compliance frameworks such as CIS, NIST and PCI-DSS include requirements for asset management. The requirement is also the subject of the new bill Strengthening Agency Management and Oversight of Software Assets Act approved by the U.S Senate Homeland Security and Governmental Affairs Committee in September.

In many organizations, SAP asset inventories are maintained in spreadsheets or asset management tools that require manual updating. This can lead to inaccuracies if these approaches fail to keep pace with changes in complex and evolving SAP landscapes. Landscape Management in SAP Solution Manager provides an automated solution for managing system inventories by discovering and mapping SAP assets and automatically updating system information. Landscape Management is included in the standard usage rights for Solution Manager.

System information is sourced by Landscape Management from the System Landscape Directory (SLD). The SLD is the central repository of system information required for SAP lifecycle management. SAP landscapes may have multiple SLDs for backup or to support different environments, but the supplier for Landscape Management is the central SLD. The SLD includes a software catalog for each system known as CR Content. It also includes a Common Information Model (CIM) for sharing hardware and software information. CR and CIM data is automatically synched  from the SLD with Landscape Management via SAP agents. The data can also be automatically or manually imported into Solution Manager in landscapes that do not have an SLD. The data is then synched from Landscape Management with the Maintenance Planner in the SAP Support Portal. This is one of the primary reasons why SAP Solution Manager is required in SAP landscapes even if customers are not actively using any SolMan scenarios.

Landscape Management is accessed from the SAP Solution Manager Administration workgroup in the Fiori Launchpad.

System information is categorized by application server, database, host and component areas. For technical systems, you can select a system from the selection screen and click on Display to display the full system information.

The initial screen summarizes the key attributes for the system such as the SID, database, installation number, release information and SAP products installed in the system. This section also includes the environment, location and lifecycle status. The priority of the system can be used to classify systems based on their business importance using a low to very high rating scale.

The tabs for Technical Scenarios, SAP Support Portal, Business Partners, and Installed Licenses detail the active SolMan scenarios for the system, the system number, key personnel including system owners, business contacts, architects, and technical support with email addresses and telephone numbers, and license information.  

The Software section lists the installed software components including version and support pack level. This information is used by SAP Solution Manager during the calculation of relevant notes including security notes.

The Database, Instances and Clients section include information such as the database type, release and host name, instance names, numbers and directories, and active clients and roles.

The Hosts section will include host-level information such as the host name, FQDN, IP address, OS type and version, CPU, and details of whether the host is physical, logical or virtual.

The Destinations section lists the active RFC destinations in the system by client.

Finally, the Component Groups section details the logical component groups for the system. This is often used to group systems based on their role. The system roles below are predefined by SAP. However, users can create and maintain custom component groups to cluster systems by business group, function, location, or other areas.

Security Analytics with SAP Focused Run

SAP Focused Run delivers real-time application monitoring, alerting and analytics for large-scale SAP landscapes and hosting providers that need to monitor customer SAP installations from a central platform. It leverages the power of SAP HANA to support centralized monitoring for thousands of systems in high-volume environments. Focused Run is intended to complement SAP Solution Manager in SAP landscapes by substituting configuration, integration, system, and user monitoring scenarios from SolMan. However, Solution Manager is required for all other scenarios including change management, patch management, custom code management, business process monitoring, service management, and test management.

This article explores the capabilities of the Advanced Configuration Monitoring (ACM) scenario in Focused Run. Scenarios such as Advanced Event and Alert Management (AEM), Advanced Integration Monitoring (AIM) and Advanced User Monitoring (AUM) will be discussed in later posts. ACM includes Configuration and Security Analytics (CSA), accessed from the Fiori launchpad of Focused Run. CSA enables SAP users to analyze the configuration of applications, databases and hosts and automate audits for security compliance. The following short video from SAP provides a quick introduction to CSA: Advanced Configuration Monitoring

CSA analyzes configuration data collected and transferred via the Simple Diagnostics Agent (SDA) from SAP systems. Focused Run does not include a built-in Business Warehouse (BW). Therefore, unlike Solution Manager, configuration data is stored in HANA database tables starting with CCDB_DATA_ rather than BW InfoCubes.  This simplifies the architecture and improves the performance for configuration analysis. The tables are read by the Configuration and Change Database (CCDB). Configuration changes are tracked to support change and trend analysis. This includes changes to security-relevant parameters, services, RFC destinations, and user privileges. The CCDB contains snapshots of SAP systems. The configuration data is structured in containers known as config stores. The stores can be updated every hour to maintain up-to-date snapshots of SAP systems. The stores can be queried using the search option in CSA. The config store below displays the current values for all profile parameters in system FR1.

The following store contains details of user assigned critical profiles. User related stores can be customized to extract details for specific profiles, roles, user types, authorizations, and combinations of roles and authorizations.

CSA can be used to configure and apply policies that analyze config stores to audit systems and automate compliance checks. Policy Maintenance in CSA enables users to create XML policies. Policies can also be converted from target systems in Configuration Validation from SAP Solution Manager. Policies can be exported and imported as XML files or transported between Focused Run installations. SAP recommends limiting the number of checks in single policies to 100 to restrict the number of SQL statements. However, single policies can be combined into composite policies to execute thousands of checks in parallel. In the example below, the composite policy ABAP Parameters includes multiple single policies for reviewing security-relevant parameters in ABAP systems.

In order to apply a generated single or composite policy to audit SAP systems, you must first define the scope of systems. Systems can be grouped by Customer ID, Data Center, IT Admin Role (Environment) and other variables (see below). Customer ID can be used to group systems by company or business group.

The next step is to select and apply the required single or composite policy. The results below summarize the compliance status of systems in the L7_FRUN group against the ABAP Parameters composite policy.

Users can drilldown into the findings for each system to focus on parameters that failed the policy check.

You can click on the icon at the end of each rule to view further details.

The current value of the parameter is displayed in the Value column. The results can be exported to Excel for offline analysis.

Policy checks can be scheduled for hourly, daily or weekly intervals in Policy Management.

The results of the scheduled checks can be displayed in Trend Analysis. This provides a graphical analysis of compliance levels for each interval of the report.

Focused Run does not include the equivalent of System Recommendations in SAP Solution Manager for discovering and applying security notes. SAP periodically publishes policies for security notes to GitHub. The policies can be downloaded and imported into Focused Run to check for the implementation status of relevant notes in each system. This approach can lead to inconsistencies between System Recommendations and Focused Run since calculated notes may not align between the solutions. The Cybersecurity Extension for SAP Focused Run from Layer Seven Security integrates System Recommendations with Focused Run to ensure calculated notes are consistent between both platforms. The CSA policy below displays all security notes calculated by System Recommendations. The results can be filtered by system and priority. With this approach, SAP customers do not need to manually update FRUN with new policies for security notes. Calculated notes are updated automatically daily.

The beta release of the Cybersecurity Extension for SAP Focused Run is scheduled for Q3 2022 and will include additional config stores to supplement the security content in the CCDB, preconfigured single and composite policies for ABAP, HANA and Java systems, and monitoring templates to support alerting for SAP logs including the Security Audit Log and the HANA audit log.  

Patch Your SAP Systems with SAP Solution Manager

Regularly patching SAP systems is the single most important action you can take to secure business-critical SAP applications from cyber threats. Despite the concern surrounding zero-day vulnerabilities, every known SAP exploit targets existing vulnerabilities patched by SAP through security notes. In other words, there is no evidence of the exploitation of zero-day vulnerabilities for SAP applications. However, there is a multitude of evidence for the exploitation of known vulnerabilities that have been fully patched by SAP.

This includes well-known SAP vulnerabilities such as ICMAD, RECON and 10KBLAZE. Notes 3123396 and 3123427 patch SAP for ICMAD. Note 2934135 secures SAP against RECON exploits. Protection against 10KBLAZE can be applied through notes 1408081, 821875, and 1421005. Some the notes for 10KBLAZE have been available since 2006. This is 13 years before CISA released an alert for the exploits.

Organizations take an average of three months to implement hot news notes for critical SAP vulnerabilities. Yet threat actors can weaponize SAP vulnerabilities within 72 hours of a patch release. Therefore, it is important to minimize the window of opportunity for attackers by rapidly discovering, analyzing and implementing SAP security notes.

Most software tools for SAP patch management automate the discovery of SAP security notes but do not support notes analysis and implementation.  System Recommendations (SysRec) is the only solution that supports the full lifecycle of SAP security notes. SysRec is a standard application in SAP Solution Manager, recommended by SAP for patch management. It is automatically enabled during the installation and setup of Solution Manager.

Discovery

For notes discovery, SysRec performs a daily check for the latest security notes. Therefore, customers are notified immediately as soon as new notes are released by SAP. SysRec connects directly to the SAP Support Portal to identify new notes. It calculates relevant notes based on software information for SAP systems stored in the Landscape Management Database (LMDB). The LMDB is synced to the SAP NetWeaver System Landscape Directory (SLD). The SLD is the source of system information in SAP landscapes including installed software components, databases and operating systems and the versions of components and platforms. Notes calculation takes into account the implementation status of notes. Therefore, fully implemented notes are automatically excluded by SysRec.

It is important to note that the results returned by SysRec are based on installed components, regardless of usage. All installed components must be maintained and patched even if they are not actively used since they are part of the attack surface.

System Recommendations is widely used by SAP administrators to manage not only SAP security notes but also correction, legal, performance and other notes. SAP security teams that rely on third party solutions for notes discovery often clash with SAP administrators since security notes returned by their tools do not align with the results of SysRec. SAP administrators are inclined to trust the results of SAP applications such as SysRec over third party solutions. This can lead to disputes and delays within organizations as SAP administration and security teams fail to align on the notes that should be implemented. The risk is avoided when both teams use System Recommendations and are therefore aligned on the required security notes.

Analysis

SysRec supports detailed notes analysis through integration with Usage and Procedure Logging (UPL) and the ABAP Call Monitor (SCMON). UPL and SCMON support change impact analysis by revealing function modules, methods, programs and other objects impacted by security notes before they are applied. It includes usage statistics for impacted objects. This information enables SAP administrators to determine the scope and extent of testing for security notes. Notes impacting many objects with high usage counts may require detailed integration or regression testing. Conversely, notes impacting few objects with low usage counts indicates that customers may be able to employ less complex and more rapid test approaches such as smoke tests. Change impact analysis in SysRec provides the insights required by SAP customers to pinpoint the effect of security notes in SAP systems. This addresses the root cause of long patch cycles that increase the period of vulnerability for SAP systems.

Implementation

System Recommendations enables users to download corrections from the SAP Support Portal directly to the target SAP system. This is performed using the option for Integrated Desktop Actions. The user is prompted to select the target system before the download and can therefore select non-productive SIDs when analyzing notes for productive SIDs. SysRec automatically calls SNOTE in the target system after the download to apply the note.

Integrated Desktop Actions also enables users to create a Request for Change (RfC) in Change and Request Management (ChaRM) for security notes. ChaRM is commonly used by SAP customers to manage the lifecycle of SAP changes and includes workflows to control requests including phases for requirements, approval, testing, and promotion to production.

If you would like to learn more about patching SAP systems using System Recommendations, request a pre-release of Layer Seven Security’s new whitepaper for SAP Security Patching, scheduled for Q3 2022.

Monitoring SuccessFactors with SAP Solution Manager

SuccessFactors is a cloud SaaS solution from SAP for Human Capital Management. It includes a suite of applications for core HR functions such as employee management, recruitment, and payroll.  It is often closely integrated with HCM functions in cloud or on-premise ERP systems using the Integration Add-On for SAP ERP HCM. The integration can be performed using SAP Integration Suite, Process Integration, or FTP/SFTP.

Similar to other cloud services such as SAP Cloud Platform, SAP Ariba, and SAP Concur, organizations can monitor SuccessFactors with SAP Solution Manager. Solution Manager includes metrics and alerts to monitor interfaces, scheduled jobs and application logs in SuccessFactors including Employee Central and Talent Management. It also supports monitoring for all integration scenarios between SuccessFactors and SAP ERP HCM. The scenarios are outlined in the diagram below.

Monitoring for cloud services including SuccessFactors can be configured using SAP Solution Manager Configuration – Managed Systems Configuration – Cloud Services Tab – Create Cloud Service. For the root URL, refer to SAP Note 2215682 – SuccessFactors API URLs for different Data Centers.

The second step is to create the endpoint for the cloud service. For SuccessFactors, you can create HTTPS and SFTP endpoints, depending on the integration scenario. Both endpoints require the setup of the SFAPI user in SuccessFactors. For more information, refer to note 2161909 – How to enable SFAPI in SuccessFactors. Cloud SSL certificates for HTTPS endpoints can be imported using STRUST. For a successful SSL handshake, the parameters icm/HTTPS/client_sni_enabled and ssl/client_sni_enabled should be set to true in Solution Manager.

Alerts for SuccessFactors can be enabled via SOLMAN_SETUP – Application Operations – Exception Management. SAP Solution Manager supports monitoring for the following log stores in SuccessFactors:

SuccessFactors Data Replication Errors
SuccessFactors Integration
SuccessFactors API
SuccessFactors Scheduled Jobs
SuccessFactors Simple Integration
SuccessFactors Smart Suite

Filter definitions for log stores can used to customize monitoring. You can add, remove or change filter fields and values. You can also use different operators for filter values.

SuccessFactors alerts can also be enabled using Interface and Connection Monitoring (ICMon) in Solution Manager. The monitoring templates for Cloud (Success Factors) or Web Services ABAP can be used to monitor exceptions in communication channels between the SAP Success Factors Integration add-on in SAP ERP and SAP Cloud Integration. This will enable alerts for areas such as Employee Data, Compensation, Recruiting, Onboarding, and Variable Pay. SuccessFactors alerts are automatically integrated with the Cybersecurity Extension for SAP and the SIEM Integrator for SAP.

Security Monitoring with Focused Insights for SAP Solution Manager

Focused Insights is an advanced dashboard framework that was previously available only for MaxAttention customers as part of the MaxAttention Next Generation Add-On (MANGO) but is now available for all SAP customers. Focused Insights can now be installed in SAP Solution Manager 7.2 without any additional SAP licensing or user and usage restrictions.

Focused Insights for SAP Solution Manager provides ready-to-use templates for monitoring a range of KPIs for SAP landscapes. Customers can select from over 800 best practice KPIs for multiple use cases. The framework is organized in three levels: Operational, Governance and Strategic. Security metrics are monitored primarily in the Tactical Dashboard, accessible from the Focused Insights Launchpad.

The Tactical Dashboard can monitor several instances. Instances are groups of systems geared for different users or groups. Instances are setup and maintained using the TAC Configuration option. This includes relevant systems, scenarios and thresholds for KPIs.

The current version of the dashboard supports eleven scenarios such as Availability, Performance, Operations, and Security. Each scenario is rated green, red or yellow based on the thresholds and options maintained in the configuration.

The Dashboard is refreshed automatically every 10 minutes but the frequency can be changed from 5 to 30 minutes and maintained separately for each instance.

The security scenario supports monitoring of security metrics for ABAP, HANA, and Java systems and the SAP Web Dispatcher.  It reports the number of very high (hot news) and high rated security notes that are unapplied in each system, users with critical privileges including the SAP_ALL profile, systems that are open for direct changes, insecure client settings, RFC destinations configured with privileged users, and misconfigurations in specific security-relevant profile parameters. Notes information is sourced from System Recommendations in SAP Solution Manager. The results of other security checks are derived from Configuration Validation using target systems supplied by SAP.

Focused Insights 2.0 SP7 and higher supports the integration of custom target systems with the security scenario in the Tactical Dashboard. This can be used to support monitoring for additional security checks beyond the SAP standard delivery.  

Securing the SYSTEM User in SAP HANA

The SYSTEM user is the most powerful database user in SAP HANA with system-wide privileges including permissions to create and maintain other users, perform system changes, stop and start services, and create and drop databases and tables. The user is created during the initial setup of SAP HANA. Once the system is setup, the SYSTEM user should be deactivated and other users should be created for administrative tasks. The user is not required for HANA updates but should be reactivated for system upgrades, installations and migrations. This includes support stack and enhancement pack upgrades.

Since the SYSTEM user is a well-known administrative user with full system privileges, it is often targeted by threat actors. This article outlines measures to secure the user against attacks and detect and alert for actions performed by the user.

1. Reset Initial Password

Initial passwords for the SYSTEM user for both the system database and the first tenant database are set by hardware partners or administrators. The password should be reset immediately after the handover. The reset can be performed using SQL statements or the SAP HANA cockpit by a user with the USER ADMIN or DATABASE ADMIN privilege. Password resets can also be performed by the <sid>adm user from the system database.

2. Deactivate the User

The SYSTEM should not be used for data-to-day activities, especially in production systems. Create alternative dedicated users for each administrative scenario and then deactivate the SYSTEM user. The user can be temporarily reactivated for emergency tasks, when required. Deactivation can be performed using the SQL statement ALTER USER SYSTEM DEACTIVATE USER NOW and reactivation using the statement ALTER USER SYSTEM ACTIVATE USER NOW. The status of the user can be confirmed by reviewing the values in the columns USER_DEACTIVATED, DEACTIVATION_TIME, and LAST_SUCCESSFUL_CONNECT for the SYSTEM user in the USERS system view.

3. Create Audit Policies

Configure audit policies to log for all actions performed by the SYSTEM user and changes to the user such as password changes and user activation/ deactivation. Once activated, the policies will automatically log events to the audit trail. Audit policies can be created using SQL statements or the Auditing tab of the SAP HANA cockpit with the AUDIT ADMIN privilege. Actions should include both successful and unsuccessful events. Events can be written to one of the supported audit trail targets specified in each policy or the default audit trail if none is specified. Maximum retention periods can also be specified for each policy.

4. Monitor the Audit Trail

Monitor HANA audit logs using System Monitoring in SAP Solution Manager. Configure automated alerts and email/ SMS notifications for actions performed by the SYSTEM user or changes to the user. Integrate alerts with SIEM systems for SOC monitoring. Finally, investigate alerts using guided procedures in SAP Solution Manager.