Custom metric to detect if hardware ID is missing

From availability perspective, you want to detect as quickly as possible if you are suffering from missing hardware ID.

You can create a custom monitoring metric to measure and act on this.

Creation of the custom metric for missing hardware ID

Create a custom metric following the steps in this blog. The template to be adjusted is the technical instance SAP ABAP 7.10 and higher template.

Don’t forget to tick it on for monitoring, otherwise it is not active.

In expert mode create a custom metric.

Create technical name Z_METRIC_MSG_SRV_HW_ID_MISSING:

In the data collection:

Data to enter: RFC on diagnostics agent (push). Select ABAP System Log Stats. Filter on message number Q16. This indicates missing hardware ID. For more information on system log messages, read this blog.

Define the threshold for alerting:

And assign the metric to the ABAP Instance not available alert group or to a custom created alert group:

Msg Server hardware ID missing: checks for syslog message Q16. Threshold: Red for 1.

Use configuration analytics to determine Cryptolib versions across your landscape

SAP Cryptolib is used for diverse security scenarios. In many cases it is simply installed and never updated.

This blog will explain how to use the configuration validation tool to quickly list all Cryptolib versions across your landscape.

Configuration analytics

Open the configuration and security validation FIORI tile:

Top left choose the searching for configuration items icon:

The search screen opens:

Now select the CRYPTOLIB store:

Now press the find button in the Find in configuration data field:

Results show:

Remark: the result depends on the selected scope. Use the scope selection button to change the scope.

Other use cases

You can use the same method to get other information from the system.

Use the browsing for configuration items view to find what you are looking for:

Configuration validation to check for disablement of webadmin page

OSS note 2258786 – Potential information disclosure relating to SAP Web Administration Interface describes the issue that the web administration interface is publicly available if you didn’t configure your system correctly. More background can be found in this blog. This item is misconfigured on a lot of systems. It is present in ABAP, JAVA and web dispatcher.

If you start to fix this item, you want to keep track of the progress, and also in the future you want to check if the setting is done correctly for new systems and after updates, upgrades, etc.

Setting up the configuration validation rule

Go to the security and configuration validation policy tile:

Create a new policy with the following syntax for ABAP:

<configstore name="ABAP_INSTANCE_PAHI">
<checkitem desc="icm/HTTP/admin_0" id="ICM_HTTP_ADMIN">
  <compliant>NAME = 'icm/HTTP/admin_0' and VALUE  like '%ALLOWPUB=FALSE%' </compliant>
  <complianttext/>
  <noncompliant>NAME = 'icm/HTTP/admin_0' and not ( VALUE like '%ALLOWPUB=FALSE%' ) </noncompliant>
  <noncomplianttext/>
</checkitem>
</configstore>

For JAVA and webdispatcher:

<configstore name="DEFAULT.PFL">
<checkitem desc="icm/HTTP/admin_0" id="ICM_HTTP_ADMIN">
      <compliant>TEXT like '%admin_0%' and TEXT  like '%ALLOWPUB=FALSE%' </compliant>
      <complianttext/>
      <noncompliant>TEXT like '%admin_0%' and not ( TEXT like '%ALLOWPUB=FALSE%' ) </noncompliant>
      <noncomplianttext/>
</checkitem>
</configstore>

The rule says: if the subparameter ALLOWPUB is defined with value FALSE, the system is compliant. In all other cases it is not compliant.
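To make the matching behaviour of the two check items concrete, here is an added Python emulation of both rules run over constructed parameter rows and profile lines. It is not Focused Run code and not from the blog: the ABAP rule selects ABAP_INSTANCE_PAHI rows by NAME and tests VALUE with LIKE '%ALLOWPUB=FALSE%', the JAVA / web dispatcher rule tests whole DEFAULT.PFL lines (TEXT). LIKE is emulated as a case-sensitive match, which is how SAP HANA SQL evaluates it (an assumption about the engine the policy runs on); all sample values are constructed.

```python
"""Emulate the ICM_HTTP_ADMIN check items on constructed rows.

Added illustration, not SAP Focused Run code. LIKE is treated as
case-sensitive (assumption: the policy runs on SAP HANA SQL).
"""
import re

PARAM = "icm/HTTP/admin_0"
OK_PATTERN = "%ALLOWPUB=FALSE%"


def sql_like(value: str, pattern: str) -> bool:
    """Case-sensitive SQL LIKE: '%' matches any run of characters, '_' one."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def classify_pahi_row(name: str, value: str) -> str:
    """ABAP_INSTANCE_PAHI rule: rate one NAME/VALUE row."""
    if name != PARAM:
        return "not_checked"       # neither <compliant> nor <noncompliant> selects it
    if sql_like(value, OK_PATTERN):
        return "compliant"
    return "noncompliant"          # ALLOWPUB absent, TRUE, or spelled differently


def classify_profile_line(text: str) -> str:
    """DEFAULT.PFL rule: every line containing 'admin_0' is rated, so a
    commented-out line is rated too if the store holds raw profile lines."""
    if not sql_like(text, "%admin_0%"):
        return "not_checked"
    if sql_like(text, OK_PATTERN):
        return "compliant"
    return "noncompliant"


# Constructed sample data, not taken from real systems.
SAMPLE_PAHI_ROWS = [
    ("icm/HTTP/admin_0", "PREFIX=/sap/admin,DOCROOT=./admin,AUTHFILE=icmauth.txt,ALLOWPUB=FALSE"),
    ("icm/HTTP/admin_0", "PREFIX=/sap/admin,DOCROOT=./admin,AUTHFILE=icmauth.txt"),
    ("icm/HTTP/admin_0", "PREFIX=/sap/admin,DOCROOT=./admin,ALLOWPUB=TRUE"),
    ("icm/HTTP/admin_0", "PREFIX=/sap/admin,DOCROOT=./admin,ALLOWPUB=false"),
    ("icm/server_port_0", "PROT=HTTP,PORT=8000"),
]

SAMPLE_PROFILE_LINES = [
    "icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=./admin,ALLOWPUB=FALSE",
    "#icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=./admin",
    "rdisp/wp_no_dia = 10",
]


def evaluate_pahi(rows=SAMPLE_PAHI_ROWS):
    """Ratings for a list of (NAME, VALUE) rows, in input order."""
    return [classify_pahi_row(name, value) for name, value in rows]


def evaluate_profile(lines=SAMPLE_PROFILE_LINES):
    """Ratings for a list of raw profile lines, in input order."""
    return [classify_profile_line(line) for line in lines]


if __name__ == "__main__":
    for (name, value), rating in zip(SAMPLE_PAHI_ROWS, evaluate_pahi()):
        print(f"{rating:13} {name} = {value}")
    for line, rating in zip(SAMPLE_PROFILE_LINES, evaluate_profile()):
        print(f"{rating:13} {line}")
```

Two points the sample rows bring out: the lower-case `ALLOWPUB=false` row is rated noncompliant because the match is an exact substring match, and a row for any other parameter matches neither condition, so the rule as written only rates instances where the icm/HTTP/admin_0 row exists in the store.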

Running the rule

Now you can run the rule and check if your systems are compliant:

Age of system components

Your system landscape contains a lot of components. For security and compliance it is important to keep the system in good shape with regards to patches and updates.

SAP Focused Run can help you check the age of your system components in two ways:

  1. Tactical dashboard
  2. Configuration validation rule

Tactical dashboard

The first method to check for component age is the use of the tactical dashboard. The highlights are explained in this blog.

Result of the tactical dashboard for components:

In the threshold settings you can fine tune the levels to give warning or red flag:

Configuration validation rule

From the text below or from the GitHub site of Focused Run you can download this policy:

<?xml version="1.0" encoding="utf-8"?>
<!--
Exclude software components for which SP_REL_DATE is empty
Version: 002
Date:    July 16 2021
-->
<targetsystem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" desc="Age of component level" id="AGE_COMP" multisql="Yes" version="0000" xsi:schemaLocation="csa_policy.xsd">
  <!-- Basic -->
  <configstore name="COMP_LEVEL">
    <checkitem desc="Age of Component Level - ABAP" id="ABAP.AGE_COMP.01" not_found="ignore" system_attributes="SYSTEM_TYPE:ABAP">
      <compliant>
      COMPONENT like '%' and VERSION like '%' and SP_REL_DATE != '' and (add_days(current_date,-730)) &lt; (CASE WHEN SP_REL_DATE like_regexpr '^\d{8,8}$' THEN SP_REL_DATE WHEN SP_REL_DATE = 'NEWER' THEN CURRENT_DATE ELSE '00000000' END)
      </compliant>
      <noncompliant>
      COMPONENT like '%' and VERSION like '%' and SP_REL_DATE != '' and not (add_days(current_date,-730)) &lt; (CASE WHEN SP_REL_DATE like_regexpr '^\d{8,8}$' THEN SP_REL_DATE WHEN SP_REL_DATE = 'NEWER' THEN CURRENT_DATE ELSE '00000000' END)
      </noncompliant>
    </checkitem>
    <checkitem desc="Age of Component Level - JAVA" id="JAVA.AGE_COMP.01" not_found="ignore" system_attributes="SYSTEM_TYPE:JAVA">
      <compliant>
      COMPONENT like '%' and VERSION like '%' and SP_REL_DATE != '' and (add_days(current_date,-730)) &lt; (CASE WHEN SP_REL_DATE like_regexpr '^\d{8,8}$' THEN SP_REL_DATE WHEN SP_REL_DATE = 'NEWER' THEN CURRENT_DATE ELSE '00000000' END)
      </compliant>
      <noncompliant>
      COMPONENT like '%' and VERSION like '%' and SP_REL_DATE != '' and not (add_days(current_date,-730)) &lt; (CASE WHEN SP_REL_DATE like_regexpr '^\d{8,8}$' THEN SP_REL_DATE WHEN SP_REL_DATE = 'NEWER' THEN CURRENT_DATE ELSE '00000000' END)
      </noncompliant>
    </checkitem>
  </configstore>
</targetsystem>

Use this to set up a new policy called AGE_COMP (for detailed instructions for setting up new policy, see this blog):

By default the rule uses 730 days. You can adjust the value as per your needs.

Now you can run the query to get an easy overview across the systems:

Don’t be afraid if you see a high number in the beginning; in most cases this is due to outdated HR components.
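The CASE expression in the AGE_COMP policy decides how each SP_REL_DATE value is treated, and that is easiest to see by running it on a few rows. The following is an added Python re-implementation of the rating logic, not the Focused Run policy engine and not from the blog: an 8-digit YYYYMMDD value is used as-is, the literal 'NEWER' counts as today, anything else becomes '00000000' (infinitely old), and rows with an empty SP_REL_DATE are excluded by the SP_REL_DATE != '' predicate. The date comparison is done on YYYYMMDD strings, which order the same way as dates (an assumption standing in for HANA's date handling); the component rows and the reference date are constructed, and the maximum age is a parameter so the 730-day default can be changed as the text describes.

```python
"""Reproduce the AGE_COMP rating on constructed component rows.

Added illustration, not the SAP Focused Run policy engine. The comparison of
add_days(current_date,-730) with the CASE result is emulated on YYYYMMDD
strings (assumption: equivalent ordering to HANA's date comparison).
"""
import re
from datetime import date, timedelta

MAX_AGE_DAYS = 730                          # the policy's add_days(current_date,-730)
EIGHT_DIGITS = re.compile(r"^\d{8}$")       # the policy's like_regexpr '^\d{8,8}$'
REFERENCE_DATE = date(2024, 1, 15)          # constructed "today" so results are reproducible


def normalised_release_date(sp_rel_date: str, today: date) -> str:
    """The CASE WHEN ... END of the policy, as a YYYYMMDD string."""
    if EIGHT_DIGITS.match(sp_rel_date):
        return sp_rel_date
    if sp_rel_date == "NEWER":
        return today.strftime("%Y%m%d")      # 'NEWER' is treated as released today
    return "00000000"                        # unparseable values count as infinitely old


def rate(sp_rel_date: str, today: date, max_age_days: int = MAX_AGE_DAYS) -> str:
    """Return 'compliant', 'noncompliant' or 'excluded' for one component row."""
    if sp_rel_date == "":
        return "excluded"                    # SP_REL_DATE != '' removes the row from both conditions
    cutoff = (today - timedelta(days=max_age_days)).strftime("%Y%m%d")
    # cutoff < release date  <=>  released less than max_age_days ago
    if cutoff < normalised_release_date(sp_rel_date, today):
        return "compliant"
    return "noncompliant"


# Constructed sample rows (COMPONENT, VERSION, SP_REL_DATE), not from a real system.
SAMPLE_COMPONENTS = [
    ("SAP_BASIS", "755", "20230601"),   # recent support package
    ("SAP_HR", "608", "20150320"),      # old; the kind of HR component mentioned above
    ("SAP_UI", "756", "NEWER"),         # reported as newer than the reference data
    ("ZCUSTOM", "100", ""),             # no release date: excluded from the check
    ("SAP_ABA", "75E", "unknown"),      # unparseable: rated as infinitely old
]


def evaluate(rows=SAMPLE_COMPONENTS, today: date = REFERENCE_DATE,
             max_age_days: int = MAX_AGE_DAYS):
    """(COMPONENT, rating) for every row, in input order."""
    return [(component, rate(rel_date, today, max_age_days))
            for component, _version, rel_date in rows]


def summarise(rows=SAMPLE_COMPONENTS, today: date = REFERENCE_DATE,
              max_age_days: int = MAX_AGE_DAYS) -> dict:
    """Count of components per rating, the number the overview shows per system."""
    counts = {"compliant": 0, "noncompliant": 0, "excluded": 0}
    for _component, rating in evaluate(rows, today, max_age_days):
        counts[rating] += 1
    return counts


if __name__ == "__main__":
    for component, rating in evaluate():
        print(f"{rating:13} {component}")
    print(summarise())
```

Note the boundary: with the reference date 2024-01-15 the cutoff is 2022-01-15, and a component released exactly on the cutoff day is rated noncompliant because the policy uses a strict less-than.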

Custom metric to check OS signal

In some cases the operating system will send critical signals to the SAP system that are visible in the ABAP system log. An example is signal 11.

When this happens, the system is in trouble and you as admin need to check quickly what is going on to stop the system from a full collapse, crash or very poor performance.

You can create a custom monitoring metric to measure and act on this.

Creation of the custom metric for OS signal detection

Create a custom metric following the steps in this blog. The template to be adjusted is the technical instance SAP ABAP 7.10 and higher template.

Don’t forget to tick it on for monitoring, otherwise it is not active.

In expert mode create a custom metric.

Create technical name Z_METRIC_OS_SIGNAL_RECEIVED:

In the data collection:

Data to enter: RFC on diagnostics agent (push). Select ABAP System Log Stats. Filter on MSG_ID Q0E. This captures severe errors for OS signals.

Define the threshold for alerting:

And assign the metric to the system message alert group:

OCC dashboards

OCC dashboards are the most flexible form of dashboarding in SAP Focused Run. It is completely up to you to define any dashboard based on the available data.

The explanation below gives a quick introduction on how to set up a dashboard, using as an example a line graph with CPU for one system and the number of short dumps per hour for that system in a bar chart.

Set up new dashboard

Start the OCC dashboard FIORI tile:

Click the add a new dashboard icon on the left:

Now open the personalization via the icon on the right-hand side. Here you can also change the default 2 by 1 layout if you want:

Now per gadget, select the personalization. First choose the type of graph, then select the query details:

Add the query by clicking the Plus sign:

Give the legend a name and press the Change query button:

First select the data source. In this example we choose system monitoring. Next select your system, and select the metric (in this case CPU). Don’t forget to save at the top of the personalization!

We repeat for the other gadget, but now select short dumps per last hour as example:

Test your dashboard to see if the results are according to your expectation.

Make dashboard public

If you are happy with your dashboard, you can make it public. To do so, go to the personalization options:

Set the selected page to public, select a proper icon, and rename the default user-edit to a proper name and don’t forget to Save.

Other users can now add your dashboard from their UI personalization menu by clicking Add Public Page and selecting your dashboard:

Other examples

Examples on this blog site: trend for ABAP short dump.

Detecting long running DIA process

In some exceptional cases you can have a DIA process that runs for a long time without action and still occupies the resources.

You can create a custom monitoring metric to measure and act on this.

Creation of the custom metric for detecting long running DIA processes

Create a custom metric following the steps in this blog. The template to be adjusted is the technical system SAP ABAP 7.10 and higher template.

Don’t forget to tick it on for monitoring, otherwise it is not active.

In expert mode create a custom metric.

Create technical name Z_METRIC_LONGRUN_DIA_WP_36HRS:

Now setup the definition for the data collection:

It uses the push collection method.

And set the usage:

Last but not least: you need to set the alerting threshold:

The alert is raised if a single DIA work process is running longer than 36 hours.

Save the custom metric and make sure the template reassignment is done to activate the custom metric for your systems.

Determining configuration changes

In SAP Focused Run the Configuration and Security validation tool captures a lot of detailed configuration data. This tool can be used to determine configuration changes that were done to your systems.

Configuration changes

Go to the Configuration and Security Analytics FIORI tile:

On the left side choose the tool to display configuration changes:

In the next screen you can see the changes per system:

In the details you can see what has been changed and when.

Search for specific configuration changes

You can also search for specific configuration changes. Open the find tool and select the change store (in this example RFC destinations):

Now you get the detailed list of changes:

The easiest overview is the table view, which also allows Excel download.

Remark: the time frame defaults to 1 week. If you need to search a different period, change the time frame selection.

Health monitoring overview

Health monitoring can be used to monitor special use cases:

Health monitoring

Health monitoring can be started with the FIORI tile:

The overview screen opens:

From the overview you can immediately zoom to the error by clicking on the red bar:

Configuration and Alerts

Each scenario needs to be configured. For the configuration per scenario read the separate detailed blogs:

  • SSL certificate monitoring
  • OS process monitoring
  • URL availability monitoring

Per scenario you can choose to create an alert in case of issues. The alert is then sent to the central Alert overview.

Hotnews note 3145987

Unfortunately SAP had to release hotnews OSS note 3145987 – [CVE-2022-24396] Missing Authentication check in SAP Focused Run (Simple Diagnostics Agent 1.0). More background can be found in that note and in the Q&A note: 3148440 – Q&A for SAP Security Note 3145987.

What is the problem?

From the note “The Simple Diagnostics Agent 1.0 (up to version 1.57.*) does not perform any authentication checks for functionalities that can be accessed via localhost on http port 3005. Due to lack of authentication checks, an attacker could access administrative or other privileged functionalities and read, modify or delete sensitive information and configurations.”.

What to do to fix it?

The fix is two steps:

1. Update the host agent to version 7.22 PL55 or later as a prerequisite (see OSS note 3113553 – SAP Host Agent 7.22 PL55)

2. After step 1 update the SDA (simple diagnostics agent) to version 1.58.0 or later (see OSS note 3113553 – SAP Host Agent 7.22 PL55). You can do a mass deployment using the Agent Mass Update tile.

How to monitor the follow up?

Open the Self monitoring FIORI tile:

Click on the SDA icon on the left:

Check that all versions are ok: