Monitoring Changes in RFCs in SAP ABAP Systems using SAP Focused Run…

With SAP Focused Run 3.0 FP 2, it's now possible to monitor changes in RFCs in SAP ABAP Systems.

In SAP Focused Run 3.0 FP 2, you can activate alerting and notification for any changes to the content of a CCDB config store. Using this functionality we can activate alerting and notification on the CCDB store that contains information about RFCs.

First we need to identify which CCDB store keeps the information on RFCs. For this, click on the Configuration & Security Analytics – Administration app in the Advanced Configuration Monitoring section of the SAP Focused Run Launchpad.

In the app select any of the SAP ABAP systems. Upon selecting a system you will see the list of available CCDB stores for the system.

Now you can filter on Description for text “RFC” to see RFC related CCDB stores.

You will see the following CCDB Stores. To monitor changes to RFCs, you can either use the generic CCDB store to monitor all types of RFCs or use the CCDB store for a specific RFC type. In this example we will use the RFC destinations type ‘3’ CCDB store.

Next you need to go to the main Configuration and Security Analytics app.

In the app, in the navigation area click on Related Links.

Select Configuration Validation Alert Management.

In the alert management app, click on the Create button.

Enter Alert ID, Description and then select the Alert Source as Store content change.

Click on Select a Config Store

In the next pop-up to select the store, filter on description “RFC”.

Then from the list select the specific RFC CCDB store you want to report on and then click on close.

Then, back in the Alert creation screen, you can select the scope as ALL or a specific system. In this example we selected a specific managed system.

You can set the frequency to Hourly, Daily or Weekly.

Then set the Severity, click on the Active button and save.

Upon activation, it will start monitoring whether any change is made to the specific RFC store. Changes include creation, deletion and update.

When a change is detected, an alert is generated in the format below. This alert will be visible in the Alert Inbox.

Age of system components…

Your system landscape contains a lot of components. For security and compliance it is important to keep the system in good shape with regard to patches and updates.

SAP Focused Run can help you check the age of your system components in two ways:

  1. Tactical dashboard
  2. Configuration validation rule

Tactical dashboard

The first method to check for component age is the use of the tactical dashboard. The highlights are explained in this blog.

Result of the tactical dashboard for components:

In the threshold settings you can fine-tune the levels that trigger a warning or a red flag:

Remark: this function works for ABAP and JAVA systems, not for other SAP products.

Configuration validation rule

From the text below or from the github site of Focused Run you can download this policy:

<?xml version="1.0" encoding="utf-8"?>
<!--
Exclude software components for which SP_REL_DATE is empty
Version: 002
Date:    July 16 2021
-->
<targetsystem xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" desc="Age of component level" id="AGE_COMP" multisql="Yes" version="0000" xsi:schemaLocation="csa_policy.xsd">
  <!-- Basic -->
  <configstore name="COMP_LEVEL">
    <checkitem desc="Age of Component Level - ABAP" id="ABAP.AGE_COMP.01" not_found="ignore" system_attributes="SYSTEM_TYPE:ABAP">
      <compliant>
      COMPONENT like '%' and VERSION like '%' and SP_REL_DATE != '' and (add_days(current_date,-730)) &lt; (CASE WHEN SP_REL_DATE like_regexpr '^\d{8,8}$' THEN SP_REL_DATE WHEN SP_REL_DATE = 'NEWER' THEN CURRENT_DATE ELSE '00000000' END)
      </compliant>
      <noncompliant>
      COMPONENT like '%' and VERSION like '%' and SP_REL_DATE != '' and not (add_days(current_date,-730)) &lt; (CASE WHEN SP_REL_DATE like_regexpr '^\d{8,8}$' THEN SP_REL_DATE WHEN SP_REL_DATE = 'NEWER' THEN CURRENT_DATE ELSE '00000000' END)
      </noncompliant>
    </checkitem>
    <checkitem desc="Age of Component Level - JAVA" id="JAVA.AGE_COMP.01" not_found="ignore" system_attributes="SYSTEM_TYPE:JAVA">
      <compliant>
      COMPONENT like '%' and VERSION like '%' and SP_REL_DATE != '' and (add_days(current_date,-730)) &lt; (CASE WHEN SP_REL_DATE like_regexpr '^\d{8,8}$' THEN SP_REL_DATE WHEN SP_REL_DATE = 'NEWER' THEN CURRENT_DATE ELSE '00000000' END)
      </compliant>
      <noncompliant>
      COMPONENT like '%' and VERSION like '%' and SP_REL_DATE != '' and not (add_days(current_date,-730)) &lt; (CASE WHEN SP_REL_DATE like_regexpr '^\d{8,8}$' THEN SP_REL_DATE WHEN SP_REL_DATE = 'NEWER' THEN CURRENT_DATE ELSE '00000000' END)
      </noncompliant>
    </checkitem>
  </configstore>
</targetsystem>

Use this to set up a new policy called AGE_COMP (for detailed instructions on setting up a new policy, see this blog):

By default the rule uses a threshold of 730 days. You can adjust the value as per your needs.
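To see how the rule treats individual rows, the following added example (not part of the original blog or of SAP's policy code) models the compliant and noncompliant conditions of AGE_COMP in Python over constructed sample rows. Comparing dates as YYYYMMDD strings is an assumption about how the policy engine evaluates the expression; the function names are hypothetical.

```python
import re
from datetime import date, timedelta

MAX_AGE_DAYS = 730  # same threshold as add_days(current_date,-730) in the policy


def effective_date(sp_rel_date, today):
    """Mirror the CASE expression: 8-digit date, 'NEWER', or the fallback."""
    if re.fullmatch(r"\d{8}", sp_rel_date):
        return sp_rel_date
    if sp_rel_date == "NEWER":
        return today.strftime("%Y%m%d")
    return "00000000"  # malformed values sort before every real date


def classify(sp_rel_date, today):
    """Return 'compliant', 'noncompliant' or 'excluded' for one COMP_LEVEL row."""
    if sp_rel_date == "":
        return "excluded"  # SP_REL_DATE != '' fails in both rule branches
    cutoff = (today - timedelta(days=MAX_AGE_DAYS)).strftime("%Y%m%d")
    # Assumption: the comparison behaves like a YYYYMMDD string comparison.
    if cutoff < effective_date(sp_rel_date, today):
        return "compliant"
    return "noncompliant"


def report(rows, today):
    """Classify every (component, SP_REL_DATE) pair."""
    return {component: classify(rel, today) for component, rel in rows}


# Constructed sample rows (component, SP_REL_DATE); not from a real system.
SAMPLE_ROWS = [
    ("SAP_BASIS", "20230915"),     # recent support package
    ("SAP_HR", "20190301"),        # older than 730 days
    ("ST-PI", "NEWER"),            # treated as released today
    ("ZCUSTOM", ""),               # no release date: dropped by both branches
    ("LEGACY_ADDON", "2020-01"),   # malformed date: falls back to 00000000
]

if __name__ == "__main__":
    for component, status in report(SAMPLE_ROWS, date(2024, 6, 1)).items():
        print(f"{component:<14}{status}")
```

Rows with an empty SP_REL_DATE appear in neither result set, so a component without a release date is never flagged by this policy, while a malformed date is always reported as noncompliant.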

Now you can run the query to get an easy overview across the systems:

Don’t be alarmed if the number is high in the beginning; in most cases this is due to HR components being outdated.

Trend analysis for configuration and security analytics…

Since Focused Run 3.0 feature pack 2, a new FIORI tile is available: trend analysis for configuration and security analytics.

Prerequisites

For the policy to work, you first need to schedule it in the policy management tile. Select the policy and press the Configure button:

On the popup screen press the Edit button:

Set the scheduling frequency and save the data.

Use of the trend analysis

Opening the trend analysis tile starts with the overview screen:

You can change the timeframe and scope of the analysis with the usual icons at the top right.

Selecting a policy will open the trend graph below:

Below that graph are the details for the systems:

Organizational use of the trend analysis

The trend analysis can be used to quickly see how the situation is developing for your important security policies.

When strengthening the policies, you will see many non-compliant systems initially. Often some sandboxes or development systems are forgotten. The trend analysis will spot them, and you can act on it.

Configuration and security monitoring overview…

This blog will give an overview of the Configuration and Security monitoring function of SAP Focused Run.

Questions that will be answered in this blog are:

  • How does the Configuration and Security monitoring function of SAP Focused Run work?
  • How can I quickly check my security baseline against all my systems?
  • How can I quickly check the status of application of the security OSS notes?

Configuration and security monitoring goal

The goal of configuration monitoring is to compare the security settings of a system against the baseline defined in Focused Run. Deviations from the baseline can be reported.

The security validation can be used for:

  • Validation of ABAP security parameters
  • Validation of JAVA security parameters
  • Validation of HANA security parameters
  • Security OSS notes
  • Diverse topics like client opening and SAP_ALL assignments

The technical background is well explained on the SAP Focused Run expert portal.

Configuration and security monitoring policy

To view the policies for configuration monitoring click on the FIORI tile for Policy Management:

You now reach the policy maintenance overview screen:

By selecting a policy, you can display the XML definition of the policy:

In a later blog we will explain fine tuning these XML definitions.

Running a policy

With the FIORI tile Configuration monitoring analytics you can run the policy against your systems:

After opening the tile you have to set the scope of systems. Then you reach the initial screen:

Now use the Select button to select the policy you want to run. The system will run the policy against the systems selected in the scope and show you the results:

This is the overview across the systems. By clicking on a row you can zoom into that specific system:

Security baseline validation

The example above is a simple single check. You can define your own XML with your security baseline settings. Running it works the same way as in the example above.

What you can do now as well is go to the Checks tab to see which item has the most compliance issues across all the systems:

By clicking the Systems/Checks tab you can list out all items across all systems:

Remark: the default only shows 4 columns. You have to switch to multiple columns.

For the details on the setup of the configuration baseline, read this dedicated blog.

Read this blog on how to set up mail notification of the configuration baseline result.

Security OSS notes

XML files for security note validation can be downloaded from the SAP GitHub. You upload the XML as a policy in the Policy Administration. You can now run this policy against your systems to follow up on the status of the security OSS notes:

The XML file delivered by SAP checks the base version of the ABAP stack, so not all notes are relevant for all releases. If a note is not relevant, the item is blank. If it is green, the note has been applied. If it is red, the note is not applied.

For more information about the setup and running of this function, read this dedicated blog.

SAP Solution Manager has a similar function called System Recommendations. The setup is more complex and follow-up is far more cumbersome than with Focused Run. The only advantage of SAP Solution Manager System Recommendations is that the security notes content gets updated automatically. With SAP Focused Run you will need to download the latest XML file every month on the security patch day.

Monitoring based on configuration

The configuration and validation rules can also be used to trigger monitoring. Read this blog for the example of using configuration validation to trigger monitoring events for to-be expired ABAP PSE certificates.

OSS note 3197989 – How to use Configuration and Security Analytics in System Monitoring Alerting – SAP Focused RUN contains a PDF document explaining in detail the steps to perform.

Other use cases

There are many more use cases: