Configuration validation to check for disablement of webadmin page…

OSS note 2258786 – Potential information disclosure relating to SAP Web Administration Interface describes the issue that the web administration interface is publicly reachable if the system is not configured correctly. More background can be found in this blog. This item is misconfigured on a lot of systems, and it applies to ABAP, JAVA and the web dispatcher.

Once you start fixing this item, you want to keep track of the progress, and later you want to verify that the setting is still correct for new systems and after updates, upgrades, etc.

Setting up the configuration validation rule

Go to the security and configuration validation policy tile:

Create a new policy with the following syntax for ABAP:

<configstore name="ABAP_INSTANCE_PAHI">
  <checkitem desc="icm/HTTP/admin_0" id="ICM_HTTP_ADMIN">
    <compliant>NAME = 'icm/HTTP/admin_0' and VALUE like '%ALLOWPUB=FALSE%'</compliant>
    <complianttext/>
    <noncompliant>NAME = 'icm/HTTP/admin_0' and not ( VALUE like '%ALLOWPUB=FALSE%' )</noncompliant>
    <noncomplianttext/>
  </checkitem>
</configstore>

For JAVA and webdispatcher:

<configstore name="DEFAULT.PFL">
  <checkitem desc="icm/HTTP/admin_0" id="ICM_HTTP_ADMIN">
    <compliant>TEXT like '%admin_0%' and TEXT like '%ALLOWPUB=FALSE%'</compliant>
    <complianttext/>
    <noncompliant>TEXT like '%admin_0%' and not ( TEXT like '%ALLOWPUB=FALSE%' )</noncompliant>
    <noncomplianttext/>
  </checkitem>
</configstore>

The rule says: if the subparameter ALLOWPUB is defined with the value FALSE, the system is compliant; in all other cases it is not.
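The following is an added example, not part of the original article or of SAP's configuration validation: it mirrors both check items above offline against profile text, so you can see how the `like '%ALLOWPUB=FALSE%'` substring test behaves on a compliant profile, on one where the subparameter is missing, and on one where icm/HTTP/admin_0 is not set at all (the rule then has no row to evaluate). The profile contents are constructed for illustration.

```python
"""Offline mirror of the ABAP_INSTANCE_PAHI and DEFAULT.PFL check items."""

# Constructed sample profiles (illustrative values, not copied from a real system).
PROFILE_OK = """\
SAPSYSTEMNAME = ABC
icm/HTTP/admin_0 = PREFIX=/sap/admin, DOCROOT=$(DIR_DATA)/icmandir, AUTHFILE=$(icm/authfile), ALLOWPUB=FALSE
"""
PROFILE_NO_ALLOWPUB = """\
SAPSYSTEMNAME = ABC
icm/HTTP/admin_0 = PREFIX=/sap/admin, DOCROOT=$(DIR_DATA)/icmandir, AUTHFILE=$(icm/authfile)
"""
PROFILE_UNSET = "SAPSYSTEMNAME = ABC\n"


def parse_profile(text):
    """Return {NAME: VALUE} for 'NAME = VALUE' lines, like the ABAP_INSTANCE_PAHI rows.
    Only the first '=' separates name from value; ICM subparameters keep their own '='."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def check_abap(params, name="icm/HTTP/admin_0"):
    """ABAP rule: NAME = 'icm/HTTP/admin_0' and VALUE like '%ALLOWPUB=FALSE%'.
    An unset parameter matches neither the compliant nor the noncompliant
    condition, so it is reported as 'no data' rather than silently passing."""
    value = params.get(name)
    if value is None:
        return "no data"
    return "compliant" if "ALLOWPUB=FALSE" in value else "noncompliant"


def check_text(text):
    """JAVA / web dispatcher rule on whole profile lines (DEFAULT.PFL TEXT rows).
    Every line mentioning admin_0 is a row; all of them must carry ALLOWPUB=FALSE."""
    rows = [line for line in text.splitlines() if "admin_0" in line]
    if not rows:
        return "no data"
    return "compliant" if all("ALLOWPUB=FALSE" in r for r in rows) else "noncompliant"


if __name__ == "__main__":
    for label, prof in [("ok", PROFILE_OK), ("no allowpub", PROFILE_NO_ALLOWPUB), ("unset", PROFILE_UNSET)]:
        print(f"{label:12s} ABAP={check_abap(parse_profile(prof)):13s} TEXT={check_text(prof)}")
```

The "no data" case is worth watching in the real report: a system where the parameter is simply absent from the profile shows up neither as compliant nor as non-compliant.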

Running the rule

Now you can run the rule and check if your systems are compliant: