New Scan

This will start a new wizard for the scan. You may create multiple scans inside a single project. Each time you do, the scan wizard is started again.

Scan configuration

In "Scan configuration" you must supply a description and you may optionally select the “Active” and “Save system context” flags:

• ✔ “Active” means that the scan will be executed whenever the project is started for execution.

IMPORTANT

• ✔ The flag “Save System context” means that the complete state of the target system will be recorded for each Scan. When this flag is not selected, it means that it is not possible to inspect the actual state of the target system during the time that the scan was executed.

  See Appendix F for a detailed description of the system context.

• ✔ The flag "Export to SIEM" means that a file will be produced after each Scan containing the vulnerabilities found. The location to which these files are exported can be specified in the Application settings. It is possible to select only those vulnerabilities that have a specific risk value or higher by using the value dropdown box under "SIEM export as from risk".

When done, press next in order to select a satellite system.

System selection

System selection

In this step, you must select a target system. Press the selector button attached to the right hand side of the System ID field and a secondary list will open for which you may select any target system that was created earlier.

After selection, the system header data and that of the company that owns the system, will show:

Template selection

In the next step you may either select an existing check template or you may skip this and manually select the checks that will be executed on the target system.

If you select a template in this step, then it will run and execute the check with the default template values. You cannot change a template that has been delivered by Protect4S VM.

• ✔ Should you want to run all checks on a System, then it is recommended to use the check template #1: "All Checks with default value". This ensures that all checks will always be run even after the delivery of new checks via a support package.

• ✔ Should you want to check your SAP systems against the SAP Security baseline then please choose the version of your choice or use the "SAP security baseline version 2.2 - SAP Note 2253549" template to always have the latest version.

• ✔ You can also create your own check templates to check your SAP landscape against your own baseline.

Alternatively, you may skip the template selection and manually select the required checks:

Check selection

When this list is displayed, it means that the application has determined which check are suited to be executed on the target system. Protect4S VM has made a pre-selection of all available checks from its repository. For instance: no UNIX type Checks will be shown if the target System runs on Windows.

By selecting “Adapt check template” from the menu, it will be possible to select a template and adapt the values that it is checking against.

By selecting the Display type, it is possible to toggle between a “Tree” or a “Group / Subgroup” type overview. The latter overview shows a hierarchical selection possibility in which a subset of checks may be selected:

For instance: In the picture above the subgroup "ABAP Security Notes" is selected. In the list overview in the bottom of the picture, only this category is shown.

In both views it is possible to select all available checks in one go by using the “Select all” button.

Reference values

Some checks will execute a check against a reference value. For instance, the length of a SAP password as specified by SAP parameter login/min_password_lng may be checked and compared with a reference value of 10.

However, if a company security policy dictates that the password length should be 9 characters instead of 10, then it is possible to change the reference value:

The change can be made by selecting the pencil button in the record that belongs to the check. This will start a popup containing the reference value. This value can be changed and saved. After the change has been made, the check record is shown as:

After changing the reference value, it is possible to identify the check because it now shows a change Icon next to it. If you click this indicator, the value will be reset to its standard, best practice value.

After all relevant checks have been selected and all relevant check reference values have been adapted, you may select the button “Back” and leave the scan wizard:

Now you may either:

• Configure a new scan by pressing the "New" button

• Schedule or start the project directly by pressing the "Next" button.

Scheduling the Project

The 3rd step in the project configuration is the "Schedule" step.

It is possible to schedule a Project for:

• immediate execution (default)

• scheduled execution one-time at a later time

• repeated execution starting immediately

• repeated execution starting at a later time

By de-selecting the Immediate flag, it becomes possible to schedule the Project to run on a specific date and at a specific time:

In addition, by selection of the Periodic flag it becomes possible to select a suitable interval for repeated project execution. In order to activate the schedule, press the button " Back to project" and press the Save button. you will see the schedule data in the list:

The project will be scheduled as a standard SAP Background job called "/ESEC/SAPROJECT<Project number>".

The program that it runs is called: /ESEC/SA_PROJECT_EXECUTOR and the variant contains the number of the Project.