Protect4S - VM User Guide
Mitigation menu


Last updated 2 years ago


Protect4S VM offers a mitigation menu that contains shortcuts to programs that assist in the mitigation of vulnerabilities:

Mitigation Plan

This option quickly generates a mitigation plan for a specific SAP system. After selecting it, a list of SAP system scans is shown:

Mitigation of SAP Notes

This option starts the automated application of SAP Security Notes in an SAP (Development) system. Please note that:

  • Protect4S VM can apply simple SAP Security Notes: those with few prerequisites and no additional manual post-processing. This category may constitute up to 70% of all applicable SAP Security Notes.

  • This option is available for ABAP type systems only.

  • Protect4S VM builds this functionality on standard SAP tools. The resulting updates are consistent because the SNOTE transaction is run in the background.

There are some preconditions for using such a mitigation system:

  • The RFC user in this satellite mitigation system needs a special security role: ESEC_SA_SATELLITE_MITIGATE. This role may be assigned automatically (using the wizard) or manually, and should only be assigned when automated mitigation is actually used. When implementing SAP Security Notes on an S/4HANA system, the role ESEC_SA_SATELLITE_MITIGATE_S4 must be assigned as well.

  • The RFC user in this mitigation system must be created as type SERVICE. If this conflicts with a security policy, the user may be changed to type DIALOG after creation, but keep in mind that this may introduce extra maintenance, as passwords for DIALOG users may be subject to regular password changes.

  • The transaction SNOTE used to implement notes must be working; for example, the RFC connection SAP-SUPPORT_NOTE_DOWNLOAD in the system chosen for mitigation must pass its connection test.

  • The transport mechanism must also be set up correctly, as for normal operations. This means, for example, that the Target System field in transports must not be empty:

Furthermore:

With reference to the applicable License Terms, this application is provided as-is. Protect4S VM cannot be held responsible for any complications that might arise from the use of this functionality. Customers must accept a disclaimer every time the automated SAP Security notes feature is used.
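The preconditions above form a checklist that is easy to get wrong on a system that was never meant for mitigation. The following added example (not Protect4S code) encodes them as a pre-flight check over a constructed record of facts an administrator would gather from the satellite system; the SystemFacts record and its field names are assumptions, not a Protect4S API.

```python
from __future__ import annotations
from dataclasses import dataclass

# Roles and RFC destination named in the preconditions above.
ROLE_MITIGATE = "ESEC_SA_SATELLITE_MITIGATE"
ROLE_MITIGATE_S4 = "ESEC_SA_SATELLITE_MITIGATE_S4"
OSS_DESTINATION = "SAP-SUPPORT_NOTE_DOWNLOAD"


@dataclass
class SystemFacts:
    """Hypothetical record of the candidate mitigation system; an administrator
    would fill it from the user master, the RFC destinations and the transport
    settings of that system."""
    sid: str
    is_s4hana: bool
    rfc_user_type: str             # user type of the RFC user: "SERVICE" or "DIALOG"
    rfc_user_roles: set[str]       # roles assigned to the Protect4S VM RFC user
    rfc_destinations_ok: set[str]  # RFC destinations whose connection test passed
    transport_target: str          # "Target System" field of the transport, "" if empty
    mitigation_in_use: bool        # whether automated mitigation is used on this system


def check_preconditions(facts: SystemFacts) -> tuple[list[str], list[str]]:
    """Return (blocking_errors, warnings) for the preconditions listed above."""
    errors: list[str] = []
    warnings: list[str] = []
    roles = facts.rfc_user_roles

    # Role requirements: the base role always, the S/4HANA role additionally.
    if ROLE_MITIGATE not in roles:
        errors.append(f"{facts.sid}: RFC user lacks role {ROLE_MITIGATE}")
    if facts.is_s4hana and ROLE_MITIGATE_S4 not in roles:
        errors.append(f"{facts.sid}: S/4HANA system but role {ROLE_MITIGATE_S4} is missing")
    # Least privilege: the mitigation role belongs only on systems that use the feature.
    if ROLE_MITIGATE in roles and not facts.mitigation_in_use:
        warnings.append(f"{facts.sid}: {ROLE_MITIGATE} assigned but automated mitigation is not used")

    # User type: SERVICE at creation; DIALOG is tolerated but adds password maintenance.
    if facts.rfc_user_type == "DIALOG":
        warnings.append(f"{facts.sid}: RFC user is DIALOG; expect periodic password changes")
    elif facts.rfc_user_type != "SERVICE":
        errors.append(f"{facts.sid}: RFC user type {facts.rfc_user_type!r} is neither SERVICE nor DIALOG")

    # SNOTE needs a working download destination; transports need a target system.
    if OSS_DESTINATION not in facts.rfc_destinations_ok:
        errors.append(f"{facts.sid}: RFC destination {OSS_DESTINATION} failed its connection test")
    if not facts.transport_target.strip():
        errors.append(f"{facts.sid}: transport Target System field is empty")

    return errors, warnings


def is_ready(facts: SystemFacts) -> bool:
    """True when no blocking precondition fails (warnings do not block)."""
    return not check_preconditions(facts)[0]


# Constructed sample: the D30 development system from the walkthrough below.
D30 = SystemFacts(
    sid="D30",
    is_s4hana=True,
    rfc_user_type="SERVICE",
    rfc_user_roles={ROLE_MITIGATE, ROLE_MITIGATE_S4},
    rfc_destinations_ok={OSS_DESTINATION},
    transport_target="P30",
    mitigation_in_use=True,
)

if __name__ == "__main__":
    errs, warns = check_preconditions(D30)
    print("ready" if not errs else "blocked", errs, warns)
```

Warnings are kept separate from blocking errors on purpose: a DIALOG user or a leftover mitigation role does not stop the wizard, but both are findings a security team would want to track.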

Process Flow

Select the "Mitigation of SAP notes" functionality. The starting point is the list of SAP system scans. After selecting a scan (best practice is to use one from a development system), a wizard is presented that will guide the user through the steps necessary to start the automated application of SAP Security notes.

The SAP system in which the scan has taken place does not necessarily need to be the system in which the SAP Security Notes are downloaded and implemented. If a scan of a Production system exists, the missing SAP Security Notes may also be implemented in the corresponding SAP Development system. Typically, however, you will use a scan of a development system, since Development and Production systems are not always fully aligned.

An example:

After scanning a Development System (D30), the missing SAP Security Notes can be applied in the same system. In this case, the SAP Security Notes will be applied in the D30 development system and then moved further along the landscape via the regular transport mechanism to A30 (Acceptance) and P30 (Production) systems.

After verifying the system in which the SAP Security Notes will be downloaded and applied, the specific SAP Security Notes to be applied may be selected in step 2 of the wizard:

In step 3 of the wizard, the Mitigation options may be selected:

The wizard can download the SAP Security Notes, implement them, or both (implementation requires that the notes have been downloaded first). The client in which they are applied can be chosen, provided that:

  • a Protect4S VM RFC connection exists

  • the transaction SNOTE has been configured and the standard RFC connection to SAP OSS works correctly.

It is also possible to select a transport request (of type Workbench) that has already been created in advance, for example via ChaRM functionality. All SAP Security Notes will then be applied as part of this transport. If the Request/Task field is left empty, a new workbench transport will be created to hold all implemented SAP Security Notes.

Step 4 of the wizard is a display of the disclaimer:

After pressing the button Confirm and Implement, an SAP GUI connection is started to the system that is selected for mitigation:

After pressing the button Open, the download and implementation of SAP Security notes in the system selected for mitigation will begin. Do not close this connection before all SAP Security notes have been applied.

Mitigation results of SAP Notes

The result of the SAP Security Notes application can be displayed via the third menu item, labelled “Mitigation results of SAP Notes”. The starting screen contains a list of scans for which SAP Security Notes mitigation has been executed:

After selection, the result of this mitigation run is shown:

The main overview graph shows the Run ID of the original system scan and the choices that were made for this specific scan. The Statistics tab shows how many Security notes were successfully implemented:

It is also possible to see which Security Notes could not be implemented, using the SAP Notes overview button:

It is also possible to see the implementation status of each Security Note using the SAP Notes overview button:

The Security Notes with the red status lights could not be implemented due to too many pre-requisites or manual pre- and/or post-processing steps. These must be manually implemented.

Once all notes have been applied in the DEV system and transported through to the PRD system, it is advised to scan the systems in your landscape again and compare them with the Scan Comparison report, to verify that the systems are consistent and all notes are applied in every system.
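The status lights of a mitigation run and the follow-up landscape comparison are both set operations that are easy to automate once the per-note statuses are exported. The following added example (not Protect4S code; the input dictionaries, the status values "green"/"red", the transport route D30 -> A30 -> P30 and the NOTE-000x identifiers are constructed placeholders, not real SAP Note numbers or a Protect4S export format) summarizes one run and then checks, for a rescan of each system, which notes have not yet arrived downstream.

```python
from __future__ import annotations

# Status lights in the mitigation results: green = implemented, red = left for manual work.
IMPLEMENTED = "green"
MANUAL = "red"


def summarize_run(run: dict[str, str]) -> dict[str, int]:
    """Count notes per status for one mitigation run ({note: status})."""
    return {
        "implemented": sum(1 for s in run.values() if s == IMPLEMENTED),
        "manual": sum(1 for s in run.values() if s == MANUAL),
    }


def manual_backlog(run: dict[str, str]) -> list[str]:
    """Notes with a red light: too many prerequisites or manual pre/post-processing."""
    return sorted(note for note, status in run.items() if status == MANUAL)


def landscape_gaps(applied: dict[str, set[str]], route: list[str]) -> dict[str, list[str]]:
    """For each system after the first in the transport route, list the notes that the
    preceding system has (per rescan) but this system is still missing."""
    gaps: dict[str, list[str]] = {}
    for upstream, downstream in zip(route, route[1:]):
        gaps[downstream] = sorted(applied[upstream] - applied[downstream])
    return gaps


def landscape_consistent(applied: dict[str, set[str]], route: list[str]) -> bool:
    """True when every system along the route has all notes of its predecessor."""
    return all(not missing for missing in landscape_gaps(applied, route).values())


# Constructed sample: one mitigation run in D30 (placeholder note identifiers).
SAMPLE_RUN = {
    "NOTE-0001": IMPLEMENTED,
    "NOTE-0002": IMPLEMENTED,
    "NOTE-0003": MANUAL,       # needs manual pre-processing, not automated
}

# Constructed rescan results after transporting: notes found implemented per system.
SAMPLE_RESCAN = {
    "D30": {"NOTE-0001", "NOTE-0002"},
    "A30": {"NOTE-0001", "NOTE-0002"},
    "P30": {"NOTE-0001"},      # transport with NOTE-0002 not yet imported
}
ROUTE = ["D30", "A30", "P30"]

if __name__ == "__main__":
    print(summarize_run(SAMPLE_RUN), manual_backlog(SAMPLE_RUN))
    print(landscape_gaps(SAMPLE_RESCAN, ROUTE), landscape_consistent(SAMPLE_RESCAN, ROUTE))
```

The comparison is deliberately pairwise along the transport route rather than against DEV alone, so a note stuck between Acceptance and Production shows up on the system where the import actually stalled.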

Mitigation Plan: from the list of scans a specific scan can be selected, for which a mitigation plan will be generated as described here.

Mitigation of SAP Notes: the System ID for mitigation must first be created using the System menu. It is in this system that the missing SAP Security Notes are downloaded and applied in a single transport. Usually it is either a Sandbox or a Development system.

Screenshots referenced on this page (not reproduced here):
  • Selecting a scan for creating a Mitigation plan
  • Selecting a System ID for mitigation of OSS Notes
  • Transport properties
  • Mitigation of SAP Security notes
  • Selection of SAP Security Notes to apply
  • Mitigation options
  • Disclaimer for the application of SAP Security notes
  • Popup for SAP GUI connection
  • Selecting a Mitigation run
  • Results of OSS Notes Mitigation run
  • Mitigation run statistics
  • Inspecting the implementation status of the SAP Security notes