Protecting Specific Properties, Files and Services

There are certain precautions to take when using any of the following properties, files or services:

·        SUID/SGID programs

The SUID/SGID property gives programs extended privileges that exceed the privileges possessed by the caller.

Every UNIX system contains a large number of these programs for administrative purposes. These programs may contain known errors that unauthorized users may be able to take advantage of in order to assign new access rights to themselves.

For example, the SENDMAIL program is such a SUID program. We suggest that you use only versions of SENDMAIL (or similar SUID programs) in which known errors have been corrected.
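The practical counterpart to the SUID/SGID warning above is to know which privileged programs exist on a server and to notice when that set changes. The following POSIX sh functions are an added example (not from the SAP guide): they inventory SUID/SGID files under a directory and compare the inventory with a baseline saved after installation. The baseline path under /var/adm in the usage comment is an assumption.

```shell
# Added example, not from the SAP guide: inventory SUID/SGID files and diff
# the result against a saved baseline so that a newly privileged binary is
# noticed. Assumes POSIX find, sort, comm and sed.

# Print regular files under DIR that carry the SUID or SGID bit, sorted.
list_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Compare the current inventory of DIR with BASELINE (a file written earlier
# by list_setuid_files). Prints "+ path" for files that gained a SUID/SGID bit
# since the baseline and "- path" for entries that disappeared; prints nothing
# when the two match.
setuid_diff_baseline() {
    dir=$1
    baseline=$2
    now="${baseline}.now.$$"
    list_setuid_files "$dir" > "$now"
    comm -13 "$baseline" "$now" | sed 's/^/+ /'
    comm -23 "$baseline" "$now" | sed 's/^/- /'
    rm -f "$now"
}

# Usage on a real host (assumed paths, not run here):
#   list_setuid_files / > /var/adm/suid.baseline    # once, after a clean install
#   setuid_diff_baseline / /var/adm/suid.baseline   # periodically, e.g. from cron
```

Any "+" line is a privileged program that was not there after installation and deserves an explanation; a "-" line for a vendor binary may mean an administrator removed the bit deliberately, or that a package was replaced.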

·        Password file (passwd)

Although UNIX hashes passwords before storing them in this file, a user could use a dictionary-attack program to discover password information contained in this file.

You can improve security by using a shadow password file that allows only the user root to access the password information.
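To verify that the shadow password mechanism is actually in effect, it is enough to look at the second field of each passwd entry and at the permissions of the shadow file. The functions below are an added example (not from the SAP guide) and assume POSIX awk and ls; the account names in the usage comment are constructed. Because they read any passwd-format input, the same check can be run over the output of ypcat passwd, which the NIS section of this page describes as readable from every machine in the LAN.

```shell
# Added example, not from the SAP guide: audit a passwd-format file for
# accounts whose password field still holds a hash or is empty, and check
# that the shadow file is closed to group and other. Assumes POSIX awk, ls.

# Print accounts whose second field is a usable hash rather than a shadow
# placeholder. "x", "*", locked markers such as "*LK*" and pure "!"/"!!"
# are placeholders; a "!"-prefixed hash is locked but still leaks the hash.
# Adapt the placeholder rules to your OS vendor's conventions.
# Reads FILE, or standard input when no argument is given (e.g. ypcat passwd).
passwd_hashes_exposed() {
    awk -F: '{
        h = $2
        sub(/^!+/, "", h)
        if (h != "" && h != "x" && h !~ /^\*/) print $1
    }' "${1:--}"
}

# Print accounts with an empty password field: no password is required at all.
passwd_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "${1:--}"
}

# Succeed only if FILE is owned by OWNER and grants no permission bits to
# group or other (mode 400 or 600, as expected for a shadow file).
shadow_perms_ok() {
    ls -ld "$1" | awk -v o="$2" '
        substr($1, 5, 6) == "------" && $3 == o { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Usage on a real host (not run here):
#   passwd_hashes_exposed /etc/passwd           # should print nothing
#   passwd_empty_passwords /etc/passwd          # should print nothing
#   shadow_perms_ok /etc/shadow root || echo "shadow file readable by others"
#   ypcat passwd | passwd_hashes_exposed        # hashes visible to the whole NIS domain
```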

·        BSD services rlogin and remsh/rsh

These services permit remote access to UNIX machines. At logon, the files /etc/hosts.equiv and $HOME/.rhosts are checked. If either of these files contains the hostname or the IP address of the host from which the connection originates, or the wildcard character (+), then the user can log on without having to supply a password.

You should be aware that the UNIX services for rlogin and remsh/rsh are especially dangerous in regard to security. We recommend that you deactivate these services in the inetd.conf file unless you need them for specific purposes.

·        Services such as Network Information System (NIS) or Network File System (NFS)

You can use the Network Information System (NIS) to manage user data and passwords centrally. This service allows every UNIX machine in a local area network to read the password file with the ypcat passwd command, including the password hashes that a shadow password file would otherwise hide.

Another service is the Network File System (NFS) service. This service makes directories available across the network. It is a service that is also frequently used in the SAP System environment to make transport and work directories accessible over the network.

There are certain security risks involved when using these services and you should take special precautions. For example, when using NFS, you should be cautious when determining which directories should be made available. Do not export directories that contain SAP data to arbitrary recipients using NFS. Export to known and "trustworthy" systems only. Be cautious when assigning write authorization for NFS paths and avoid distributing the home directories of users across NFS.
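The NFS advice above (export only to known systems, be careful with write access) can be checked against the export table rather than trusted from memory. The function below is an added example (not from the SAP guide); it assumes the Linux /etc/exports syntax, path followed by client(options) entries, and the sample export lines in the test are constructed. Entries are flagged when a directory is exported to everyone (no client, or a client of "*"), to a hostname wildcard, or read-write to a named host.

```shell
# Added example, not from the SAP guide: flag risky entries in an
# /etc/exports-format file. Assumes the Linux syntax "/path client(opts) ...";
# HP-UX/Solaris "-access=" syntax is not parsed. Requires POSIX awk.
#
# Output, one finding per line: "<path> <client> <finding>", where finding is
#   WORLD      - no client list at all
#   WORLD-rw / WORLD-ro      - client is "*" (or an options-only entry)
#   WILDCARD-rw / WILDCARD-ro - client contains a wildcard such as *.example.com
#   rw         - read-write export to a named host (review the write need)
# Read-only exports to named hosts produce no output.
nfs_exports_audit() {
    awk '
    /^[[:space:]]*(#|$)/ { next }
    {
        path = $1
        if (NF == 1) { print path " <none> WORLD"; next }
        for (i = 2; i <= NF; i++) {
            client = $i
            opts = ""
            if (match(client, /\(.*\)$/)) {
                opts = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            if (client == "") client = "*"   # "(rw)" with no host means everyone
            mode = (opts ~ /(^|,)rw($|,)/) ? "rw" : "ro"
            if (client == "*")        print path " " client " WORLD-" mode
            else if (client ~ /\*/)   print path " " client " WILDCARD-" mode
            else if (mode == "rw")    print path " " client " rw"
        }
    }' "$1"
}

# Usage on a real host (not run here):
#   nfs_exports_audit /etc/exports
```

For an SAP transport directory the expected picture is a short list of "rw" lines naming the application servers that need to write there and nothing else; any WORLD or WILDCARD line contradicts the guideline of exporting to trustworthy systems only.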

·        X Windows

There are security issues involved with the use of X Windows. Therefore, for an SAP Web AS installation, you should check and see if you need to have the corresponding X server running on an SAP application server. If not, then disable this service. Otherwise, take precautions according to your vendor to protect this service.

·        Summary

To summarize the precautions that you should take, especially pertaining to NIS, NFS and the BSD remote services, adhere to the following guidelines:

-        Disable any services that you do not need.

-        To ensure a safe environment when using any of these services, follow the instructions of your OS vendor. Also use tools for monitoring activities to help you detect potential misuse of these services.

-        If you do use these services, then use them only within a secure LAN.

-        Do not export directories that contain SAP data to arbitrary recipients using NFS. Export to "trustworthy" systems only.

-        Protect the following users: root, <sid>adm and <db><sid>. These should be the only users that exist on your application servers and your main instance at the operating system level. After installation, you should lock <db><sid> on your application servers.

-        For critical users, empty the .rhosts files and assign them the access rights "000".

-        Either delete the file /etc/hosts.equiv or make sure that it is empty.

-        Keep your operating system up to date regarding security-related patches that are released by your operating system vendor!
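The rlogin/remsh section and the last guidelines above amount to three verifiable conditions: no "+" wildcard in hosts.equiv or any .rhosts, those files empty with mode 000 (or absent), and the r-services commented out in inetd.conf. The functions below are an added example (not from the SAP guide) that checks exactly those conditions; they assume POSIX awk, ls and cut, and the home directories and the SID in the usage comment are constructed.

```shell
# Added example, not from the SAP guide: checks for the BSD r-service trust
# files and for the inetd.conf entries that enable the services.

# Print every uncommented line of a .rhosts or hosts.equiv-format file in
# which the host field or the user field is the "+" wildcard.
trust_wildcards() {
    awk '/^[[:space:]]*#/ { next }
         $1 == "+" || $2 == "+" { print FILENAME ": " $0 }' "$1"
}

# Succeed if FILE meets the guideline: it does not exist, or it is empty and
# carries mode 000 (no permission bits for owner, group or other).
trust_file_locked_down() {
    f=$1
    [ -e "$f" ] || return 0
    [ -s "$f" ] && return 1
    case $(ls -ld "$f" | cut -c2-10) in
        ---------) return 0 ;;
        *)         return 1 ;;
    esac
}

# List the r-services still enabled in an inetd.conf-format file. In
# inetd.conf rlogin is the "login" service, remsh/rsh is "shell" and rexec
# is "exec"; commented-out lines are ignored.
inetd_active_r_services() {
    awk '/^[[:space:]]*#/ { next }
         $1 == "login" || $1 == "shell" || $1 == "exec" { print $1 }' "$1"
}

# Usage on a real host (constructed home directories, not run here):
#   trust_wildcards /etc/hosts.equiv /home/c11adm/.rhosts
#   for h in /root /home/c11adm /oracle/C11; do
#       trust_file_locked_down "$h/.rhosts" || echo "$h/.rhosts: not locked down"
#   done
#   inetd_active_r_services /etc/inetd.conf    # should print nothing
```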