Pages

Tuesday, 8 September 2015

How to ensure security log is running after SAP service restart

Scenario: The SM20 audit log was not activated after SAP service restart and require to startup manually.



Solutions:

A) Turn on the audit log every time the SAP started
1) Execute tcode: SM19 -> Click Edit -> Click save to enable the audit log


2) Test the SM20 to determine activities been capture


B) Set the profile parameter: rsau/enable = 1
1) Execute tcode: SM19  - > Click Environment -> Click Profile Parameter -> Check the value of "rsau/enable" parameter whether been set to 1 (0 = audit is not activated, 1 = audit is activated)


2)  If the current value = 0 change the value to = 1 using tcode: RZ10

3) Test the SM20 after SAP service restart  to determine activities been capture


References: SAP security log

Tuesday, 12 May 2015

HPUX: How to create an native OS backup using make_tape_recovery

Scenario:
After a clean HPUX OS installation, you would like to perform a native backup of the OS before further configuring it.

*Assupmtion: hostname and network has been pre-configure during the OS installation from DVD

Steps:
Option 1 (using menu):
Limitation of this option: unable to backup file > 8GB

1) Enter: make_tape_recovery -i -> Press "Enter"

2) Select the tape drive

3) Select with the "default" options

4) Highlight the "vg00"

5) select "add the selected disk/vgs", the selection will shown on the lower right hand box

6) Highlight the "vg01"

7) Select “add the selected disk/vgs”, the "vg01" will shown on the lower right hand box


Option 2 (using command):

1) Perform "ioscan -fnkC tape"  to obtain the drive to use later in the ignite command

2) Enter "make_tape_recovery –m pax -a /dev/rmt/0mn -x inc_entire=vg00 -x inc_entire=vg01"
    Parameter explanation:    
    - pax parameter is to enable backup of files > 8GB
    - -x inc_entire=vg00 or vg01 is the parameter to include which vg for the backup
    - /dev/rmt/0mn = /dev/rmt/c2t0d0BESTn

3) wait until the tape creation complete

4) Sample message of the make tape complete successfully


Troubleshooting:
If encounter Ignite backup tool versioning error, perform an patch/fix and retry the backup steps above.

1) Download and execute the Ignite software and execute the install software command (#swinstall –s)

2) Select all the Ignite software

3) "Actions" -> "Mark it for install"

4) Once it’s marked

5) "Actions" -> Select "Install"

6) Click on “OK”  when it’s ready to start the installation

7) Installation in progress

8) Once installation completed. Select “Done”

9) That's all the steps to re-install the Ignite software in HPUX

Monday, 30 March 2015

Authorization: User been granted with additional roles unintentionally

Scenario:
During "SM20" audit log review, encounter user was granted with additional access. Ex: user suppose to only have display access for certain tcode but end up with write access etc.

Initial Findings: 
1) Review the problematic user role and profile assignment (Found:composite roles were assigned)
     Aware on the "Validity From" (23.03.2015)

2) Double click any of the roles (in blue) which assigned from composites role to view the role details in "PFCG"

3) Checked on the last modified date/time


4) Use "SUIM" to further track down the role changes (Change Documents -> For Users)


5) Enter the afected user ID, Changed by and date according to the details in step 1 (PFCG) and select the roles tab accordingly.

6) The result clearly shown that there are 76 of roles been added into the affected user

7) Further review the daily schedule job: PFCG_DEPENDENCY_TIME (Based on experience the background job that perform daily maintenance on all the role/profile for all the user)
     - Enter the relevant job name, user and date.

8) Select "Job log"

9) Some activities happen on all the composites role and single role that found assigned to the problematic user

10) Another alternative is to use "sm20" to trace/view all the changes perform by the PFCG_TIME_DEPENDENCY (Enter the relevant user and date/time)


11) Sample of users that been process by the "PFCG_TIME_DEPENDENCY" batch job
      Observe the creation date/time of program: RHAUTUPD_NEW and the user that been changed


12) Continue investigation by executing "SE16N" to view the correct role name that assigned to user (Z_Audit_Finance) and found child roles attach to it.


13) Review the role that suppose to assign (Z_Audit_Finance) in "PFCG" which showing it was a single role instead of composite role




How to simulate the issue:
1) Assigned the same role to a new test user

2) Wait for the schedule job execution to be complete (PFCG_DEPENDENCY_TIME) or execute tcode: PFUD to perform the similar maintenance task


3) Unwanted roles been assigned

Conclusion: Composite roles been assigned to user unintentionally after batch job execution.

Solution:
1) Apply SAP Note: 1987850






or

2) Delete all the roles in the affected user, clone the affected role into a new single role name and reassign to the user. Observe after the schedule job complete (PFCG_DEPENDENCY_TIME) and the user should no longer be assign with unwanted roles.