SAP security analysis tool using SAP GUI scripting
Project description
SAP security analysis tool using sap gui scripting
The SAPSEC tool does not need to know and store your login and password to SAP server (log in to SAP yourself). The SAPSEC is open source to ensure that unwanted actions are not performed in the code. Of cource we don't recommend to scan with SAP_ALL user rights.
Table of contents
Python installation
- Download last version of Python 3.x installer
- Run the installer
- While installation choose folowing option:
- Add python 3.x to PATH
Install
Pip installation (recomended)
Installation is easy. Run in windows console (command line interpreter - cmd):
pip install sapsec
If your computer is behind a proxy set additional option --proxy in following format:
pip install sapsec --proxy http://user:password@proxyserver:port
Installation from github
If for some reason the installation was not successful (with pip) there is an opportunity to install sapsec from github source files.
- Download zip archive with project source codes. Or use git clone:
git clone https://github.com/gutskodv/sap-security.git
- Unpack files from dowloaded zip archive. And go to project directory with setup.py file.
- Ugrade pip, Install Wheel package, Collect sapsec package:
python -m pip install --upgrade pip
pip install wheel
python setup.py bdist_wheel
- Install sapsec package from generaed python wheel in dist subdirectory:
python setup.py dist\sapsec*.whl
Requirements
You can manually intall requirements if they were not installed in automatic mode.
- PyWin32 (Python extensions for Microsoft Windows Provides access to much of the Win32 API, the ability to create and use COM objects, and the Pythonwin environment).
pip install pywin32
- XlsxWriter (Python module for writing files in the Excel 2007+ XLSX file format).
pip install xlsxwriter
- PyYaml (a YAML parser and emitter for Python).
pip install xlsxwriter
Before running
- РЎheck that gui scripting is enabled on the SAP server. The parameter sapgui/user_scripting should be set to TRUE. If the parameter value is currently set to FALSE, change it before start. For more information about GUI scripting read the article.
- If the paramaeter sapgui/user_scripting_per_user is also set to TRUE, make sure the SAP user is assigned S_SCR:ACTVT=16 (Authorization for SAP GUI Scripting).
Usage
- Run SAP Logon application.
- Log in to the SAP server (enter your user name and password).
- Go to windows console (command line interpreter - cmd). Change directory
- Run sapsec:
sapsec
or
python -m sapsec
or you'd like use your own config:
sapsec --rules rules_config.yaml
- Inspect generated excel report (in directory you choosen).
Predefined SAP security packs
- Weak(redundant) password hashes (BCODE, PASSCODE) in SAP tables.
Privelege to scan:
- S_TABU_NAME:ACTVT=03, TABLE=USR02, USH02, USRPWDHISTORY, USH02_ARC_TMP, VUSER001, VUSR02_PWD, TDDAT
- S_PROGRAM:P_ACTION=SUBMIT
- S_GUI:ACTVT=61
- S_SCR:ACTVT=16
- S_TCODE:TCD=SE16, SA38
- S_USER_AGR:ACTVT=03, ACT_GROUP=*
- S_USER_AUT:ACTVT=03, OBJECT=* , AUTH=*
- S_USER_GRP:ACTVT=03, CLASS=*
- S_USER_PRO:ACTVT=03
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
