Rules Related To 'sap'

Component overview

Relevant packages:

Relevant groups:

Changelog:

No changes recorded.

Relevant rules:

Rule details

Only sidadm and orasid/oracle User Accounts Exist on Operating System

accounts_authorized_local_users_sidadm_orasid

Description

An SAP system tends to use the server or virtual machine exclusively, so only the SAP system users sidadm and orasid should exist on the operating system (or virtual machine). If SAP Host Agent is installed, the user sapadm must exist too. With Oracle Database using the oracle user, the user oracle should exist as well. SID is the SAP System ID, which is always three alphanumeric characters in upper case, beginning with an alphabetic character; the user names sidadm and orasid are in lower case.

Besides the above SAP users, which are detected automatically, other operating system users can be authorized through the refine-value variable var_accounts_authorized_local_users_regex. The user list is written as an OVAL regular expression.

A test result of either fail or error means that the user names do not match the SAP system. The bash remediation commands can be used to delete unexpected users from the operating system.
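
The allow-list logic described above can be reproduced as a report-only audit. This is an added example, not the rule's own OVAL check or bash remediation. The function names, the constructed passwd sample, passing the SID list as an argument (the rule detects SAP users automatically), and allowing sapadm and oracle unconditionally are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report-only audit of local accounts for an SAP host.
# Assumptions: the caller supplies the SID list; the extra regex plays the
# role of var_accounts_authorized_local_users_regex; sample data is constructed.

# A SID is three upper-case alphanumerics starting with a letter.
valid_sid() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[A-Z][A-Z0-9]{2}$'
}

# build_allow_regex "SID1 SID2" "extra_regex" -> anchored ERE of allowed names
build_allow_regex() {
    alt='sapadm|oracle'   # Host Agent and Oracle users, allowed unconditionally here
    for sid in $1; do
        valid_sid "$sid" || { echo "invalid SID: $sid" >&2; return 2; }
        lower=$(printf '%s' "$sid" | tr 'A-Z' 'a-z')   # user names are lower case
        alt="$alt|${lower}adm|ora${lower}"
    done
    if [ -n "$2" ]; then alt="$alt|$2"; fi
    printf '^(%s)$\n' "$alt"
}

# unexpected_users passwd_file|- "SIDs" "extra_regex" -> names outside the allow-list
unexpected_users() {
    regex=$(build_allow_regex "$2" "$3") || return 2
    rc=0
    awk -F: 'NF >= 7 { print $1 }' "$1" | LC_ALL=C grep -Ev -- "$regex" || rc=$?
    [ "$rc" -le 1 ]   # grep exit 1 only means "nothing unexpected"
}

# Constructed passwd entries for a host running SID PRD.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74::/usr/share/empty.sshd:/sbin/nologin
sapadm:x:1001:1001:SAP Host Agent:/home/sapadm:/bin/false
prdadm:x:1002:1002:SAP admin:/home/prdadm:/bin/csh
oraprd:x:1003:1003:Oracle admin:/oracle/PRD:/bin/csh
jdoe:x:1004:1004:J Doe:/home/jdoe:/bin/bash
PRDADM:x:1005:1005:wrong case:/home/PRDADM:/bin/bash
qasadm:x:1006:1006:SID not on this host:/home/qasadm:/bin/csh
EOF
}

sample_passwd | unexpected_users - "PRD" "root|sshd"
```

The script only lists names; review the output before applying any remediation that deletes accounts.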

Rationale

Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.

Package glibc Installed

package_glibc_installed

Description

The package glibc is installed on Linux by default, but the installed glibc version might not be sufficient for SAP. Refer to the SAP note for your Linux version for the minimum glibc requirement. The glibc package can be installed with the following command:

$ sudo yum install glibc

Rationale

The glibc package contains standard C and math libraries used by multiple programs on Linux. The glibc shipped with the first release of each major Linux version is often not sufficient for SAP. An update is required after the first OS installation.

Package uuidd Installed

package_uuidd_installed

Description

The package uuidd is not installed by default on a normal Linux distribution. Applications require this package to avoid database inconsistencies caused by duplicated UUIDs. It is especially important to install uuidd in banking services with SAP, where massive numbers of UUIDs are created in a short time period. More information can be found in SAP note 1391070. The uuidd package can be installed with the following command:

$ sudo yum install uuidd

Rationale

The uuidd package contains a userspace daemon (uuidd) which is used to generate unique identifiers even at very high rates on SMP systems.