on 07-08-2009 11:01 PM
Hi,
I need to create a Perl script to check all the profile parameters as a security directive, so that whenever the system is started it checks these profile parameters.
As per my company's SAP directive, these are the profile parameters I need to set.
Can anyone let me know how to write the script?
login/min_password_lng | Minimum password length for user password | 3 [20] | Min. 8
login/password_expiration_time | Number of days between forced password change. | 0 | Max. 35
login/fails_to_session_end | Number of invalid logon attempts allowed before the SAP GUI is disconnected. | 3 | Max. 3
login/fails_to_user_lock | Number of invalid logon attempts before the user id is automatically locked by the system. | 12 | Max. 6
rdisp/gui_auto_logout | Time, in seconds, that SAPGUI is automatically disconnected because of in-activity. | 0 | 60-7200 [21]
auth/test_mode | Jump into report RSUSR400 at every authority check | N | N [22]
auth/system_access_check_off | Switch off automatic authority check for special ABAP commands | 0 | 0
auth/no_check_in_some_cases | Special authorization checks turned off by customer. Enabling of Profile Generator | N/Y [23] | Y
login/ext_security | Security access controlled by external software. | N | N [24]
auth/rfc_authority_check | Permission for remote function calls from within ABAP programs | 0 | 1
login/failed_user_auto_unlock | Enable system function for automatic unlock of users at midnight. (0 = locks remain) | 0 | 0
login/no_automatic_user_sapstar (as of 3.1h), login/no_automatic_user_sap* (prior to 3.1h) | Disable ability to logon as SAP* with PASS as password when SAP* deleted. | 0 | 1 [25,26]
auth/tcodes_not_checked | TCode checking for SU53 & SU56 analysis disabled | (empty) | "SU53
Regards,
Chetan.
> I need to create a perl script
Just pasting your requirements isn't going to help, we prefer questions which tell us the poster already has put some effort in it.
Besides that there's one thing to keep in mind: A lot of profile parameters have default settings so they do not need to be present in the file(s) to create dangers/security loopholes.
Am I correct in assuming you want to create a pre-check which is incorporated in the (unix/linux) system start script to make sure it will not be started unless all parameters adhere to company policy?
edit: deleted comment about wrong forum since thread was moved.
Edited by: Jurjen Heeck on Jul 9, 2009 9:24 AM
Here's a simple perl script that should help you get what it is you're looking for - you can add all the parameters you want to search for, I just took a few of them:
#!/usr/bin/perl -w
use strict;
use sapnwrfc;

# Load the connection settings and open the RFC connection.
SAPNW::Rfc->load_config;
my $rfc = SAPNW::Rfc->rfc_connect;

# Profile parameters to read.
my @parms = ( "login/min_password_lng",
              "login/password_expiration_time",
              "login/fails_to_session_end",
              "login/fails_to_user_lock" );

# Look the function module up once, then call it for each parameter.
my $rcc = $rfc->function_lookup("SXPG_PROFILE_PARAMETER_GET");
for my $parm (@parms) {
    my $slr = $rcc->create_function_call;
    $slr->PARAMETER_NAME($parm);
    $slr->invoke;
    print "Value for $parm is: " . $slr->PARAMETER_VALUE . "\n";
}
$rfc->disconnect();
And running it, you'll get:
[dhull@397 scripts]$ ./read-profile.pl
Value for login/min_password_lng is: 7
Value for login/password_expiration_time is: 90
Value for login/fails_to_session_end is: 3
Value for login/fails_to_user_lock is: 6
[dhull@397 scripts]$
If you need to get your perl environment ready to make RFC calls to your SAP system, check my series of blogs on how to do so here:
https://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/u/251752730
Cheers,
David.
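A policy pre-check of the kind discussed in this thread, as an added example that is not code from any of the posters: it compares the effective value of each parameter against the company limits and falls back to a default when the parameter is not set in the profile. It assumes the third column of the question's table is the default and the fourth the required value, and that profile files use "name = value" lines with "#" comments; the sample profile text is constructed.

```perl
use strict;
use warnings;

# Allowed [low, high] per parameter, from the question's table (undef = unbounded).
my %policy = (
    'login/min_password_lng'          => [ 8, undef ],
    # Lower bound 1 is an assumption: 0 is taken to mean "never expires".
    'login/password_expiration_time'  => [ 1, 35 ],
    'login/fails_to_session_end'      => [ undef, 3 ],
    'login/fails_to_user_lock'        => [ undef, 6 ],
    'auth/rfc_authority_check'        => [ 1, 1 ],
    'login/no_automatic_user_sapstar' => [ 1, 1 ],
);
# Assumed defaults (third column of that table) for parameters not in the profile.
my %default = (
    'login/min_password_lng'     => 3, 'login/password_expiration_time'  => 0,
    'login/fails_to_session_end' => 3, 'login/fails_to_user_lock'        => 12,
    'auth/rfc_authority_check'   => 0, 'login/no_automatic_user_sapstar' => 0,
);

# Parse "name = value" lines; a later line overrides an earlier one.
sub parse_profile {
    my ($text) = @_;
    my %set;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*#/ || $line !~ /\S/;    # comment or blank line
        $set{$1} = $2 if $line =~ /^\s*([^\s=]+)\s*=\s*(.*?)\s*$/;
    }
    return %set;
}

# Return one message per parameter whose effective value is outside policy.
sub check_policy {
    my (%set) = @_;
    my @violations;
    for my $name (sort keys %policy) {
        my ($lo, $hi) = @{ $policy{$name} };
        my $src   = exists $set{$name} ? 'profile' : 'default';
        my $value = $src eq 'profile' ? $set{$name} : $default{$name};
        my $ok = $value =~ /^\d+$/ && (!defined $lo || $value >= $lo)
                                   && (!defined $hi || $value <= $hi);
        push @violations, "$name = $value ($src)" unless $ok;
    }
    return @violations;
}

# Constructed sample profile text, not taken from a real system.
my $profile = "login/min_password_lng = 8\n# note\nlogin/password_expiration_time = 90\n";
my @bad = check_policy(parse_profile($profile));
print "VIOLATION: $_\n" for @bad;
exit(@bad ? 1 : 0);    # non-zero exit lets a start script refuse to continue
```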
I assume that you only want a perl answer and that it is coincidence that these parameters are security related, so will move it to the scripting forums.
Cheers,
Julius
>
> Hi,
>
> I need to create a Perl script to check all the profile parameters as a security directive, so that whenever the system is started it checks these profile parameters.
>
What do you mean by "system is started"? Is it restarting the application servers or just a user logging into the system?
If you are thinking of an SAP system bounce, then you don't need to create any such script to enforce the readiness of the parameters. They will be read while the system reads the different profiles.
For the 2nd case also, no such requirement is evident.
Let me know if I understood your requirement incorrectly.
Regards,
Dipanjan