The SAP EarlyWatch Alert report contains selected checks about "Security". Among other things, there is a check to determine whether or not selected and required security-relevant notes or HotNews have been implemented in the system. The report displays an overall status. An administrator uses the tool RSECNOTE to create the detailed evaluation of the required security-relevant notes in the system to be analyzed.
This note responds to the following situations:
You want to use the tool RSECNOTE to check the implementation status of security-relevant notes in your system. However, this tool is not yet available in your system.
You require detailed information on implementing and executing the tool RSECNOTE, and on interpreting the results.
You call transaction ST13. In the F4 help for the "Tool Name" field, the entry RSECNOTE is missing. If you manually enter RSECNOTE and then execute it, the system issues the message "The tool RSECNOTE does not exist".
The tool RTCCTOOL shows that the tool RSECNOTE is missing.
The tool RSECNOTE is part of the software component ST-A/PI as of Release 01M_*. Correction instructions are available for the installation in Release 01L_*.
As of Support Package 3 for the Service Content Plug-In ST-SER 701_2008_2, various services in the Solution Manager require the tool RSECNOTE on the managed system to check whether or not security-relevant notes are implemented.
Guide for creating the tool RSECNOTE
1. Install the tool RSECNOTE in all systems in which you want to use the tool. SAP recommends that you install Release 01M_* of the software component ST-A/PI. You can also install the tool RSECNOTE in Release 01L_* by implementing the correction instructions using transaction SNOTE. Go to "System Change Option" in transaction SE06 and set the software component ST-A/PI and the namespaces/name ranges "General SAP Name Range", /SSA/, and /SSF/ to "Modifiable". Enter /SSA/RTC if you are asked to specify a main program for /SSA/INT.
2. Assign the following authorizations to all the users for whom you want to provide access to the tool.
Object        Field        Value
S_TCODE       TCD          ST13
S_ADMI_FCD    S_ADMI_FCD   ST0R
S_PTCH_ADM    TABLE        ' (or empty)
              ACTVT        02 (change)
Documentation for the tool RSECNOTE
You use transaction ST13 to start the tool RSECNOTE. In transaction ST13, select the tool and start it by choosing "Execute" or F8.
Comment: As of SAP_BASIS Release 620 Support Package 55, SAP_BASIS Release 640 Support Package 13, SAP_BASIS Release 700 and subsequent releases, you can also start the tool as the report RSECNOTE by using transaction SA38, for example.
The tool RSECNOTE displays notes that contain security corrections and notes that are relevant for your system due to the existing software components (taking the releases and the Support Packages into account).
The report shows the following three sections:
This section shows the required security-relevant SAP Notes and HotNews.
HotNews are flagged with a red traffic light and notes are flagged with a yellow traffic light.
"Manually confirmed recommendations"
Report messages can also be confirmed manually. This should only happen in exceptional cases that require it.
For example: You cannot implement a specific note using transaction SNOTE because you manually changed the affected program beforehand. In this case, implement the corrections manually and confirm the message.
"Successfully implemented recommendations"
This section shows the security-relevant notes and HotNews that are required for the system and that are implemented successfully.
A note or a HotNews is no longer required if your system release or Support Package level already contains the correction. After the system is upgraded or Support Packages are imported, a note that was implemented earlier may no longer be listed.
List of security-relevant notes that are checked
The tool RSECNOTE checks security-relevant notes or HotNews that are entered as related notes in this present note.
"Security note: Bypassing security in reginfo & secinfo", however, the system checks only that at least the required kernel patch is installed. It does not check whether the gateway has also been safeguarded.
The set of checked notes or HotNews is managed online by SAP. During a check, the system loads the list automatically once a day using the service connection to SAPNet. You can also use the tool RSECNOTE to update the list manually (menu path: List -> Refresh from SAPNet).
If the system to be checked does not have an online connection to SAPNet, then you can also use a transport to import the current recommendations from another system that has a connection to SAPNet. To do this, create a "Transport of Copies" and enter the object key R3TR TABU /SSF/PTAB. Enter ND* as the table key. This means that all recommendations are selected, including the recommendations for the tools RTCCTOOL and RSECNOTE. Make sure that you have specified a table key. Start the tool RTCCTOOL or RSECNOTE before you export the transport request, to update the recommendations.
Attached to this note is the file Transport_Files_<date>.zip, which contains the recommendations for the tool RSECNOTE for the specified date. Use the transport files contained in it if you do not have any systems that have an online connection to SAPNet.
EarlyWatch Alert report
The SAP EarlyWatch Alert report also provides a summary of the results of the tool RSECNOTE. For further information on the SAP EarlyWatch Alert report, see Note 863362.
You can use the Note Assistant (transaction SNOTE) to implement the correction instructions. You can find additional information about the Note Assistant on SAP Service Marketplace under the quick link /NOTE-ASSISTANT.