Only sidadm and orasid/oracle User Accounts Exist on Operating System

An XCCDF Rule

Description

SAP tends to use the server or virtual machine exclusively. There should be only SAP system users sidadm and orasid that exist on the operating system (or virtual machine). If SAP Host Agent is installed, the user sapadm must exist too. With Oracle Database using oracle user, the user oracle should exist as well. While SID is the SAP System ID, which is always three alphanumeric characters in upper case, beginning with an alphabetic character, the user names sidadm and orasid are in lower case.

Besides the above SAP users that are automatically detected, other operating system users can be customized in the refine value variable var_accounts_authorized_local_users_regex. OVAL regular expression is used for the user list.

Test result of both fail or error means mismatch of user names and SAP system. The bash remediation commands can be used to delete unexpected users on the operating system.

warning alert: Warning

Currently this rule only works with following limitations:
1. SAP system mount directory is /sapmnt (mounted or local file system or a symbolic link to the target directory);
2. there is maximum one SAP System on each operating system or virtual machine (maximum one SID in /sapmnt and /usr/sap).
With the above limitations, the SAP system users sidadm, orasid, sapadm and oracle can be automatically detected.

For other cases, please use the general purpose rule accounts_authorized_local_users and customize the refine value variable var_accounts_authorized_local_users_regex by adding all the authorized user names to the list.

The bash remediation is not limited by the above two conditions, it works in all the cases regardless there is zero, one or multiple SAP systems on the OS/VM.

Rationale

Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.

ID: xccdf_org.ssgproject.content_rule_accounts_authorized_local_users_sidadm_orasid
Severity: Medium
Updated: 5 days ago


var_accounts_authorized_local_users_regex='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_authorized_local_users_regex" use="legacy"/>'


# never delete the root user
default_os_user="root"
# add users sidamd, orasid, sapadm and oracle if needed
userlist="root"
sapmnt_SID_stem="/sapmnt/[A-Z][A-Z0-9][A-Z0-9]"
oracle_SID_stem="/oracle/[A-Z][A-Z0-9][A-Z0-9]"

# if owner of any directory or file in the given list is the user oracle,
# add the user oracle to the variable userlist. 
# Usage: verify_oracle_user_to_userlist "$path_list"
# Note: this function might modify the value of the global variable userlist
function verify_oracle_user_to_userlist {
	local path_list="$1"
	local is_oracle=no
	for path in $path_list ; do
		if [ "$(stat -c %U -- "$path")" = "oracle" ]; then
			is_oracle=yes
		fi
	done
	if test "$is_oracle" = yes ; then
		userlist="$userlist|oracle" ;
	fi
} 

# if /sapmnt is a directory or a symbolic link to a directory,
# then try to add SAP system users to the userlist
if [ -d "/sapmnt" ] ; then 
	# if /sapmnt/SID exists, add sidadm to the userlist
	path_sapmnt_SID_list=$(find /sapmnt/ -regex "^$sapmnt_SID_stem$")
	for path_sapmnt_SID in $path_sapmnt_SID_list ; do
		SID=${path_sapmnt_SID:8:3}
		userlist="$userlist|$(echo "$SID" | sed -e 's/\(.*\)/\L\1/')adm"
	done

	# try to get brspace from directories /sapmnt/SID/exe (SAP binaries of old structure)
	# and /sapmnt/SID/exe/<codepage>/<platform> (SAP binaries of new structure)
	path_to_brspace_list=$(find /sapmnt/ -regex "^$sapmnt_SID_stem/exe/\(\|\(\|n\)uc/[a-z0-9_]+/\)brspace$")

	# if brspace exist in any of the above directory of a SID, add orasid to the userlist 
	for path_to_brspace in $path_to_brspace_list ; do
		SID=${path_to_brspace:8:3}
		userlist="$userlist|ora$(echo "$SID" | sed -e 's/\(.*\)/\L\1/')"
	done

	# if owner of any brspace file is oracle, add oracle to the userlist
	verify_oracle_user_to_userlist "$path_to_brspace_list"
fi

# if owner of any /oracle/SID directory is oracle, add oracle to the userlist
# the user oracle could be added twice in the userlist, but it is harmlos to the final result
if [ -d "/oracle" ] ; then
	path_oracle_SID_list=$(find /oracle/ -regex "^$oracle_SID_stem$")
	verify_oracle_user_to_userlist "$path_oracle_SID_list"
fi

# if /usr/sap/hostctrl is a directory or a symbolic link to a directory, add sapadm to the list
if [ -d /usr/sap/hostctrl ] ; then
	userlist="$userlist|sapadm"
fi

# delete users that is in /etc/passwd but neither in the userlist
# nor in default_os_user nor in the var_accounts_authorized_local_users_regex
default_os_user=^$default_os_user$
userlist=^$userlist$
for username in $( sed 's/:.*//' /etc/passwd ) ; do
	if [[ ! "$username" =~ ($default_os_user|$userlist|$var_accounts_authorized_local_users_regex) ]]; then
		userdel $username ; 
	fi
done

Only sidadm and orasid/oracle User Accounts Exist on Operating System

Description

Rationale

Remediation - Shell Script