S 4.257 Protection of the SAP installation directory on operating system level
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
During the SAP installation, the installation program extracts the data from the installation sources (e.g. from a directory in the network or a CD/DVD) to an installation directory (e.g. /sapinst) first. All operations performed during the installation are also logged in this directory.
Depending on the installation program, information worthy of protection may be written to the log files. This includes information on the SAP system ID (SAPSID) selected, information on the local computer (e.g. its IP address and host name), and the names of the selected technical users. However, the log files may also contain the passwords entered during installation as plain text. This applies in particular to older versions of the installer.
For this reason, the following procedure is recommended after completing installation:
- The entire installation directory must be backed up. The backup should be created in such a way that unauthorised persons cannot access the data.
- If there are problems with the SAP installation, the backed-up data and log files must be examined by SAP experts. They can be sent to SAP for examination or can be examined by an SAP consultant. In this case, authorised administrators must be able to access the data. If the data is sent to SAP or examined by third parties, it must be taken into account that these persons will receive system information worthy of protection. For this reason, a corresponding non-disclosure agreement must be concluded.
- Once it has been backed up, the installation directory can be deleted from the installed system.
Depending on the protection requirements of the SAP system, it may make sense to examine the logged data for plain-text passwords before it is viewed by third parties and to delete or mask these passwords. Newer versions of the installer already mask passwords while writing the log files, so support is not impaired even if the changed log files are needed to obtain it.
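As an added example (not part of this safeguard's text and not an SAP tool), the following POSIX shell script implements the procedure above on the operating-system level: it archives the installation directory with permissions readable only by its owner, writes a sanitised copy of the log files in which the values of password-like keys are masked before they are handed to SAP or a consultant, and deletes the original only after the archive has been verified. The path /sapinst is the page's own example; the log-line patterns matched by sanitize_logs are constructed assumptions, because the installer's log format differs between versions, so the sanitised copy should still be reviewed by an administrator before it leaves the organisation.

```shell
#!/bin/sh
# Added example: post-installation handling of an SAP installation directory.
# Assumptions: /sapinst is the directory (the page's example path); the
# "key=value" / "key: value" password patterns below are constructed.
set -e

# Archive the installation directory into backup_dir so that only the owner
# (normally root) can read it. Prints the path of the archive.
backup_install_dir() {
    src_dir=$1
    backup_dir=$2
    mkdir -p "$backup_dir"
    chmod 700 "$backup_dir"
    archive="$backup_dir/$(basename "$src_dir")-$(date +%Y%m%d%H%M%S).tar"
    # umask 077 makes tar create the archive with mode 600 regardless of the
    # caller's default umask; chmod afterwards is a belt-and-braces check.
    ( umask 077 && tar -cf "$archive" -C "$(dirname "$src_dir")" "$(basename "$src_dir")" )
    chmod 600 "$archive"
    echo "$archive"
}

# Write a sanitised copy of every *.log file below src_dir to out_dir, keeping
# the relative path, with the value of any password-like key replaced by
# ********. The pattern is deliberately broad (it also masks keys such as
# "bypass=..."); a false positive costs nothing, a missed password does.
sanitize_logs() {
    src_dir=$1
    out_dir=$2
    mkdir -p "$out_dir"
    chmod 700 "$out_dir"
    find "$src_dir" -type f -name '*.log' | while read -r f; do
        rel=${f#"$src_dir"/}
        mkdir -p "$out_dir/$(dirname "$rel")"
        sed -E 's/([Pp]ass(word|wd|w)?[A-Za-z_]*[[:space:]]*[=:][[:space:]]*)[^[:space:]]+/\1********/g' \
            "$f" > "$out_dir/$rel"
    done
}

# Delete the installation directory, but only if the archive can be listed,
# i.e. the backup exists and is readable.
remove_install_dir() {
    src_dir=$1
    archive=$2
    tar -tf "$archive" >/dev/null || return 1
    rm -rf "$src_dir"
}

# Usage: sapinst_protect.sh /sapinst /root/sapinst-backup /root/sapinst-clean
main() {
    archive=$(backup_install_dir "$1" "$2")
    sanitize_logs "$1" "$3"
    remove_install_dir "$1" "$archive"
    echo "backup: $archive (mode 600); sanitised logs for third parties: $3"
}
if [ $# -eq 3 ]; then main "$@"; fi
```

The sanitised directory is the only one that should be passed on to SAP or a consultant; the archive stays on the system under root-only permissions (or on protected backup media) and is what an administrator consults if the installation needs to be analysed in full.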
Review questions:
- Is the entire installation directory backed up upon completion of the SAP installation?
- Has it been ensured that unauthorised persons are prevented from accessing the data of the SAP installation directory?
- If SAP data must be examined by third parties: has a corresponding non-disclosure agreement been concluded with them?
- Is the installation directory deleted from the installed system upon completion of the SAP installation?