{
  "description": "SAP tends to use the server or virtual machine exclusively, so the only SAP system\nusers that should exist on the operating system (or virtual machine) are\n<tt>sidadm</tt> and <tt>orasid</tt>. If SAP Host Agent is installed, the user <tt>sapadm</tt>\nmust exist too. If Oracle Database is installed and runs as the <tt>oracle</tt> user, the\nuser <tt>oracle</tt> should exist as well. Here <tt>SID</tt> is the SAP System ID, which is\nalways three alphanumeric characters in upper case beginning with an alphabetic character,\nwhile the user names <tt>sidadm</tt> and <tt>orasid</tt> are in lower case.\n<br /> <br />\nBesides the SAP users above, which are detected automatically, other authorized operating\nsystem users can be listed in the refine value variable\n<tt>var_accounts_authorized_local_users_regex</tt>.\nThe user list is an OVAL regular expression.\n<br /> <br />\nA test result of either <tt>fail</tt> or <tt>error</tt> means the local user accounts do not\nmatch the SAP system. The bash remediation can be used to delete the unexpected users from\nthe operating system. Because the remediation deletes accounts, review the reported users\nbefore applying it.",
  "rationale": "Accounts providing no operational purpose provide additional opportunities for\nsystem compromise. Unnecessary accounts include user accounts for individuals not\nrequiring access to the system and application accounts for applications not installed\non the system.",
  "severity": "medium",
  "references": {},
  "control_references": {},
  "components": [],
  "identifiers": {},
  "ocil_clause": "there are unauthorized local user accounts on the system",
  "ocil": "To verify that there are no unauthorized local user accounts, run the following command:\n<pre>$ less /etc/passwd</pre>\nInspect the results, and if unauthorized local user accounts exist, remove them by\nrunning the following command:\n<pre>$ sudo userdel <i>unauthorized_user</i></pre>",
  "oval_external_content": null,
  "fixtext": "",
  "checktext": "",
  "vuldiscussion": "",
  "srg_requirement": "",
  "warnings": [
    {
      "general": "Currently this rule only works with the following limitations:\n<br />\n1. the <tt>SAP system mount directory</tt> is <tt>/sapmnt</tt> (a mounted or local file\nsystem, or a symbolic link to the target directory);\n<br />\n2. there is at most one SAP system per operating system or virtual machine (at most\none SID in /sapmnt and /usr/sap).\n<br />\nWith these limitations, the SAP system users <tt>sidadm</tt>, <tt>orasid</tt>, <tt>sapadm</tt>\nand <tt>oracle</tt> can be detected automatically.\n<br /> <br />\nFor other cases, use the general purpose rule <tt>accounts_authorized_local_users</tt>\nand customize the refine value variable <tt>var_accounts_authorized_local_users_regex</tt>\nby adding all the authorized user names to the list.\n<br /> <br />\nThe bash remediation is not limited by the above two conditions; it works in all cases,\nregardless of whether there are zero, one or multiple SAP systems on the OS/VM."
    }
  ],
  "conflicts": [],
  "requires": [],
  "policy_specific_content": {},
  "platform": null,
  "platforms": [],
  "sce_metadata": {},
  "inherited_platforms": [],
  "cpe_platform_names": [],
  "inherited_cpe_platform_names": [],
  "bash_conditional": null,
  "fixes": {},
  "title": "Only sidadm and orasid/oracle User Accounts Exist on Operating System",
  "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/rule.yml",
  "template": null
}
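The detection logic the description and warning outline (find the single SID under the SAP mount directory, derive sidadm, orasid, sapadm and oracle from it, allow anything else only if the authorized-users regex matches, and report the rest) reproduced as a stand-alone shell check. This is an added example, not the rule's own OVAL or bash remediation content. It assumes the mount directory, passwd file and regex are passed as parameters so it can run against constructed sample data, and the regex used below is a placeholder covering three standard accounts, not the real default of var_accounts_authorized_local_users_regex (the real default is anchored the same way but lists many more system accounts). It only reports; it never calls userdel.

```shell
#!/bin/sh
# Added example, not part of the SSG rule. Reports local accounts that are
# neither derived from the detected SID nor matched by the authorized regex.
# Assumptions: paths and regex are parameters; sample data is constructed.
export LC_ALL=C

# detect_sid SAPMNT -> prints the single SID directory under SAPMNT and
# returns 0; returns 1 when zero or several SIDs are present (the rule's
# documented limit: at most one SAP system per OS/VM).
detect_sid() {
    sid="" count=0
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        name=${d##*/}
        case "$name" in
            # SID: three upper-case alphanumerics, the first alphabetic
            [A-Z][A-Z0-9][A-Z0-9]) sid=$name; count=$((count + 1)) ;;
        esac
    done
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$sid"
}

# sap_users SID -> the four automatically derived SAP accounts, lower case
sap_users() {
    lsid=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%sadm\nora%s\nsapadm\noracle\n' "$lsid" "$lsid"
}

# unauthorized_users PASSWD SAPMNT REGEX -> prints, one per line, each
# account in PASSWD that is neither a derived SAP user nor matched by the
# anchored REGEX. Returns 2 when no single SID can be detected, which is
# the "error" outcome the rule description mentions.
unauthorized_users() {
    passwd=$1 sapmnt=$2 regex=$3
    sid=$(detect_sid "$sapmnt") || return 2
    allowed=$(sap_users "$sid")
    cut -d: -f1 "$passwd" | while IFS= read -r user; do
        printf '%s\n' "$allowed" | grep -qxF "$user" && continue
        printf '%s\n' "$user" | grep -Eq "$regex" && continue
        printf '%s\n' "$user"
    done
}

# make_sample DIR -> constructed sample data (not captured from a real host):
# one SID (PRD) under DIR/sapmnt and a passwd file with one stray account.
make_sample() {
    mkdir -p "$1/sapmnt/PRD"
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
prdadm:x:1001:1001:SAP System Administrator:/home/prdadm:/bin/csh
oraprd:x:1002:1002:SAP Database Administrator:/home/oraprd:/bin/csh
sapadm:x:1003:1003:SAP Host Agent:/home/sapadm:/bin/false
jdoe:x:1004:1004:Jane Doe:/home/jdoe:/bin/bash
EOF
}

# Placeholder for var_accounts_authorized_local_users_regex (assumption: the
# rule's real default lists many more standard system accounts).
AUTHORIZED_REGEX='^(root|bin|daemon)$'

main() {
    tmp=$(mktemp -d)
    make_sample "$tmp"
    echo "Detected SID: $(detect_sid "$tmp/sapmnt")"
    echo "Unauthorized local users:"
    unauthorized_users "$tmp/passwd" "$tmp/sapmnt" "$AUTHORIZED_REGEX"
    rm -rf "$tmp"
}
main
```

On the sample data the check detects PRD, accepts prdadm, oraprd and sapadm as derived SAP users, accepts root, bin and daemon through the regex, and reports jdoe. Adding a second SID directory makes detect_sid fail, so the check returns 2 instead of a user list; that mirrors the rule's limitation that only one SAP system per OS/VM can be handled automatically, and a practitioner in that situation should fall back to the general rule and list every authorized account in the regex.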