Monitoring Security With Standard SAP Tools
Session Code 805
Sandi McKinney
Introduction
• TELUS Enterprise Solutions, a division of TELUS
• Second largest Telecommunications provider in Canada
• Approximately 20,000 employees
• $7 Billion in Revenues in 2002
• Senior SAP Consultant specializing in SAP Authorizations
• [email protected]
Outline
• Why Audit?
• AIS – Audit Information System
• Security Audit Log
• RBE – Reverse Business Engineering (as applied to Security)
Why Audit?
• Risk
• Compliance
• Configuration
Why Audit?
Availability, Integrity and Confidentiality
Outline
Why Audit
AIS – Audit Information System
Security Audit Log
RBE – Reverse Business Engineering (as applied to Security)
AIS – Audit Information System
• Review
• Analysis
• Monitor
Transactions
SECR – Audit Information System
PFCG - Role Maintenance
Transaction - SECR
SECR is still available
Possible error message: ‘AIS Structure AUDIT_ALL does not exist’
OSS Note 328019
Reports and Queries
• Import from Client 000
• Different Types of Reports
• OSS Note 100609
Set-Up Roles
Roles for:
Security Team
Internal Audit
External Audit
Set-Up Roles
• Administration Work
• Excellent On-Line Help
• Defaults
• Queries
Testing Roles
OSS Note 92124
OSS Note 100609
User Assignment
• Security Team
  • Staff Employee
  • Measurement Data setting – 01
• Audit Team
  • External Audit Employee
    • Measurement Data setting – 02
  • Internal Audit
    • Staff Employee
    • Measurement Data setting – 02
Customization
• At your discretion
• Use Variants
Favorites
• Top Ten Security Reports, notably
  • SM20 Security Audit Log Assessment
  • SUIM User Information System
  • RSUSR200 List of Users Per Login Date
  • S_ALR_87101194 Check Passwords of Special Users
• Documentation
• Flexibility in assigning roles
Additional Information
AIS
SAP Course
• BC940 – Security and Auditing
Resource
• SAP Service Marketplace, Quick Links – AIS
Additional Information
AIS
OSS Notes
• 375609 – Audit Info. System (AIS): Roles for System Auditors
• 451960 – Audit Information System (AIS), role concept
• 77503 – Audit Information System (AIS)
• 328019 – AIS Structure AUDIT_ALL does not exist
• 202504 – Audit Information System (AIS) 4.6C – collect. note
• 182699 – Audit Information System (AIS): Download of Query
Next: Security Audit Log
Questions?
Outline
Why Audit?
AIS – Audit Information System
Security Audit Log
RBE – Reverse Business Engineering (as applied to Security)
Audit Log
What is Audited?
• Dialog logon – monitor special IDs for logon
• RFC/CPIC logon – monitor specific logons
• RFC function call – monitor remote function calls
What is Audited?
• Transaction start – monitor the transactions that are being started for specific IDs
• Report start – monitor the reports that are being started for specific IDs
• User master change – monitor for user master changes
• Other – monitor changes to the Audit Log configuration
System Parameters – Configuration
• RSAU/MAX_DISKSPACE/LOCAL = 5000000 – used to size the audit file
• RSAU/ENABLE = 1 – enables the audit log
• RSAU/LOCAL/FILE = /usr/sap/PRD111/audit_++++++++ – naming and directory location of the audit file
• RSAU/SELECTION_SLOTS = 10 – number of audit filters (max 10)
Transactions
SM19 – Security Audit Configuration
SM20 – Security Audit Log Assessment
SM18 – Reorganize Security Audit Log
SM19 – Security Audit Configuration
Define Filters
SM19 – Security Audit Configuration
Create your profile
Enter the profile name
The client number
Enter the user Id
SM19 – Security Audit Configuration
Select Audit Classes
Select Weight of Events
Activate Filter
Re-cycle the system
SM20 – Security Audit Log Assessment
Select Audit Log
Read Audit Log
Refine search by Audit Class and/or Weight of Event
SM20 – Security Audit Log Assessment
Sample Report
Sample Statistics
SM18 – Reorganize Security Audit Log
• Simulate
• Archive
• Delete
• Cannot delete or archive files that are less than 3 days old
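As an added example (not from the session's slides) covering both the System Parameters slide and the SM18 3-day rule above: a small Python checker that reads a constructed instance-profile fragment, flags settings that do not match the session's guidance, and lists which audit files SM18 may reorganize. Reading the ++++++++ placeholder in RSAU/LOCAL/FILE as a YYYYMMDD date is an assumption of this example.

```python
"""Checks for the Security Audit Log settings covered in this session.

Added example, not from the original slides. Parameter names, RSAU/ENABLE = 1,
the limit of 10 selection slots and the SM18 3-day rule come from the slides;
the profile text and file names are constructed, and reading the ++++++++ in
RSAU/LOCAL/FILE as a YYYYMMDD date is an assumption of this example.
"""
import re
from datetime import date, timedelta

# Constructed profile fragment ("key = value"); audit log off and 12 slots are the weak settings.
PROFILE = """
rsau/enable = 0
rsau/max_diskspace/local = 5000000
rsau/local/file = /usr/sap/PRD111/audit_++++++++
rsau/selection_slots = 12
"""

def parse_profile(text):
    """Map upper-cased parameter names to their values; '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip().upper()] = value.strip()
    return params

def check_audit_config(params):
    """Return findings against the session's guidance; an empty list means all checks pass."""
    findings = []
    if params.get("RSAU/ENABLE") != "1":
        findings.append("RSAU/ENABLE is not 1: the Security Audit Log is disabled")
    slots = params.get("RSAU/SELECTION_SLOTS", "0")
    if not (slots.isdigit() and 1 <= int(slots) <= 10):
        findings.append(f"RSAU/SELECTION_SLOTS = {slots}: must be between 1 and 10")
    return findings

def reorganizable(files, today_iso):
    """SM18 rule: only audit files at least 3 days old may be archived or deleted."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=3)
    eligible = []
    for name in files:
        m = re.search(r"audit_(\d{4})(\d{2})(\d{2})$", name)
        if m and date(*map(int, m.groups())) <= cutoff:
            eligible.append(name)
    return eligible
```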
Alert Monitor
• Computer Center Management System (CCMS)
• Events triggered in Audit Log will trigger event in CCMS
• Alerts are logged by Application Server
• No system configuration required to use CCMS
Computer Center Management System
Transaction RZ20
Computer Center Management System
Favorites
Audit Log
• Easy to set-up.
• Quicker to review results of the audit log
• Entries are highlighted in Red for Critical and Yellow for Important, based on your definitions in the Audit Log filter(s).
• Assists with tracking if an alert has been analyzed and resolved.
• Contains a history
Additional Information
Audit Log
SAP Course
• WNA210 – R/3 for Auditors
Resource
• SAP R/3 Audit Guide
Additional Information
Audit Log
OSS Notes
• 30724 – Data Protection and security in SAP Systems
• 486717 – SecAudit: SM20 selection documentation is missing
• 317883 – SecAudit: Transactions are not recorded
• 139418 – Logging User Actions
• 198646 – SecAudit: SM18 composite note
• 539404 – FAQ
• 173743 – SecAudit: Changing Parameters
Questions?
Next: Reverse Business Engineering
Outline
Why Audit?
AIS – Audit Information System
Security Audit Log
RBE – Reverse Business Engineering (as applied to Security)
What is RBE?
RBE is a tool to support CBI (Continual Business Improvement)
• Data Extraction
• Data Analysis
• Reporting
ABAP
SAP Supplied Program
• is in text format
• must download and generate into the ABAP Workbench
Transaction Monitor
Transaction ST03, menu path Workload -> Reorganization -> Parameters: Performance Database
Use a minimum of 3 months
Cannot use a time line of days or weeks
What can be extracted?
• Transactional Data
• Configuration Data
• Master Data
How to Extract
Logon to your R/3 system
Execute Extract Program
How to Extract
Time Line
Type of Data
Output to Spool
Execute
How to Extract
Sample Spool File
How to Extract
Select Spool File
Select Drive Path
Download Extract
Preparing for Analysis
• Set-Up Company
• Import the data that has just been exported
• Rename the imported file when prompted
• Successful completion message will be displayed
Preparing for Analysis
My Company Name
Extract File
Preparing for Analysis
Analysis
Sample Report
Select Plant Placeholder
Add User(s) to Analysis
Favorites
• Many reports to work with
• Can create customized reports
• Well documented
• Easy to use
Additional Information
RBE
SAP Course
• VSAP50 – Reverse Business Engineering
Resource
• RBE White Paper
OSS Notes
• 367378 – How to get the Reverse Business Engineer
Questions?
Next: Summary
Summary
Availability, Integrity and Confidentiality
AIS – Audit Information System assists with the ongoing audit requirements
Audit Log assists with the monitoring of system activities
RBE – Reverse Business Engineering assists with the maintenance of roles
Thank you for attending!
Please remember to complete and return your evaluation form following this session.
Session Code: 805