AGLEA Blog

SAP Security Audit Log

Written by Marta Ortona | Jan 20, 2022 11:00:00 PM

What is it for?

This tool lets you trace the activities of one or more SAP users at application level. It can also be used to connect SAP to a third-party SIEM (Security Information and Event Management) system or to SAP Enterprise Threat Detection (ETD).

Typically this feature is enabled to monitor the activities of "super" users, whose very broad authorizations can make them a source of risk. A control that mitigates this risk is the Security Audit Log, together with a procedure for reviewing its output.

The main objectives of the audit log are:

  • Monitoring changes made by the security administrator of the SAP system, for example changes to user master records.
  • Recording user logon information and identity theft attempts.
  • Providing information useful for reconstructing a sequence of events (for example whether or not a transaction was executed).

In detail, the information that can be recorded is:

  • Successful and failed logon attempts by users
  • Successful and failed logon attempts via RFC
  • Use of function modules via RFC
  • Successful and failed execution of transactions
  • Successful and failed execution of reports
  • Changes to user master records
  • Changes to the Security Audit Log configuration

It is important to consider the legal aspects of this instrument. Inappropriate use may conflict with Italian Law 300/1970 (Statuto dei lavoratori, in particular art. 4), with Legislative Decree 196/2003 (Data Protection Code) and with the GDPR (Regulation 2016/679).

The Security Audit Log (SAL) records the activities performed in an ABAP system. This information is recorded daily in an audit file on the application server (AS). To store the information of interest in this file, you must specify which filters are to be applied.

When an event occurs (for example the execution of a transaction) and it matches one of the active filters, an entry is written to the audit file and, if configured, an alert is raised in the CCMS alert monitor.
The Security Audit Log architecture is shown in the following image (from SAP Help).

Configuration

For SAL to be active and usable it must be configured properly through SAP instance profile parameters. The parameters to set are listed in the following table.

Parameter | Value | Description
rsau/enable | 1 (default 0) | Enables SAL
rsau/max_diskspace/local | (default 2000000) | Maximum size of the audit file, in bytes
rsau/selection_slots | (default 2) | Number of filters that can be defined for SAL
rsau/local/file | audit_++++++++ (default blank) | Name of the audit file; it must contain eight "+" characters, which the system replaces with the date
DIR_AUDIT | | Directory in which the audit files are saved
rsau/user_selection | check whether your release supports this parameter | Whether the user selection criterion in a filter must be an exact name or may use wildcards such as AMS*

The defaults of some values may vary between releases. Regarding the disk space of the audit file: if the maximum size is reached, logging stops. The number of slots (how many users can be traced at the same time) also depends on the release (Note 107417 - SecAudit configuration with SM19 no. of filters (slots)).

These parameters must be configured by the system engineers, since the changes only take effect after the application server is restarted.
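
Before relying on the log it is worth checking the profile values above. The following script is an added example (not AGLEA's or SAP's code) that parses an instance profile of 'name = value' lines and flags the SAL parameters from the table that are missing or unsound; the profile excerpt and its path are constructed for the example.

```python
"""Check the Security Audit Log parameters of an SAP instance profile.
Added example, not AGLEA's or SAP's code; it assumes the profile is a text
file of 'name = value' lines, the format of SAP instance profiles."""

# Constructed sample profile excerpt: SAL is off and the file name is wrong.
SAMPLE_PROFILE = """\
# instance profile excerpt (constructed for this example)
SAPSYSTEMNAME = DEV
DIR_AUDIT = /usr/sap/DEV/D00/log
rsau/enable = 0
rsau/max_diskspace/local = 2000000
rsau/selection_slots = 2
rsau/local/file = audit_+++++++
"""

def parse_profile(text):
    """Return {name: value}; blank lines and '#' comment lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def check_sal(params):
    """Return a list of findings; an empty list means the SAL setup is sound."""
    findings = []
    # Defaults follow the table above: rsau/enable defaults to 0 (off).
    if params.get("rsau/enable", "0") != "1":
        findings.append("rsau/enable is not 1: the Security Audit Log is disabled")
    if not params.get("DIR_AUDIT"):
        findings.append("DIR_AUDIT is empty: no directory for the audit files")
    # The file name needs exactly eight '+' placeholders for the date.
    if params.get("rsau/local/file", "").count("+") != 8:
        findings.append("rsau/local/file does not contain exactly 8 '+' characters")
    for name, default in (("rsau/selection_slots", "2"),
                          ("rsau/max_diskspace/local", "2000000")):
        value = params.get(name, default)
        if not value.isdigit() or int(value) < 1:
            findings.append(f"{name} is not a positive integer")
    # Note 1497445: rsau/ip_only = 1 logs the IP address instead of the terminal name.
    if params.get("rsau/ip_only", "0") != "1":
        findings.append("rsau/ip_only is not 1: terminal names, not IP addresses, are logged")
    return findings
```

Run `check_sal(parse_profile(open(path).read()))` against a copy of the instance profile; an empty list means the parameters from the table are in place.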

 

Usage

Through transaction SM19 it is possible to set filters per user. The output is then read through transaction SM20 or SM20N, and the files are deleted with transaction SM18 (only files older than three days can be deleted). The procedure is shown below.

  1. Set the filters
  2. Read the recorded audit entries
  3. Delete the files

The image above shows transaction SM19. The distinction between the highlighted tabs is of fundamental importance.

There are two different configurations:

  1. Static configuration: created with a profile that specifies the users to track. To activate it, the application server must be restarted.
  2. Dynamic configuration: can be activated without restarting, but it is lost when the application server is restarted. As already said, the prerequisite is that the instance profile parameters listed in the table above are set.

Static configuration

It is done through transaction SM19, see the following image: click the highlighted button and create a profile, for example TEST_D.

Set the reference client and the user to track, selecting also the active filter and the activities to trace. The SAP user name cannot contain wildcards such as AMS*; it must be an exact name (Note 574914 - SecAudit: Generic user selection; check whether your release supports generic selection).

Finally press the SAVE button, as shown in the image below.

After saving, the audit must be activated. The message in the status bar shows that it will become active at the next restart of the application server.

Dynamic configuration

Once the rsau* parameters are configured, simply select the tab named Dynamic Configuration and activate the log by clicking the highlighted button below.

The light then turns green. Reply Yes to the message asking about the active instances.

Then click the edit button: the filters become editable.

Set the reference client and the user as was done for the static configuration.

How to read the generated log?

Through transaction SM20 it is possible to display the operations that the selected user performed.

Enter the date and the user name and, optionally, select the audit classes of interest. Then click the button that generates the audit report.

The output looks like the one shown below.

Deletion of log files

Through transaction SM18 it is possible to delete audit files. Files less than three days old cannot be deleted. A simulation can be run before performing the actual deletion.

What’s new in the security audit log?

With the update to SAP_BASIS 7.50 SP03 the management of the security audit log was revised: transactions SM19, SM20N and SM18 are replaced by RSAU_CONFIG, RSAU_READ_LOG and RSAU_ADMIN.

There are several new features:

  • Logs are saved directly in the SAP database instead of in a file on the application server
  • Filtering by user group
  • Number of filters extended to 90
  • Integrity check of the written files

Below is an image of the new transaction used to configure the security audit log.

Through transaction RZ20 it is possible to display the alerts produced in the CCMS.


Relevant OSS notes:

  • Note 107417 - SecAudit configuration with SM19 no. of filters (slots)
  • Note 574914 - SecAudit: Generic user selection
  • Note 173743 - SecAudit: Changing parameters does not perform
  • Note 198646 - Security Audit: SM18 collective note
  • Note 539404 - FAQ: Answers to questions about the Security Audit Log
  • Note 1497445 - SAL | Logging of IP address instead of terminal name: explains how to log the IP address of a machine instead of its terminal name by setting the instance profile parameter rsau/ip_only = 1

If you need to connect a SIEM, you can use, where available on your system, the API RSAU_API_GET_LOG_DATA to read Security Audit Log data or, if available (SAP_BASIS 7.56), the service RSAU_LOG_API.

This article has been translated from: SAP Security Audit Log