{"id":1242,"date":"2012-09-16T16:06:05","date_gmt":"2012-09-16T16:06:05","guid":{"rendered":"http:\/\/sapsecurityanalyst.com\/WP\/?page_id=1242"},"modified":"2015-12-09T19:20:58","modified_gmt":"2015-12-09T19:20:58","slug":"sap-security-audit-guidelines-part-i","status":"publish","type":"page","link":"https:\/\/sapsecurityanalyst.com\/WP\/sap-security-audit-guidelines-part-i\/","title":{"rendered":"Audit"},"content":{"rendered":"<p><span style=\"color: #0000ff; font-family: verdana;\"><br \/>\n<span style=\"color: #4c4c4c;\">In this post we discuss some of the basic SAP Security Audit Guidelines. Since each company has its own business requirements and business processes, the audit guidelines may differ slightly from company to company. The points discussed in this post and in the subsequent post on security audit (SAP Security Audit Guidelines &#8211; Part II) more or less cover the basic points that need to be taken care of during an SAP Security audit.<\/span><br \/>\n<\/span><br \/>\n<span style=\"color: #0000ff; font-family: verdana;\"><br \/>\n<span style=\"color: #4c4c4c;\">SAP Role administrators and compliance managers should follow these guidelines while preparing for the SAP system audit:<\/span><br \/>\n<\/span><br \/>\n<span style=\"color: #0000ff; font-family: verdana;\"><br \/>\n<span style=\"color: #4c4c4c;\"><span style=\"color: #0000ff;\"> (1) <strong>The status of the SAP Standard user IDs should be checked using report RSUSR003.<\/strong><\/span> The SAP Standard user IDs are SAP*, DDIC, EARLYWATCH and SAPCPIC. 
<em>From an audit point of view, the passwords of these user IDs <strong>should not<\/strong> be the default ones.<\/em><\/span><br \/>\n<\/span><br \/>\n<span style=\"color: #0000ff; font-family: verdana;\"><br \/>\n<span style=\"color: #4c4c4c;\">The default passwords of the SAP Standard user IDs are as follows:<\/span><br \/>\n<\/span><\/p>\n<ul>\n<li>\n<h4><span style=\"color: #0000ff; font-family: verdana;\">SAP* &#8211; 06071992<\/span><\/h4>\n<\/li>\n<li>\n<h4><span style=\"color: #0000ff; font-family: verdana;\">DDIC &#8211; 19920706<\/span><\/h4>\n<\/li>\n<li>\n<h4><span style=\"color: #0000ff; font-family: verdana;\">EARLYWATCH &#8211; SUPPORT<\/span><\/h4>\n<\/li>\n<li>\n<h4><span style=\"color: #0000ff; font-family: verdana;\">SAPCPIC &#8211; ADMIN<\/span><\/h4>\n<\/li>\n<\/ul>\n<p><span style=\"color: #4c4c4c;\"><span style=\"font-family: verdana;\"><br \/>\n<span style=\"color: #0000ff;\">(2) <strong>The Security Audit Log should be properly configured.<\/strong><\/span> It is configured using transaction code <strong>SM19<\/strong>. 
Certain profile parameters need to be set when configuring the audit log.<br \/>\n<\/span><\/span><br \/>\n<span style=\"color: #4c4c4c; font-family: verdana;\"> The parameters are:<\/span><\/p>\n<ul>\n<li><span style=\"color: #0000ff; font-family: verdana;\"><strong>rsau\/enable<\/strong> &#8211; <span style=\"color: #4c4c4c;\">The value should be set to 1.<\/span><\/span><\/li>\n<li><span style=\"color: #0000ff; font-family: verdana;\"><strong>rsau\/max_diskspace\/per_day<\/strong> or <strong>rsau\/max_diskspace\/per_file<\/strong> &#8211; <span style=\"color: #4c4c4c;\">Either of the two can be set.<\/span><\/span><\/li>\n<li><span style=\"color: #0000ff; font-family: verdana;\"><strong>rsau\/selection_slots<\/strong> &#8211; <span style=\"color: #4c4c4c;\">This determines the number of filters available, chosen according to the types of events that need to be logged (for example one filter for RFC function calls, another for transactions and reports executed by users, and so on).<\/span><\/span><\/li>\n<\/ul>\n<p><span style=\"color: #4c4c4c; font-family: verdana;\"><br \/>\nThe logs that are generated can be viewed using tcode <strong>SM20<\/strong>. SM20 shows the logged events according to the filters that have been set (which transaction or report was executed by which user at what time, and so on). It also provides a very important piece of information: the terminal from which the transactions were executed.<\/span><br \/>\n<span style=\"color: #4c4c4c; font-family: verdana;\"> <br \/>\nOld logs can be deleted using tcode <strong>SM18<\/strong>. This access should be restricted to the Basis team only.<br \/>\n<\/span><br \/>\n<span style=\"color: #4c4c4c; font-family: verdana;\"> <\/span><\/p>\n<p><span style=\"color: #4c4c4c; font-family: verdana;\"><br \/>\n<span style=\"color: #0000ff;\">(3) <strong>Maintaining User Groups<\/strong>:<\/span> It is a best practice to maintain user groups. 
User groups can be created using transaction code SUGR and assigned to users. User groups are very helpful, as they make it possible to identify whether a user is a business user, an IT user, a system user, and so on. To some extent this helps in identifying the responsibilities that a user is supposed to have.<br \/>\n<\/span><br \/>\n<span style=\"color: #4c4c4c; font-family: verdana;\"> <br \/>\nSome possible user groups are listed below (the names can be chosen as convenient):<\/span><br \/>\n<span style=\"color: #4c4c4c; font-family: verdana;\"> <br \/>\n<\/span><\/p>\n<ul>\n<li>\n<h4><span style=\"color: #0000ff; font-family: verdana;\">BASIS &#8211; <span style=\"color: #4c4c4c;\">For Basis team members<\/span><\/span><\/h4>\n<\/li>\n<li>\n<h4><span style=\"color: #0000ff; font-family: verdana;\">SECURITY &#8211; <span style=\"color: #4c4c4c;\">For Security team members<\/span><\/span><\/h4>\n<\/li>\n<li>\n<h4><span style=\"color: #0000ff; font-family: verdana;\">MM, SD, FI etc. &#8211; <span style=\"color: #4c4c4c;\">For IT production support users belonging to the various functional modules<\/span><\/span><\/h4>\n<\/li>\n<li>\n<h4><span style=\"color: #0000ff; font-family: verdana;\">BUSINESS &#8211; <span style=\"color: #4c4c4c;\">For business users<\/span><\/span><\/h4>\n<\/li>\n<li>\n<h4><span style=\"color: #0000ff; font-family: verdana;\">ESS &#8211; <span style=\"color: #4c4c4c;\">For users who log in through the portal<\/span><\/span><\/h4>\n<\/li>\n<li>\n<h4><span style=\"color: #0000ff; font-family: verdana;\">CANCEL &#8211; <span style=\"color: #4c4c4c;\">For cancelled users<\/span><\/span><\/h4>\n<\/li>\n<li>\n<h4><span style=\"color: #0000ff; font-family: verdana;\">INACTIVE &#8211; <span style=\"color: #4c4c4c;\">For inactive users<\/span><\/span><\/h4>\n<\/li>\n<li>\n<h4><span style=\"color: #0000ff; font-family: verdana;\">SYSTEM &#8211; <span style=\"color: #4c4c4c;\">For users of type System<\/span><\/span><\/h4>\n<\/li>\n<li>\n<h4><span 
style=\"color: #0000ff; font-family: verdana;\">SUPER &#8211; <span style=\"color: #4c4c4c;\">For super users like SAP*, DDIC, etc.<\/span><\/span><\/h4>\n<\/li>\n<\/ul>\n<p><span style=\"color: #0000ff; font-family: verdana;\"><br \/>\n(4) <strong>Table logging<\/strong>: <span style=\"color: #4c4c4c;\">There are certain tables for which table logging should be enabled in the Production system. The technical settings of such tables need to be set to \u201c<em>Log data changes<\/em>\u201d. Transaction code <strong>SE13<\/strong> can be used to verify whether table logging is enabled. Table <strong>DD09L<\/strong> can also be queried with the condition <em>Log = X<\/em> to get an overview of the tables for which table logging is enabled. The change documents for such tables can be viewed in table <strong>DBTABLOG<\/strong>. Note that logging only takes place if the <strong>rec\/client<\/strong> profile parameter listed under point (5) is active as well.<\/span><br \/>\n<\/span><\/p>\n<p><span style=\"color: #0000ff; font-family: verdana;\"><br \/>\n<\/span><span style=\"color: #0000ff;\"><span style=\"font-family: verdana;\">(5) <\/span><span style=\"font-family: verdana;\"><strong>Maintaining proper values for Profile Parameters<\/strong><\/span><span style=\"font-family: verdana;\">:<\/span><\/span><span style=\"color: #0000ff; font-family: verdana;\"><span style=\"color: #4c4c4c;\"> Proper profile parameter values must be maintained as per best practices so as to satisfy security audit requirements. 
Below are examples of some such profile parameters.<\/span><\/span><\/p>\n<table class=\"easy-table-creator tablesorter\" style=\"width: 100%;\">\n<thead>\n<tr>\n<th>\n<h2><span style=\"color: #0000ff; font-family: verdana;\">Profile Parameter<\/span><\/h2>\n<\/th>\n<th>\n<h2><span style=\"color: #0000ff; font-family: verdana;\">Description<\/span><\/h2>\n<\/th>\n<th>\n<h2><span style=\"color: #0000ff; font-family: verdana;\">Expected Value<\/span><\/h2>\n<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">login\/min_password_lng<\/span><\/h3>\n<\/td>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">Minimum length of the password that a user needs to enter<\/span><\/h3>\n<\/td>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">8<\/span><\/h3>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">login\/password_expiration_time<\/span><\/h3>\n<\/td>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">Number of days after which the password expires<\/span><\/h3>\n<\/td>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">90<\/span><\/h3>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">login\/password_max_idle_productive<\/span><\/h3>\n<\/td>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">Maximum period (in days) for which a productive password (a password chosen by the user) remains valid if it is not used<\/span><\/h3>\n<\/td>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">60<\/span><\/h3>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">login\/password_max_idle_initial<\/span><\/h3>\n<\/td>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">Maximum number of days for which 
the initial password remains valid<\/span><\/h3>\n<\/td>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">7<\/span><\/h3>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">login\/fails_to_session_end<\/span><\/h3>\n<\/td>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">Number of invalid login attempts until the session ends<\/span><\/h3>\n<\/td>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">3<\/span><\/h3>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">rdisp\/gui_auto_logout<\/span><\/h3>\n<\/td>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">Maximum idle time in seconds after which a GUI session is automatically logged out<\/span><\/h3>\n<\/td>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">3600<\/span><\/h3>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">login\/fails_to_user_lock<\/span><\/h3>\n<\/td>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">Number of invalid login attempts until the user gets locked<\/span><\/h3>\n<\/td>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">5<\/span><\/h3>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">login\/no_automatic_user_sapstar<\/span><\/h3>\n<\/td>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">Controls whether automatic login as SAP* with the default password is possible when the user master record of SAP* has been deleted (1 disables it)<\/span><\/h3>\n<\/td>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">1<\/span><\/h3>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">rec\/client<\/span><\/h3>\n<\/td>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">Activate or deactivate table logging in 
a client<\/span><\/h3>\n<\/td>\n<td>\n<h3><span style=\"color: #4c4c4c; font-family: verdana;\">ALL \u2013 table logging activated in all clients<\/span><\/h3>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"color: #0000ff; font-family: verdana;\"><br \/>\n(6) <strong>System and Client Setting options:<\/strong><br \/>\n<\/span><\/p>\n<p><span style=\"color: #0000ff; font-family: verdana;\"><span style=\"color: #4c4c4c;\"><span style=\"text-decoration: underline;\">The following system change options should be set for the Production environment<\/span>. They can be set using transaction code SE06 (System Change Option):<\/span><\/span><br \/>\n<span style=\"color: #0000ff; font-family: verdana;\"><br \/>\n<\/span><\/p>\n<ul>\n<li><span style=\"color: #0000ff; font-family: verdana;\"><strong>Global Settings<\/strong>: <span style=\"color: #4c4c4c;\">Not Modifiable<\/span><\/span><\/li>\n<li><span style=\"color: #0000ff; font-family: verdana;\"><strong>Software Component<\/strong>: <span style=\"color: #4c4c4c;\">Not Modifiable<\/span><\/span><\/li>\n<li><span style=\"color: #0000ff; font-family: verdana;\"><strong>Namespace \/ Name Range<\/strong>: <span style=\"color: #4c4c4c;\">Not Modifiable<\/span><\/span><\/li>\n<\/ul>\n<p><span style=\"color: #0000ff; font-family: verdana;\"><br \/>\n<span style=\"text-decoration: underline; color: #4c4c4c;\">The following client settings should be set in the Production environment (transaction code SCC4):<\/span><\/span><\/p>\n<p><span style=\"color: 
#0000ff; font-family: verdana;\"><br \/>\n<\/span><\/p>\n<ul>\n<li><span style=\"color: #0000ff; font-family: verdana;\"><strong>Client Role<\/strong>: <span style=\"color: #4c4c4c;\">Production<\/span><\/span><\/li>\n<li><span style=\"color: #0000ff; font-family: verdana;\"><strong>Changes and Transports for Client-Specific Objects<\/strong>: <span style=\"color: #4c4c4c;\">No changes allowed<\/span><\/span><\/li>\n<li><span style=\"color: #0000ff; font-family: verdana;\"><strong>Cross-Client Object Changes<\/strong>: <span style=\"color: #4c4c4c;\">No changes to Repository and cross-client customizing objects<\/span><\/span><\/li>\n<li><span style=\"color: #0000ff; font-family: verdana;\"><strong>CATT and eCATT Restrictions<\/strong>: <span style=\"color: #4c4c4c;\">CATT and eCATT not allowed<\/span><\/span><\/li>\n<\/ul>\n<p><span style=\"color: #0000ff; font-family: verdana;\"><br \/>\n<span style=\"color: #4c4c4c;\">Audit is a never-ending topic, and many more security audit concepts could be covered. 
We will discuss some other very important points in our <span style=\"text-decoration: underline;\"><em><strong>next post<\/strong><\/em><\/span> on SAP Security Audit Guidelines.<\/span><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"_links":{"self":[{"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/pages\/1242"}],"collection":[{"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/comments?post=1242"}],"version-history":[{"count":24,"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/pages\/1242\/revisions"}],"predecessor-version":[{"id":2168,"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/pages\/1242\/revisions\/2168"}],"wp:attachment":[{"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/media?parent=1242"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}