Monitoring SecurityWithStandard SAP ToolsSession Code 805

Sandi McKinney

Introduction

• TELUS Enterprise Solutions, a division of TELUS

• Second largest Telecommunications provider in Canada

• Approximately 20,000 employees

• $7 Billion in Revenues in 2002

• Senior SAP Consultant specializing in SAP Authorizations • Sandi.mckinney@telus.com

Why Audit?

AIS – Audit Information System

Security Audit Log

RBE – Reverse Business Engineering(as applied to Security)

Outline

Why Audit ?

• Risk• Compliance• Configuration

Why Audit ?

Availability, Integrity and Confidentiality

Outline

Why Audit

AIS – Audit Information System Security Audit Log

RBE – Reverse Business Engineering(as applied to Security)

AIS – Audit Information System

• Review

• Analysis • Monitor

Transactions

SECR – Audit Information System

PFCG - Role Maintenance

Transaction - SECR

SECR is still available

Possible error message:‘AIS Structure AUDIT_ALL does not exist’

OSS Note 328019

Reports and Queries

• Import from Client 000

• Different Types of Reports

•OSS Note 100609

Set-Up Roles

Roles for:

Security Team

Internal Audit

External Audit

Set-Up Roles

• Administration Work

• Excellent On-Line Help

• Defaults

• Queries

Testing Roles

OSS Note 92124

OSS Note 100609

User Assignment

•Security Team

• Staff Employee

• Measurement Data setting – 01

•Audit Team

• External Audit Employee

• Measurement Data setting – 02

• Internal Audit

• Staff Employee

• Measurement Data setting – 02

Customization

• At your discretion

• Use Variants

Favorites

• Top Ten Security Reports, notably• SM20 Security Audit Log Assessment• SUIM User Information System• RSUSR200 List of Users Per Login Date

• S_ALR_87101194 - Check Passwords of Special Users

• Documentation

• Flexibility in assigning roles

Additional Information

AIS

SAP Course

•BC940 – Security and Auditing

Resource

•SAP Service Marketplace

Quick Links – AIS

Additional Information

AIS

OSS Notes

• 375609 – Audit Info. System (AIS): Roles for System Auditors

• 451960 – Audit Information System (AIS), role concept

• 77503 – Audit Information System (AIS)

• 328019 – AIS Structure AUDIT_ALL does not exist

• 202504 – Audit Information System (AIS) 4.6C – collect. note

• 182699 – Audit Information System (AIS): Download of Query

Next: Security Audit Log

Questions ?

Outline

Why Audit?

AIS – Audit Information System

Security Audit Log

RBE – Reverse Business Engineering(as applied to Security)

Audit Log

What is Audited?

Dialog logon Monitor Special IDs for Log on

RFC/CPIC logon Monitor specific logons

RFC function call Monitor remote function calls

What is Audited?

Transaction start Monitor the transactions that are being started for specific IDs

Report start Monitor the reports that are being started for specific IDs

User master change Monitor for User Master Changes

Other Monitor changes to the Audit Log configuration

System Parameters

RSAU/MAX_DISKSPACE/LOCAL = 5000000 used to size the audit file

RSAU/ENABLE = 1 enabling the audit log

Configuration

RSAU/LOCAL/FILE = /usr/sap/PRD111/audit_++++++++

naming and directory location

RSAU/SELECTION_SLOTS = 10 number of audit filters (max 10)

Transactions

SM19 – Security Audit Configuration

SM20 – Security Audit Log Assessment

SM18 – Reorganize Security Audit Log

SM19 – Security Audit Configuration

Define Filters

SM19 – Security Audit Configuration

Create your profile

Enter the profile name

The client number

Enter the user Id

SM19 – Security Audit Configuration

Select Audit Classes

Select Weight of Events

Activate Filter

Re-cycle the system

SM20 – Security Audit Log Assessment

Select Audit Log

Read Audit Log

Refine SearchBy Audit Class and/orWeight of Event

SM20 – Security Audit Log Assessment

Sample

Report

SM20 – Security Audit Log Assessment

Sample

Statistics

SM18 – Reorganize Security Audit Log

•Simulate

•Archive

•Delete

•Cannot Delete or archive files that are less than 3 days old

Alert Monitor

• Computer Center Management System (CCMS)

• Events triggered in Audit Log will trigger event in CCMS

• Alerts are logged by Application Server

• No system configuration required to use CCMS

Computer Center Management System

Transaction RZ20

Computer Center Management System

Favorites

Audit Log

• Easy to set-up.

• Quicker to review results of the audit log

• Entries are highlighted in Red for Critical and Yellow for Important, based on your definitions in the Audit Log filter(s).

• Assists with tracking if an alert has been analyzed and resolved.

• Contains a history

Additonal Information

Audit Log

SAP Course • WNA210 – R/3 for Auditors

ResourceSAP R/3 Audit Guide

Additional Information

Audit LogOSS Notes

30724 – Data Protection and security in SAP Systems486717 – SecAudit: SM20 selection documentation is missing317883 – SecAudit: Transactions are not recorded139418 – Logging User Actions198646 – SecAudit: SM18 composite note539404 – FAQ173743 – SecAudit; Changing Parameters139418 – Logging user actions

Questions ?

Next: Reverse Business Engineering

Outline

Why Audit?

AIS – Audit Information System

Security Audit Log

RBE – Reverse Business Engineering (as applied to Security)

What is RBE?

RBE is a tool to support CBI (Continual Business Improvement) • Data Extraction

• Data Analysis

• Reporting

ABAP

SAP Supplied Program

• is in text format

• must download and generate into the ABAP Workbench

Transaction Monitor

Transaction ST03 after Menu pathWorkload->Reorganization->Parameters_Performance Database

Use a minimumof 3 months

Cannot use aTime-line ofdays or weeks

What can be extracted?

• Transactional Data

• Configuration Data

• Master Data

How to Extract

Logon to your R/3 system

Execute Extract Program

How to Extract

Time Line

Type of Data

Output to Spool

Execute

How to Extract

Sample

Spool File

How to Extract

Select Spool File

Select Drive Path

Download Extract

Preparing for Analysis

• Set-Up Company

• Import the data that has just be exported

• Rename the imported file when prompted

• Successful completion message will be displayed

Preparing for Analysis

My Company Name

Extract File

Preparing for Analysis

Analysis

Analysis

Sample

Report

Analysis

Select Plant Placeholder

Add User(s) toAnalysis

Analysis

Analysis

Analysis

Favorites

• Many reports to work with

• Can create customized reports

• Well documented

• Easy to use

Additional Information

RBE

SAP Course • VSAP50 – Reverse Business Engineering

Resource• RBE White Paper

OSS Notes• 367378 – How to get the Reverse Business Engineer

Questions ?

Next: Summary

Summary

Availability, Integrity and Confidentiality

AIS – Audit Information Systemassists with the ongoing audit requirements

Audit Logassists with the monitoring of system activities

RBE – Reverse Business Engineeringassists with the maintenance of roles

Thank you for attending!Please remember to complete and return your evaluation form following this session.

Session Code: 805