Below are the basic points that an SAP security audit more or less always covers; the exact scope varies from company to company.
These are the points that SAP administrators and compliance managers should check before the audit takes place.
1. Maintaining user groups - It is important to maintain user groups. They are created with transaction SUGR and assigned to users in SU01. From the group you can see at a glance whether a user is a technical, functional or business user, i.e. what the user is responsible for, and the group is also what authorization object S_USER_GRP checks when restricting which users an administrator is allowed to maintain.
For example:
Security - for security team members
Basis - for Basis team members
Business - for business users
SYSTEM - for users of type System, and so on.
2. Status of the standard user IDs, checked with report RSUSR003 - The SAP standard user IDs are SAP*, DDIC, EARLYWATCH and SAPCPIC. From an audit point of view none of them may still have its default password; RSUSR003 shows for each client whether the user exists, is locked and still uses the default password. Also set profile parameter login/no_automatic_user_sapstar = 1, otherwise deleting SAP* in a client re-enables the hard-coded kernel user SAP* with password PASS.
Default passwords of the SAP standard user IDs are:
SAP* - 06071992 (PASS for the hard-coded kernel user when no user master record exists)
DDIC - 19920706
EARLYWATCH - SUPPORT (client 066)
SAPCPIC - ADMIN
3. Security audit log should be configured - It is configured with transaction SM19 (static configuration written to the profile, dynamic configuration for changes at runtime). Certain profile parameters must be set for the audit log to work at all.
The parameters are:
rsau/enable - must be set to 1; otherwise nothing is logged, regardless of the filters.
rsau/max_diskspace/per_day or rsau/max_diskspace/per_file - either of the two limits the size of the audit files; set one of them.
rsau/selection_slots - the number of filters available; each filter selects a category of events for a set of clients and users (for example one filter for RFC function calls, another for transactions and reports started by users).
SM20 displays the recorded events according to the filters that were active.
4. Table logging - Transaction SE13 (technical settings) shows whether the "Log data changes" flag is set for a table, and table DD09L with the condition LOG = 'X' gives an overview of all tables for which logging is switched on. Certain tables (customizing and other sensitive tables) must have logging enabled in the production system. Note that the flag alone logs nothing: profile parameter rec/client must also be set (ALL, or the client numbers to be logged); with rec/client = OFF no change records are written. The change records are stored in table DBTABLOG and can be evaluated with transaction SCU3.
5. Maintaining proper values for profile parameters - Profile parameter values must be maintained according to best practice so as to satisfy security audit requirements. The effective values can be displayed with RZ11 or report RSPARAM and are maintained in the profiles with RZ10. Below are examples; the expected values are typical audit targets, and a company's own policy may be stricter:
| Profile parameter | Description | Expected value |
| --- | --- | --- |
| login/min_password_lng | Minimum password length a user must enter | 8 |
| login/password_expiration_time | Number of days after which a password expires | 90 |
| login/password_max_idle_productive | Maximum number of days a productive password remains valid without being used | 60 |
| login/password_max_idle_initial | Maximum number of days an initial password remains valid without being used | 7 |
| login/fails_to_session_end | Number of invalid logon attempts until the session ends | 3 |
| login/fails_to_user_lock | Number of invalid logon attempts until the user is locked | 5 |
| rdisp/gui_auto_logout | Maximum idle time in seconds after which a GUI session is logged out automatically | 3600 |
6. System and client options - Transaction SE06 (System Change Option) in the production system should show:
Global setting - Not modifiable
Software component - Not modifiable
Namespace/Name range - Not modifiable
The following client settings (transaction SCC4) should be in place in the production environment:
Client role - Production
Changes and transports for client-specific objects - No changes allowed
Cross-client object changes - No changes to Repository and cross-client Customizing objects
CATT and eCATT restrictions - eCATT and CATT not allowed
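The following Python script is an added example and not part of the original post. It turns the checks from points 2 to 5 into something repeatable: it parses a profile file in the `name = value` form used by DEFAULT.PFL and instance profiles (a text export of RSPARAM can be reshaped into the same form) and reports PASS, FAIL or MISSING per parameter. The numeric targets are the ones from the table in point 5; the comparison direction for each rule (a stricter value such as a minimum password length of 12 must not be flagged) and the two extra parameters login/no_automatic_user_sapstar and rec/client are assumptions made here, and the sample profile is constructed, not taken from any real system.

```python
"""Audit exported SAP profile parameters against expected audit values.

Added example, not code from the original post. Parses `name = value`
profile lines and reports PASS / FAIL / MISSING per parameter.
"""
import re
from typing import Dict, List, Tuple

# parameter -> (comparison, expected value, short description)
#   "min": actual >= expected   "max": actual <= expected
#   "eq":  actual == expected   "neq": actual != expected (case-insensitive)
RULES: Dict[str, Tuple[str, str, str]] = {
    "login/min_password_lng": ("min", "8", "minimum password length"),
    "login/password_expiration_time": ("max", "90", "password expiry in days"),
    "login/password_max_idle_productive": ("max", "60", "idle productive password, days"),
    "login/password_max_idle_initial": ("max", "7", "idle initial password, days"),
    "login/fails_to_session_end": ("max", "3", "failed logons until session end"),
    "login/fails_to_user_lock": ("max", "5", "failed logons until user lock"),
    "rdisp/gui_auto_logout": ("max", "3600", "GUI auto-logout in seconds"),
    "rsau/enable": ("eq", "1", "security audit log switched on"),
    # Assumption: two parameters not in the table, relevant to points 2 and 4.
    "login/no_automatic_user_sapstar": ("eq", "1", "no hard-coded SAP* fallback user"),
    "rec/client": ("neq", "OFF", "table logging active for at least one client"),
}

# `name = value`; names contain letters, digits, '/', '_', '.' and '-'
PARAM_LINE = re.compile(r"^\s*([A-Za-z0-9_./-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text: str) -> Dict[str, str]:
    """Parse profile lines into a dict. Lines starting with '#' are comments;
    a parameter set twice keeps the last value, as the kernel does."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PARAM_LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def check_rule(cmp: str, expected: str, actual: str) -> bool:
    """Apply one comparison; a non-numeric value for a numeric rule fails."""
    if cmp in ("eq", "neq"):
        same = actual.upper() == expected.upper()
        return same if cmp == "eq" else not same
    try:
        a, e = int(actual), int(expected)
    except ValueError:
        return False
    return a >= e if cmp == "min" else a <= e


def audit_profile(text: str) -> Dict[str, str]:
    """Return parameter -> 'PASS' | 'FAIL' | 'MISSING' for every rule.
    MISSING means the profile does not set it, so the kernel default applies
    and the effective value has to be read in RZ11 instead."""
    params = parse_profile(text)
    status: Dict[str, str] = {}
    for name, (cmp, expected, _desc) in RULES.items():
        if name not in params:
            status[name] = "MISSING"
        else:
            status[name] = "PASS" if check_rule(cmp, expected, params[name]) else "FAIL"
    return status


def findings(text: str) -> List[str]:
    """Human-readable lines for everything that is not PASS."""
    params = parse_profile(text)
    out: List[str] = []
    for name, state in audit_profile(text).items():
        if state == "PASS":
            continue
        cmp, expected, desc = RULES[name]
        actual = params.get(name, "<not set>")
        out.append(f"{state:7} {name} = {actual} (expected {cmp} {expected}; {desc})")
    return out


# Constructed sample profile, not taken from any real system.
SAMPLE_PROFILE = """\
# DEFAULT.PFL extract (constructed sample)
SAPSYSTEMNAME = PRD
login/min_password_lng = 12
login/password_expiration_time = 180
login/password_max_idle_productive = 60
login/password_max_idle_initial = 7
login/fails_to_session_end = 3
login/fails_to_user_lock = 5
rdisp/gui_auto_logout = 1800
rsau/enable = 1
rec/client = OFF
"""

if __name__ == "__main__":
    for line in findings(SAMPLE_PROFILE):
        print(line)
```

Run against the sample, the script reports three findings: the 180-day password expiry, the switched-off rec/client, and the missing login/no_automatic_user_sapstar; the password length of 12 passes because the rule is "at least 8", not "equal to 8". A MISSING result is deliberately not treated as PASS, because the kernel default may or may not meet the target and has to be confirmed in RZ11.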