12/24/2014

SAP Audit guide Part 1

SAP administrators should follow these guidelines while preparing for an SAP audit:

(1) The status of the SAP standard user IDs should be checked using report RSUSR003. The SAP standard user IDs are SAP*, DDIC, EARLYWATCH and SAPCPIC. From an audit point of view, the passwords of these user IDs must not be the default ones.


The default passwords of the SAP standard user IDs are:

  • SAP* – 06071992
  • DDIC – 19920607
  • EARLYWATCH – SUPPORT
  • SAPCPIC – ADMIN




(2) The security audit log should be properly configured. It is configured using transaction code SM19, and certain profile parameters must be set for the audit log to work.

The parameters are:
  • rsau/enable – The value should be set to 1.
  • rsau/max_diskspace/per_day or rsau/max_diskspace/per_file – Either of the two can be set.
  • rsau/selection_slots – Decides the number of filters available, based on the various types of logs needed (for example one filter for logs related to RFC function calls, another for logs of transactions and reports executed by users, etc.).

The logs that get generated can be viewed using tcode SM20. SM20 shows the events matching the filters that have been set (which transaction or report was executed by which user at what time, etc.). It also gives a very important piece of information: the terminal from which the transactions were executed.


Old logs can be deleted using tcode SM18. This access should be restricted to the Basis team only.



(3) Maintaining user groups: It is a best practice to maintain user groups. User groups can be created using transaction code SUGR and assigned to users. User groups are very helpful because they identify whether a user is a business user, an IT user, a system user, etc. To some extent this helps in identifying the responsibilities that a user is supposed to have.


Some of the user groups can be as follows (names can be chosen as per convenience):

  • BASIS – For Basis team members
  • SECURITY – For Security team members
  • MM, SD, FI etc. – For IT production support users belonging to the various functional modules
  • BUSINESS – Business users
  • ESS – For users who log in through the portal
  • CANCEL – For cancelled users
  • INACTIVE – For inactive users
  • SYSTEM – For users of type System
  • SUPER – For super users like SAP*, DDIC, etc.




(4) Table logging: There are certain tables for which table logging should be enabled in the Production system. The technical settings of such tables need to be set to "Log data changes". Transaction code SE13 can be used to verify whether table logging is enabled for a table. Table DD09L can also be queried with the condition Log = X to get an overview of all tables for which table logging is enabled. The change documents for such tables can be viewed in table DBTABLOG.



(5) Maintaining proper values for profile parameters: Profile parameter values must be maintained as per best practice so as to satisfy the security audit requirements. Below are examples of some such profile parameters.


Profile parameter – Description – Expected value:

  • login/min_password_lng – Minimum length of the password that a user must enter – 8
  • login/password_expiration_time – Number of days after which a password expires – 90
  • login/password_max_idle_productive – Maximum period for which a productive password (a password chosen by the user) remains valid if it is not used – 60
  • login/password_max_idle_initial – Maximum number of days for which an initial password remains valid – 7
  • login/fails_to_session_end – Number of invalid login attempts until the session ends – 3
  • rdisp/gui_auto_logout – Maximum time in seconds after which a GUI session is automatically logged out – 3600
  • login/fails_to_user_lock – Number of invalid login attempts until the user gets locked – 5
  • login/no_automatic_user_sapstar – Controls automatic login as SAP* with the default password when the user master record of SAP* has been deleted – 1
  • rec/client – Activates or deactivates table logging in a client – ALL (table logging activated in all clients)
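A quick way to turn the parameter lists from sections (2) and (5) into a repeatable check is a small script that reads the parameters as `parameter = value` lines (the format of SAP profile files) and compares each one with the expected value. The following is an added example and not part of the original post; the sample profile is constructed, the "either one of the two disk-space parameters must be set" rule comes from section (2), and two choices are this example's own assumptions: a value of 0 for the expiry and time-out parameters is reported as a finding because 0 switches those checks off, and a parameter that is missing from the input is reported as a finding rather than assuming the kernel default is acceptable.

```python
import re

# Expected values from the post's table (section 5) and audit-log parameters
# (section 2). "min"/"max" are numeric bounds, "eq" is an exact match.
RULES = {
    "login/min_password_lng": ("min", 8),
    "login/password_expiration_time": ("max", 90),
    "login/password_max_idle_productive": ("max", 60),
    "login/password_max_idle_initial": ("max", 7),
    "login/fails_to_session_end": ("max", 3),
    "rdisp/gui_auto_logout": ("max", 3600),
    "login/fails_to_user_lock": ("max", 5),
    "login/no_automatic_user_sapstar": ("eq", "1"),
    "rec/client": ("eq", "ALL"),
    "rsau/enable": ("eq", "1"),
    "rsau/selection_slots": ("min", 1),  # assumption: at least one filter slot
}
# Assumption of this example: 0 disables these checks, so 0 is a finding
# even though 0 <= 90 numerically.
ZERO_DISABLES = {
    "login/password_expiration_time",
    "login/password_max_idle_productive",
    "login/password_max_idle_initial",
    "rdisp/gui_auto_logout",
}
# Section 2: at least one of these two must be set.
EITHER_OF = ("rsau/max_diskspace/per_day", "rsau/max_diskspace/per_file")

PARAM_RE = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")

# Constructed sample profile, not taken from a real system.
SAMPLE_PROFILE = """\
# constructed sample
SAPSYSTEMNAME = PRD
login/min_password_lng = 6
login/password_expiration_time = 0
login/password_max_idle_productive = 60
login/password_max_idle_initial = 7
login/fails_to_session_end = 3
rdisp/gui_auto_logout = 3600
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 1
rec/client = OFF
rsau/enable = 1
rsau/selection_slots = 4
rsau/max_diskspace/per_day = 500M
"""


def parse_profile(text):
    """Parse 'parameter = value' lines; '#' comments and blank lines are
    skipped, and a later occurrence of a parameter overrides an earlier one."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def check_profile(params):
    """Return a list of (parameter, actual, expected, ok) tuples."""
    findings = []
    for name, (check, expected) in RULES.items():
        actual = params.get(name)
        if actual is None:  # unset: reported, do not trust the kernel default
            findings.append((name, None, expected, False))
            continue
        if check == "eq":
            ok = actual.upper() == str(expected).upper()
        else:
            try:
                value = int(actual)
            except ValueError:  # non-numeric where a number is required
                findings.append((name, actual, expected, False))
                continue
            if name in ZERO_DISABLES and value == 0:
                ok = False
            elif check == "min":
                ok = value >= expected
            else:
                ok = value <= expected
        findings.append((name, actual, expected, ok))
    present = [p for p in EITHER_OF if p in params]
    findings.append((" or ".join(EITHER_OF), ", ".join(present) or None,
                     "either one set", bool(present)))
    return findings


def noncompliant(findings):
    """Names of the parameters that failed their check, in rule order."""
    return [f[0] for f in findings if not f[3]]


if __name__ == "__main__":
    for name, actual, expected, ok in check_profile(parse_profile(SAMPLE_PROFILE)):
        print(f"{'OK  ' if ok else 'FAIL'} {name}: actual={actual!r} expected={expected!r}")
```

Run against the constructed sample, the script flags login/min_password_lng (6 is below 8), login/password_expiration_time (0, i.e. passwords never expire) and rec/client (OFF instead of ALL); everything else, including the audit-log parameters, passes. Pointing `parse_profile` at the text of a real instance or default profile gives the same report for that system.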




(6) System and client setting options:

The following system change options should be set for the Production environment. They are set using transaction code SE06 (System Change Option):

  • Global Settings: Not Modifiable
  • Software Component: Not Modifiable
  • Namespace / Name Range: Not Modifiable

The following client settings should be set in the Production environment:

  • Client Role: Production
  • Changes and Transports for Client-Specific Objects: No changes allowed
  • Cross-Client Object Changes: No changes to Repository and cross-client Customizing objects
  • CATT and eCATT Restrictions: CATT and eCATT not allowed

Go to Part 2 
