Wednesday, March 9, 2022

SAP Security Audit Log

Security of computer systems (cybersecurity, or IT security) is a very important part of today's world. ERP systems are no exception; in this context the term enterprise information security is used. Systems are becoming ever more complex, and complexity brings vulnerabilities, bugs, etc. that can be misused by an attacker.

In systems based on the SAP NetWeaver ABAP Stack/ABAP Platform there are a few tools available that support the analysis of security aspects. One of them is the SAP Security Audit Log (SecAudit for short). It consists of a few t-codes: SM18, SM19 and/or SM20. Its purpose is to log security-related system events, such as configuration changes; unsuccessful logon attempts (dialog, background (e.g. over RFC)); changes to user master records; RFC calls to function modules; successful/unsuccessful transaction starts; changes to the audit configuration; file uploads/downloads; activation/deactivation of HTTP services; changes to ICF (Internet Connection Framework); usage of digital certificates/signatures; unsuccessful password checks; activities in the Virus Scan Interface (VSI), etc. The events to be logged are defined in the Audit Log's configuration. The recorded events provide information useful for monitoring changes to the SAP system or for tracking a series of events.

SM19 - Configuration of the Security Audit Log (static/dynamic configuration, kernel parameters). It is used to create profiles for the Security Audit Log; the filters in a profile determine which events are to be recorded for which users.

SM20 / SM20N - Analysis of Security Audit Log

SM18 - Reorganization of the Security Audit Log, i.e. deletion of old SecAudit logs


More information:

Online documentation

Support site component: BC-SEC-SAL

539404 - FAQ: Answers to questions about the Security Audit Log

2191612 - FAQ | Use of Security Audit Log as of SAP NetWeaver 7.50

2546993 - Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)
