
Acknowledgments to Security Researchers


The SAP Product Security Response Team thanks all researchers and security IT professionals that help with discovering and solving security vulnerabilities. Their findings continuously help SAP maintain the security and safety of its customers' and partners' SAP systems.

Our acknowledgements page lists those professionals we have worked with successfully in the past. We thank all security researchers for their excellent work and hope to continue the beneficial relationship between security professionals and SAP.

Security researchers who have helped SAP to improve the security and integrity of our customers' IT systems by respecting our disclosure guidelines this month are:

 

June 2016


Compass Security Schweiz AG, Damian Pfammatter

ERPScan, Alexander Polyakov, Nursultan Abubakirov, Vahgan Vardanyan

ERP Security, Joris Van De Vis

Konduru Jashwanth

Onapsis, Juan Perez-Etchegoyen, Sergio Abraham

Philips India ltd, Makkena Narendra

SaifAllah benMassaoud


Each Patch Day (second Tuesday of a month) the involved external researchers are listed with company name, link to their home page, and name of the person. Details about the findings are not included. The order of the list is alphabetical according to company name.

For previous months' acknowledgments, visit the acknowledgments archive page.

To view the security notes released this Patch Day, visit the Support Portal.


SAP encourages the responsible disclosure of security vulnerabilities and therefore requests the researchers to follow the following general guidelines:

  1. If you have detected a vulnerability in one of our software products – either in the latest or in a former product version – you shall inform us about the issue and follow the guidelines and processes in accordance with our Portal page “Report a Security Vulnerability to SAP”.
  2. Give SAP sufficient time to develop suitable fixes.
  3. Do not publicize vulnerabilities until SAP customers have had enough time to deploy fixes.
  4. As a rule of thumb, we suggest respecting an implementation time of three months. We ask all security researchers to not disseminate any kind of information or tools that would help to exploit the vulnerability during that time.
  5. Provide us with all of your external disclosures beforehand, such as advisories or presentations with SAP product security content, for a review.


We honestly appreciate your work and certainly want to show this appreciation through credits on a public Web site. Nevertheless, SAP reserves the right to change or delete credits at any time.

For further information, read the Disclosure Guidelines for SAP Security Advisories.


Profile Generation problem after EHP upgrade


Hello,

 

Can someone help here. We have recently upgraded to EHP 7.

After the upgrade, we see that the user buffer is not getting updated from roles with large data. For e.g., for derived roles with more than one profile, the objects are available in the role, the role is assigned to the user, the profiles look generated with green status, and the user comparison looks good.

But the objects do not appear in the user buffer, hence the user misses authorization for the objects, and the role does not appear when we check in SUIM.

Does anybody know of any authorization sub-notes that need to be implemented, or any other solution?

Due to the profile generation problem in SUPC, we had already implemented sub-note 2220928. Are there any other linked sub-notes?

Restrict user type change in SU01 T-code


Hi All,

 

How can we restrict user type changes for users who have access to the SU01 T-code? We need to restrict only the user type change. Is there any authorization object related to user type with which we can restrict user type changes?

 

Thanks in advance

 

Narendra varma

Maintenance of user locked by user CUA_PXX_100 error


A role has been assigned in the CUA system, but it did not reflect in the child system.

It did not work even after text comparison.

 

When I checked the SCUL logs, I could see the below error.

 

[screenshot: CUA error.JPG]

So may I know:

 

1. Why did we get the error even though that user was not locked, as the same CUA_PXX_100 user should make the new role assignment also?

 

2. Do we have any option to resume the role assignment step that was not done due to this error? (Ensured that the user is not locked.)

 

Thanks in advance for your answers.

 

Regards,

Chaitanya

Delete Auth Object From SAP_ALL


Hi all,

I assigned an authorization object to the profile SAP_ALL. But now I want to delete the auth. object from SAP_ALL, and I cannot change SAP_ALL from PFCG. How can I do this?

 

Regards,

Exclude T-code from SAP all


Hi! Does anyone know how we can exclude 3 transactions from the role SAP all? I need this to exclude the transactions VKM* (release credit-blocked documents) from the role for FI SAP all, which will be assigned to the chief accountant. Thanks!

SAP Security Notes June 2016 - Review


SAP has released the monthly critical patch update for June 2016. This patch update closes 21 vulnerabilities in SAP products, including 15 SAP Security Patch Day Notes and 6 Support Package Notes. 8 of these Notes were released after the second Tuesday of the previous month and before the second Tuesday of this month. 3 of the notes are updates to previous Security Notes.

3 of the closed SAP Security Notes have a high priority rating and 1 has a Hot News rating. The highest CVSS score of the vulnerabilities is 9.1.

[Chart: SAP Security Notes June 2016 by priority]

Most of the discovered vulnerabilities belong to the SAP NetWeaver ABAP platform, the oldest and the most widespread one. It is the backend platform for most of the common business applications such as ERP, CRM, SRM, and PLM.

[Chart: SAP Security Notes June 2016 by platform]

The most common vulnerability types are Cross-site scripting and Missing authorization check.


This month, 4 critical vulnerabilities identified by ERPScan’s researchers Nursultan Abubakirov, Alexander Polyakov, and Vahagn Vardanyan were closed.

 

How long does it take a vendor to patch an issue?

 

Third-party researchers discover numerous security issues in various products on a daily basis. A responsible vendor usually tries to fix an issue in a timely fashion. As a rule, it takes a vendor approximately 1-3 months to release a patch. However, some vulnerabilities are not easy to close (especially architectural ones). As far as SAP is concerned, the required time to patch a security issue is 3 months, according to rough estimations.

This month, SAP fixed a vulnerability detected by ERPScan researcher Alexander Polyakov 3 years ago. The identified cybersecurity issue is an Information Disclosure vulnerability in BI Reporting and Planning of the Business Warehouse (BW) component. The product can transform and consolidate business information from virtually any source system.

The issue was reported on the 20th of April, 2013. This means that it took SAP more than 3 years to fix the issue. Moreover, not all companies implement a patch after the release date. As the Invoker Servlet case shows, sometimes SAP systems stay unpatched even 5 years after the Security Note release. Taking into account that the vulnerability impact is rather severe (CVSS v3 Base Score: 5.3/10), as it allows an attacker to discover information useful for further attacks, the unpatched vulnerability puts companies at serious risk.

 

Issues that were patched with the help of ERPScan

 

Below are the details of the SAP vulnerabilities  that were found by ERPScan researchers.

 

  • A Cross-site scripting vulnerability in SAP ecattping (CVSS Base Score: 6.1). The update is available in SAP Security Note 2256178. An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page.
  • An Information disclosure vulnerability in SAP BI Reporting and Planning (CVSS Base Score: 5.3). The update is available in SAP Security Note 2197262. An attacker can use an Information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) which helps an attacker to learn about a system and to plan further attacks.
  • A Denial of service vulnerability in SAP Sybase SQL Anywhere MobiLink Synchronization Server (CVSS Base Score: 4.9). The update is available in SAP Security Note 2308778. An attacker can use a Denial of service vulnerability to terminate a process of a vulnerable component. For this period of time, nobody can use the service, which negatively affects business processes, causes system downtime, and, as a result, damages business reputation.
  • A Directory traversal vulnerability in SAP Data Services (CVSS Base Score: 2.7). The update is available in SAP Security Note 2300346. An attacker can use Directory traversal to access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system.

 

Other critical issues closed by SAP Security Notes June 2016

 

Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Audit, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:

 

  • 2306709: SAP Documentation and Translation Tools has a Code injection vulnerability (CVSS Base Score: 9.1). Depending on the code, an attacker can inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify the system output, create new users with higher privileges, control the behavior of the system, or potentially escalate privileges by executing malicious code, or even perform a DoS attack. Install this SAP Security Note to prevent the risks.
  • 2222731: SAP DesignStudio SFIN has a Cross-site scripting vulnerability (CVSS Base Score: 8.8). An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page. Install this SAP Security Note to prevent risks.
  • 2308217: SAP Web-Survey has an XML external entity vulnerability (CVSS Base Score: 7.5). An attacker can use an XML external entity vulnerability to send specially crafted unauthorized XML requests which will be processed by the XML parser. An attacker can use an XML external entity vulnerability to get unauthorized access to the OS filesystem. Install this SAP Security Note to prevent risks.

It is highly recommended that SAP customers patch all those SAP vulnerabilities to prevent business risks affecting SAP systems.

SAP has traditionally thanked the security researchers from ERPScan for the vulnerabilities they found on its acknowledgment page.

Authentication between SCC and backend ABAP system


We are currently having an authentication issue between our SCC and the backend ABAP system.

Steps done so far:

- created a PKCS#12 cert and loaded it in SCC (CA cert and system cert)

- loaded the same cert in STRUST of the ABAP backend system

- created a cert from Principal Propagation to use in CERTRULE in the backend ABAP system

 

[screenshots: FIORI 1.JPG, FIORI 2.JPG, FIORI 4.JPG, FIORI 5.JPG]


SAPinsider: Focus on SAP Security


The current issue of the SAPinsider journal highlights a selection of security topics, with articles running the gamut from risk mitigation to enterprise security.

 

In the executive Q&A, SAP's Chief Security Officer Justin Somaini talks about protecting the enterprise in phases of digital transformation and changing threat landscapes.

 

In "Gain Control and Mitigate Risk", Bruce McCuaig explains the three lines of defense for a holistic security framework.

 

"Integrated Security Solutions to Mitigate Risks on All Fronts" by Thomas Frénéhard goes into more detail to show how SAP's governance, risk, and compliance (GRC) and security solutions protect companies in the digital age.

 

Ralph Salomon, VP of Secure Operations at SAP, describes how "SAP Runs SAP Secure" in his article about SAP's own security infrastructure and strategy on the basis of three pillars: Prevention, detection, and reaction.

 

And finally, "An Integrated Approach to Identifying Security Risks" by Martin Plummer gives an overview of the SAP Enterprise Threat Detection solution, which enables companies to set up an integrated security analysis across their IT landscape.

 

Happy reading!

Featured Content in Security



SAPinsider Journal: Focus on SAP Security

The current issue of the SAPinsider professional journal puts a strong focus on security in the SAP world, highlighting different aspects such as risk mitigation, cyber security, and the internal “SAP runs SAP secure” approach. Read more in Regine Schimmer’s blog highlighting each article. June 16, 2016

 

Join our new Customer Engagement Initiative (CEI) Projects

The new projects of the CEI are now open for registration until June 10th, 2016. Join us for the new CEIs on "Enterprise Threat Detection (ETD)", "Identity and Access Provisioning for Cloud Applications", and "Extending SAP Identity Management Connectivity". Find out more. June 1, 2016

 


SAP Enterprise Threat Detection Integrated into Hewlett Packard Enterprise ArcSight

Read Daniel Magin’s blog and learn how you can use SAP Enterprise Threat Detection integrated with Hewlett Packard Enterprise (HPE) ArcSight to provide holistic monitoring capabilities for the complete IT landscape of your organization. June 1, 2016

SNC Activation Problem


Hi all,

 

We are trying to configure SNC in our system; we have completed the steps up to setting the profile parameters.

 

When restarting the server after adding the parameters in the instance profile, the gateway stopped and then the dispatcher also stopped.

 

We checked all the added parameters; the snc/enable parameter has the problem. When we comment out (#) the parameter, the server starts fine.

 

We set snc/enable = 1...

 

Can you please help me to find what is the problem...

 

Thanks and Regards,

Sajmal

T code FPL9 authorization restriction


Hello Experts,

 

I have a situation wherein I need to restrict users to only viewing Utility accounts in FPL9, not the Property Tax account. However, when I checked the auth objects for FPL9, I did not find any option to restrict the Property Tax account in FPL9.

 

Please suggest

 

 

Regards

Piyush

Transport Overwrite


Hello Friends,

We have come across a situation where a transport gets overwritten by some other transport and we lose the changes done in the roles.

For example: suppose Role1 has been changed and a transport has been generated, say TR1, and the same role has been changed again after some time and TR2 has been generated. Now, during the production transport, TR2 moves first and then TR1 goes. Now the changes are overwritten. What can be the possible solutions to overcome this?

One solution we came across is checking SE03 (Transport Organizer) for the same role. If there are two transports, then we would need confirmation from the change owner about when his transport will go, and then we can transport the later changes.

Please let me know if there is any other solution as well.

 


Customizing authorization


Hello Experts,

 

I have some questions regarding customizing authorizations, and I kindly ask for your opinion:

1. To grant a person with duties to customize e.g. module SD, I've marked node SD in SPRO and then created a role with all necessary transactions and tables --> SPRO, SM30, relevant tables, AND all the S_ALR* transactions which are associated with this node.

Question: How can I identify all the S_ALR* transactions which lead to BAdI activities?

2. If I turn this customizing role into display only, the idea is to assign ACTVT=3 only. Do you agree with this approach? Are BAdIs critical in this role?

 

Thanks in advance!

Mass role creation and addition of tcodes to role menu


Hi Folks,

 

We have a requirement to build 1000s of single roles for an implementation. Our security matrix is ready with the role names and the list of tcodes to be embedded in each of these roles. What I would like to know is whether we can automate a part of the role-building process, i.e. the following 3 steps only.

 

1. Creation of the role

2. Addition of the tcodes to the role menu

3. Save

 

I'm aware of eCATT/LSMW, through which we can create the roles, but I'm not sure if we can add the tcodes to the menu of the roles, since the number of tcodes to be populated in each role will vary.

 

Could any of you shed some light on whether it is possible to automate the addition of tcodes to the role menu, taking into consideration that each role will have a different number of tcodes to be added to the menu, and what's the best possible way to achieve this if one exists?

 

Thanks in advance for your time and suggestions!

 

Guest...


Validate Keystore from mapping java UDF (SAP PI 7.4 java only)


Hi.

First I try to explain the situation.

 

We have interfaces with AFIP (the government agency in Argentina for tax, electronic invoices, etc.).

We don't use the standard scenario for this (the one in SAP Note 1537823 - RG2904 Argentina E-invoice Webservice for Domestic Scenario).

 

We created the key certificate and performed all necessary steps to upload the key into SAP PI.

We also see this key and use it in the channel for this, and it works ok.

 

For a specific interface we need to create a request that contains an XML, transform it to CMS, and then to Base64...

To do this we take the Java package from the SAP Note and use the Java package (wsaaClass.jar/wsaaClass.class)

and create a class with the method we need, which is

 

   public static String create_cms(String loginTicketRequestXML, String keyStorageView, String keyStorageEntry, AbstractTrace trace)


In the program we assign the parameters (the XML, and the "Key view" and "Key entry" with the same names we use in the channel that works ok). But at runtime the message is cancelled with the following error:


Runtime exception when processing target-field mapping ........ ; root message: Exception:[java.lang.SecurityException: Error while accessing keystore Entry: java.security.KeyStoreException: No key found with alias...]


My question is whether this method maybe uses an old location (for PI 7.0 or dual stack) when looking up the key...?

 

Thanks for the ideas and help

 

Regards

Martin


Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)


This document was generated from the following discussion: Recommended Settings for the Security Audit Log (SM19 / SM20)

 

This blog started out giving recommendations about settings for the Security Audit Log, but in the meantime it has evolved to show tips & tricks in general.

Another sound source of information is the FAQ notes 539404 "FAQ: Answers to questions about the Security Audit Log" and 2191612 "FAQ | Use of Security Audit Log as of NetWeaver 7.50".

 

Contents

 

 

Profile Parameters / Kernel Parameters

 

rsau/enable = 1

rsau/selection_slots = 10 (or higher if available)

rsau/user_selection = 1

DIR_AUDIT and FN_AUDIT define the path and the file name pattern for the log files.

 

As of release SAP_BASIS 7.40 you can use the so-called "Kernel Parameters" instead of the listed profile parameters. You find them on a new tab in transaction SM19. See chapter Preparing the Security Audit Log in the online documentation. You can set them dynamically, and once set they override the values of the profile parameters. Take care to inspect these Kernel Parameters after an upgrade to SAP_BASIS 7.40 or higher.

 

Filter settings in SM19

 

Depending on the release you can set 10, 15 (as of SAP_BASIS 7.40 SP 8) or 90 (as of SAP_BASIS 7.50 SP 2) filters. See FAQ Note 539404 item [4].

 

 

1. Filter: Activate everything which is critical for all users '*' in all clients  '*'.

  • You may deactivate the messages of class “User master record change (32)” because you get change documents for users in transaction SUIM anyway.
  • Consider adding messages AUO, AUZ, BU5, BU6, BU7, BU9, BUA, BUB, BUC, BUH, AUP, AUQ.
  • If you maintain logical file names using transaction FILE (see note 1497003), then add messages CUQ, CUR, CUS, CUT, DU5.
  • If you maintain an Access Control List for RFC callback (see note 2128095), then add messages DUI, DUJ, DUK.

 

 

2. Filter: Activate everything for special user SAP* in all clients '*'

You cannot use a filter 'SAP*' because this would include the virtual user SAPSYS because of profile parameter rsau/user_selection = 1. This virtual user SAPSYS performs many house-keeping activities triggered by the system itself. You do not want to log these events.

 

However, you can use the special filter value 'SAP#*' instead.

 

You can use this special filter value 'SAP#*' in transaction SM20 or report RSAU_SELECT_EVENTS as well, to show log entries for user SAP* only.

 

If you can define filters for user groups (see note 2285879), then you can create filters for user groups like SUPER instead. This has the additional advantage that the built-in user SAPSYS does not produce any log entries.

 

 

3+4. Filter: Activate everything for other support and emergency users, e.g. 'SAPSUPPORT*' (SAP Support users) or 'FF*' (FireFighter), in all clients '*'.

 

If you can define filters for user groups, then you can create filters for the corresponding user groups instead.

 

 

5. Filter: Activate all events for the dialog activities 'logon' and 'transaction' for user 'DDIC' in all clients '*'. This user should not be used in dialog mode. It's only required for specific activities while applying support packages or while importing transports (however in this case you can use another background user as well).

 

 

6. Filter: Activate everything for client '066'. This client is not used anymore and can be deleted (see  http://scn.sap.com/community/security/blog/2013/06/06/how-to-remove-unused-clients-including-client-001-and-066 ).

 

 

7. Filter: Activate RFC events (AUL, AUK, AU6, AU5) for a short time for selected users to identify RFC connection problems easily (see http://scn.sap.com/community/security/blog/2010/12/05/how-to-get-rfc-call-traces-to-build-authorizations-for-srfc-for-free ).

 

 

8. and following Filters: free for other project-specific purposes

 


The client field accepts either single values like 000 or a * to catch all clients.

 

The user field accepts pattern characters as well (see note 574914):

  • * any sequence of characters (only the first * within the filter string is interpreted as a pattern character)
  • + exactly one character
  • # disables the following pattern character

 

The user group field accepts exact values only.

 

Using the print function (command PRINT) in transaction SM19 or report RSAU_INFO_SYAG, you can show an overview of the current settings.
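To make the filter semantics above concrete, here is an added Python example (not part of this document and not SAP code) that models the user-field pattern rules and the recommended filter slots 1, 2, 5 and 6, then reports which slot would record a handful of constructed events. The filter model (client, user pattern, audit classes, minimum severity) and the severity ordering Non-Critical < Severe < Critical are simplifications assumed for the example; the pattern matcher follows the three rules from note 574914 as quoted above, with the added assumption that characters after the first '*' are matched literally. The sample events and user IDs are constructed, with message IDs and event classes taken from the event table later in this document.

```python
"""Added example: model of SM19 user-filter pattern matching and filter slots.

Not SAP code. Pattern rules follow note 574914 as quoted in the text:
  *  any sequence of characters (only the FIRST * is a wildcard)
  +  exactly one character
  #  disables the pattern meaning of the following character
Assumption: a second '*' and any escaped character are matched literally.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


def sal_user_match(pattern: str, user: str, star_used: bool = False) -> bool:
    """Return True if the SM19 user filter `pattern` selects user ID `user`."""
    if not pattern:
        return user == ""
    c, rest = pattern[0], pattern[1:]
    if c == "#" and rest:
        # '#' escapes the next character: it must appear literally in the user ID
        return user[:1] == rest[0] and sal_user_match(rest[1:], user[1:], star_used)
    if c == "*" and not star_used:
        # the first '*' absorbs any number of characters (including none)
        return any(sal_user_match(rest, user[k:], True) for k in range(len(user) + 1))
    if c == "+":
        # '+' consumes exactly one character of any value
        return len(user) >= 1 and sal_user_match(rest, user[1:], star_used)
    # literal character (this branch also handles a second, non-wildcard '*')
    return user[:1] == c and sal_user_match(rest, user[1:], star_used)


def severity(event_class: str) -> int:
    """Assumed ordering: 0 = Non-Critical, 1 = Severe, 2 = (Very) Critical.
    'with Monitor Alert' suffixes do not change the rank."""
    if "Critical" in event_class and not event_class.startswith("Non"):
        return 2
    if event_class.startswith("Severe"):
        return 1
    return 0


@dataclass(frozen=True)
class SalFilter:
    slot: int
    client: str                    # '000', '066', ... or '*' for all clients
    user: str                      # user pattern exactly as entered in SM19
    audit_classes: FrozenSet[str]  # empty set = all audit classes
    min_severity: int              # 0 = all, 1 = severe+critical, 2 = critical only


@dataclass(frozen=True)
class SalEvent:
    client: str
    user: str
    msg_id: str
    audit_class: str
    event_class: str


def matching_slots(filters: List[SalFilter], ev: SalEvent) -> List[int]:
    """Slots whose client, user pattern, audit class and severity all select `ev`."""
    return [
        f.slot for f in filters
        if (f.client == "*" or f.client == ev.client)
        and sal_user_match(f.user, ev.user)
        and (not f.audit_classes or ev.audit_class in f.audit_classes)
        and severity(ev.event_class) >= f.min_severity
    ]


# Filter slots 1, 2, 5 and 6 as recommended in the text (constructed from the prose).
RECOMMENDED = [
    SalFilter(1, "*", "*", frozenset(), 2),          # critical events, all users, all clients
    SalFilter(2, "*", "SAP#*", frozenset(), 0),      # everything for the literal user SAP*, not SAPSYS
    SalFilter(5, "*", "DDIC", frozenset({"Dialog Logon", "Transaction Start"}), 0),
    SalFilter(6, "066", "*", frozenset(), 0),        # everything in the unused client 066
]

# Constructed sample events (user IDs are made up; IDs/classes from the event table).
SAMPLE_EVENTS = [
    SalEvent("000", "SAPSYS", "AU3", "Transaction Start", "Non-Critical"),  # house-keeping noise
    SalEvent("100", "SAP*", "AU1", "Dialog Logon", "Severe"),               # built-in user logs on
    SalEvent("100", "DDIC", "AU3", "Transaction Start", "Non-Critical"),    # DDIC used in dialog
    SalEvent("066", "EARLYWATCH", "AU1", "Dialog Logon", "Severe"),         # activity in client 066
    SalEvent("100", "JDOE", "AU2", "Dialog Logon", "Critical"),             # failed logon, normal user
    SalEvent("100", "JDOE", "AU1", "Dialog Logon", "Severe"),               # successful logon, normal user
]


def evaluate(filters=RECOMMENDED, events=SAMPLE_EVENTS) -> dict:
    """Return {(user, msg_id): [matching slots]} for each sample event."""
    return {(ev.user, ev.msg_id): matching_slots(filters, ev) for ev in events}


if __name__ == "__main__":
    for (user, msg_id), slots in evaluate().items():
        print(f"{user:<11} {msg_id}  -> logged by slots {slots or 'none'}")
```

Running the block shows the point made in the text: with 'SAP*' as the filter the SAPSYS house-keeping event would be recorded, whereas 'SAP#*' selects only the literal user SAP*, and a successful logon of an ordinary user is not written at all under these four slots because slot 1 records critical events only.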

 

List of events

 

If you miss some of the events described in this document then search for notes of application component BC-SEC-SAL.

 

Using note 1970644 you can get report RSAU_INFO_SYAG which shows all events of the Security Audit Log including a summarized status about the activation of the events. The detail view allows you to create an HTML-based event definition print list including the full documentation.

 

Within transaction SM19 you can use the system function =PRINT (or the printer icon in the top icon row) to document the definition of the static profiles as well as the current definition of the dynamic configuration. This list shows the details of all filter slots.

 

Events ordered by selected topics and security optimization projects:

 

Topic keyword | Description and references | Messages
BACK | RFC callback (note 2128095). Project: "Secure RFC Callback" | DUI DUJ DUK
CCM_TOOLSET_STARTER | | BUX
CUSTOM | Customer-specific events using function module RSAU_WRITE_CUSTOMER_EVTS (note 1941526) | DUX DUY DUZ
DEBUG | Debugging (change mode) | BUZ, CUL, CU_M, CUN, CUO, CUP, CUY (BUY is obsolete)
EHS-SADM | (note 1792047) | DUA DUB DUC DUD DUE DUF DUG
FILE | Directory traversal (note 1497003). Project: "Secure file access" | CUQ CUR CUS CUT DU5
OAUTH | OAuth 2.0 | (AU2) BUV BUW DUH
PAYLOAD | | CUU CUX
RAL | Read Access Logging (note 1902280) | BU0 CU0 DU0
RBAM | Role Based Access Management in SAP Business ByDesign systems (note 948275) | BUI BUJ
REPORT | Report start. Project: "Avoid SA38 by using custom report transactions" | AUW AUX
RFC-TABLE | Generic table access via RFC using functions like RFC_READ_TABLE (note 1539105). Project: "Secure standard table access (authorization object S_TABU_RFC)" | CUZ DU9
SACF | Switchable authorization scenarios, transaction SACF (note 2078596). Project: "Secure RFC functions" | DUO DUP DUQ DUU DUV
SAML | SAML authentication, transaction SRTUTIL (note 1570266) | (AU2) BUK BUL BUM BUN BUO BUP CUA CUB CUC CUD CUE CUF CUG CUH
SAP FTP | FTP server whitelist using table SAPFTP_SERVERS (note 1605054). Project: "Secure SAP FTP" | DU1 DU2 DU3 DU4 DU5 DU6 DU7 DU8
SE16 | Generic table access using transactions like SE16, SE16N, SM30, SM31, SM34, or SQV (note 2041892). Project: "Secure standard table access (authorization objects S_TABU_DIS, S_TABU_NAM)" | DU9
SLDW | Generic whitelists | DUL DUM DUN
SNC | SNC Client Encryption (note 2104732). Project: "Encrypt SAP GUI communication" | BUJ
TCODE | Transactions | AU3 AU4 AUP AUQ
USER | Change user master data (not required, as you get change documents anyway) | BU2 AU8 AU7 AU9 AUA AUB AUD AUR AUS AUT AUU
WEB-SERVICE | Web service calls (note 1620477) | CUV CUW
XSRF | XSRF attacks (note 1619912) | BUS

 

Note 2073809 shows special documentation/changes about the messages

  • BUY (which is replaced by message CUL),
  • CUY (which is related to debugger messages BUZ, CUL, CU_M, CUN, CUO, CUP), and
  • CUZ (which is related to message DU9).

 

List of events from table TSL1D or report RSAU_INFO_SYAG.

This list is a snapshot - check it in your system - with a comparison between releases 702 and 740. Some of the new messages may already have been added in 731 or via downports.

 

Audit class | Message ID | Event class | New in release | Message
Dialog Logon | AU1 | Severe | | Logon successful (type=&A, method=&C)
Dialog Logon | AU2 | Critical | | Logon failed (reason=&B, type=&A, method=&C)
Dialog Logon | AUC | Non-Critical | | User Logoff
Dialog Logon | AUM | Critical with Monitor Alert | | User &B Locked in Client &A After Erroneous Password Checks
Dialog Logon | AUN | Critical | | User &B in Client &A Unlocked After Being Locked Due to Inval.Password Entered
Dialog Logon | AUO | Severe | | Logon Failed (Reason = &B, Type = &A)
Dialog Logon | BUD | Critical | | WS: Delayed logon failed (type &B, WP &C). Refer to Web service log &A.
Dialog Logon | BUE | Non-Critical | | WS: Delayed logon successful (type &B, WP &C). Refer to Web service log &A.
Dialog Logon | BUI | Critical | | SPNego replay attack detected (UPN=&A)
Dialog Logon | BUK | Non-Critical | | &A assertion used
Dialog Logon | BUL | Non-Critical | | &A: &B
Dialog Logon | BUM | Non-Critical | | Name ID of a subject
Dialog Logon | BUN | Non-Critical | | Attribute
Dialog Logon | BUO | Non-Critical | | Authentication assertion
Dialog Logon | BUP | Non-Critical | | &A
Dialog Logon | BUQ | Non-Critical | | Signed LogoutRequest accepted
Dialog Logon | BUR | Non-Critical | | Unsigned LogoutRequest accepted
Dialog Logon | CU2 | Severe | 740 | OAuth 2.0: Invalid access token received (reason=&A)
Dialog Logon | CU3 | Severe | 740 | OAuth 2.0: Insufficient OAuth 2.0 scope for requested resource (user=&A)
Dialog Logon | CU4 | Critical | 740 | OAuth 2.0: Logged-on client user &A not same as parameter client ID &B
Dialog Logon | CU5 | Severe | 740 | OAuth 2.0: Client &A requested invalid access grant type &B
Dialog Logon | CU6 | Critical | 740 | OAuth 2.0: Client ID &A in SAML assertion not same as client ID &B in request
Dialog Logon | CU7 | Severe | 740 | OAuth 2.0: Scope &B not permitted for client &C, user &D (cause=&A)
Dialog Logon | CU8 | Non-Critical | 740 | OAuth 2.0: Access token issued (client=&A, user=&B, grant type=&C)
Dialog Logon | CU9 | Non-Critical | 740 | OAuth 2.0: Valid access token received for user &A
Dialog Logon | CUA | Severe | | Rejected Assertion
Dialog Logon | CUB | Severe | | &A: &B
Dialog Logon | CUC | Severe | | &A
Dialog Logon | CUD | Severe | | Name ID of a subject
Dialog Logon | CUE | Severe | | Attribute
Dialog Logon | CUF | Severe | | Authentication Assertion
Dialog Logon | CUG | Severe | | Signed LogoutRequest rejected
Dialog Logon | CUH | Severe | | Unsigned LogoutRequest rejected
Dialog Logon | DU0 | Critical with Monitor Alert | | Invalid SAP GUI data
RFC Logon | AU5 | Non-Critical | | RFC/CPIC logon successful (type=&A, method=&C)
RFC Logon | AU6 | Critical | | RFC/CPIC logon failed, reason=&B, type=&A, method=&C
RFC Function Call | AUK | Non-Critical | | Successful RFC Call &C (Function Group = &A)
RFC Function Call | AUL | Critical | | Failed RFC Call &C (Function Group = &A)
RFC Function Call | CUV | Non-Critical | | Successful WS Call (service = &A, operation &B)
RFC Function Call | CUW | Critical | | Failed Web service call (service = &A, operation = &B, reason = &C)
RFC Function Call | CUZ | Critical | | Generic table access by RFC to &A with activity &B
RFC Function Call | DU1 | Severe | | FTP server whitelist is empty
RFC Function Call | DU2 | Severe | | FTP server whitelist is non-secure due to use of placeholders
RFC Function Call | DU3 | Critical | | Server &A is not contained in the whitelist
RFC Function Call | DU4 | Critical | | Connection to server &A failed
RFC Function Call | DU5 | Critical | | There is no logical file name for path &A
RFC Function Call | DU6 | Non-Critical | | Validation for &A successful
RFC Function Call | DU7 | Critical with Monitor Alert | | Validation for &A failed
RFC Function Call | DU8 | Non-Critical | | FTP connection request for server &A successful
RFC Function Call | DUI | Non-Critical | | RFC callback performed (destination &A, called &B, callback &C)
RFC Function Call | DUJ | Critical | | RFC callback rejected (destination &A, called &B, callback &C)
RFC Function Call | DUK | Critical | | RFC callback in simulation mode (destination &A, called &B, callback &C)
RFC Function Call | DUR | Non-Critical | | JSON RPC call of function module &A succeeded
RFC Function Call | DUS | Non-Critical | | JSON RPC call of function module &A failed
RFC Function Call | DUT | Critical | | Critical JSON RPC call of function module &A (S_RFC * authorization)
RFC Function Call | FU1 | Non-Critical | 740 | RFC function &B with dynamic destination &C was called in program &A
Transaction Start | AU3 | Non-Critical | | Transaction &A Started
Transaction Start | AU4 | Critical | | Start of transaction &A failed (Reason=&B)
Transaction Start | AUP | Severe | | Transaction &A Locked
Transaction Start | AUQ | Severe | | Transaction &A Unlocked
Transaction Start | BUX | Severe | 740 | Test message
Transaction Start | CUI | Non-Critical | 740 | Application &A started
Transaction Start | CUJ | Critical | 740 | Failed to start application &A (reason =&B)
Transaction Start | DU9 | Non-Critical | | Generic table access call to &A with activity &B (auth. check: &C )
Report Start | AUW | Non-Critical | | Report &A Started
Report Start | AUX | Severe | | Start Report &A Failed (Reason = &B)
User Master Record Change | AU7 | Critical | | User &A Created
User Master Record Change | AU8 | Severe | | User &A Deleted
User Master Record Change | AU9 | Severe | | User &A Locked
User Master Record Change | AUA | Severe | | User &A Unlocked
User Master Record Change | AUB | Severe | | Authorizations for User &A Changed
User Master Record Change | AUD | Severe | | User Master Record &A Changed
User Master Record Change | AUR | Severe | | &A &B Created
User Master Record Change | AUS | Severe | | &A &B Deleted
User Master Record Change | AUT | Severe | | &A &B Changed
User Master Record Change | AUU | Critical | | &A &B Activated
User Master Record Change | BU2 | Non-Critical | | Password changed for user &B in client &A
User Master Record Change | BUV | Critical | 740 | Invalid hash value &A. The context contains &B.
User Master Record Change | BUW | Critical | 740 | A refresh token issued to client &A was used by client &B.
User Master Record Change | DUH | Severe with Monitor Alert | 740 | OAuth 2.0: Token declared invalid (OAuth client=&A, user=&B, token type=&C)
Other events | AU0 | Non-Critical | | Audit - Test. Text: &A
Other events | AUV | Critical | | Digital Signature Error (Reason = &A, ID = &B)
Other events | AUY | Severe | | Download &A Bytes to File &C
Other events | AUZ | Severe | | Digital Signature (Reason = &A, ID = &B)
Other events | BU0 | Critical with Monitor Alert | | RAL configuration access: Action: &A, type: &B, name &C
Other events | BU1 | Critical with Monitor Alert | | Password check failed for user &B in client &A
Other events | BU3 | Critical with Monitor Alert | | Security check changed in export: Old value &A, new value &B
Other events | BU4 | Non-Critical | | Dynamic ABAP code: Event &A, event type &B, check total &C
Other events | BU5 | Severe | | ICF recorder entry executed for user &A (activity &B)
Other events | BU6 | Severe | | ICF recorder entry executed by user &A (&B, &C) (activity &D).
Other events | BU7 | Severe | | Administration setting was changed for ICF Recorder (Activity: &A)
Other events | BU8 | Critical | | Virus Scan Interface: Virus "&C" found by profile &A (step &B)
Other events | BU9 | Severe | | Virus Scan Interface: Error "&C" occurred in profile &A (step &B)
Other events | BUA | Severe | | WS: Signature check error (reason &B, WP &C). Refer to Web service log &A.
Other events | BUB | Severe | | WS: Signature insufficient (WP &C). Refer to Web service log &A.
Other events | BUC | Severe | | WS: Time stamp is invalid. Refer to Web service log &A.
Other events | BUF | Non-Critical | | HTTP Security Session Management was activated for client &A.
Other events | BUG | Critical with Monitor Alert | | HTTP Security Session Management was deactivated for client &A.
Other events | BUH | Severe with Monitor Alert | | HTTP Security Session of user &A (client &B) was hard exited
Other events | BUJ | Severe | | Non-encrypted &A communication (&B)
Other events | BUS | Critical | | &A: Request without sufficient security characteristic of address &B.
Other events | BUT | Severe | 740 | CRL download failed with error code &A
Other events | BUU | Critical | 740 | Certificate check for subject "&A" with profile &B failed (status &C)
Other events | BUY | Critical | | Field contents changed: &5&9&9&9&9&9
Other events | BUZ | Very Critical | | > in program &A, line &B, event &C
Other events | CU0 | Critical | | RAL Log Access: Action: &A
Other events | CU1 | Severe | | CU Test Message
Other events | CUK | Critical | | C debugging activated
Other eventsCULVery CriticalField content changed: &A
Other eventsCU_MVery CriticalJump to ABAP Debugger: &A
Other eventsCUNVery CriticalA manually caught process was stopped from within the Debugger (&A)
Other eventsCUOVery CriticalExplicit database commit or rollback from debugger &A
Other eventsCUPVery CriticalNon-exclusive debugging session started
Other eventsCUQSevereLogical file name &A not configured. Physical file name &B not checked.
Other eventsCURSeverePhysical file name &B does not fulfill requirements from logical file name &A
Other eventsCUSSevereLogical file name &B is not a valid alias for logical file name &A
Other eventsCUTSevereValidation for logical file name &A is not active
Other eventsCUUNon-CriticalPayload of PI/WS message &A was read | &B
Other eventsCUXNon-CriticalPayload of postprocessing request &A read
Other eventsCUYNon-Critical> &A
Other eventsDUASevere740EHS-SADM: Service &A created on host &B
Other eventsDUBSevere740EHS-SADM: Service &A started on host &B
Other eventsDUCSevere740EHS-SADM: Service &A ended on host &B
Other eventsDUDSevere740EHS-SADM: Service &A deleted on host &B
Other eventsDUENon-Critical740EHS-SADM: Configuration of service &A changed on host &B
Other eventsDUFNon-Critical740EHS-SADM: File &A transferred from host &B
Other eventsDUGNon-Critical740EHS-SADM: File &A transferred to host &B
Other eventsDULNon-CriticalCheck for &A in whitelist &B was successful
Other eventsDUMSevere with Monitor AlertCheck for &A in whitelist &B failed
Other eventsDUNCritical with Monitor AlertActive whitelist &A changed ( &B )
Other eventsDUONon-CriticalAuthorization check for object &A in scenario &B successful
Other eventsDUPNon-CriticalAuthorization check for object &A in scenario &B failed
Other eventsDUQCritical with Monitor AlertActive scenario &A for switchable authorization checks changed - &B
Other eventsDUUNon-CriticalAuthorization check for user &C on object &A in scenario &B successful
Other eventsDUVNon-CriticalAuthorization check for user &C on object &A in scenario &B failed
Other eventsDUXNon-Critical740TEMP: Customer-specific event DUX &A &B &C &D
Other eventsDUYNon-Critical740TEMP: Customer-specific event DUY &A &B &C &D
Other eventsDUZNon-Critical740TEMP: Customer-specific event DUZ &A &B &C &D
Other eventsFU2Severe740Parsing of an XML data stream canceled for security reasons (reason = &A)
System / housekeepingAUEVery CriticalAudit Configuration Changed
System / housekeepingAUFVery CriticalAudit: Slot &A: Class &B, Severity &C, User &D, Client &E, &F
System / housekeepingAUGVery CriticalApplication Server Started
System / housekeepingAUHVery CriticalApplication Server Stopped
System / housekeepingAUIVery CriticalAudit: Slot &A Inactive
System / housekeepingAUJVery Critical with Monitor AlertAudit: Active Status Set to &1
System / housekeepingEU1Very Critical7.50System changeability changed (&A to &B)
System / housekeepingEU2Very Critical7.50Client setting for &A changed (&B)
System / housekeepingFU0Very Critical7.50Exclusive security audit log medium changed (new status &1)

 

File format

Warning: The file format is defined SAP internally - it's not an official definition which can be used freely. Use the information with care as storage and format can change with newer releases.

 

As of release 7.50 you can choose if log events are stored in the files as described in this section or in the database table RSAU_BUF_DATA or at both locations (see note 2191612).

 

Use report RSAU_SELECT_EVENTS to analyze the file format.

 

The audit files have a structured but variable record layout in unicode text format.

 

The administrative information is fixed; however, there are two record formats, depending on whether the additional field SLGLTRM2 is present.

The data part, field SLGDATA, is 64 characters long and has a variable sub-structure containing several parameter values. Often these values are separated by '&', matching the message variables &A, &B, etc. of the message definition. If you don't find an '&', then the parameter values have fixed lengths matching the message variables &n (n is a number giving the count of characters) within the message definition.

 

Relevant DDIC structures:

RSLGENTR SysLog entry

RSAUENTR2 Security Audit Log Entry Version 2 with Long Terminal Names

 

Example of an entry in a .aud file:

 

2AU520130409010803000505200009D9a234ba.pDOKUSTAR                        SAPMSSY1                              0201R&0                                                            h020co.pt.com     


This leads to the following file format:

 

Field | Sub-field | Length | Description
SLGTYPE | | | SysLog: LIKE structure RSLGETYP
| SLGFTYP | 1 | Entry type: "q" = version 1 without field SLGLTRM2, "2" = version 2 including field SLGLTRM2
| AREA | 2 | Message area
| SUBID | 1 | Message name
SLGDATTIM | | | Time stamp (CHAR 16)
| DATE | 8 | Date in format YYYYMMDD
| TIME | 6 | Time in format hhmmss
| DUMMY | 2 | not used
SLGPROC | | | SysLog: LIKE RSLGPID structure
| UNIXPID | 5 | Process ID
| TASKTNO | 5 | Task
SLGTTYP | | 2 | Process type (short form)
SLGLTRM | | 8 | Terminal name (truncated)
SLGUSER | | 12 | User name
SLGTC | | 20 | Transaction
SLGREPNA | | 40 | Program
SLGMAND | | 3 | Client
SLGMODE | | 1 | External mode of an SAP dialog
SLGDATA | | 64 | Variable message data
SLGLTRM2 | | 20 | Terminal name (continued), only available if SLGFTYP=2

 

You see,

  • the format of the variable message data
  • the message class (logon, transaction start, report start, RFC logon, user master record change, RFC start, miscellaneous, and system)
  • the severity (critical, important, non-critical)
  • and the monitoring alert settings (with, without)

are not visible within the file, but only in the message definition in table TSL1D (the key fields are AREA and SUBID).
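The record layout above can be sliced directly by field length. The following parser is an added example (not SAP code and not part of the original page): it uses the field lengths from the table, selects the version-1 (SLGFTYP "q", 180 characters) or version-2 (SLGFTYP "2", 200 characters) layout, and splits SLGDATA either on '&' or, for the fixed-length variant, by the widths taken from the &n placeholders of the message definition. The sample record is constructed for this example; the class, severity and message text of an event still have to be looked up in TSL1D via AREA and SUBID, which the parser returns as the event key.

```python
"""Parse fixed-width Security Audit Log (.aud) records (layout as tabulated above)."""
from dataclasses import dataclass
from typing import List, Optional

# Leaf fields of the fixed administrative part, in record order.
LAYOUT = [
    ("SLGFTYP", 1), ("AREA", 2), ("SUBID", 1),          # SLGTYPE
    ("DATE", 8), ("TIME", 6), ("DUMMY", 2),              # SLGDATTIM (CHAR 16)
    ("UNIXPID", 5), ("TASKTNO", 5),                      # SLGPROC
    ("SLGTTYP", 2), ("SLGLTRM", 8), ("SLGUSER", 12), ("SLGTC", 20),
    ("SLGREPNA", 40), ("SLGMAND", 3), ("SLGMODE", 1), ("SLGDATA", 64),
]
LEN_V1 = sum(n for _, n in LAYOUT)   # 180: SLGFTYP = "q", no SLGLTRM2
LEN_V2 = LEN_V1 + 20                 # 200: SLGFTYP = "2", SLGLTRM2 appended


@dataclass
class AuditRecord:
    event: str                     # AREA + SUBID, the key into TSL1D (e.g. "AU3")
    date: str
    time: str
    pid: str
    task: str
    wp_type: str
    terminal: str                  # SLGLTRM (8 characters)
    terminal_long: Optional[str]   # SLGLTRM2, only present in version-2 records
    user: str
    transaction: str
    program: str
    client: str
    mode: str
    data: str                      # raw SLGDATA, trailing blanks removed
    params: List[str]              # SLGDATA split into &A, &B, ...


def split_params(data: str, widths: Optional[List[int]] = None) -> List[str]:
    """Split SLGDATA into message parameters.

    '&'-separated values map to &A, &B, ... in order. Without any '&' the values
    are fixed-length; pass the widths taken from the &n placeholders of the
    message definition (e.g. [5, 9, 9, 9, 9, 9] for BUY)."""
    data = data.rstrip()
    if "&" in data:
        return data.split("&")
    if widths:
        out, pos = [], 0
        for w in widths:
            out.append(data[pos:pos + w].rstrip())
            pos += w
        return out
    return [data]


def parse_record(rec: str) -> AuditRecord:
    """Slice one .aud record; SLGFTYP decides whether SLGLTRM2 is present."""
    if not rec:
        raise ValueError("empty record")
    ftyp = rec[0]
    if ftyp == "2":
        expected = LEN_V2
    elif ftyp == "q":
        expected = LEN_V1
    else:
        raise ValueError(f"unknown SLGFTYP {ftyp!r}")
    if len(rec) < expected:
        raise ValueError(f"record too short: {len(rec)} < {expected}")
    f, pos = {}, 0
    for name, n in LAYOUT:
        f[name] = rec[pos:pos + n]
        pos += n
    long_term = rec[pos:pos + 20].rstrip() if ftyp == "2" else None
    return AuditRecord(
        event=f["AREA"] + f["SUBID"], date=f["DATE"], time=f["TIME"],
        pid=f["UNIXPID"], task=f["TASKTNO"], wp_type=f["SLGTTYP"],
        terminal=f["SLGLTRM"].rstrip(), terminal_long=long_term,
        user=f["SLGUSER"].rstrip(), transaction=f["SLGTC"].rstrip(),
        program=f["SLGREPNA"].rstrip(), client=f["SLGMAND"], mode=f["SLGMODE"],
        data=f["SLGDATA"].rstrip(), params=split_params(f["SLGDATA"]),
    )


# Constructed version-2 sample record (not a real log line): event AU3
# "Transaction &A Started" for user JDOE in client 100, terminal WS0042.
SAMPLE_V2 = (
    "2" + "AU" + "3"
    + "20160614" + "101530" + "00"
    + "01234" + "00007"
    + "D1" + "WS0042  "
    + "JDOE".ljust(12) + "SE16".ljust(20) + "SAPMSSY1".ljust(40)
    + "100" + "1"
    + "SE16".ljust(64)
    + "ws0042.corp.example".ljust(20)
)

if __name__ == "__main__":
    r = parse_record(SAMPLE_V2)
    print(r.event, r.date, r.time, r.client, r.user, r.terminal_long, r.params)
```

Because the audit files are unicode text, read them with the system's code page and feed each line to parse_record; records that raise ValueError (unknown SLGFTYP or truncated line) are worth flagging rather than silently skipping, since a truncated file is itself a finding.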

 

Terminal ID versus IP Address

The Security Audit Log normally logs the terminal id if it's available; otherwise the IP address is logged. You can set the (undocumented) profile parameter rsau/ip_only to the value 1 to log the IP address instead (if available). See note 1497445 for details.

 

Use the following options to get the terminal id and the IP address of active users:

 

  • Transaction SM04 shows the IP address of the GUI client as well if you change the layout. (Limited to currently active users.)
  • Table USR41, containing the last logon date, shows both the terminal id and the IP address in field TERMINAL. It may be possible to activate table logging using SE13 to get the history, too. Then you could merge this data with the log entries.
  • You could try to use user exit SUSR0001 to log the IP address (from function TH_USER_INFO and/or table USR41) in a custom table, or by creating additional Security Audit Log entries for message AU1 (successful logon) for which you e.g. set the parameter &A or a new parameter &B with the IP address. See function RSAU_WRITE_TRAC_AUDIT_LOG to understand how to create such entries. (Limited to dialog logon only.)

 

There are strong limitations to logging the terminal ID and the IP address in ABAP. A malicious user could spoof the terminal ID easily. The IP address can be problematic, too: for example, if a reverse proxy (e.g. the web dispatcher) is used for HTTP access, then all users will have the same IP address.

 

(German) Data Protection

Would the German Data protection authorities have an issue with activating this level of logging?

 

From a general point of view I would start with following assumptions:

 

1. Filter: Activate everything which is critical for all users '*' in all clients  '*'.

➙ mostly ok, details should be confirmed

 

2. Filter: Activate everything for users 'SAP*' in all clients '*'

➙ ok

 

3. Filter: Activate everything for other support and emergency users, e.g. 'FF*' (FireFighter) in all clients '*'

➙ ok (assuming that you already have agreed on using GRC Super User Management)

 

4. Filter: Activate all events for the dialog activities 'logon' and 'transaction' for user 'DDIC' in all clients.

➙ ok

 

5. Filter: Activate everything for client '066'. This client is not used anymore and can be deleted.

➙ ok

 

6. Filter: Activate RFC events (AUL, AUK, AU6, AU5) for a short time for selected users to identify RFC connection problems easily

➙ you have to confirm this

 

7.-10. Filter: free for other project-specific purposes

➙ you have to confirm this

 

Keep in mind that you have to discuss (among others) log creation, consolidation, archiving as well as retention periods and deletion.

 

Example from a German project (2010/2011) which was cleared through German, Austrian, French & Belgian data controllers:

 

Logging everything was OK as there are legitimate reasons for it. The following additional controls were required:

 

  • Access to logs limited to Basis & Security team
  • Acceptable use (of logs) policy circulated to everyone with access
  • Data had to be summarized before use (e.g. could not be easily attributable to an individual.  Obviously difficult to achieve if someone is in a team of 1...)
  • Distribution of data outside the security team had to be approved by the local data controller (local to the people whose data it was).
  • Detailed records existing outside the system had to be deleted after the summation work had been completed

 

Exceptions to these included:

  • legitimate use of data in event of security breach (agreed by local counsel and data controllers)
  • use of data with written approval of user (we used this a lot when redesigning access based on patterns of 'model' users).

 

I just found an additional recommendation about the protection of the files in a recent note:

In general, files of the Security Audit Log must not be accessed by other ABAP programs than the Security Audit Log application itself. Protect the files by assigning the appropriate S_DATASET authorizations to your users and by using S_PATH protection as described in note 177702. For this purpose, use a dedicated folder for Security Audit Log files. Enter this directory into the SPTH table and enable the flags FS_NOWRITE and FS_NOREAD, thus disabling any read or write access from ABAP to this directory. Configure the Security Audit Log (parameter DIR_AUDIT) to use this directory.

 

GRC Fire Fighter logging

The application GRC Access Control Super User Management (aka FireFighter) consolidates logs from various sources:

  • Transaction Log: Captures transaction execution from transaction STAD
  • Change Log: Captures change log from change document objects (tables CDPOS and CDHDR)
  • System Log: Captures Debug & Replace information from transaction SM21
  • Security Audit Log: Captures Security Audit Log from transaction SM20
  • OS Command Log: Captures changes to OS commands from transaction SM49

Because of this we recommend defining a filter in the Security Audit Log which records all events for fire fighter users.

 

Performance

Q: Is there a significant performance impact (or any impact at all) if we enable the security audit log with the recommended settings? We've had resistance from some clients as they were worried that it will impact on the end user experience / slow down the system.

 

Unfortunately the FAQ note 539404 does not talk much about performance.

Well, the general rule is simple: there is no performance impact, neither in time nor in space, if you log only unsuccessful (= critical) events, as these events happen rarely.

As soon as you start logging successful events you might have to watch space (the growing size of the audit files), but still not time, as the Security Audit Log is optimized for speed.

 

Ertunga Arsal has written some noteworthy blogs about performance analysis of the Security Audit Log:

 

 

Conclusion: you do not need to care about time, and space is only important if you log specific successful events:

RFC function called (AUK, which takes >70% of the space), Successful RFC logon (AU5, which takes >15%), Successful Web Service Call (CUV, which takes >10% if the system utilises web services extensively), Report started (AUW, which takes >5%).

 

How to create customer-specific events

Using notes 1941526 and 1941568 you can utilize the custom messages DUX, DUY and DUZ in SAP_BASIS release as of 7.30. Call function RSAU_WRITE_CUSTOMER_EVTS to create these messages.

 

You can "reuse" other codes, e.g. CUY, if you ensure that you will still be able to distinguish the messages. Nevertheless, you should interpret this as a (logical) modification of the SAP standard.

 

In addition, there are other options to log customer-specific events:

- Application Log in ABAP

- CCMS Alerts

- Alerts sent to the SAP Solution Manager

 

How to read the long texts of events

You can view the long text of Security Audit Log event messages using transaction SE92 (or in transaction SE61 if you choose the document class SL (Syslog)).

Using note 1970644 you can get report RSAU_INFO_SYAG which shows all events of the Security Audit Log including the current status of activation. The detail view allows you to create an HTML-based event definition print list including the full documentation.

 

How to log critical debugger events

Using the debugger in general might already be seen as critical, but using debug-replace is considered very critical by all auditors. The corresponding Security Audit Log messages for changing field content and for jumping within the code

  • Other Events, Critical, CUL Field content changed: &A
  • Other Events, Critical, CU_M Jump to ABAP Debugger: &A

are already covered by the 1st filter "Activate everything which is critical for all users in all clients" as proposed above.

Both messages are supplemented by another message that adds more details describing the event:

  • Other Events, Critical, BUZ > in program &A, line &B, event &C

 

The messages CUK, CUN, CUO, and CUP are related to the debugger as well.

 

How to track changes on the settings

Dynamic settings

The effective (dynamic) settings get logged in the Security Audit Log itself.

If you create, as recommended, a filter for "all clients, all users, all audit classes with severity 'critical'", then you already get the corresponding events of audit class "System":

 

Audit class | Severity | AREA | SUBID | Message
System | Critical | AU | E | Audit Configuration Changed
System | Critical | AU | F | Audit: Slot &A: Class &B, Severity &C, User &D, Client &E, &F
System | Critical | AU | G | Application Server Started
System | Critical | AU | H | Application Server Stopped
System | Critical | AU | I | Audit: Slot &A Inactive
System | Critical | AU | J | Audit: Active Status Set to &1

 

Static settings

The static settings are stored in table RSAUPROF. The system creates table logs for any changes, which you can view e.g. using report RSTBHIST.

 

The name of the active profile which is used while starting an application server is stored in field CURRPROF of the entry with PROFNAME = $CURPROF.

 

You can transport static profiles using a workbench transport which gets transport entries for R3TR TABU RSAUPROF with table key PROFNAME=<profile name> SLOTNO=*. (You can transport the entry for $CURPROF as well, but I recommend choosing the active profile in the target system manually.)

As of SAP_BASIS 7.40 you can use transaction SM19 to add static filter definitions to a transport. See FAQ Note 539404 item [8].

 

The filters are stored in the entries having field SLOTNO > 0.

 

Field STATUS shows if a filter is active.

 

Field CLASSES shows the active audit classes. This is a bit-field summing up the values for the different audit classes (see include RSAUCONSTANTS):

CONSTANTS: RSAU_CLASS_OTHER(4)    TYPE x VALUE 1,
           RSAU_CLASS_LOGIN(4)    TYPE x VALUE 2,
           RSAU_CLASS_TASTART(4)  TYPE x VALUE 4,
           RSAU_CLASS_REPORT(4)   TYPE x VALUE 8,
           RSAU_CLASS_RFCLOGIN(4) TYPE x VALUE 16,
           RSAU_CLASS_USER(4)     TYPE x VALUE 32,
           RSAU_CLASS_SYSTEM(4)   TYPE x VALUE 64,
           RSAU_CLASS_RFCCALL(4)  TYPE x VALUE 128.

 

The audit class "System" is implicitly active and is not added; therefore you get the value CLASSES = 191 = 128 + 32 + 16 + 8 + 4 + 2 + 1 if you activate all audit classes.

 

Field SEVERITY shows the severity (see include RSAUCONSTANTS):

CONSTANTS: RSAU_SEVE_LOW  TYPE I VALUE 2,
           RSAU_SEVE_MED  TYPE I VALUE 5,
           RSAU_SEVE_HIGH TYPE I VALUE 9.

 

If you have selected the detail settings, then field SELVAR contains the constant 01 (and field CLASSES = 0 and SEVERITY = 0). Field MSGVECT defines active events. (In this case you can deactivate "System" events.)

 

Active events are identified using individual bits at specific positions within field MSGVECT. The position is calculated using the alphanumerical order 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ according to the SUBID of the event. The event area (AU, BU, CU, DU, EU) defines the bit which is added to the value at that position: AU = 80 (hex), BU = 40 (hex), CU = 20 (hex), DU = 10 (hex), EU = 08 (hex).

 

Only the first 36 positions of field MSGVECT are used. Every position holds two bytes therefore you see two hexadecimal characters per position.

 

Example showing active system events only (AUE, AUF, AUG, AUH, AUI, AUJ):

MSGVECT  000000000000000000000000000080808080808000000000000000000000000000000000...

SUBID     0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Position -1-2-3-4-5-6-7-8-9--11--13--15--17--19--21--23--25--27--29--31--33--35--...
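Both bit fields of RSAUPROF described above (CLASSES and MSGVECT) can be encoded and decoded with a few lines, which makes it easy to check a transported profile or a table-log entry against the intended filter. The block below is an added example, not SAP code: it uses the class bit values from RSAUCONSTANTS and the area bits and SUBID order given above, handles only the two-character area plus one-character SUBID form of event ids (so the FU area and CU_M, for which the page gives no bit value, are rejected), and reproduces the MSGVECT string of the system-events example.

```python
"""Encode/decode the RSAUPROF bit fields CLASSES and MSGVECT."""

# Audit classes and their bit values (include RSAUCONSTANTS).
CLASS_BITS = {
    "OTHER": 1, "LOGIN": 2, "TASTART": 4, "REPORT": 8,
    "RFCLOGIN": 16, "USER": 32, "SYSTEM": 64, "RFCCALL": 128,
}


def encode_classes(names):
    """Sum the bits of the given audit classes. "SYSTEM" is implicitly active
    in a profile and therefore never added, so all classes give 191, not 255."""
    value = 0
    for n in names:
        key = n.upper()
        if key not in CLASS_BITS:
            raise ValueError(f"unknown audit class {n!r}")
        if key != "SYSTEM":
            value |= CLASS_BITS[key]
    return value


def decode_classes(value):
    """Return the names of the classes whose bit is set in CLASSES."""
    return [n for n, bit in CLASS_BITS.items() if value & bit]


SUBID_ORDER = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # position of a SUBID
AREA_BITS = {"AU": 0x80, "BU": 0x40, "CU": 0x20, "DU": 0x10, "EU": 0x08}
POSITIONS = 36                                          # only the first 36 are used


def encode_msgvect(events):
    """Build the 72-character hex string of MSGVECT for the given event ids.
    Each position is one byte (two hex characters); the byte collects the
    area bits of all active events sharing that SUBID."""
    vec = [0] * POSITIONS
    for ev in events:
        ev = ev.upper()
        if len(ev) != 3 or ev[:2] not in AREA_BITS or ev[2] not in SUBID_ORDER:
            raise ValueError(f"unsupported event id {ev!r}")
        vec[SUBID_ORDER.index(ev[2])] |= AREA_BITS[ev[:2]]
    return "".join(f"{b:02X}" for b in vec)


def decode_msgvect(hexstr):
    """Return the active event ids, ordered by position and then by area."""
    hexstr = hexstr[:POSITIONS * 2]
    if len(hexstr) % 2 or len(hexstr) > POSITIONS * 2:
        raise ValueError("MSGVECT must be an even number of hex characters")
    events = []
    for pos in range(len(hexstr) // 2):
        byte = int(hexstr[2 * pos:2 * pos + 2], 16)
        for area, bit in AREA_BITS.items():
            if byte & bit:
                events.append(area + SUBID_ORDER[pos])
    return events


if __name__ == "__main__":
    system_events = ["AUE", "AUF", "AUG", "AUH", "AUI", "AUJ"]
    print(encode_msgvect(system_events))
    print(decode_msgvect(encode_msgvect(system_events)))
    print(encode_classes(CLASS_BITS), decode_classes(191))
```

decode_msgvect accepts a shorter string (for example one copied from a table log that trims trailing zeros) and pads nothing, so positions beyond the string's end simply yield no events.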

 

Change Reporting in the SAP Solution Manager

In addition to the local table logs of table RSAUPROF you can use the applications Change Reporting and Configuration Validation in the SAP Solution Manager to analyse changed settings. Use the configuration store AUDIT_CONFIGURATION. Be aware that the extractor gets a snapshot of the dynamic settings daily; that means it shows the effective settings according to the profile parameters or the overriding kernel parameters. Changes between two executions of the extractor are not captured. The configuration store does not show the user account who triggered the change. Therefore I recommend using Change Reporting or Configuration Validation as a trigger for deeper analysis of the local table logs.

 

see: Configuration Validation Home

http://wiki.scn.sap.com/wiki/display/TechOps/ConfVal_Home

Content of CCDB for a Technical System of type ABAP

http://wiki.scn.sap.com/wiki/display/TechOps/ConfVal_ABAP_Content#ConfVal_ABAP_Content-AUDIT_CONFIGURATION

 

What is the meaning of message BU4?

Question: In our productive environment I am getting the message BU4 "Dynamic ABAP Coding: Event &A Event Type: &B Checksum: &C" many times, but according to your post (and my old screen capture) the BU4 message should be for "Transport Request &A Contains Security-Critical Source Objects".

I searched but could not find anything about this issue...what do you recommend beside good luck :-)?

 

Answer: The definition of the message BU4 in transaction SE92 might still be wrong depending on the release of the system. According to note 539404, recording the events for the transport of security-relevant objects (BU3, BU4) is not yet implemented.

The kernel creates message BU4 "Dynamic ABAP Coding: Event &A Event Type: &B Checksum: &C" to flag usage of

  • 'I' for INSERT REPORT
  • 'G' for GENERATE SUBROUTINE POOL
  • 'D' for DELETE REPORT

if the setting 'Audit of generated dynamic ABAP' under 'Other entries' in SM19 is active.

(In addition, entries in the DB tables DYNABAPHDR and DYNABAPSRC are written if profile parameter abap/dyn_abap_log is set to the value "on".)

 

How can I read events using BAPIs?

The security alerts are also available to external programs using BAPIs (Business Application Programming Interfaces). The report RSAU_READ_AUDITLOG_EXTERNAL is a sample SAP program that you can use as a template for accessing the security alerts using BAPIs.

 

How to get a cross-reference about the creation of messages?

If you want to know which program triggers which message you can use the cross-reference feature of the development environment. Well, messages are not repository objects, therefore you cannot use it directly. However, many (but not all) messages are triggered by specific functions or methods per scenario. You can use the cross-reference for these triggers.

 

Have a look to method GET_TRIGGER_FOR_MSG of class CL_INFO_SYAG to view the list of triggers which are used to create audit messages. Then go for the cross-reference in transaction SE80 or SE84 for these functions and methods.

 

How to avoid logging for Auto-ABAP (SAPSYS) processing

If you do not want to log Security Audit Log events for Auto-ABAP processing (aka "SAPSYS processing") even if you log all events for user pattern SAP* you can assign a different username to this type of processing by setting following profile parameters:

 

rdisp/autoabapuser

rdisp/bgrfc_watchdog_user

 

To define the value for these profile parameters you enter the client, a comma and the user.

Example: 000,ZSAPSYS

 

This user has to exist in the chosen client with sufficient authorizations!

Create this user with user type B=system, no password and a role which contains at least following authorizations (you may start with full authorizations and use transaction STAUTHTRACE for a while to get the list of required authorizations):

 

Authorization object S_ADMI_FCD

with field S_ADMI_FCD = PADM, ST0R

 

Authorization object S_BTCH_ADM

with field BTCADMIN = Y

 

Authorization object S_DATASET

with fields

ACTVT = 33

FILENAME = *

PROGRAM = RSCORE00, SSFALRTEXP

 

Authorization object S_RZL_ADM

with field ACTVT = 01, 03

 

This tip was developed by a customer based on information within note 2288530. The customer has an even stronger requirement than mentioned above, because they want to log everything in all clients for all users with the single exception of omitting the logging for Auto-ABAP processing. This customer uses a special variation of the trick:

Auto-ABAP processing is executed by user SAPSYS______ (12 characters).

No other user name is longer than 11 characters.

The filter in transaction SM19 for the user name is defined as +++++++++++ (11 characters).
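The trick only works because the 12th character of SAPSYS______ is not blank while every other user name, padded to the 12-character user field, has a blank there. The following is an added example (not SAP code) that models the filter pattern matching with the assumed semantics '*' = any sequence, '+' = exactly one character, everything else literal, compared against the blank-padded field; the user names in the test are constructed. It is a model for reasoning about a filter, not the kernel's matcher, so verify the effect in SM20 after activating such a filter.

```python
"""Model of SM19 user/client filter matching (assumed pattern semantics)."""
import re

USER_FIELD_LEN = 12     # user names are CHAR 12; shorter names are blank-padded
CLIENT_FIELD_LEN = 3    # client is CHAR 3

AUTOABAP_USER = "SAPSYS______"   # 12 characters, as stated above
ALL_BUT_AUTOABAP = "+" * 11      # the customer's filter: 11 single-character wildcards


def sap_match(pattern: str, value: str, field_len: int) -> bool:
    """Assumed semantics: '*' matches any sequence, '+' exactly one character,
    anything else literally; the value is compared at its padded field length,
    so trailing blanks after the pattern are allowed ('DDIC' + 8 blanks matches
    eleven '+', but 'SAPSYS______' does not because its 12th character is '_')."""
    rx = "".join(".*" if c == "*" else "." if c == "+" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx + " *", value.ljust(field_len)) is not None


def filter_applies(filt: dict, user: str, client: str) -> bool:
    """A filter slot applies when both its user and client patterns match."""
    return (sap_match(filt["user"], user, USER_FIELD_LEN)
            and sap_match(filt["client"], client, CLIENT_FIELD_LEN))


def would_log(filters, user: str, client: str) -> bool:
    """True if any active filter slot covers the user/client combination."""
    return any(f.get("active", True) and filter_applies(f, user, client)
               for f in filters)


# Constructed filter set: "everything except Auto-ABAP" in all clients.
CUSTOMER_FILTERS = [{"user": ALL_BUT_AUTOABAP, "client": "*", "active": True}]

if __name__ == "__main__":
    for u in ("DDIC", "ZSAPSYS", "SAP*", AUTOABAP_USER):
        print(u, would_log(CUSTOMER_FILTERS, u, "100"))
```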

RSECVAL_STRING is incomplete and Characteristic values not reflecting in RSECADMIN


Dear Experts,

 

We have upgraded to BW 7.4 system from 7.31. Post upgrade I am finding the below issues and not able to identify the correct resolution. Please guide me on how to analyze further.

 

1. Post upgrade while checking few AA's in RSECADMIN, none of the Characteristics are reflecting, meaning the AA's are blank. Tried executing the step RSECADMIN -> Extras -> Migrations -> Migration: Release 7.0 -> Release 7.3 and the values did not reflect in RSECADMIN.

 

2. Table RSECVAL_STRING is not populated with all the values as in RSECVAL. I hope the program RSD_XPRA_REPAIR_0TCTIOBJVL_740 which runs automatically during XPRA phase should have updated it, but in our case it has not. How to get RSECVAL_STRING updated post upgrade. Can the program RSD_XPRA_REPAIR_0TCTIOBJVL_740 be run manually, should any pre/post step be executed/verified.

 

3. When new AA's are created and Activated, the Characteristics and Values are getting updated in RSECVAL_STRING but the version gets updated as "M" and not as "A" as seen in RSECADMIN. Are any pre-requisite steps missed while upgrade due to which the correct Version is not reflecting in RSECVAL_STRING.

 

Best Regards,

Arun.

Log report for Analysis Authorization


Hi All,

 

In BI, we have tables to check log for value, hierarchy , text and user assignment for Analysis Authorization.

Let me know how to find the creation date of Analysis Authorization.

 

below are the tables in which I tried to find the creation date of AA.

RSECHIE_CL

RSECHIE_CL_VIEW

RSECLOG_CL

RSECLOPDLOG_CL

RSECLOWDATE_CL

RSECSESSION_CL

RSECTXT_CL

RSECTXT_CL_VIEW

RSECUSERAUTH_CL

RSECVAL_CL

RSECVAL_CL_VIEW

 

regards,

sanjeeva

How to find right authorisations to be deleted


Hello.

I was asked by the customer to delete unnecessary authorisations assigned to a specific role. I know generally how to find required authorisations (SU53) but have no idea about the deletion.

 

I tested it in Tx: SUIM -> Transactions -> Executable for Role -> Type a role and execute.

In some transactions, especially standard ones, I could see the result of related authorisation objects and values. On the other hand, a lot of transactions show up empty, especially Z* t-codes.

 

Should I redesign the role from scratch? Is there any other way to shorten the time?

 

P.S. I've also considered controlling the accessible t-codes in S_TCODE, but someone already put the value 'ALL' in there, so it's not easy to review the entire set of transactions maintained there as well.

 

Best regards,

Seong Do Lee
