SAP Security Audit Log (SAL)

In the last article, we discussed how to log/trace critical table changes in an SAP system to meet one of the „business audit“ requirements.

Let’s talk about one aspect of „security audit“ today.

Security auditors have many checkpoints on their checklists … The Security Audit Log is probably the most important and the least well-known of them. Why? You can log „everything“ using SAL, but it takes time to configure it properly and much more time to analyse it 🙂

SAL is the tool that provides revision-compliant logging and verification of „important“ system events. Which events are „important“? Ask your auditors! 🙂 … As I’ve never got the answer, I’ll suggest some so-called „event filters“ later as a starting point.

Security Audit Log Configuration

For releases lower than 7.40, SAL could be activated by setting the following profile parameters:

  • rsau/enable=1
  • rsau/user_selection=1
  • rsau/selection_slots=10 (or higher)
  • rsau/integrity=1 (if available)

Some additional rsau/* parameters can be used for fine tuning 🙂

Use transaction SM19 (for older releases) or RSAU_CONFIG (for 7.52 or newer releases) for configuration.

Note: To perform SAL configuration you need a role with the S_SAL authorization object. Don’t give this authorization to everyone!

SAL configuration means telling the system which events should be logged for which users. You achieve this by defining SAL profiles, each of which is a set of event filters.

Every filter consists of:

  • system client(s)
  • user(s)
  • audit class(es) / list of event IDs

[Screenshot: SAL filter]

The general suggestions regarding „important“ events

Which events should be logged?

In case of a security breach you would be happy to have a log of all possible events, but … due to data protection law and limited (?) system resources we should pick only the most important events.

So start with the following filters and adapt them to your landscape/situation:

  • Activate „only critical“ events for all users (*) in all clients (see screenshot above)
  • Activate „all“ events for the user SAP* (use SAP#* as a mask) in all clients (*)
  • Activate „all“ events for SAPSUPPORT* and for all similar users in all clients (*)
  • Activate „all“ events for „emergency“ and other privileged users (like DDIC) in all clients (*)
  • Activate DU1-DU8, DUI, DUJ, DUK (RFC Call) for all users (*) in all clients (*)
  • Activate AUO, AUZ, BU5, BU6, BU7, BU9, BUA, BUB, BUC, BUH, AUP, AUQ for all users (*) in all clients (*)

Hint: SAP Note 1970644 provides the report RSAU_INFO_SYAG, which shows all events of the Security Audit Log.
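To see what the suggested filter set covers before entering it in SM19 / RSAU_CONFIG, the following added example (not part of the original article and not SAP code) models the filters in Python. It assumes that „*“ in a mask matches any run of characters, that „#“ escapes the next character, and that each filter takes one of the rsau/selection_slots slots; the „only critical“ filter is left out because the article does not list which event IDs are critical, and the user names and event ID XX1 are constructed samples.

```python
import re

ALL = None  # marker: the filter records every event ID

def mask_matches(mask, value):
    """Assumed SAL mask rules: '*' matches any run of characters, '#' escapes the next one."""
    pattern, i = "", 0
    while i < len(mask):
        if mask[i] == "#" and i + 1 < len(mask):
            pattern += re.escape(mask[i + 1])  # escaped character is taken literally
            i += 2
        else:
            pattern += ".*" if mask[i] == "*" else re.escape(mask[i])
            i += 1
    return re.fullmatch(pattern, value) is not None

RFC_EVENTS = {f"DU{n}" for n in range(1, 9)} | {"DUI", "DUJ", "DUK"}
OTHER_EVENTS = {"AUO", "AUZ", "BU5", "BU6", "BU7", "BU9",
                "BUA", "BUB", "BUC", "BUH", "AUP", "AUQ"}

# (client mask, user mask, event IDs) for the filters suggested in the article
FILTERS = [
    ("*", "SAP#*", ALL),        # only the literal user SAP*
    ("*", "SAPSUPPORT*", ALL),  # every user whose name starts with SAPSUPPORT
    ("*", "DDIC", ALL),
    ("*", "*", RFC_EVENTS),
    ("*", "*", OTHER_EVENTS),
]

def matching_filters(client, user, event_id, filters=FILTERS):
    """Return the positions of all filters that would record this event."""
    return [
        pos for pos, (client_mask, user_mask, events) in enumerate(filters)
        if mask_matches(client_mask, client)
        and mask_matches(user_mask, user)
        and (events is ALL or event_id in events)
    ]

def fits_slots(filters, selection_slots=10):
    """Assumption: each filter occupies one of the rsau/selection_slots slots."""
    return len(filters) <= selection_slots

if __name__ == "__main__":
    # Constructed samples; XX1 is a placeholder event ID that is in none of the lists.
    for sample in [("000", "SAP*", "XX1"), ("100", "SAPADMIN", "XX1"),
                   ("100", "SAPSUPPORT01", "XX1"), ("100", "JDOE", "DU3"),
                   ("000", "DDIC", "BU5")]:
        print(sample, "->", matching_filters(*sample) or "not logged")
```

Under these assumptions the mask SAP#* covers only the user SAP*, so a user such as SAPADMIN is recorded only for the event IDs in the two „all users“ filters.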

Read / Analyze Security Audit Log

To read and, more importantly, to analyse the log entries, use transaction RSAU_READ_LOG, or SM20 in older releases.

Conclusion

Security auditors will definitely check whether SAL is properly configured. So be prepared!

If you have any suggestions, improvements or comments, please share them with everyone!

God bless you and your SAP systems 🙂