The SAP system has some in built reports that are invaluable for SAP system auditors.

By providing simple or complex combination of selection criteria, you can generate reports that make your audit job easy. These reports come with the RSUSR prefix followed by three digit codes. Reports that fall under this category are RSUSR003, RSUSR005, RSUSR007, RSUSR008, RSUSR009, RSUSR100, RSUSR101 and RSUSR102. In order to objectively analyze these reports, it is important to understand the company policies. Policy areas that need familiarization and understanding includes the following but not limited to segregation of duties, delegation of authority, password policies and user access and management procedures. The work method to generate these reports is to provide details of the selection criteria in transaction SE 38 (ABAP Editor) or SA 38 (ABAP Execute Program). RSUSR003: The SAP system comes with a number of standard users that are used to perform specific administrative tasks. These users include SAP*, DDIC, SAPCPIC and Earlywatch . These users are created with default passwords. It is expected that their user password be changed to a non trivial password after installation to guide against misuse and enforce control in the SAP system. Report RSUSR 003 allows you to know from a glance whether these accounts have been appropriately maintained or not. Security Administrator should at least quarterly check Report RSUSR003 for the status of SAP Standard user ids and remediate incase of any discrepancies. The following Authorization will be needed by Security Administrator to execute this RSUSR003 report. Authorization object S_USER_ADM with the value CHKSTDPWD for the field S_ADM_AREA. If the administrator does not own this authorization the following authorizations are checked instead which require strong change authorizations (see notes 717123 and 704307 for details): S_TABU_DIS Activity 02 and Authorization Group SS S_TABU_CLI X Client Maintenance Allowed S_USER_GRP Activity 02 and User Group SUPER

Checking Profile Parameters For any operating company Business and Audit requirement determines the values of the profile parameters. Below are the list and brief description of the various profile parameters that impact SAP Security and Audit and the best practices value that they might have to satisfy security and Audit requirement.

Profile parameter login/min_password_lng login/min_password_digits login/min_password_letters login/min_password_specials login/min_password_diff login/password_expiration_time

Description Minimum length of password that user need to Input Minimum number of digits that password should contain Minimum number of letters that password should contain Minimum number of special character that password should contain Min. number of chars which differ between old and new password >0 Number of days after which password expires and should be changed Available as of SAP NetWeaver 700 Number of old passwords that the system stores so that user cannot repeat old passwords Available as of SAP NetWeaver 700 Number of days till which password used by user remain valid and after which that same password cannot be used for login Available as of SAP NetWeaver 700 Maximum number of days for which initial password remains valid Disable multiple SAP logons for same user id Number of invalid login attempts until session end Number of invalid login attempts until user lock Control automatic login using SAP* with default password in the case when user master record of SAP* has been deleted Maximum time in seconds after which GUI session will automatically logout Prevents disabling of Authorization objects by transaction AUTH_SWITCH_OBJECTS

Expected Value 8 1 1 1

90

login/password_history_size

login/password_max_idle_product ive

60

login/password_max_idle_initial login/disable_multi_gui_login login/fails_to_session_end login/fails_to_user_lock

7 1 3 5

login/no_automatic_user_sapstar rdisp/gui_auto_logout auth/object_disabling_active

1 3600 N ALL which means table logging activated in All clients

rec/client

Activate or Deactivate Table logging in a client

RSUSR005: This report displays users with critical authorizations in the SAP system . Some transactions are considered critical in the SAP system and it is expected that their assignment to users should be tightly controlled. Critical authorization does not only apply to technical or basis individual, it also applies to functional users. This report allows an auditor to review users that have critical authorizations. RSUSR006: User management in SAP can be quite challenging especially in a large organization. Typically, the system can be configured in such a way that a user gets locked after entering a wrong password on a defined number of times. Furthermore, via system parameter setting login/fails_user_lock , it is possible to define how the user gets unlockedeither automatically at midnight or explicitly by the system administrator. Report RSUSR006 provides a list of all users that have been locked as a result of entering incorrect password in the system. RSUSR007: When users are created in the SAP system, their details including address are entered into the system. For some reasons or the other, it is possible to have users that have incomplete address data. Report RSUSR007 is used to generate a list of such users . These users can be reviewed and their address data completed appropriately. It is good practice to have complete address for all users. It helps user organization and management. RSUSR008: It is not impossible to have users with complex combination of authorization or transactions in the SAP system especially where duties are not appropriately segregated. Also this might be the case where a matrix of incompatible transaction does not exist. The implication therefore is concentration of powerful roles with some individuals that can perform activities that are not properly controlled or conflicts with the rule of segregation of duties. It is important to review report RSUSR007 in such situation. The report RSUSR008 lists users that have incompatible combination of critical authorizations and/or transaction. RSUSR009: This report is similar to what is obtained with RSUSR005 aforementioned, however, it offers more flexibility. The report RSUSR009 displays users who posses critical authorization and it allows you to explicitly specify the critical authorization in the selection criteria.

RSUSR100: This report is generated when you need to review change documents for users. It shows modifications to the users security. RSUSR101: This report is generated when you need to review change document for profiles. it shows modifications made to profile security. RSUSR102: This report is generated when you need to review change documents for authorization. It shows modifications made to authorization security.

The Security Audit Log

As of Release 4.0, you can use the Security Audit Log to record security-related system information such as changes to user master records or unsuccessful logon attempts. This log is a tool designed for auditors who need to take a detailed look at what occurs in the SAP System. By activating the audit log, you keep a record of those activities that you specify for your audit. You can then access this information for evaluation in the form of an audit analysis report. The Security Audit Log provides for long-term data access. The audit files are retained until you explicitly delete them. Currently, the Security Audit Log does not support the automatic archiving of the log files; however, you can manually archive them at any time. You can record the following information in the Security Audit Log: Successful and unsuccessful dialog logon attempts Successful and unsuccessful RFC logon attempts RFC calls to function modules Changes to user master records Successful and unsuccessful transaction starts

Changes to the audit configuration The audit files are located on the individual application servers. You specify the location of the files and their maximum size in the following profile parameters: Profile Parameters for the Security Audit Log Profile Parameter rsau/enable rsau/local/file Definition Activates the audit log on an application server. Specifies the location of the audit log on the application server. Specifies the maximum length of the audit log. Specifies the number of selection slots for the audit. Standard or Default Value 0 (audit log is not activated) 1 (audit log activate) /usr/sap/<SID>/<instno>/log/ audit_<SAP_instance_number> 1,000,000 bytes 2

rsau/max_diskspace_local rsau/selection_slots

You specify the activities that you want to log in filters using the transaction SM19. You can read the log using the transaction SM20. You can delete old logs with the transaction SM18. There are certain parameters that have to be enabled for configuring Security Audit log. rsau/enable Should have value 1 rsau/max_diskspace/per_day or rsau/max_diskspace/per_file : Either one should be set rsau/Selection_slots: Should be set to the value equal to the number of Filters needed. Filters should be appropriately configured and is dependent on the level of Security you need and the amount of log that your system may store. This is how I will configure it: Filter 1: Will have Client as * and User as * and for Event Class I will have all the Critical event class. Filter 2: I use filter 2 to log details about successful and not successful RFC function calls to get information how to set up authorizations concerning the authorization object S_RFC. This filter is only active as required. Filter 3-n: Also I will have transaction and report started by critical users, like SAP* or the support users as I like to see the transactions or reports executed by these users. It is important to note that if your Security team has access to SM19 and SM20, you should refrain from giving them SM18. SM18 should only be with Basis team. SM20 gives very useful information like from what terminal, what kind of transaction or report was executed, using what user id, and at what time.