SAP provides a number of reporting tools and ABAP/4 programs that give detailed analysis and monitoring of SAP security at the client and system levels. The monitoring reports can be accessed in two ways: by running the program directly with transaction SE38 or SA38, or through the SUIM (Repository Information System) transaction. As part of the SAP audit compliance process, the company needs to monitor these SAP security parameters frequently.
Objective: To ensure that invalid login attempts are properly examined to identify malicious attempts on the system.
Report: RSUSR006 Frequency: Daily
The report lists, for each client within the system, all users with invalid login attempts and all users locked out, either by security administrators or by too many bad password attempts. Review the report to identify inconsistencies or patterns, and check whether any users are attempting to hack into the system.
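The daily review described above can be scripted once the report is exported. The following Python is an added example, not code from the page or from SAP: it assumes a CSV export of RSUSR006 with the constructed columns MANDT, BNAME, FAILED and LOCK (real exports differ in column names), and groups the rows into the categories a reviewer wants to see first: users over a failed-logon threshold, any failure against the standard users whose default passwords are well known, users locked by bad password attempts, users locked by an administrator (whose approval should be verified), and clients where many distinct users are failing at once, which points to a pattern rather than one mistyped password.

```python
import csv
import io
from collections import defaultdict

# Constructed sample resembling a CSV export of RSUSR006 output; not real data.
# Assumed columns: MANDT (client), BNAME (user), FAILED (invalid logon count),
# LOCK (lock reason reported by the system, empty when the user is not locked).
SAMPLE_EXPORT = """MANDT,BNAME,FAILED,LOCK
000,SAP*,2,
100,JSMITH,1,
100,MJONES,5,Locked by incorrect logons
100,DDIC,3,
100,APATEL,4,
100,RLEE,3,
100,KWONG,3,
200,TBROWN,0,Locked by administrator
200,SAPCPIC,1,
"""

# Standard SAP users whose default passwords are widely known: any failed
# logon against them is worth a look even below the general threshold.
PRIVILEGED_USERS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC"}


def parse_export(text):
    """Turn the CSV text into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "client": row["MANDT"].strip(),
            "user": row["BNAME"].strip().upper(),
            "failed": int(row["FAILED"] or 0),
            "lock": row["LOCK"].strip(),
        })
    return rows


def analyze(rows, failed_threshold=3, pattern_min_users=4):
    """Group the report into the review categories a daily check needs.

    failed_threshold  - failed logon count at which a single user is flagged
    pattern_min_users - distinct failing users in one client that suggest a
                        client-wide pattern rather than one mistyped password
    """
    findings = {
        "over_threshold": [],   # (client, user) with many failed logons
        "privileged": [],       # standard/privileged users with any failure
        "auto_locked": [],      # locked by too many bad password attempts
        "admin_locked": [],     # locked by an administrator (verify approval)
        "client_patterns": [],  # (client, number of distinct failing users)
    }
    failing_per_client = defaultdict(set)
    for r in rows:
        key = (r["client"], r["user"])
        if r["failed"] >= failed_threshold:
            findings["over_threshold"].append(key)
        if r["user"] in PRIVILEGED_USERS and r["failed"] > 0:
            findings["privileged"].append(key)
        lock = r["lock"].lower()
        if "incorrect" in lock:
            findings["auto_locked"].append(key)
        elif lock:
            findings["admin_locked"].append(key)
        if r["failed"] > 0:
            failing_per_client[r["client"]].add(r["user"])
    for client, users in sorted(failing_per_client.items()):
        if len(users) >= pattern_min_users:
            findings["client_patterns"].append((client, len(users)))
    return findings


if __name__ == "__main__":
    for category, items in analyze(parse_export(SAMPLE_EXPORT)).items():
        print(f"{category}: {items}")
```

The thresholds are deliberately parameters: a reasonable value for `failed_threshold` is the system's own lock limit minus one, so the reviewer sees accounts approaching a lockout before it happens, and `pattern_min_users` should be tuned to the client's normal daily noise.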
Objective: To ensure that password changes are properly approved before the new password is made available to users.
Report: SUIM change logs Frequency: Weekly
Review password change documents for key users, including SAP*, EARLYWATCH, DDIC, SAPCPIC, and the Basis and Security administrators. These users usually have excessive privileges on the system, so an attacker who gets inside will try to change the password of one of them. The ability to reset passwords should be limited to Basis and Security administrators and Help Desk users.
Objective: To ensure that SAP system profile parameters are configured correctly according to the company's standard operating procedures.
Report: RSPARAM Frequency: Bi-weekly
Objective: To ensure that user level changes are properly approved by the supervisor.
Reports: RSUSR100, RSUSR101, RSUSR102 Frequency: Bi-weekly
For selected key users, including the Basis and Security administrators, run the reports and review the change history. Check the dates of the changes and who made them. Changes should be limited to other Basis or Security administrators. If changes were made by someone outside the system administration group, this indicates a serious security breach.
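The weekly password-change review and the bi-weekly change-history review above apply the same rule: who is allowed to change what. The following Python is an added example, not code from the page or from SAP, that encodes that rule over constructed change records (date, changed user, changed by, kind of change) in the shape one would extract from the RSUSR100 family or the SUIM change logs. The administrator and help desk account names are assumptions standing in for the company's own role membership. A change to a key user by anyone outside the Basis and Security administrators is rated SERIOUS; a change by an account outside the set permitted for that kind of change (help desk accounts may only reset passwords) is rated UNAUTHORIZED.

```python
from datetime import date, timedelta

# Assumed role membership (placeholders); take the real lists from the SOP.
BASIS_ADMINS = {"BASISADM1"}
SECURITY_ADMINS = {"SECADM1"}
HELP_DESK = {"HELPDESK1"}
ADMINS = BASIS_ADMINS | SECURITY_ADMINS

# Key users: the standard SAP accounts plus the administrators themselves.
KEY_USERS = {"SAP*", "EARLYWATCH", "DDIC", "SAPCPIC"} | ADMINS

# Constructed sample resembling user-master change documents; each entry is
# (change date, changed user, changed by, kind of change). Not real data.
SAMPLE_CHANGES = [
    (date(2024, 3, 1), "JSMITH", "HELPDESK1", "PASSWORD"),
    (date(2024, 3, 2), "SAP*", "HELPDESK1", "PASSWORD"),
    (date(2024, 3, 3), "DDIC", "BASISADM1", "PASSWORD"),
    (date(2024, 3, 4), "SECADM1", "JSMITH", "PROFILE"),
    (date(2024, 3, 5), "MJONES", "HELPDESK1", "ROLE"),
    (date(2024, 3, 6), "BASISADM1", "SECADM1", "LOCK"),
]


def classify(change):
    """Return SERIOUS, UNAUTHORIZED or OK for one change document."""
    _, target, changed_by, kind = change
    # Key users may only be changed by Basis or Security administrators.
    if target in KEY_USERS and changed_by not in ADMINS:
        return "SERIOUS"
    # Password resets may also come from the help desk; other changes may not.
    allowed = ADMINS | HELP_DESK if kind == "PASSWORD" else ADMINS
    if changed_by not in allowed:
        return "UNAUTHORIZED"
    return "OK"


def review(changes, since=None):
    """Return the non-OK changes dated on or after `since` (default: all)."""
    findings = []
    for change in changes:
        if since is not None and change[0] < since:
            continue
        verdict = classify(change)
        if verdict != "OK":
            findings.append((verdict,) + change)
    return findings


if __name__ == "__main__":
    # Constructed review date: look back over the past week, per the schedule.
    week_ago = date(2024, 3, 7) - timedelta(days=7)
    for verdict, when, target, by, kind in review(SAMPLE_CHANGES, since=week_ago):
        print(f"{verdict:12} {when} {kind:9} on {target:10} by {by}")
```

In the sample, the help desk resetting SAP*'s password and a regular user modifying a Security administrator's profile both come out SERIOUS, and the help desk assigning a role comes out UNAUTHORIZED; the three remaining records are routine administrator activity and are not listed.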
Objective: To ensure that SAP*, EARLYWATCH, DDIC and SAPCPIC are adequately protected.
Report: RSUSR003 Frequency: Monthly
Examine the report and verify that the passwords for SAP*, EARLYWATCH, DDIC and SAPCPIC have been changed in all clients. The report shows all clients defined in the system. The SAP*, EARLYWATCH, DDIC and SAPCPIC passwords must be maintained consistently across all clients. Since the default passwords of these users are well known, an attacker could easily compromise the user and gain full control over the SAP system.
Objective: To ensure that master addresses are populated according to standard operating procedures.
Report: RSUSR007 Frequency: Monthly
Run the ABAP/4 program and select the address fields: name, the Name 1 field, building name, street, city, location, department, telephone, extension and country key (not currently on the login form, but each user can maintain it). Review the user master records to ensure that all users have the required address information, correctly formatted. This activity should be completed for each system; the report analyzes all clients within a system.