topic Re: security audit log in Application Development and Automation Discussions

security audit log

Former Member — Tue, 30 Mar 2021 12:23:14 GMT

Hi,

We are monitoring security audit log and receiving the events "In program (event id:BUZ) " and "field content changed (event id:CUL)". Please provide the details about these events

Re: security audit log

jmodaal — Tue, 30 Mar 2021 16:11:34 GMT

Hello,

looks to me that someone changed a value in a debugging session. As this is critical from security point of view it is usually logged in the Security Audit Log.

Re: security audit log

Peter — Mon, 12 Apr 2021 19:39:50 GMT

I agree with your conclusion.

Refer to SAP Note 539404 for details.

Re: security audit log

tom_wan — Tue, 13 Apr 2021 01:12:53 GMT

With Audit Log(SM19/SM20) or System Log(SM21), "critical" activities of debugger will be recorded. This is explained in notes:

1559742 - Insufficient Logging of Debugger Activities

1411741 - Evaluating debugger events in audit log

Re: security audit log

Former Member — Wed, 28 Apr 2021 05:43:32 GMT

ho can i access these notes?

Re: security audit log

tom_wan — Wed, 28 Apr 2021 06:07:07 GMT

https://launchpad.support.sap.com/#/notes/1559742

https://launchpad.support.sap.com/#/notes/1411741

You need a S-USER to check notes

Re: security audit log

Former Member — Fri, 30 Apr 2021 11:25:49 GMT

Hi,

why these events are critical?

what is " In program (event id:BUZ)" ? Is it indicates the execution?

I have not get the correct idea about these events

Re: security audit log

jmodaal — Fri, 30 Apr 2021 13:54:34 GMT

Hello,

changing a field value in a debugging session can be used, for example, to bypass authorization checks.

Changing the value of SY-SUBRC to 0 after an AUTHORITY-CHECK statement would allow the program to continue even if the necessary authorization is not given. Self-assignment of SAP_ALL would also be possible. Therefore it is critical and to be logged in the Security Audit Log.