security audit log

Former Member · ‎2021 Mar 30

Hi,

We are monitoring security audit log and receiving the events "In program (event id:BUZ) " and "field content changed (event id:CUL)". Please provide the details about these events

jmodaal · ‎2021 Mar 30

Hello,

looks to me that someone changed a value in a debugging session. As this is critical from security point of view it is usually logged in the Security Audit Log.

Peter · ‎2021 Apr 12

I agree with your conclusion.

Refer to SAP Note 539404 for details.

Former Member · ‎2021 Apr 30

Hi,

why these events are critical?

what is " In program (event id:BUZ)" ? Is it indicates the execution?

I have not get the correct idea about these events

jmodaal · ‎2021 Apr 30

Hello,

changing a field value in a debugging session can be used, for example, to bypass authorization checks.

Changing the value of SY-SUBRC to 0 after an AUTHORITY-CHECK statement would allow the program to continue even if the necessary authorization is not given. Self-assignment of SAP_ALL would also be possible. Therefore it is critical and to be logged in the Security Audit Log.

tom_wan · ‎2021 Apr 13

With Audit Log(SM19/SM20) or System Log(SM21), "critical" activities of debugger will be recorded. This is explained in notes:

1559742 - Insufficient Logging of Debugger Activities

1411741 - Evaluating debugger events in audit log

Former Member · ‎2021 Apr 28

ho can i access these notes?

tom_wan · ‎2021 Apr 28

https://launchpad.support.sap.com/#/notes/1559742

https://launchpad.support.sap.com/#/notes/1411741

You need a S-USER to check notes

By Category

Related Content

Activity Groups

Industry Groups

Influence and Feedback Groups

Interest Groups

Location Groups

Customer Only Groups

Forums

Related Resources

Products

Learning and Support

About

My Account

My Account

security audit log