So, suddenly your security team or audit department wants you to log everything but you are not very comfortable making this change. What do you tell them?
Common perception about switching on SAP security audit logs (also referred to as SM19 or SM20 logs) is as follows:
1. On a reasonably-sized ERP system they will fill up a lot of disk space.
Here is the summary of what we recently discovered after analyzing a PROD ERP system which has over 10.000 users. Keep in mind, that's not a small system! (The detailed statistics can be found at: SAP Security Audit Logs: Which event types should I enable? There are 90 of them! And how much disk ...).
2. Switching on SAP security audit logs will introduce performance issues.
SAP security audit logs are optimized in the kernel and written to the file system directly. They are not stored in the database. So, even for the extreme event of writing a couple of gigabytes of logs in 24 hours, that's nothing. Your 5-year-old laptop can write 3GB in less than a minute.
3. They are useless. No one reviews those logs.
If you don’t have the tools and processes for evaluating them close to real time, their value is pretty low. Remember, the real value of security is stopping incidents from happening or neutralizing them as they happen.
For this purpose, SAP has its own solution, ETD (http://scn.sap.com/docs/DOC-58501).
I'm the founder of a company which has another solution, Enterprise Threat Monitor, which sends out notifications in real time when incidents are detected.
There are also other solutions and methodologies available utilizing SIEM or similar infrastructures.
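To make "evaluating them close to real time" concrete, here is an added example (my own illustration, not code from this post, SAP ETD or Enterprise Threat Monitor) that streams audit log records once and raises an alert as soon as a user accumulates repeated failed logons in a short window, escalating when a logon then succeeds. The record layout is a constructed, simplified pipe-separated format, not the real SM20/SAL file format; only the message IDs AU1 (successful logon) and AU2 (failed logon) are real SAL identifiers.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (NOT real SAL output). Fields:
# timestamp | client | user | terminal | SAL message ID
# AU2 is the SAL message ID for a failed logon, AU1 for a successful one.
SAMPLE_LOG = """\
2024-03-01T08:00:01|100|JSMITH|WS01|AU2
2024-03-01T08:00:05|100|JSMITH|WS01|AU2
2024-03-01T08:00:09|100|JSMITH|WS01|AU2
2024-03-01T08:00:15|100|JSMITH|WS01|AU1
2024-03-01T08:01:00|100|ADOE|WS07|AU2
2024-03-01T08:20:00|100|ADOE|WS07|AU2
2024-03-01T08:40:00|100|ADOE|WS07|AU2
2024-03-01T09:00:00|200|ADOE|WS07|AU1
"""

FAILED_LOGON = "AU2"
SUCCESS_LOGON = "AU1"


def parse_record(line):
    """Split one constructed record into fields; the timestamp becomes a datetime."""
    ts, client, user, terminal, msg_id = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "user": user, "terminal": terminal, "msg_id": msg_id}


def detect_logon_attacks(lines, threshold=3, window=timedelta(minutes=5)):
    """Single pass over ordered records. Emits ("medium", client, user, ts) when a
    (client, user) pair reaches `threshold` failed logons inside `window`, and
    ("high", ...) when that pair then logs on successfully."""
    recent = defaultdict(deque)   # (client, user) -> failed-logon timestamps in window
    burst_seen = set()            # pairs that already raised a medium alert
    alerts = []
    for line in lines:
        rec = parse_record(line)
        key = (rec["client"], rec["user"])
        fails = recent[key]
        while fails and rec["ts"] - fails[0] > window:   # expire old failures
            fails.popleft()
        if rec["msg_id"] == FAILED_LOGON:
            fails.append(rec["ts"])
            if len(fails) >= threshold and key not in burst_seen:
                burst_seen.add(key)
                alerts.append(("medium", key[0], key[1], rec["ts"]))
        elif rec["msg_id"] == SUCCESS_LOGON and key in burst_seen:
            alerts.append(("high", key[0], key[1], rec["ts"]))
            burst_seen.discard(key)
    return alerts
```

In the sample, JSMITH's three failures within seconds raise a medium alert and the following success escalates it to high, while ADOE's failures are spread across 40 minutes and never fall inside one window.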
Switching on all SM19 audit classes for all clients and all users causes fewer problems than typically assumed and it is a very important step in security. For almost all cases its benefits far outweigh its costs. I strongly recommend it!
I hope this blog post helps change the answer “We’ll do our best within our operational capacity to comply with this audit finding” (meaning: "No") to a nice and clean "Yes" for some of the readers.
Problems around SAP security monitoring are a topic of the past. They can be easily overcome using the latest tools and technologies.