Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

Firefighter role built from SAP_ALL - proof of fraudulent changes

Former Member

SAP colleagues - if a firefighter role, built manually from SAP_ALL, allows all access EXCEPT SAP security-related authorizations (including the global authorization check switch), can a user during firefighting activities:

- delete security / transaction logs to hide fraudulent acts?

Would the database tables or any other system tables retain proofs of some or any of the fraudulent changes. Would there be any other proofs of what was done?

Any other worst case scenarios and explanations in this case would be greatly appreciated.

Thank You!

4 REPLIES

jurjen_heeck
Active Contributor

This is a very difficult question to answer as risks may vary from company to company. I suggest you log on to a sandbox system, switch on an authorization trace and perform all activities marked as 'fraudulent' one at a time.

After this you should be left with an idea of what to remove from SAP_ALL. Once that's done you will probably have broken it, so with some retesting and fixing you may end up with the desired role. My suggestion is to focus on blocking user and role management as well as restricting access to the operating system through SAP.
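The sandbox procedure above (trace, run one activity at a time, decide what to strip from the SAP_ALL copy) produces a pile of trace lines that has to be turned into a removal list. The script below is an added example written for this page, not code from the thread, from SAP, or from any GRC product. It reads trace lines in a constructed, simplified format (activity tag, authorization object, return code, field=value pairs) that is NOT the real ST01/STAUTHTRACE layout, groups the successful checks per tested activity, and flags the ones that a deny policy says a firefighter must never have. The object names (S_USER_GRP, S_LOG_COM, S_RZL_ADM, S_ADMI_FCD, S_DATASET, S_DEVELOP, F_BKPF_BUK, S_TCODE) are real SAP authorization objects, but the deny policy and the sample values are assumptions built from the thread's own concerns (user and role management, OS access, audit log deletion) plus debugger "replace" as an extra assumption; verify field semantics against your own release before using the policy.

```python
"""Triage of a sandbox authorization trace for a SAP_ALL-derived firefighter role.

Added example for this page (not from the thread, SAP, or any GRC product).
Trace format is constructed and simplified, NOT the real ST01 layout:
    <activity> <object> RC=<n> <FIELD>=<value>;<FIELD>=<value>;...
"""
import re
from collections import defaultdict

# Constructed sample trace: the tester runs one activity at a time and tags
# the lines with the activity name, as the thread suggests.
SAMPLE_TRACE = """\
delete_audit_log S_ADMI_FCD RC=0 S_ADMI_FCD=AUDD;
delete_audit_log S_DATASET RC=0 ACTVT=06;FILENAME=/usr/sap/X01/D00/log/audit_20240101;PROGRAM=RSAUPURG;
run_os_command S_LOG_COM RC=0 COMMAND=ZRM;OPSYSTEM=Linux;HOST=*;
run_os_command S_RZL_ADM RC=0 ACTVT=01;
create_user S_USER_GRP RC=12 ACTVT=01;CLASS=SUPER;
post_invoice F_BKPF_BUK RC=0 ACTVT=01;BUKRS=1000;
post_invoice S_TCODE RC=0 TCD=FB60;
debug_replace S_DEVELOP RC=0 ACTVT=02;OBJTYPE=DEBUG;OBJNAME=*;DEVCLASS=*;P_GROUP=*;
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+RC=(\d+)\s*(.*)$")


def parse_trace(text):
    """Yield (activity, object, rc, {field: value}) for each non-empty line."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable trace line: {raw!r}")
        activity, obj, rc, fields = m.groups()
        kv = {}
        for pair in filter(None, fields.split(";")):
            key, _, value = pair.partition("=")
            kv[key.strip()] = value.strip()
        yield activity, obj, int(rc), kv


# Assumed deny policy: object -> {field: forbidden values}. An empty rule means
# any successful check on that object is flagged; a non-empty rule flags only
# when every listed field carries a forbidden value.
DENY_POLICY = {
    "S_USER_GRP": {},                                   # user master maintenance
    "S_USER_AGR": {},                                   # role maintenance
    "S_LOG_COM": {},                                    # external OS commands
    "S_RZL_ADM": {},                                    # CCMS / system administration
    "S_ADMI_FCD": {"S_ADMI_FCD": {"AUDD", "AUDA"}},     # audit log delete / admin
    "S_DATASET": {"ACTVT": {"06"}},                     # delete files via ABAP
    "S_DEVELOP": {"OBJTYPE": {"DEBUG"}, "ACTVT": {"02"}},  # debugger "replace"
}


def violates(obj, kv):
    """True if a successful check on obj with these field values breaks the policy."""
    rule = DENY_POLICY.get(obj)
    if rule is None:
        return False
    if not rule:
        return True
    return all(kv.get(field) in values for field, values in rule.items())


def triage(text):
    """Group checks per activity: granted (RC=0), flagged (granted but forbidden), denied."""
    report = defaultdict(lambda: {"granted": [], "flagged": [], "denied": []})
    for activity, obj, rc, kv in parse_trace(text):
        bucket = report[activity]
        if rc != 0:
            bucket["denied"].append((obj, kv))
            continue
        bucket["granted"].append((obj, kv))
        if violates(obj, kv):
            bucket["flagged"].append((obj, kv))
    return dict(report)


def objects_to_remove(report):
    """Distinct object/value combinations the role still grants but policy forbids."""
    out = set()
    for bucket in report.values():
        for obj, kv in bucket["flagged"]:
            out.add(obj + " " + ";".join(f"{k}={v}" for k, v in sorted(kv.items())))
    return sorted(out)


if __name__ == "__main__":
    rep = triage(SAMPLE_TRACE)
    for activity, b in rep.items():
        print(f"{activity}: granted={len(b['granted'])} "
              f"flagged={len(b['flagged'])} denied={len(b['denied'])}")
    print("Review for removal from the firefighter role:")
    for line in objects_to_remove(rep):
        print("  " + line)
```

Activities that show no flagged checks (the constructed post_invoice run) are the ones the firefighter role is meant to keep; every flagged line is a candidate to strip from the SAP_ALL copy, after which the whole activity list is re-run in the sandbox, as the reply describes, until nothing legitimate breaks and nothing forbidden passes.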


Thanks Jurjen! User and role management is blocked. I will also have most other system admin related authorizations removed, including external commands to the OS. However, external auditors want proof that we can account for any deleted change / security logs and thus hidden actions.

Is it true that SAP does not allow deletion of security / audit logs less than 3 days old? Also, if someone deletes logs (what are the different ways to do it?), would tables on the DB side record some of these actions that could be used as proof of tampering? Thanks!!


I think you'd better try the forum for that question.


Jurjen, thank you, I will give GRC forum a try, too.