Firefighter role built from SAP_ALL - proof of fraudulent changes

Former Member
0 Kudos

SAP colleagues - if a firefighter role, built manually from SAP_ALL, allows all access EXCEPT SAP security-related authorizations (including the global auth check switch), can a user during firefighting activities:

- delete security / transaction logs to hide fraudulent acts?

Would the database tables or any other system tables retain proof of some or any of the fraudulent changes? Would there be any other proof of what was done?

Is it true that SAP does not allow deletion of security / audit logs less than 3 days old? Also, if someone deletes logs (what are the different ways to do it?), would tables on the DB side record some of these actions that could be used as proof of tampering?

Thank You!

Accepted Solutions (1)

simon_persin4
Contributor
0 Kudos

Hi Ivan,

I hope that you are asking this from a control perspective and not trying to find out how to cover your tracks??!!!!

The Firefighter Log reports are based on a defined set of criteria; namely the STAD / STAT transaction logs and the change document logs held within CDHDR.

In version 10.0 this is enhanced significantly with the inclusion of the OS Command logs, Audit logs and System logs but still table logs are not included.

If the Firefighter ID has the authorisations to go in and delete the source data which runs these logs and the firefighter User knows how to do it then, of course, there is a risk that the logs can be deleted.

It is good practice to ensure that the authorisations provided to Firefighter IDs are carefully considered to minimise this risk and that, if they do indeed have this ability, the Controllers and Owners fully understand the risks involved with assigning it and take appropriate controlling actions.

Simon

Former Member
0 Kudos

Thanks Simon! Yes, trying to control, not breach. I understand that the exposure is there with a Firecall role built from SAP_ALL with sec auths inactive or display... My primary concern is around change logs and security logs (STAT, CDHDR, CDPOS, etc.). If they can be deleted without a trace then it is a problem. I am just curious what different traces we have at our disposal and whether the DB / OS side retains any of this...

Many companies use wide-encompassing roles for Firefighter purposes, typically built from SAP_ALL, and if "emergency" changes can be hidden/void, what is the purpose of any reviews thereafter? How can we be certain that traces exist?

Former Member
0 Kudos

Hello Ivan

This point has been discussed in the security forum.

I think that SAP_ALL Firefighters is a bad idea. Only one SAP_ALL user should be used. This is the "admin" user (replace the use of DDIC and SAP*). I think that this admin user shouldn't be a firefighter user. What if there's a problem with the firefighter module and you cannot log on via firefighter? Then I think you should have an admin user in the production system and grant access to this user in specific circumstances. There should be a well-defined procedure to enable this user.

Cheers,

Diego.

Answers (0)