SAP Enterprise Threat Detection (SAP ETD) is a solution that analyzes IT security risks in real time in a given SAP environment. By assessing the log files of the systems at hand – including network components, databases, and applications from both SAP and other providers – SAP ETD can quickly and reliably detect attacks from internal and external sources, enabling you to take corresponding measures as fast as possible. Combined in one unified log in SAP ETD and enriched with the semantic attributes it brings the most powerful analysis capabilities of incidents.
BY DENIS BORMOTOV, VIRTUAL FORGE
As a security analyst you can be interested in the information that can be hidden or distributed across many logs. With SAP ETD now you have a single point to analyze this data. This first blog series will cover SAP NetWeaver ABAP log files – it will help you to configure ABAP logs and logs provision to SAP ETD.
SAP ETD is able to process 8 different ABAP logs. Each of them records and stores information that can help to investigate any suspicious activities in a SAP system. The following table gives an overview of the ABAP logs:
In Part 1 of my blog post, I will cover the first three log files:
- Security Audit Log
- System Log
- User Change Log
Security Audit Log
To enable provision of SAL and all other ABAP log files to SAP ETD, you will first need to activate them in customizing table SECM_LOGS with transaction SM30.
Now, transaction SM19 is used to configure SAL. The configuration includes maintaining the filters for the events you want to record. The general guideline for SAL is to enable all the selection criteria and classes for all events for further analysis in SAP ETD. However, if the amount of data generated should be limited, it is recommended to set at least three filters:
- All critical events are logged for all users (*) in all clients
- All events are logged for user SAP* in all clients (*)
- All login and transaction events are logged for user DDIC in all clients (*).
Information stored in SAP and recorded by SAL contains personal data. In situations where personal data protection is required, compliance mechanisms need to be in place in order to protect it. SAP ETD provides an anonymization mechanism that assigns each user a pseudonym, therefore allows the analysis.
Examples of use cases where SAL can help you to determine suspicious activity are: Occurrence of a SAP* user unlock in production environment or Who has actually accessed a table with restricted access and downloaded its content?
One should pay attention to the fact that even if SAP ETD provides the semantic interpretation for many events, some of the SAL events are still missing. To be able to access all the data in SAP ETD, run your analysis in Forensic Lab based on event codes.
Additional to SAL information, the System Log provides tracking events in SAP Systems. Information logged include system related errors like database errors and rollbacks.
System Logs are maintained on each application server separately and can be centrally maintained on UNIX systems. The System Log is activated by default and can be evaluated with transaction SM21.
SAP ETD reads the System Log using the SAP Start Service user who must be configured to get access to this log file. SIDadm could be used for this purposes but the recommended way is to create a separate OS user with read access to the log file and add that user to service/admin_users profile parameter’s value. For more information see SAP Note 927637.
Since the System Log records such events like “debugging in production environment” you will get detailed information on critical events which should be thoroughly investigated in SAP ETD.
User Change Log
A role based policy on accessing business data is the core function of any business application. Changes made to users like role assignment or logon data must be always recorded and stored for analysis purposes.
Critical authorizations assigned to a user (intentionally or by mistake) can result in severe consequences or be at least a signal of an ongoing attack. User Change Log records all events made to user’s authorizations and user master data changes in case these changes have been performed from the SAP user management transactions or API’s.
Configuration of User Change Log additionally to SECM_LOGS requires maintenance of customizing table SECM_UCL_CLIENTS. To enable the extraction from other clients of the SAP system, dedicated RFC connections and users in target clients must be created and declared in the field USER of the customizing table SECM_UCL_CLIENTS.
This log allows to monitor and alert activities like: Who has enabled the Firefighter user? When? For what period of time? Was the user locked again after performing necessary activities?
Information about communication running through the SAP Gateway can be obtained in the Gateway log. Gateway serves an interface between the application server and other SAP systems or programs. SAP Gateway can be configured to ensure that undesirable external programs cannot be run. Monitoring changes in SAP Gateway configuration can help to prevent attacks on SAP systems from outside.
To enable Gateway logging and applying filters to events, you can configure the profile parameter gw/logging or use the SMGW transaction for dynamic configuration.
Gateway log also requires SAP Start Service user configuration.
A special file name pattern is applied to the Gateway Log in order to be read and transferred to SAP ETD. You can maintain it in the mentioned profile parameter with the value LOGFILE=dev_gw_log-%y-%m-%d.
Http Server ans Client Log
The Http Server and Client Log is used in order to get information about access events from Http Servers in the Internet and Intranet zone. It can record HTTP, ICM and SAP Message Server requests and can help you to detect the source and the requesting service.
Http Server and Client Log can be activated with the profile parameter: icm/HTTP/logging_<xx>.
Configuration requires a special file name prefix. Activating the Http Server and Client Log parameter must contain PREFIX=/, LOGFILE=dev_http_log-%d values.
Same as the System Log or Gateway Log, the Http Server and Client Log requires SAP Start Service configuration to access files from file system.
Change Document Log
This log file allows you to track changes made in business data objects. With Change Document Log you can define change documents as database tables representing the objects in the system.
Configuration for change document log is made in SCDO transaction and must be activated for every object in SE11 transaction.
The object for Change Document Logging is activated in the configuration table SECM_CDLOG_FILT where you manually enter all the objects which you want to be transferred to SAP ETD.
A typical attack scenario to detect via Change Document logging is a manipulation of user roles made in PFCG transaction, i.e. enhancing and assigning the roles with extensive authorizations.
Business Transaction Log
This log file represents the information about “who (USERID) called which transaction, RFC, Program, Function Module”, etc. The “collector” on each of the Application Servers gathers the information about the workload analysis. Business Transaction Log is enabled by default.
Activating this log transfer to SAP ETD should be made with the regard of the SAP HANA server hardware configuration as this Business Transaction Log produces the largest amount of events data among other logs.
The transaction to display Business Transactional Log is STAD.
The information logged also include debugging processes in the system but without detailed information about the processes.
Read Access Log
Data stored and processed in SAP systems very often fall under legal regulations or compliance standards, for example private or healthcare information. Access to that data must monitored and logged. Read Access Logging (RAL) allows to obtain information about “who and when has accessed the selected data”.
Transaction SRALMANAGER is used to configure RAL. Prior to the configuration you must determine what data and which channels to be logged. Additional configuration in table SECM_RAL_CFG lets SAP ETD process Read Access Logs for selected software components in the RAL configuration.
RAL also requires SAP Start Service user configuration.
One of the examples where RAL could be used for is to find out “who performed a search in a patient database and has accessed medical history data”.
The log files which I have described in this blog post series are not all of the available SAP ABAP logs but the most important ones. With these log files properly configured to provide relevant information, SAP ETD provides great value in investigating any activities in the SAP environment and gives you meaningful insights about critical security events. A wisely chosen configuration based on the events that are critical to your organization can help to avoid an extensive amount of data while still tracking any relevant event. I hope this blog post series helps you in finding the right logging approach for your organization’s needs and that you get the most out of the powerful solution which SAP ETD represents.