Re: security audit log

former_member732818 · ‎03-30-2021

Hi,

We are monitoring security audit log and receiving the events "In program (event id:BUZ) " and "field content changed (event id:CUL)". Please provide the details about these events

jmodaal · ‎03-30-2021

Hello,

looks to me that someone changed a value in a debugging session. As this is critical from security point of view it is usually logged in the Security Audit Log.

Peter · ‎04-12-2021

I agree with your conclusion.

Refer to SAP Note 539404 for details.

former_member732818 · ‎04-30-2021

Hi,

why these events are critical?

what is " In program (event id:BUZ)" ? Is it indicates the execution?

I have not get the correct idea about these events

jmodaal · ‎04-30-2021

Hello,

changing a field value in a debugging session can be used, for example, to bypass authorization checks.

Changing the value of SY-SUBRC to 0 after an AUTHORITY-CHECK statement would allow the program to continue even if the necessary authorization is not given. Self-assignment of SAP_ALL would also be possible. Therefore it is critical and to be logged in the Security Audit Log.

tom_wan · ‎04-13-2021

With Audit Log(SM19/SM20) or System Log(SM21), "critical" activities of debugger will be recorded. This is explained in notes:

1559742 - Insufficient Logging of Debugger Activities

1411741 - Evaluating debugger events in audit log

former_member732818 · ‎04-28-2021

ho can i access these notes?

tom_wan · ‎04-28-2021

https://launchpad.support.sap.com/#/notes/1559742

https://launchpad.support.sap.com/#/notes/1411741

You need a S-USER to check notes