SAP Audit Program

I. General

1. Obtain a company organizational chart.

2. Obtain a copy of all security policies and procedures.
3. Obtain a diagram of the SAP application architecture.
4. Obtain a copy of “problem tracking” or “incident report” for the application being audited.
5. Obtain a copy of all system enhancements that are queued up for implementation.
6. Obtain a copy of the application’s documentation.
7. Obtain a copy of the development methodology used to complete the system.(Business and
Design Requirements Processes)
8. Obtain a copy of any service level agreements established for the application.
9. Obtain a copy of the contingency/backup plan for the application
10. Obtain a copy of the Corporate Disaster Plan
11. Determine which release of SAP is installed
12. Identify the modules installed.
13. Determine the interfaces to the production system
14. Determine the number of client systems running.
15. Determine which geographical locations are running SAP
16. Determine what level of custom programming in on-going
• ABAP/4 programs
• Data entry screens
17. Evaluate the overall SAP security architecture
18. Determine the operating systems and database management systems running within the
environment
19. Obtain a listing of all SAP clients
• Table T000 has the SAP clients
• Path: SYSTEM - SERVICES - TABLE MAINTENANCE
• SE16 or SE17
• Table T001 has the companies
• Path: TOOLS - ABAP/4 WORKBENCH - OVERVIEW - DATA
BROWSER - TABLE CONTENTS
20. Obtain a listing of all group companies

• List table T042G

21. Obtain a listing of all business areas

• List table TGSB and TGSBT

22. Obtain a listing of all credit control areas

• List table T014 and T014T

23. Obtain a list of all charts of accounts

• List table T004 and T004T

24. Obtain a listing of all plants

• List tables T001W and TVKWZ

25. Obtain a listing of storage locations

• List table T001L

26. Obtain a listing of all purchasing organizations

• List table T024W

27. Obtain a listing of all purchasing groups

• List table T024

28. Obtain a listing of all sales organizations

• List table TVKO and TVKOT

29. Obtain a listing of distribution channels

• List table TVTW, TVTWT, and TVKOV

30. Obtain a listing of all divisions

• List tables TSPA, TSPAT, and TVKOS

31. Obtain a listing of sales areas

• List table TVTA

32. Obtain a listing of sales offices

• List tables TVBUR, TVKBT, and TVKBZ

33. Obtain a listing of sales groups

• List tables TVKGR, TVBVK, and TVGRT

II. Design And Implementation

1. Determine if proper planning has been formalized

• Has a clearly established functional or geographical approach been established?
• Has a structure methodology been adopted?
• Has a top-down plan been developed to address system integration issues?
• Have SAP release dates been taken into consideration as part of the plan?
• Does the plan consider the time to perform a post-implementation review?
2. Determine if the proper organization and staffing for the team has been completed.
• Has a Steering Committee been organized to include all functional business areas?
• Have enterprise-wide standards been established?
• Are users assigned to key project management positions?
• Has an integration team been established with members from all functional areas?
• Has a technical team been established separate from the functional team to share
technical responsibility and to ensure standard techniques are employed?
• Is the staff size appropriate for the scope of the implementation?
• 5-7 members for each core module.
3. Determine if adequate training is conducted.
• Review the training program to ensure that it is adequate and addresses all functional
areas.
• Ensure that the training approach is integrated into the project methodology.
• Ensure that adequate time for all levels of training is scheduled.
4. Determine if the project is properly controlled through budget, quality, and schedule.
• Are standard project control tools and documentation formats used across teams to
ensure consistent communication and minimize impact of team turnover?
• Are weekly or even daily cross-team progress meetings held along with monthly
steering committee meetings to communicate status and resolve issues?
• Are issues logs used to resolve project delays?
• Ensure that a consistent implementation methodology across all teams is being
employed.
• Is the project measured by workplan tasks and deliverables rather than hours spent?
• Are support systems such as Lotus Notes or e-mail established at the beginning of the
project.
5. Determine to what extent re-engineering is being employed.
• If the project team is going through a large re-engineering effort, ensure that it is
completed prior to the beginning the SAP implementation process. Otherwise, the
changes can be incorporated during the analysis and design phases.
• Ensure that all re-engineering processes are formally signed-off.

6. Determine if a adequate global design is completed.

• Have practices and processes globally been harmonized along with SAP functionality?
 • Have worldwide representatives on the project been present during the prototyping
and Join Application Develop (JAD) sessions to ensure that system decisions are
properly conducted.
• Are key system checkpoints mapped to the global design to ensure the system meets
the needs of each region?
• Are the use of prototyping and playbacks used to validate the design?
• Have key data items such as material number, customer number, chart of accounts,
and company codes been standardized?
7. Determine if proper integration has been designed into the system.
• Determine if an overall integration plan has been developed and reviewed by the
integration team?
• Has the integration team been involved throughout the project?
• Are the integration points tested throughout the project?
8. Determine if the SAP software is properly configured.
• Has the organizational hierarchy been properly established within SAP as an initial
step?
• Have any modifications to the SAP supplied software been completed? If so,
determine the risk impact of such modifications.
• Are cross-checks conducted periodically for table configurations with all team
members?
• Are checks conducted to ensure that table and file structures are consistent across all
locations?
9. Determine if matrixes are used to define job functions and proper separation of duties.
10. Determine if data ownership responsibilities are defined for the SAP objects (fields).
III. Workstation Security

1. Obtain access to the application’s interface (GUI) test environment.

2. Obtain a configuration listing of a typical end user workstation.
3. Determine if the user is required to signon to the workstation.
4. Evaluate the GUI (according to requirements and design documentation ) to determine if the
edits on the system are adequate.
5. Evaluate the middleware connection to the file servers and the mainframe processor from a
security and control perspective.
• Open Data-Link Interface (ODI) drivers
• NET.CFG file
• Link Support Layer file LSL.COM
• Protocol Stacks IPXODI.COM
• NetWare Shell
• SAPs
• DDE
• OLE
6. Determine that any modification to startup files are properly recorded to prevent the key
stroke
capture programs from executing.
7. Determine that the workstation is properly protected from Trojan GUIs from running.
IV. Application Support

1. Determine the existence of a qualified group (or individual) designated to support the
application.
2. Review the job functions statement and interview users of the service to determine the scope
and effectiveness of the position.
3. Determine if remote workstation processing locations are provided with “hot line”
consultation
on problems relating to workstation hardware and software.
4. Determine if all incidents and resolutions are properly recorded.
V. Review The Security And Control Over The Unix Operating System.

1. Determine who has access to execute program SAPMSOS0. This program has access to the
UNIX command prompt. This program is run by Transaction SM52.

2. Obtain a listing of the users that can sign onto the UNIX operating system directly:

• $ cat etc/passwd

3. Obtain a listing of the groups and the users who belong to these groups:

• $ cat etc/group

4. Obtain a listing of the SAP directories and determine who has read and write authorities to
these
directories and files:

• /usr/sap
• Many of the files and sub-directories hold pertinent information:
• /usr/sap/trans/buffer - information on which transports are to be
imported
• /usr/sap/trans/cofiles - information on transport requests
• /usr/sap/trans/sapnames - information for users on transport request
status
• /usr/sap/trans/tmp - temporary data
• /usr/sap/trans/log - local system log
• /usr/sap/trans/work - runtime data

5. Obtain a copy of the initialization file and be sure that a sum command (hash total) is run on
the
file daily to identify any changes.

• /etc/inittab

6. List the trusted environment within UNIX to ensure that any trust relationships are also
properly
protected.

• etc/hosts.equiv
• .rhost

7. List the exported file system to determine if any SAP file is exported over the network.

• etc/exports

8. Review the batch job submission file within UNIX to ensure that it is properly protected.

• /usr/spool/cron/crontabs/root
• RDDIMPDP migrates to production queued up jobs (every 5 minutes)
9. Review the list of services to ensure that no unsecured service is running.

• /etc/services
• /etc/inetd.conf

10. If any users other than the system administrator (root or uid = 0) have command line
authority,
then evaluate why they need this level of authority on the SAP production machine.

11. Perform a find command to identify all suid and sgid programs that are owned by root. Using
this output sum the result to compare from one day to the next to track differences. The diff
command can be used to identify any changes that have occurred.

• # find / -name root -perm -4000 -print

• # find / -name root -perm -2000 -print
• # find / -name root -perm -4000 | sum > today
VI. Review The Security And Control Over The NT Operating System.

1. Obtain a list of all the Administrators and determine that each user with this capability needs
list
level of authority.

2. Obtain a list of all users and groups and ensure that each member is a valid entry.

3. Determine that default account rules are set to ensure that all users must properly log-on to the
system.

4. Determine that the default password rules are set to industry standards.

5. Determine if domains or workgroups are being used. If they are, map each user or group to a
domain and ensure that each user requires this level of access.

6. Determine which common user groups have been established and review the groups capability
to ensure that all users need to have this level of access.

7. Determine what personal groups have been established for each user and ensure that the user
needs this level of access to perform their job function.

8. Map all the startup applications for each user to ensure that only authorized applications are
accessed.

9. Review all system services to ensure that users are restricted to authorized functions only

10. Obtain a listing of all directories sub-directories, and files.

11. Review the permission levels of who owns the directories, sub-directories, and files.

12. Review all user and group privileges to critical or sensitive directories, sub-directories, or
files.

13. Obtain a list of all of the user’s rights and determine if the user needs this level of authority.

14. Review the Power User group and ensure that only authorized individuals are members of this
group.

15. Review the User group and ensure that only authorized individuals are members of this
group.

16. Review the Guest group and ensure that this group’s authorities are restricted.

17. Review the user’s Log-on Script to ensure that it is set up properly from a security
perspective.
18. Review the system’s configuration files and ensure that the parameters are properly set.

19. Determine if screen saver security is properly set.

20. Review all devices and the security settings protecting access to these devices.

21. Determine what alerts are established to notify the security administrator of any security
violations.

22. Determine if any directory replication has been established and ensure that sensitive or critical
data is properly protected on the remote platform.

23. Review the event auditing for the system and determine if it is adequate.

24. Review the backup procedures for contingency planning to ensure that they are adequate.

25. Review the organizational structure to ensure that there is a proper separation of duties.
VII. Review The Security And Control Over The Oracle DBMS

1. Determine that proper segregation of duties are in place for DataBase Administration
2. Obtain a listing of the Data Structure Diagram for the application.
3. Obtain the Database initialization file INIT.ORA.
4. Obtain major Data Dictionary Views
• DBA_OBJECTS
• DBA_TAB_COLUMNS
• DBA_USERS
• DBA_VIEWS
5. Review all user profiles to ensure that only authorized users have access to the application
files.
6. Determine the users that have physical access to the application files and ensure that this
privilege is necessary to support their job function.
7. Determine that all default userids and passwords have been changed.
• SYS
• SYSTEM
• SCOTT
• SAPr3
8. Ensure that all users are required to enter a password along with their userid to authenticate to
the application.
9. Determine that the passwords are required to be changed on a periodic bases.
10. List off all Roles within the database.
11. List off all users that have Resource or DBA privileges.
• SAPDBA
12. Obtain a listing of all the application objects such as tables and views.
13. Review the objects rights to ensure that only authorized users are allowed to operate against
these objects.
• DBA_TAB_GRANTS
• DBA_COL_GRANTS Direct table access and stored procedure access should be
investigated to ensure that only authorized users or programs have access to the
application files.
14. Ensure that the WITH GRANT OPTION is only assigned to appropriate users for appropriate
objects.
15. Determine what level of auditing has been turned on by reviewing the INIT.ORA file to see if
AUDIT_TRAIL is set to TRUE and the DBA_SYS_AUDIT_OPTS &
DBA_TAB_AUDIT_OPTS.
16. Determine that the audit trail is reviewed on a regularly bases.
17. Determine who has been assigned import and export capability.
18. Review all operating system roles OSOPER for assignment to valid users
19. Ensure that any assignment to the user “Public” is highly restricted.
VIII. Review The Interface Security And Control Mechanisms

1. Identify all system interfaces

2. Review reconciliation procedures in effect to ensure that they are adequate.

• Record counts
• Total number of customer/vendors processed
• Total credits
• Total debits
• Total amounts
• Total volume

3. Identify the mode of submission and the authentication practice employed to ensure that a
proper audit trail is in force.

4. Review the use of standard SAP utilities to transform interfaced data into a SAP format. This
data is received into BTCI database. SAP uses the contents of BTCI as an on-line transaction
and process it accordingly. All validation errors will be marked in BTCI and users may correct
the data if their profile has a “BI” in the SYS authorization object. These changes are not
logged and thereby should have dual control over any changes.

5. Identify any critical or sensitive data that is redundant to ensure that changes are made to both
systems in a timely fashion.
IX. Review The Disaster Recovery/Contingency Plan(s)

1. Obtain a copy of the disaster recovery/contingency plan.

2. Review the plan for adequacy.

3. Evaluate that the plan has been recently tested

4. Ensure that backup copies of critical or sensitive data is properly protected.

5. Determine is one of the following is implement to ensure system reliability:

• Mirroring
• Duplexing
• Fault tolerance machines
• On-Line vaulting
X. Review The BASIS Module

1. Determine that proper segregation of duties are in place for profile, authorization-object
generation
2. Determine that proper segregation of duties are in place for program development
3. Determine that proper segregation of duties are in place for System Administration
4. Determine that proper segregation of duties are in place for table maintenance
5. Obtain a copy of the system control parameters to ensure that proper access control
parameters are established. These are in Table RS38M. Path: SYSTEM - SERVICES -
REPORTING - Enter RSPARAM - Scroll down to each parameter.
login/password_expiration_time
• Changing of password after a certain number of days (default = 0)
login/min_password_ing
• Sets the minimum password length (default = 3)
login/fails_to_session_end
• Number of attempts before SAP stops the session (default = 3)
login/fails_to_user_lock
• Number of attempts before SAP locks the User Master record (default =
12)
rdisp/gui_auto_logout
• Inactivity parameter (default = 0, parameter not active)
6. Determine if additional password checks for specific password have been implemented
Path: SYSTEM - SERVICES - TABLE MAINTENANCE - USR40 - DISPLAY
7. Ensure that all default passwords have been changed for all clients (000, 001, and 066)
SAP* - (default password = 06071992)
DDIC - (default password = 19920706)
SAPCPIC - (default password = admin)
EarlyWatch - (default password = support)
Sys - (default password = Change_On_Install )
System - (default password = Manager )
SAPr3 - (default password = SAPr3 )
8. Obtain a listing of the following:
SAP users - Table USR01
SAP activity codes - Table TACT
SAP profiles (both SAP supplied and user defined) - USR04
SAP authorization-objects - Table TOBJ
SAP transactions - Table TSTC
• Path: SYSTEM - SERVICES - TABLE MAINTENANCE - Enter TSTC -
Select - DISPLAY
• Also Transaction SM31, SE16, SE17
• Custom Transaction (User defined start with a ‘X’, ‘Y’, or ‘Z’
9. Determine which transactions or programs allow a user to exit SAP and obtain an operating
system prompt. Ensure that any user with this capability requires this for their job
responsibilities
10. Determine who on the system has the following authorizations objects and profiles:
S_TABU_ANZ
• Display tables in all classes
S_TABU_ALL
• Standard table maintenance all authorizations
S_TABU_CLI
• Maintain client-independent tables
• Create/Change access to tables - client independent tables
S_TABU_DIS
• Create/Change access to object - Table Maintenance all tables
S_USER_ALL
• Permits complete authorizations to maintain users
SAP_ALL
• Permits all access privileges, except of the users of the “SUPER” user group.
S_TOOL_EX_A
• Access to the performance monitor
SAP_NEW
• Delivers all changes for authorization objects
S_BTCH_ADM
• Permits administration for managing background jobs
S_BDC_ALL
• All batch input activities
S_BTCH_ALL
• All batch processing authorizations
S_DDIC_ALL
• DDIC: All authorizations
S_DDIC_SU
• Data Dictionary: All authorizations
S_NUMBER
• Number range maintenance: All authorizations
FIELDS VALUE

NROBJ Any Number range object name (for example,

KREDITOR for vendors
ACTVT 02 Change number range intervals
03 Display number range intervals
11 Change the last-used number in a number
range interval
13 Initialize the last-used number when
transporting ranges between clients
17 Maintain number range objects
S_SCDO_ALL
• Change documents: All authorizations
• Activity Codes
• 02 - Maintain and display change documents
• 06 - Delete change documents
• 08 - Display change documents
• 12 - Maintain change documents

S_SCRP_ALL
• All SAPscripts texts, styles, layout sets maintenance
 S_SYST_ALL
• All system authorizations
SAP_ANWEND
• All SAP R/3 (excluding system) application authorizations
Z_ANWEND
• All user authorizations (excluding BC system)
S_ABAP_ALL
• All ABAP/4 authorizations
S_ADMI_ALL
• All System administrative functions
S_A.SYSTEM
• Unlimited access to all users, profiles and authorizations (as offered by
S_USER_ALL)
S_A.ADMIN
• Authorization for SAP system administration: This includes all
authorizations except for:
• Maintenance of users in user group SUPER
• Maintenance of profiles and authorizations with names beginning
“S_S.”
S_A.CUSTOMIZ
• Authorizations for use in the SAP Customizing system
S_A.DEVELOP
• Authorizations for use in the SAP Development environment (excludes any
user or profile authorizations
S_A.USER
• Basis system authorizations for end-users (e.g. S_PROGRAM )

11. Determine who has data dictionary access by reviewing who has the following transaction
capability
SE11
• ABAP/4 Data Dictionary Maintenance
SE12
• ABAP/4 Data Dictionary Display
SE13
• Maintain Technical Settings (Tables)
SE14
• Utilities for Dictionary Tables
SE15
• ABAP/4 Repository Information System
SE16
• Data Browser

12. Determine who on the system has the following authorization-objects for Security
Administration
S_USER_AUT
• User Master Maintenance: Authorizations
 • Transaction SU03 - Maintenance of Authorizations
• Transaction SU02 - Allocate Authorizations to a profile
S_USER_GRP
• User Master Maintenance: User Groups
• Transaction SU01 - Maintain Users
• Transaction SU10 - Delete or Add a Profile for all Users
• Transaction SU12 - Delete all Users
S_USER_PRO
• User Master Maintenance: Authorization Profile
• Transaction SU01 - Maintain Users
• Transaction SU02 -
• Transaction SU10 - Delete or Add a Profile for all Users
S_BDC_MONI
• Batch input authorization
• FIELDS VALUES

BDCGROUPID Any Name of batch sessions for

which the user is authorized
(e.g. FRANK)
BDCAKTI ABTC Submit sessions for execution
AONL Run sessions in interactive
mode
ANAL Analyze sessions, log and
queue
FREE Release sessions
LOCK Lock/Unlock sessions
DELE Delete sessions
• Path: TOOLS - ADMINISTRATION - MAINTAIN USERS - AUTHORIZATIONS
- INFORMATION - OVERVIEW - AUTHORIZATIONS - CHOOSE OBJECT -
select ‘Basis: Administration’ - Scroll to the appropriate object - Enter * in
Authorization Field - LIST - Choose WHERE-USED LIST (To determine profiles) -
Select profile and Choose WHERE-USED LIST (To determine users who has this
profile).

13. Determine who on the system has the following powerful authorization-objects
S_ADMI_FCD
• Provides system administration functions including the following:
• TRAC - ABAP/4 trace authorization
• STOP - ABAP/4 program debugging mode
 • REPL - Altering values in debugging mode
• KERN - Examine the system kernel from within the ABAP/4
debugger
• CUAD - SE41 GUI Interface maintenance
• DDIC - Data Dictionary maintenance
• TCOD - Transaction code maintenance
• SE01 - Transport system transaction SE01
• FONT - SAPscripts font maintenance
• STOM - Changing system TRACE switches
• STOR - Evaluating traces
• SM21 - Evaluating system logs
• NADM - Network Administration
• Transactions:
• SM54
• SM55
• SM59
• UADM - Update Administration
• Transactions:
• SM13
• T000 - Create a new client
• TLCK - Lock/Unlock Transactions
• SPAD - Authorization for spool administration in all clients
• SPAR - Authorization for client-dependent spool administration
• SP01 - Authorization for administration of spool requests in spool
output control (all users and clients)
• SP0R - Authorization for administration of spool requests (all
users) in spool output control. Access is limited to spool
requests in the current client of the user.
• BTCH - Test environment, batch
• UNIX - Execute UNIX commands from the SAP system with
program SAPMSOS0
• RSET - Reset/Delete data without archiving
• SYNC - Reset buffers

S_BTCH_ADM
• Provides all authorizations for managing background jobs
• Path: TOOLS - ADMINISTRATION - MAINTAIN USERS -
PROFILES - Enter S_BTCH_ADM - LIST - Select profiles and choose
WHERE-USED LIST.
S_PROGRAM
• Part of the object class ‘Basis: Development Environment’
• ABAP/4: Program Run Checks
• Values for field P_GROUP
• Any Any program group or for example (TEST)
• Values for field P_ACTION
 • SUBMIT - start programs
• EDIT - maintain program attributes, copy programs,
delete programs
• VARIANT - Maintain program attributes and texts
• BTCSUBMIT - Submit program for background execution
S_TRANSPRT
• Part of the object class ‘Basis: Development Environment’
• Correction and Transport System and Request Management
• Permits access to ABAP/4 development workbench, customizing
system, and Correction and Transport System
S_EDITOR
• Part of the object class ‘Basis: Development Environment’
• Permits editor checks for maintaining tables (release 2.)
S_QUERY
• Part of the object class ‘Basis: Development Environment’
• Authorization for ABAP/4 Query
• Permits you to run or maintain queries
S_DEVELOP
• Part of the object class ‘Basis: Development Environment’
• Permits access to ABAP/4 development tools and dictionary/data modeler,
screen and menu painters, and object browser.
• Path: TOOLS - ADMINISTRATION - MAINTAIN USERS - AUTHORIZATION -
INFORMATION - OVERVIEW - AUTHORIZATIONS - CHOOSE OBJECT -
Select ‘Basis: Development Environment’ - Choose one of the objects - Enter * in
Authorization Field - LIST - Choose WHERE-USED LIST to obtain profiles - Select
profile and choose WHERE-USED LIST to obtain users.
14. Determine all users with the standard user profile S_SPOOL_ALL . This profile would
provide the user with all authorities to bypass any restrictions on spool access.
15. Determine that all users on the system belong to a group
16. Determine what audit trails exist and who reviews them on a regular bases
17. Ensure that SAP_NEW is not used in the production environment
• Allows for the automatic release updates of new authorizations to this user.
18. Determine who is defined to the “Super” user master record
19. Ensure that the SAP* userid is protected by setting
login/no_automatic_user_sap*
20. Determine who has what access rights into the system by using the following methodology
TOOLS-ADMINISTRATION-MAINTAIN USERS-INFORMATION-OVERVIEW-
AUTHORIZATION
CHOOSE OBJECT- (example Financial Accounting)
Then (example Company Code) *
Activity 02 (or any other activity code)
LIST
Where Used (gives you Authorization-objects)
Where Used (gives you Profiles)
Where Used (gives you Users)
Using this methodology you can view any critical object for any module to determine
which users have what access rights.
21. Review procedures to ensure that additions, changes, and deletions of user’s access privileges
are properly maintained.
22. Determine the procedures followed in the event emergency access privileges are required.
23. Determine who review the following log files:
• SAP System Log
• Operating System Logs for SAP messages (optional)
• Change Documents
• Dictionary Logs
• Path: Development - ABAP/4 DICTIONARY - INFORMATION
SYSTEM
• Log of Security Changes
• Path: TOOLS - ADMINISTRATION - MAINTAIN USERS - [ USERS,
PROFILES, AUTHORIZATIONS] - INFORMATION - CHANGE
DOCUMENTS
• Changes to a user’s authorizations
• Changes to password, user type, user group, validity and account
ID for a user
• Changes to profiles (activation)
• Changes to authorizations (activation)
• Activity Log
• Path: TOOLS - ADMINISTRATION - MONITORING - SYSTEM LOG
• on [USER, DATE, TERMINAL, TYPE OF MESSAGE]
• CTS logs
• Path: SE10
XI. Review The Audit, Security, And Control Of The Core Modules

1. Review or document the workflow of the application.

2. Identify key exposures within the workflow.
3. Determine if adequate controls exist to mitigate the identified exposures.
4. Access Control
• Review all users that have access to the application and ensure that they require this
level of access.
• Signon Access
• Menu Level Access
• File Level Access
• Review User ID associated with the data file to ensure that only authorized users
are allowed access to the data.
• Test the invalid attempts for userid and password
• Obtain a copy of the corporate security standards. Determine if a user can log on
directly to NT, Unix, Oracle or DB2 without going through the initial logon process.
• Review all default users to ensure that proper security and control is maintained.
Review the security administration of:
• adding users
• deleting users
• updating user information
• password construction
• Determine who is the system administrator for the application and how many of
these administrators are assigned to the application.
5. Integrity Checking
• Evaluate sensitive or critical on-line transactions to ensure that they perform
according to the established integrity standards.
• Evaluate sensitive or critical batch jobs to ensure that they perform according to the
established integrity standards.
6. Evaluate any sensitive or critical derived data to ensure that it is created according to the
established integrity standards.
• Review the final edit process to ensure the integrity of the process
• Review all system interfaces to determine that data integrity is properly
maintained.
7. Evaluate the outputs of the system to ensure that sensitive or critical output is properly
handled.
8. Evaluate any recent application failures to ensure that an adequate contingency plan exist.
9. Evaluate several recent application changes to ensure that proper procedures were
followed.
10. Evaluate the level of system documentation to ensure that it is adequate.
11. Interview the user to ensure that they are satisfied with the current system and that it
meets the organization’s business needs.
12. Review the management reports to see if additional reports are needed:

13. Determine if any back doors exist in the system

• Unix
• Oracle
• Informix
• DB2
• NT
• SAP
XII. Review The Change Management Process

1. Determine that proper segregation of duties are in place for the migration of test to production
2. Determine and evaluate change control procedures for
Emergency fixes
Master Data
Configuration elements
ABAPs
Custom Programming
SAP code
3. Determine who has the authority to migrate modified customer-defined objects to production
SE01 - old, replaced by Workbench Organizer
SE06 - Used to set up and maintain the Workbench Organizer (Dictionary Access)
SE09 - Enables the ABAP/4 Development Workbench
SE10 - Customizing

4. Sample some recent changes for your audit area and review the procedures followed.
5. Identify the architecture of the change environment
• Development
• Integration
• Consolidation
• Production
6. Determine if repairs are properly made.
7. Determine if all ABAP programs check for proper authorization prior to production
implementation. (Authority-Check). These programs should be extensively tested.
XIII. Network Audit, Security, And Control

1. Determine that all authentication processes within the application architecture are secured
as they go across the network.
2. Determine that all authentication processes within the Client/Server architecture are
secured as they go across the network.
• Bridges
• Routers
• Hubs
3. Determine that the administrative rights to the gateway are properly assigned.
4. Determine that the authentication mechanism to signon to the gateway is secured.
5. Determine if the configuration parameters for the gateway are properly set.
6. Determine if sensitive data travels across the network in clear text.
7. Ensure that network diagnostic tools are properly assigned and locked up when not in use.
8. Determine if the SNMP agent is enabled within the network components.
9. Ensure that only authorized users can access the SNMP’s capabilities.
XIV. Security, Audit, and Control of Remote Communications

1. Obtain a listing of all remote connections attached to the SAP environment.

2. Determine that all remote connections enter through a secured point of entry.
3. Validate the signon requirements for remote authentication.
4. Ensure that direct access to Personal Computers or File Servers is restricted without first
going through the authentication server.
5. Ensure that the authentication process does not go across the network in clear text.
6. Determine that a log file records all connections.
7. Ensure that any hacking activity is properly controlled by good authentication controls.
Tables

DD02T Information on all tables

DD09L Tables and log field to log changes to configuration tables
T003 Defines for each document type the account type that can be accessed
TOBJ Objects
TACT Activity Codes
TSTC Transactions
TRDIR ABAP programs and authorization groups in field SECU
TDDAT Authorization groups
FC31 Maintaining accounting periods
USR01 User master record
USR02 User id and password
USR03 User address information
USR04 Contains link between user-id and attached profiles
USR05 Field defaults
UST10C Establish the link between one composite profile and its subordinate components
UST10S Attaches objects and authorities to single profiles
UST12 Lists possible authorities with their field values per authorization object
USOBT Objects required by a transaction are referenced in this table
Transactions
AL01 SAP alert monitor
AL02 Database alert monitor
AL03 Operating system alert monitor
AL04 Monitor call distribution
AL05 Monitor current workload
AL06 Performance: Upload/Download
AL07 EarlyWatch Report
AL08 Users logged on
AL09 Data for database expertise
AL10 Download to Early Watch
AL11 Display SAP Directories
AL12 Display table buffer (Exp. Session)
AL13 Display shared memory (Expert mode)
AL15 Customize SAPOSCOL destination
AL16 Local alert monitor for operating system
AL17 Remote alert monitor for operating system
AL19 Remote file system monitor
AL20 EarlyWatch data collector list
DB01 Analyze exclusive lockwaits
DB02 Analyze tables and indexes
DB03 Parameter changes in database
DB12 Overview of backup logs
DB14 Show SAPDBA action logs
OS01 LAN check with ping
OS02 Operating system configuration
OS03 O/S parameter changes
OS04 Local system configuration
OS05 Remote system configuration
OS06 Local operating system activity
OS07 Remote operating system activity
RZ01 Job Scheduling Monitor
RZ02 Network graphics for SAP instances
RZ03 Presentation, Control SAP instances
RZ04 Maintain SAP instance
RZ08 SAP Alert Monitor
SDBE Matchcode objects (test)
SE12 ABAP/4 Dictionary Display
SE15 ABAP/4 Repository Information System
SE30 ABAP/4 Runtime Analysis
SE38 ABAP/4 Editor
SM02 System Messages
SM04 User Overview
SM12 Display and delete locks
SM13 Display update records
SM21 System log
SM28 Installation check
SM37 Background job overview
SM39 Job analysis
SM50 Work Process Overview
SM51 List of SAP servers
SM52 Unix command line
SM56 Number Range Buffer
SM58 Asynchronous RFC Error log
SM59 RFC Destinations (Display/Maintain)
SM65 Background processing analysis tool
SM66 Systemwide work process overview
SMGW Gateway monitor
SMLG Maintain logon group
SP01 Output controller
ST01 System Trace In file /usr/sap/<SID>/<Instance>/log/Trace000
Contains a list including all authorization objects
that were checked and their required values, for
each entered transaction code.
ST02 Setups/Tune Buffers
ST03 Performance, SAP statistics, workload
ST04 Select activity of the databases
ST05 SQL Trace
ST06 Operating System Monitor
ST07 Application Monitor
ST08 Network Monitor
ST09 Network Alert Monitor
ST10 Table call statistics
ST11 Display developer traces
ST12 Application monitor
ST14 Application analysis
ST22 ABAP/4 Runtime Error Analysis
STAT Local transaction statistics
STUN Menu performance monitor
SU50 Maintain user defaults
TKOF Turn off oracle trace
TKON Turn off oracle trace
TKPR Display trace file
TU01 Call statistics
TU02 Parameter changes
SU01 Maintain users
SU02 Allocate authorizations to a profile
SU03 Maintenance of Authorizations
SU10 Delete/add a profile for all users
SU12 Delete all users
SU53 Authorization Trace
ABAPs

SAPMSOS0 Allows access to the operating system

FIKOR002
FIKOR003 These allow the removal of all general ledger accounts
Reports

RSCLASDU Provides an overview of client independent tables

Objects

S_TCODE Access control by transaction code

Profile Generator

When the profile generator is used, the relevant authorization objects are selected automatically,
based on the selected functions from the company menu (business transactions) by the
administrator, and group together in a new authorization profile.
Session Manager

Defines corporate menu and user specific menus can be generated for each user. This user menu
only allows the user to use the business transactions available in the menu.
SAP Access to client 066

1. Echo sessions and observe activity

2. Enable table logging of data changes on key tables
3. New audit log available in 4.0B records a user and the transactions they performed and
whether they were successful/failed at the transaction
4. Statistics analysis log (STAT) records user and transactions (volatile, deletes at midnight)

• If SAP has ABAP/4 access in 066 they can effectively “jump” across clients
• Even ABAP/4 Workbench – Display “03” access to SE38 and object S_DEVELOP
provides the ability to EXECUTE programs
• Challenge SAP “why” they are asking for more access.
• Disable the connection when SAP not logging on
• Effective use of the SAPRouter to prevent unauthorized access from other sources.
Tools

CaRD America, Inc. DCM 415-340-9973

ARIS Toolset
ACL