So, suddenly your security team or audit department wants you to log everything, but you are not very comfortable making this change. What do you tell them?
First: Isn’t switching on all SM19 logs for all users, all clients, all events a very bad idea?
The common perception about switching on SAP security audit logs (also referred to as SM19 or SM20 logs, after the transactions used to configure and to evaluate them) is the following:
- On a reasonable sized ERP system they will fill up a lot of disk space.
- They will introduce performance issues.
- They are useless. No one reviews them.
Stop! Wrong! Here is why:
1. On a reasonable sized ERP system they will fill up a lot of disk space.
No, they won't.
Here is a summary of what we recently found after analyzing a PROD ERP system with over 10,000 users (I'll publish the detailed statistics in another blog post). Keep in mind, that's not a small system!
- Security audit log volume of this system on a peak day is around 2GB in total (for all users in all clients and for all SM19 event types/classes).
- The SM19 logs compress very well. Even with the traditional zip format the file size is reduced by ~96-98%; bzip2 or rar pushes this to more than 99%. That's a huge reduction!
- In our case, auditors and legal wanted 18 months of data retention. At roughly 2 GB per day that means around 1-1.5 TB of uncompressed data for 18 months, or 20-30 GB if everything is compressed. That's peanuts for a system this important.
2. Switching on SAP security audit logs will introduce performance issues.
No, they won't.
SAP security audit logs are written by the kernel directly to the file system (one file per day under DIR_AUDIT); they are not stored in the database, so there is no extra database load. Even in the extreme case of writing a couple of gigabytes of logs in 24 hours, that's nothing: a five-year-old laptop can write 3 GB in less than a minute. The one setting worth checking before you switch everything on is the profile parameter rsau/max_diskspace/local, which caps the size of the daily audit file. Its default on older kernels is small, and once the cap is reached the kernel silently stops recording further events for that day, so raise it to match the volumes above.
3. They are useless. No one reviews those logs.
That’s a valid point.
If you don't have the tools and processes to evaluate them close to real time, their value is pretty low. Remember, the real value of security lies in stopping incidents from happening, or neutralizing them as they happen.
For this purpose SAP has its own solution, SAP Enterprise Threat Detection (ETD) (http://scn.sap.com/docs/DOC-58501).
I'm the founder of a company which has another solution, Enterprise Threat Monitor (http://www.enterprise-threat-monitor.com), which sends out notifications in real time when incidents are detected.
There are also other solutions and methodologies available that feed the audit log into a SIEM or similar infrastructure.
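To make the "evaluate them close to real time" point concrete, here is an added example (not code from this post, from SAP, or from any of the products mentioned) of the kind of detection logic such a tool runs over audit log events. The record layout it parses is a constructed, simplified `date|time|client|user|terminal|event|detail` representation of SM20-style entries, not the kernel's actual audit file format; the event IDs AU1 (logon successful), AU2 (logon failed) and AU3 (transaction started) are real security audit log message IDs. The thresholds, the list of standard users and the list of sensitive transactions are assumptions to be tuned per landscape, and the sample log lines are constructed.

```python
"""
Near-real-time detection over SAP Security Audit Log events (added example).

Assumptions: a constructed text layout 'date|time|client|user|terminal|event|detail'
per record; detection thresholds and watch lists are illustrative only.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Assumed tuning parameters (not SAP defaults).
FAILED_LOGON_THRESHOLD = 5              # AU2 events per user/client ...
FAILED_LOGON_WINDOW = timedelta(minutes=10)  # ... within this window
STANDARD_USERS = {"SAP*", "DDIC"}       # dialog logons by these are always suspicious
SENSITIVE_TCODES = {"SE16", "SE38", "SU01", "PFCG", "SM49"}

TCODE_RE = re.compile(r"Transaction (\S+) started")


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    client: str
    user: str
    terminal: str
    event_id: str   # SAL message ID, e.g. AU1, AU2, AU3
    detail: str


def parse_line(line: str) -> AuditEvent:
    """Parse one constructed 'YYYYMMDD|HHMMSS|client|user|terminal|event|detail' record."""
    date, time_, client, user, terminal, event_id, detail = (f.strip() for f in line.split("|", 6))
    ts = datetime.strptime(f"{date} {time_}", "%Y%m%d %H%M%S")
    return AuditEvent(ts, client, user, terminal, event_id, detail)


class Detector:
    """Stateful rules evaluated on every event as it arrives (streaming, not batch)."""

    def __init__(self) -> None:
        # (client, user) -> timestamps of recent AU2 (failed logon) events
        self.failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)

    def _prune(self, q: Deque[datetime], now: datetime) -> None:
        while q and now - q[0] > FAILED_LOGON_WINDOW:
            q.popleft()

    def process(self, ev: AuditEvent) -> List[str]:
        alerts: List[str] = []
        where = f"{ev.ts:%Y-%m-%d %H:%M:%S} client={ev.client} user={ev.user} terminal={ev.terminal}"
        key = (ev.client, ev.user)
        q = self.failures[key]
        self._prune(q, ev.ts)

        if ev.event_id == "AU2":                      # logon failed
            q.append(ev.ts)
            if len(q) == FAILED_LOGON_THRESHOLD:      # fire once per burst, not on every extra failure
                alerts.append(f"FAILED_LOGON_BURST {where} failures={len(q)}")
        elif ev.event_id == "AU1":                    # logon successful
            if len(q) >= FAILED_LOGON_THRESHOLD:      # success right after a burst: possible password guessing
                alerts.append(f"LOGON_AFTER_FAILURE_BURST {where} prior_failures={len(q)}")
            q.clear()
            if ev.user in STANDARD_USERS:
                alerts.append(f"STANDARD_USER_LOGON {where}")
        elif ev.event_id == "AU3":                    # transaction started
            m = TCODE_RE.search(ev.detail)
            if m and m.group(1) in SENSITIVE_TCODES:
                alerts.append(f"SENSITIVE_TCODE {where} tcode={m.group(1)}")
        return alerts


def run(log_text: str) -> List[str]:
    """Feed every non-empty line through the detector and return all alerts in order."""
    det = Detector()
    alerts: List[str] = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(det.process(parse_line(line)))
    return alerts


# Constructed sample: five failed logons, a success, a sensitive transaction, a DDIC logon, normal work.
SAMPLE_LOG = """\
20150312|081501|100|JSMITH|WS-1042|AU2|Logon failed (reason=1, type=A)
20150312|081530|100|JSMITH|WS-1042|AU2|Logon failed (reason=1, type=A)
20150312|081602|100|JSMITH|WS-1042|AU2|Logon failed (reason=1, type=A)
20150312|081640|100|JSMITH|WS-1042|AU2|Logon failed (reason=1, type=A)
20150312|081711|100|JSMITH|WS-1042|AU2|Logon failed (reason=1, type=A)
20150312|081745|100|JSMITH|WS-1042|AU1|Logon successful (type=A, method=A)
20150312|082010|100|JSMITH|WS-1042|AU3|Transaction SE16 started
20150312|090000|000|DDIC|WS-ADMIN|AU1|Logon successful (type=A, method=A)
20150312|091500|100|MMUELLER|WS-2210|AU3|Transaction VA01 started
"""

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

The point of the streaming design is that each alert is raised on the event that completes the pattern, which is what lets a notification go out within seconds of the activity rather than in a weekly SM20 review; the same rules can equally be expressed in a SIEM's correlation language once the audit files are shipped there.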
Switching on all SM19 audit classes for all clients and all users has much less impact than commonly thought, and it is a very important step in securing the system. In almost all cases its benefits far outweigh its costs.
I hope this blog post helps some readers change their answer from "We'll do our best within our operational capacity to comply with this audit finding" (meaning: "No") to a nice and clean "Yes".
The problems around SAP security monitoring are a topic of the past. They can be overcome easily using the latest tools and technologies.