Best Practice 7.4 – Implement logging and reporting for user access and authorization changes and events
User access and authorization events in your SAP systems should be logged, analyzed, and audited regularly. Consolidate and correlate security events from your SAP applications and database with other components of your architecture. This can allow for end-to-end tracing in the event of a critical security problem or breach. Automate analysis of events in a central Security Information and Event Management (SIEM) system. This can allow your operations team to understand if any unexpected or suspicious activity occurs outside of the bounds of normal system controls. They can then remediate as needed.
Suggestion 7.4.1 – Log AWS Identity and Access Management (IAM) events
Consider keeping a historical log of AWS IAM events. This can be used in detection or audit of user and authorization changes within AWS accounts. Determine your log retention period and the types of events to log based on your organization's required security policies.
Enable your operations team to answer audit questions at the infrastructure level for your SAP system:
- When and by whom was the new AWS console/CLI user created?
- When and by whom was the AWS IAM role modified?
- When did the AWS user last successfully sign in?
- Is there a suspicious number of failed sign-in attempts to the AWS account?
For further information, consider the following:
- AWS Documentation: IAM Best Practices: Monitor activity in your AWS account
- AWS Documentation: Logging IAM and AWS STS API calls with AWS CloudTrail
- AWS Well-Architected Framework [Security]: Detection
- AWS Security Blog: Visualizing Amazon GuardDuty findings
- AWS Security Blog: Amazon GuardDuty Enhances Detection of EC2 Instance Credential Exfiltration
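The four audit questions above can be answered directly from CloudTrail records once they are retained. The following is an added example, not AWS code: it runs over constructed sample records that use the real CloudTrail field names (eventName, eventSource, userIdentity, requestParameters, responseElements) with made-up values and the placeholder account id 111122223333, and the helper names are the example's own.

```python
from datetime import datetime

# Constructed sample CloudTrail records (real field names, made-up values, placeholder
# account id 111122223333); each dict is one entry of a log file's "Records" array.
ADMIN = "arn:aws:iam::111122223333:user/admin-alice"
EVENTS = [
    {"eventTime": "2024-03-01T08:02:11Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": ADMIN}, "requestParameters": {"userName": "sap-basis-bob"}},
    {"eventTime": "2024-03-01T09:15:40Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "userIdentity": {"arn": ADMIN}, "requestParameters": {"roleName": "SapHanaBackupRole",
     "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-03-02T07:00:05Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/sap-basis-bob"},
     "responseElements": {"ConsoleLogin": "Success"}},
] + [  # six failed console sign-ins two minutes apart; failed sign-ins carry no ARN
    {"eventTime": f"2024-03-03T02:{2 * i:02d}:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"userName": "sap-basis-bob"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"}
    for i in range(6)]
ROLE_CHANGES = {"UpdateRole", "UpdateAssumeRolePolicy", "AttachRolePolicy", "DetachRolePolicy", "PutRolePolicy", "DeleteRolePolicy", "DeleteRole"}

def principal(e):
    """Acting identity: the ARN when present, else the bare user name."""
    ui = e.get("userIdentity", {})
    return ui.get("arn") or ui.get("userName", "unknown")

def console_logins(events, user_name, outcome):
    """ConsoleLogin events for one user name with outcome "Success" or "Failure"."""
    return [e for e in events if e["eventName"] == "ConsoleLogin"
            and principal(e).rsplit("/", 1)[-1] == user_name
            and e.get("responseElements", {}).get("ConsoleLogin") == outcome]

def user_creations(events):
    """(when, by whom, new user name) for every CreateUser call."""
    return [(e["eventTime"], principal(e), e["requestParameters"]["userName"])
            for e in events if e["eventName"] == "CreateUser"]

def role_modifications(events):
    """(when, by whom, role, API call) for every role-changing IAM call."""
    return [(e["eventTime"], principal(e), e["requestParameters"]["roleName"], e["eventName"])
            for e in events if e["eventSource"] == "iam.amazonaws.com" and e["eventName"] in ROLE_CHANGES]

def last_successful_login(events, user_name):
    """Timestamp of the most recent successful console sign-in, or None if never."""
    ok = console_logins(events, user_name, "Success")
    return max(ok, key=lambda e: datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))["eventTime"] if ok else None

def failed_login_count(events, user_name):
    """Number of failed console sign-ins for one user name; compare against your alert threshold."""
    return len(console_logins(events, user_name, "Failure"))
```

In production the same functions would run over records read from the CloudTrail S3 bucket or a CloudWatch Logs query rather than the embedded sample.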
Suggestion 7.4.2 – Log user and authorization changes in your operating system
Consider keeping a historical log of operating system (OS) user and authorization events such that they can be used in detection or audit. Determine your log retention period and the types of events to log based on your organization's required security policies.
Enable your operations team to answer audit questions at the operating system level for your SAP system such as:
- When and by whom was the new superuser OS account created?
- When and by whom were the OS account permissions modified?
- When did the OS user last successfully sign in?
- Is there a suspicious number of failed sign-in attempts for the OS account?
- When did your OS user last use elevated permissions?
For further information on auditing at the operating system level, consider:

| Operating System | Guidance |
|---|---|
| SUSE Linux Enterprise Server | Setting Up the Linux Audit Framework (Security Guide) |
| Red Hat Enterprise Linux | Chapter 14. Auditing the system (Red Hat Enterprise Linux 8 Security Guide) |
| Microsoft Windows | Windows Audit Policy Recommendations |
| Oracle Enterprise Linux | Oracle Linux 8: Enhancing System Security - Using System Auditing and Monitoring |
Suggestion 7.4.3 – Log SAP application and database user and authorization events
Consider keeping a historical log of SAP user and authorization events such that they can be used in detection or audit. Consider both the application stack (for example, ABAP authorizations) and your database (for example, SAP HANA). Determine your log retention period and the types of events to log based on your organization's required security policies.
Enable your operations team to answer audit questions at the SAP application and database level for events such as:
- When and by whom was the new SAP or database account created?
- When and by whom were the SAP or database account permissions modified?
- When did the SAP or database user last successfully sign in?
- Is there a suspicious number of failed sign-in attempts for the account?
- What sensitive transaction codes or tools did the account last use?
For further information, consider the following:
- SAP Documentation: SAP Access Control and Governance | User Access
- SAP Documentation: SAP NetWeaver ABAP: The Security Audit Log
- SAP Documentation: SAP NetWeaver JAVA: The Security Audit Log
- SAP Documentation: SAP HANA: Auditing Activity in SAP HANA
Suggestion 7.4.4 – Consolidate user and authorization events in a Security Information and Event Management (SIEM) system for analysis
Consider sending all user and authorization events from across your SAP workload components into a central SIEM tool to allow correlation and analysis. Use tools such as SAP Enterprise Threat Detection or third-party add-ons, or ship the SAP audit logs from your application and database servers directly to an ingestion and analysis tool.
Establish baseline behaviors for your workload and monitor for abnormalities to improve detection of security incidents.
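What baselining and cross-layer correlation look like once events from the AWS, OS and SAP layers share one schema, as an added example that is not part of this lens or of any SIEM product. The common schema (source, user, time, outcome) and the identity mapping in `canonical` are this example's own assumptions, and the event sample is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def canonical(user):
    """One identity across layers: IAM ARN path tail, lower-cased SAP/OS names (assumed mapping)."""
    return user.rsplit("/", 1)[-1].lower()
def ev(source, user, t, outcome):
    return {"source": source, "user": canonical(user),
            "time": datetime.fromisoformat(t), "outcome": outcome}

# Constructed sample in the hypothetical common schema: a week of ordinary OS sign-in noise for
# basisadm, then a burst of OS failures followed by SAP HANA and AWS console successes for the same identity.
EVENTS = []
for day, fails in enumerate([1, 2, 1, 3, 1, 2, 1], start=1):
    EVENTS += [ev("linux-sshd", "basisadm", f"2024-03-0{day}T08:0{i}:00", "failure") for i in range(fails)]
    EVENTS.append(ev("linux-sshd", "basisadm", f"2024-03-0{day}T08:05:00", "success"))
EVENTS += [ev("linux-sshd", "basisadm", f"2024-03-08T02:{m:02d}:00", "failure") for m in range(0, 40, 2)]
EVENTS.append(ev("hana-audit", "BASISADM", "2024-03-08T02:45:00", "success"))
EVENTS.append(ev("cloudtrail", "arn:aws:iam::111122223333:user/basisadm", "2024-03-08T02:50:00", "success"))

def anomalous_days(events, user, baseline_end, k=3.0):
    """Days after baseline_end (YYYY-MM-DD) whose failures across all layers exceed mean + k*stdev of the baseline days."""
    cutoff = datetime.fromisoformat(baseline_end).date()
    counts = defaultdict(int)
    for e in events:
        if e["user"] == user and e["outcome"] == "failure":
            counts[e["time"].date()] += 1
    base = [n for d, n in counts.items() if d <= cutoff]
    if len(base) < 2:
        return []  # not enough history to call anything abnormal yet
    limit = mean(base) + k * pstdev(base)
    return sorted((d.isoformat(), n) for d, n in counts.items() if d > cutoff and n > limit)

def cross_layer_sequences(events, window=timedelta(hours=1), min_failures=5):
    """Successful sign-ins preceded within `window` by >= min_failures failures for the same
    identity at a different layer: the trail an analyst then follows end to end."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, s in enumerate(evs):
            if s["outcome"] != "success":
                continue
            prior = [f for f in evs[:i] if f["outcome"] == "failure" and f["source"] != s["source"]
                     and s["time"] - f["time"] <= window]
            if len(prior) >= min_failures:
                findings.append((user, prior[0]["source"], s["source"], s["time"].isoformat()))
    return findings
```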
Consider AWS Marketplace SIEM solutions.
For further information, consider the following resources:
- AWS Marketplace: SIEM Solutions
- AWS Documentation: AWS Security Hub
- SAP Documentation: SAP Enterprise Threat Detection
- AWS Well-Architected Framework [Security]: Security Incident Response
- AWS Documentation: AWS Security Incident Response - Technical Whitepaper