Audit Question - Access to SU01
I have a question in regards to access to SU01. We currently have a team to set up users and assign roles. We are SOX regulated and have been questioned about having individuals with this access.
Does it make sense to have one user set up the ID without any authorizations assigned and then another person add the roles? We have Compliance Calibrator installed and no issues from that, but I am aware sometimes it is a business process decision from our auditors.
To me this does not make sense at all. Not sure if this would be the same for all our other applications either at this point, including BW, IPC, XI, network access, etc.
Chris,
This causes a lot of confusion and consternation across the industry. Having been on both sides of the fence from an audit perspective, I tend to take a pragmatic approach.
The key issue is about being able to amend roles and assign to users. Wherever possible, this should be avoided. It is up to you how you manage that but if you have a situation whereby a single person can create a role / profile and assign it to a user they control, then you have a potential audit issue.
You can split it in any way you like but you are basically trying to stop that SoD.
Some choose to have a dedicated team who are able to create users but not create or assign authorisations, a separate team who can assign authorisations and not create users or roles and a third team who can only create roles but not create or assign to users.
While that is ideal, it is not always practical so it is often somewhere in the middle.
As long as your central team cannot amend the roles and authorisations that they are assigning (or assign super user access like SAP_ALL) without appropriate controls in place, then you can generally have a fairly reasonable discussion with your auditors.
Simon
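As an added illustration of the split Simon describes (not code from the thread or from SAP), the check below evaluates a set of user-administration capabilities against segregation-of-duties rules: the key conflict of amending a role and assigning it, the two weaker conflicts implied by the three-team split, and the ability to assign SAP_ALL. The capability names and the sample assignments are constructed; mapping them from the real authorization objects behind SU01/PFCG (S_USER_GRP, S_USER_AGR, S_USER_PRO and so on) is assumed to happen upstream.

```python
"""Segregation-of-duties check over user administration capabilities.

Added example, not from the original thread. The capability names and the
sample assignments are constructed; in a real system they would be derived
from the authorization objects that drive SU01/PFCG (assumed here).
"""
from collections import defaultdict

# Conflict rules: pairs of capabilities one person should not hold together.
# The first pair is the key issue in the answer above: amend a role and assign it.
SOD_RULES = [
    ("maintain_role", "assign_role", "high", "can craft a role and assign it"),
    ("create_user", "assign_role", "medium", "can create a user and grant it access"),
    ("create_user", "maintain_role", "medium", "can create a user and change roles"),
]

# Capabilities whose presence alone deserves a finding unless separately controlled.
SENSITIVE_CAPABILITIES = {"assign_sap_all": "can assign the SAP_ALL profile"}


def check_sod(user_caps):
    """Return findings as (user, severity, description) tuples, ordered by user."""
    findings = []
    for user, caps in sorted(user_caps.items()):
        caps = set(caps)
        for a, b, severity, why in SOD_RULES:
            if a in caps and b in caps:
                findings.append((user, severity, f"{a}+{b}: {why}"))
        for cap, why in SENSITIVE_CAPABILITIES.items():
            if cap in caps:
                findings.append((user, "high", f"{cap}: {why}"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 2}."""
    counts = defaultdict(int)
    for _, severity, _ in findings:
        counts[severity] += 1
    return dict(counts)


# Constructed sample: the three-team split, plus one administrator who breaks it.
SAMPLE_ASSIGNMENTS = {
    "USERADMIN1": {"create_user"},
    "ROLEASSIGN1": {"assign_role"},
    "ROLEDEV1": {"maintain_role"},
    "SUPERADMIN": {"create_user", "assign_role", "maintain_role", "assign_sap_all"},
}

if __name__ == "__main__":
    for finding in check_sod(SAMPLE_ASSIGNMENTS):
        print(" | ".join(finding))
    print(summarize(check_sod(SAMPLE_ASSIGNMENTS)))
```

Only SUPERADMIN produces findings; the three single-capability accounts pass, which is the shape of the "ideal" split in the answer. Rules rated medium are the ones to relax first when the split is not practical, as long as the high-rated pair stays controlled.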
Similar Messages
-
Auditing failed access to files and folders in Windows Storage Server 2008 R2
Hello,
I've been trying to figure out why I cannot audit the failed access to files and folders on my server. I'm trying to replace a unix-based NAS with a Windows Storage Server 2008 R2 solution so I can use my current audit tools (the 'nix NAS
has basically none). I'm looking for a solution for a small remote office with 5-10 users and am looking at Windows Storage Server 2008 R2 (no props yet, but on a Buffalo appliance). I specifically need to audit the failure of a user to access
folders and files they are not supposed to view, but on this appliance it never shows. I have:
Enabled audit Object access for File system, File share and Detailed file share
Set the security of the top-level share to everyone full control
Used NTFS file permissions to set who can/cannot see particular folders
On those folders (and letting those permissions flow down) I've set the auditing tab to "Fail - Everyone - Full Control - This folder, subfolders and files"
On the audit log I only see "Audit Success" messages for items like "A network share object was checked to see whether client can be granted desired access" (Event 5145), but never a failure audit (because this user was not allowed access by NTFS permissions).
I've done this successfully with Windows Server 2008 R2 x64 w/SP1 and am wondering if anybody has tried this with the Windows Storage Server version (with success of course). My customer wants an inexpensive "appliance" and I thought this new
variant of 2008 was the ticket, but I can't if it won't provide this audit.
Any thoughts? Any of you have luck with this? I am (due to the fact I bought this appliance out of my own pocket) using the WSS "Workgroup" flavor and am wondering if this feature has been stripped from the workgroup edition of WSS.
TIA,
--Jeffrey
Hi Jeffrey,
The steps to setup Audit on a WSS system should be the same as a standard version of Windows Server. So please redo the steps listed below to see if issue still exists:
Enabling file auditing is a 2-step process.
[1] Configure "audit object access" in AD Group Policy or on the server's local GPO. This setting is located under Computer Configuration-->Windows Settings-->Security Settings-->Local Policies-->Audit Policies. Enable success/failure auditing
for "Audit object access."
[2] Configure an audit entry on the specific folder(s) that you wish to audit. Right-click on the folder-->Properties-->Advanced. From the Auditing tab, click Add, then enter the users/groups whom you wish to audit and what actions you wish to audit
- auditing Full Control will create an audit entry every time anyone opens/changes/closes/deletes a file, or you can just audit for Delete operations.
A similar thread:
http://social.technet.microsoft.com/Forums/en-US/winserverfiles/thread/da689e43-d51d-4005-bc48-26d3c387e859
-
Simple auditing question...
Hello,
We are running 11.2.0.2 on AIX 7.1.
I'm trying to understand why our auditing is not behaving the way I think it should.
First, we have the default auditing turned on as part of 11GR2.
It seems to be capturing some things, but not always everything.
In some cases, it captures the creation of a table by a user, but in other cases, it may not.
Even though the same user created a table, or dropped a table.
Today, trying to figure this out, I created a test user and logged in as that test user (in SQL*Plus) and created a simple table, then inserted a record into it and did a commit. I then logged out.
But when I check the audit views, I don't see the audit actions, or even the session logon information.
I've checked using both Toad and by selecting from the dba_audit_objects and dba_audit_session views in SQL*Plus.
What am I missing?
That last DDL statement I see that was captured in the audit records was on July 20th.
In this case, it captured the drop and creation of a public synonym, but not of the underlying table that was also dropped.
I don't believe anyone has changed any of the audit settings.
First, let's confirm everything:
sho parameter audit
NAME TYPE VALUE
audit_file_dest string /u01/app/oracle/admin/xxxxxxxx
/adump
audit_sys_operations boolean FALSE
audit_syslog_level string
audit_trail string DB
SQL> SELECT privilege from dba_priv_audit_opts where user_name is NULL;
PRIVILEGE
ALTER SYSTEM
AUDIT SYSTEM
CREATE SESSION
CREATE USER
ALTER USER
DROP USER
CREATE ANY TABLE
ALTER ANY TABLE
DROP ANY TABLE
CREATE PUBLIC DATABASE LINK
GRANT ANY ROLE
ALTER DATABASE
CREATE ANY PROCEDURE
ALTER ANY PROCEDURE
DROP ANY PROCEDURE
ALTER PROFILE
DROP PROFILE
GRANT ANY PRIVILEGE
CREATE ANY LIBRARY
EXEMPT ACCESS POLICY
GRANT ANY OBJECT PRIVILEGE
CREATE ANY JOB
CREATE EXTERNAL JOB
23 rows selected.
SQL> select object_name, object_type, owner, created from dba_objects where object_name = 'EXPENDABLE_USE';
OBJECT_NAME OBJECT_TYPE OWNER CREATED
EXPENDABLE_USE SYNONYM PUBLIC 20-JUL-11
EXPENDABLE_USE TABLE SISI 20-JUL-11
2 rows selected.
Now, view the dba_audit_objects view:
1 select os_username, username, timestamp, action_name from dba_audit_object where timestamp > sysdate-9
2* order by timestamp desc
SQL> /
OS_USERNAME USERNAME TIMESTAMP ACTION_NAME
scmsrvacct SISI 20-JUL-2011 11:44 CREATE PUBLIC SYNONYM
scmsrvacct SISI 19-JUL-2011 19:40 DROP PUBLIC SYNONYM
scmsrvacct SISI 19-JUL-2011 19:40 DROP PUBLIC SYNONYM
3 rows selected.
Notice that the table created on 20-JUL-2011 is not included above.
Why not?
And why isn't my test user shown, or the creation of the simple table created by the test user?
Well, I can't exactly do what you asked because 'privilege' is not a column.
But I'm guessing this is what you are asking for:
1* select * from dba_stmt_audit_opts where user_name is NULL
SQL> /
USER_NAME PROXY_NAME AUDIT_OPTION SUCCESS FAILURE
ALTER ANY TABLE BY ACCESS BY ACCESS
SYSTEM GRANT BY ACCESS BY ACCESS
DROP ANY TABLE BY ACCESS BY ACCESS
CREATE ANY PROCEDURE BY ACCESS BY ACCESS
DROP ANY PROCEDURE BY ACCESS BY ACCESS
ALTER ANY PROCEDURE BY ACCESS BY ACCESS
GRANT ANY PRIVILEGE BY ACCESS BY ACCESS
GRANT ANY OBJECT PRIVILEGE BY ACCESS BY ACCESS
GRANT ANY ROLE BY ACCESS BY ACCESS
SYSTEM AUDIT BY ACCESS BY ACCESS
CREATE EXTERNAL JOB BY ACCESS BY ACCESS
CREATE ANY JOB BY ACCESS BY ACCESS
CREATE ANY LIBRARY BY ACCESS BY ACCESS
CREATE PUBLIC DATABASE LINK BY ACCESS BY ACCESS
EXEMPT ACCESS POLICY BY ACCESS BY ACCESS
ALTER USER BY ACCESS BY ACCESS
CREATE USER BY ACCESS BY ACCESS
ROLE BY ACCESS BY ACCESS
CREATE SESSION BY ACCESS BY ACCESS
DROP USER BY ACCESS BY ACCESS
ALTER DATABASE BY ACCESS BY ACCESS
ALTER SYSTEM BY ACCESS BY ACCESS
ALTER PROFILE BY ACCESS BY ACCESS
DROP PROFILE BY ACCESS BY ACCESS
DATABASE LINK BY ACCESS BY ACCESS
PROFILE BY ACCESS BY ACCESS
PUBLIC SYNONYM BY ACCESS BY ACCESS
CREATE ANY TABLE BY ACCESS BY ACCESS
28 rows selected.
Also:
SQL> select distinct(user_name) from dba_stmt_audit_opts;
USER_NAME
1 row selected. -
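The thread above ends without an explanation of why the test user's CREATE TABLE did not appear. As an added example (not from the thread, and not Oracle's own tooling), the script below parses a DBA_STMT_AUDIT_OPTS listing like the one posted and reports which expected actions no active statement or privilege option covers. The option names are copied from the post; the action-to-option mapping is my reading of the documented audit option groups (the TABLE statement option covers CREATE/DROP/TRUNCATE TABLE in any schema, CREATE ANY TABLE and DROP ANY TABLE cover use of those privileges, CREATE SESSION covers logons, PUBLIC SYNONYM covers CREATE/DROP PUBLIC SYNONYM, and DML on a table needs object auditing rather than a statement option) and should be checked against the AUDIT reference for the release in use.

```python
"""Report which expected actions the active Oracle standard-audit options cover.

Added example, not from the thread. ACTIVE_OPTIONS_TEXT is a subset of the
DBA_STMT_AUDIT_OPTS output in the post; ACTION_OPTIONS is an assumed mapping
from actions to the statement/privilege audit options that capture them.
"""
import re

# AUDIT_OPTION followed by the SUCCESS and FAILURE columns (USER_NAME/PROXY_NAME empty).
OPTION_RE = re.compile(
    r"^(.+?)\s+(BY ACCESS|BY SESSION|NOT SET)\s+(BY ACCESS|BY SESSION|NOT SET)\s*$"
)

# Subset of the listing shown in the thread (default 11gR2 options).
ACTIVE_OPTIONS_TEXT = """\
USER_NAME PROXY_NAME AUDIT_OPTION SUCCESS FAILURE
ALTER ANY TABLE BY ACCESS BY ACCESS
SYSTEM GRANT BY ACCESS BY ACCESS
DROP ANY TABLE BY ACCESS BY ACCESS
CREATE ANY PROCEDURE BY ACCESS BY ACCESS
GRANT ANY PRIVILEGE BY ACCESS BY ACCESS
ROLE BY ACCESS BY ACCESS
CREATE SESSION BY ACCESS BY ACCESS
DROP USER BY ACCESS BY ACCESS
ALTER SYSTEM BY ACCESS BY ACCESS
PUBLIC SYNONYM BY ACCESS BY ACCESS
CREATE ANY TABLE BY ACCESS BY ACCESS
28 rows selected.
"""

# Action -> options, any one of which records it. An empty set means only
# object auditing (AUDIT ... ON owner.table) can capture it. Assumed mapping.
ACTION_OPTIONS = {
    "logon": {"CREATE SESSION", "SESSION"},
    "create table in own schema": {"TABLE", "CREATE TABLE"},
    "drop table in own schema": {"TABLE"},
    "create table in another schema": {"TABLE", "CREATE ANY TABLE"},
    "drop table in another schema": {"TABLE", "DROP ANY TABLE"},
    "create public synonym": {"PUBLIC SYNONYM", "CREATE PUBLIC SYNONYM"},
    "insert into a table": set(),
}


def parse_audit_opts(text):
    """Return {AUDIT_OPTION: (success_setting, failure_setting)}."""
    opts = {}
    for line in text.splitlines():
        m = OPTION_RE.match(line.strip())
        if m:
            opts[m.group(1)] = (m.group(2), m.group(3))
    return opts


def coverage_report(opts, actions=ACTION_OPTIONS):
    """Map each expected action to the active option that covers it, or None."""
    report = {}
    for action, needed in actions.items():
        report[action] = next((o for o in sorted(needed) if o in opts), None)
    return report


def uncovered(opts, actions=ACTION_OPTIONS):
    """Sorted list of expected actions with no covering option."""
    return sorted(a for a, c in coverage_report(opts, actions).items() if c is None)


if __name__ == "__main__":
    active = parse_audit_opts(ACTIVE_OPTIONS_TEXT)
    for action, option in coverage_report(active).items():
        print(f"{action:32s} -> {option or 'NOT COVERED'}")
```

Against the posted listing, creating or dropping a table in the user's own schema is not covered, which matches what the poster observed for the test user, while the public synonym operations are, which matches the three rows that were captured. Whether logons are recorded depends on the CREATE SESSION option being active, as it is here, so the missing session rows would need a separate explanation.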
EHS- Audit question and findings table?
Hi Gurus
I wanted to know what is the table for Audit questions and findings and also wanted to know where do these corresponding texts are getting stored in SAP.
Thanks
Murali
Hello Murali,
please check the following tables
PLMM_AUDIT - for Audit results
For questions:
PLMM_QUEST_H
PLMM_QUEST_I
PLMM_QUEST_RES
for text
CGPL_TEXT
CGPL_PROJECT
Regards
gajesh -
Kindly guide me how to upload audit questions in the SAP system. My query is: SAP also provides one template; what contents are to be filled in that template? I could not understand. Has anybody worked with that template? Kindly guide me. In that template we have fields like external id, description, ext position, hierarchy level, task level, assessment sug desc.
Please check the SAP note 597982. You can find the SAP-supplied XL template as a zip attachment in the note and step-by-step guidance on how to upload audit questions using the import/export functionality of audit management.
Thanks,
Ram -
Read attachment details of Audit Question (PLMD_AUDIT)
Hi Experts,
Kindly request you to assist me on the below.
I'm trying to build a solution using ABAP for a requirement, where the logic has to find the attachment details of an audit question or action on the audit transaction (PLMD_AUDIT).
For example, please see the attached:
Screen shot 1.--> I'm not able to build the solution to check whether an audit question/action is having an attachment.
Screen shot 2.--> If the attachment exists, then how to get the attachment and send an email.
Appreciate your valuable inputs.
Thank you
Mahendra -
Access to SU01 with no authorization to the transaction
Hello,
I have a user that was able to execute transaction SU01 even though he has no authorization to it, at least not directly. I do not know how he did it; these are the entries from SM20:
01.06.2011 16:10:36 UserX userxlaptop SU01 SAPLSMTR_NAVIGATION Start of transaction SU01 failed (Reason=6)
01.06.2011 16:10:42 UserX userxlaptop SE37 SAPLSMTR_NAVIGATION Transaction SE37 Started
01.06.2011 16:10:42 UserX userxlaptop SE37 RSFUNCTIONBUILDER Report RSFUNCTIONBUILDER Started
01.06.2011 16:10:47 UserX userxlaptop SE37 RS_TESTFRAME_CALL Report RS_TESTFRAME_CALL Started
01.06.2011 16:10:53 UserX userxlaptop SU01 RS_TESTFRAME_CALL Transaction SU01 Started
I executed program RS_TESTFRAME_CALL but was not able to go to SU01 from there. Does anybody know how the access to SU01 was possible?
Regards,
Ayax
There are many other ways to break into the initial transaction screen. Developers play these magic tricks and sometimes they assign themselves a profile (not to mention the name). However, for these, if your developer does not have access to objects like S_USER*, they won't be able to do any further activity there.
But if he is too smart then maybe there are other ways to break that as well (like changing the RC at runtime). That may have a solution in terms of authorization restriction or some SNOTE implementation (lots of bugs), specifically in old systems.
Regards,
Arpan Paik -
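From a monitoring point of view, the SM20 extract in the question already contains the signal worth alerting on: a failed start of a transaction, followed shortly by the same transaction starting under a program other than the normal menu/command-field navigation. The script below is an added example (not from the thread, and not an SAP tool) that reads the five lines posted above and flags that pattern. The line layout it assumes (date, time, user, terminal, transaction, program, message) is how the lines appear in the post, not an official SM20 export format; the 10-minute window is an arbitrary choice.

```python
"""Flag a failed transaction start followed by a start of the same transaction
from a non-navigation program, over Security Audit Log (SM20) lines.

Added example, not part of the thread. SAMPLE_SM20 is copied from the post;
the field layout and the correlation window are assumptions.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$")
FAILED_RE = re.compile(r"Start of transaction (\S+) failed")
STARTED_RE = re.compile(r"Transaction (\S+) Started")

# Program under which transactions start from the menu / command field.
NAVIGATION_PROGRAM = "SAPLSMTR_NAVIGATION"

SAMPLE_SM20 = """\
01.06.2011 16:10:36 UserX userxlaptop SU01 SAPLSMTR_NAVIGATION Start of transaction SU01 failed (Reason=6)
01.06.2011 16:10:42 UserX userxlaptop SE37 SAPLSMTR_NAVIGATION Transaction SE37 Started
01.06.2011 16:10:42 UserX userxlaptop SE37 RSFUNCTIONBUILDER Report RSFUNCTIONBUILDER Started
01.06.2011 16:10:47 UserX userxlaptop SE37 RS_TESTFRAME_CALL Report RS_TESTFRAME_CALL Started
01.06.2011 16:10:53 UserX userxlaptop SU01 RS_TESTFRAME_CALL Transaction SU01 Started
"""


def parse_sm20(text):
    """Parse lines into dicts with a datetime and the six text fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers or blank lines
        date, time, user, terminal, tcode, program, message = m.groups()
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%d.%m.%Y %H:%M:%S"),
            "user": user, "terminal": terminal, "tcode": tcode,
            "program": program, "message": message,
        })
    return events


def find_bypass(events, window=timedelta(minutes=10)):
    """Pair each failed start with a later non-navigation start of the same
    transaction by the same user within `window`; return one alert per pair."""
    alerts = []
    failed = []  # (timestamp, user, transaction) of failed starts seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        m = FAILED_RE.search(ev["message"])
        if m:
            failed.append((ev["ts"], ev["user"], m.group(1)))
            continue
        m = STARTED_RE.search(ev["message"])
        if not m or ev["program"] == NAVIGATION_PROGRAM:
            continue  # normal starts via the menu are not interesting here
        for fts, fuser, ftcode in failed:
            delay = ev["ts"] - fts
            if fuser == ev["user"] and ftcode == m.group(1) and timedelta(0) <= delay <= window:
                alerts.append({
                    "user": ev["user"], "tcode": ftcode, "via": ev["program"],
                    "seconds_after_failure": int(delay.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_bypass(parse_sm20(SAMPLE_SM20)):
        print(alert)
```

On the posted lines this yields one alert: SU01 started for UserX via RS_TESTFRAME_CALL 17 seconds after the refused start. The same rule generalises to any transaction name, so it can run over a full SM20 extract rather than one user's lines.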
Hello, I am trying to understand "Audit object access", I have it turned on and I am capturing all Success and Failures of every file share I have on our File Server.
However, that is my issue. I am capturing everything. Is there a way to only capture certain file shares. I noticed that under the auditing tab, its has "include inheritable auditing........"
Example:
In this example, I want to capture successes and failures for all users who access Events and Images folders.
\\Server1\Share1\Data1\Common\Reports\Events
\\Server1\Share1\Data1\Common\Apps
\\Server1\Share1\Data1\Images
Thank you for your help.
Simply disable the current auditing on the root of your folders. Once done, enable it only on the folders you would like to audit.
Reading such logs is usually a difficult task and time consuming. For that, it is recommended to use a third party tool with a UI for auditing. The one I usually recommend is Lepide Auditor for File Server: http://www.lepide.com/file-server-audit/
Ahmed MALEK -
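Two of the Windows threads above come down to the same review step: once object-access auditing is on, pick out the failure records and restrict them to the folders you care about. The script below is an added example (not from either thread, and not a Microsoft tool) that does that over constructed Security log records shaped like Event IDs 5145 (share access check), 4656 (handle request) and 4663 (object access), using the two folder paths from the second question. The field names follow the event XML, the server name used to rebuild a UNC path from a 5145 record is assumed, and the sample records are constructed.

```python
"""Filter Windows Security log object-access records to failures under
audited folders, and detect the "only success records" symptom.

Added example, not from the threads. SAMPLE_EVENTS are constructed records
with the field names of Event IDs 5145/4656/4663; the server name is assumed.
"""
import ntpath

FAILURE = "Audit Failure"
SUCCESS = "Audit Success"

# Constructed sample records (real ones would come from Get-WinEvent or an XML export).
SAMPLE_EVENTS = [
    {"EventID": 5145, "Keywords": SUCCESS, "SubjectUserName": "alice",
     "ShareName": r"\\*\Share1", "RelativeTargetName": r"Data1\Common\Reports\Events\Q3.xlsx"},
    {"EventID": 4656, "Keywords": FAILURE, "SubjectUserName": "alice",
     "ObjectName": r"\\Server1\Share1\Data1\Common\Reports\Events\Q3.xlsx", "AccessMask": "0x1"},
    {"EventID": 5145, "Keywords": SUCCESS, "SubjectUserName": "bob",
     "ShareName": r"\\*\Share1", "RelativeTargetName": r"Data1\Common\Apps\setup.exe"},
    {"EventID": 4656, "Keywords": FAILURE, "SubjectUserName": "bob",
     "ObjectName": r"\\Server1\Share1\Data1\Common\Apps\setup.exe", "AccessMask": "0x1"},
    {"EventID": 4663, "Keywords": SUCCESS, "SubjectUserName": "carol",
     "ObjectName": r"\\Server1\Share1\Data1\Images\logo.png", "AccessMask": "0x1"},
]

# Folders from the second question; Apps is deliberately left out.
AUDITED_FOLDERS = [
    r"\\Server1\Share1\Data1\Common\Reports\Events",
    r"\\Server1\Share1\Data1\Images",
]


def object_path(event, server="Server1"):
    """UNC path of the object. 5145 carries share + relative name (the share
    is logged as \\\\*\\Name, so the server is substituted); 4656/4663 carry
    the full object name."""
    if event["EventID"] == 5145:
        share = event["ShareName"].replace("\\\\*\\", "\\\\" + server + "\\", 1)
        return ntpath.join(share, event["RelativeTargetName"])
    return event["ObjectName"]


def under(path, folder):
    """Case-insensitive 'path is folder or lies beneath it' for Windows paths."""
    p = ntpath.normcase(path)
    f = ntpath.normcase(folder).rstrip("\\") + "\\"
    return p == f.rstrip("\\") or p.startswith(f)


def failed_access(events, audited_folders=AUDITED_FOLDERS):
    """(user, event id, path) for failure audits under the audited folders."""
    hits = []
    for ev in events:
        if ev["Keywords"] != FAILURE:
            continue
        path = object_path(ev)
        if any(under(path, folder) for folder in audited_folders):
            hits.append((ev["SubjectUserName"], ev["EventID"], path))
    return hits


def failure_auditing_effective(events):
    """False when the log holds only success records, the symptom in the first
    thread: failure auditing or the folder SACL is not taking effect."""
    return any(ev["Keywords"] == FAILURE for ev in events)


if __name__ == "__main__":
    print("failure auditing effective:", failure_auditing_effective(SAMPLE_EVENTS))
    for hit in failed_access(SAMPLE_EVENTS):
        print(*hit)
```

Alice's refused access under Events is reported; Bob's refused access under Apps is dropped because Apps is not an audited folder, which is the scoping the second question asks for. Fed a log that contains only success records, the second function returns False, the situation the first question describes.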
ABS quirks / auditing question / kernel request
My original post is below but it's wrong. All I'm asking now is if someone can enable CONFIG_AUDIT in the kernel or tell me a program that lets you spy on files just as well as auditd.
Today when I was making packages, something I haven't done in a while and badly needed to do again, I noticed exclamation marks appearing beside the filenames in the medit tabs. Those exclamation marks mean that since I last saved the text file in medit, another process edited the file on the disk. Subsequent saving required me to click "yes I'm sure I want to overwrite" in this popup window. This was responsive to my saves. Every time I saved something (a PKGBUILD, a patch, anything under the /var/abs tree) it was changed half a second later.
I tried to find out what was going on. Inotify-tools told me when the PKGBUILD was being modified but not by what process. Lsof and Glsof had no hope because they don't watch a specific file in real time, they only tell you things that are currently open so I'd need inhuman reflexes to get useful information out of them.
One thing that looks perfect for me is auditd. This page http://www.cyberciti.biz/tips/linux-aud … -file.html says how you can use it to see what process edited what file. I spent a couple hours fine tuning the PKGBUILD of it only to hit the error where auditd says "Connection refused." Every other poster reporting this did so because his or her kernel did not have audit support and sure enough in the kernel26 package, CONFIG_AUDIT is not set.
So I need to ask three things:
1. Does anyone know why my files are being accessed this way in /var/abs?
2. Does anyone know a program compatible with the default kernel26 that could help me investigate?
3. If it's not too much trouble, would the kernel26 maintainers consider adding CONFIG_AUDIT so I don't have to start using a custom kernel over this one triviality?
Thanks a lot.
Last edited by ConnorBehan (2008-12-27 00:13:11)
ConnorBehan wrote:
Oh thanks monster, Thunar was open for me too. And it happened again today in /home so it's nothing to do with ABS. I guess my question now is:
Could someone enable CONFIG_AUDIT in kernel26 or tell me a way to audit with the kernel I have out of curiosity?
No problem, I'm glad I could help. I was a little unsure of what was going on myself until I stumbled on to the connection. If you figure out what is going on could you try and pass that along? I am curious to know the answer but not knowledgeable enough to dig into kernel audits to figure it out -
How to audit database access by IP address?
Hello,
In SQL 2008 R2 Enterprise is there a built-in mechanism to be able to audit and log the SQL loginname along with their IP addresses when they access a particular database? Most of the logins only have the role for db_datareader so I need to audit basically
everyone that is connecting to the database and whether they are running select statements or not.
Thank you.
Dear Forum and All,
I have been working with Audit in SQL Server 2008. But my result does not have the HOST_NAME and IP address of the client.
This is my code:
Create Audit
USE [master]
GO
CREATE SERVER AUDIT [Audit-20141206-090946_ControlEven]
TO FILE
(   FILEPATH = N'C:\Audit'
    ,MAXSIZE = 0 MB
    ,MAX_ROLLOVER_FILES = 2147483647
    ,RESERVE_DISK_SPACE = OFF
)
WITH
(   QUEUE_DELAY = 1000
    ,ON_FAILURE = CONTINUE
)
GO
Create Database Audit Specification
USE [TESTAUDIT]
GO
CREATE DATABASE AUDIT SPECIFICATION [DatabaseAuditSpecification-20141222-082141_Control]
FOR SERVER AUDIT [Audit-20141206-090946_ControlEven]
ADD (SELECT ON OBJECT::[dbo].[tblTesting] BY [public])
GO
This is my result:
Event_Time|Session_ID|Server_Principal_Name|Statement|.......|.........
But I need column HOST_NAME and IPADDRESS of Client in my result.
Thank you for your cooperation and support.
Best Regards,
Mr. Pann Matak -
Our VOIP environment raised some flags on the latest audit scan and I am trying to resolve the items:
A few items have me confused:
The following showed up on 3 of the devices:
remote network time service has denial of service (123/udp)...Upgrade to NTP 4.2.4p8 or later.
1 CallManager had this and it is running the latest revision 7.1.3.32900-4 and is supposed to be resolved. (Another CCM running the same version didn't have the vulnerability.)
Our 2 UCCX servers running Cisco Application Administration - 7.0(1)_Build168 had the same vulnerability. From what I can tell Cisco has fixed it for most products but not the UCCX platform. I know this is going to a Linux-based version soon but is there a patch or upgrade that can resolve this?
Also Weak Ciphers appear on almost all of the Linux based servers...is there a way to disable this?
Thanks,
Joe
Dear Laxmi
You can upload the questions through excel , XML template. The template and details is available in the SAP note 597982
Regards
Gajesh -
Re: Auditing Document Access?
Hi guys,
I know you can subscribe to a document to see who has checked out and checked in a document but is there a way to see who has read the document?
Is there an audit trail for user access or other similar events?
I have a requirement from a client to do the above for their procedures to make sure it is being read.
Thanks in advance.
The Content Tracker component does track user access as well as many other types of information.
Thanks sapan. -
I want to audit file and folder access on a Windows 2008 server. I need to enable an audit log of all file activity by user, such as read, copy, create, rename, delete.
Is there a way to see if a user accessed a specific file?
Thanks
Hey, please have a look at these links for reference.
http://social.technet.microsoft.com/Forums/windowsserver/en-US/b18ca99b-db07-4e2e-8f13-67d58a4d1c63/windows-2008-server-files-access-real-time-monitoring
Moreover, you can start from the several links from here also
http://technet.microsoft.com/en-us/library/dd408940%28v...
http://technet.microsoft.com/en-us/sysinternals/bb89664...
http://technet.microsoft.com/en-us/library/cc721946.asp...
And the other option is you can opt for a third party tool such as Lepide Auditor For File Server, a file server monitoring tool that would help you in case of real-time monitoring. Test the tool from the link below.
http://www.lepide.com/file-server-audit/
Thanks. -
Oracle Auditing question.
Hi All,
I have an application schema called SPRE. I want to audit insert/update/delete/alter on any SPRE objects by any database user, but I don't want to audit any action performed by the "SPRE" user itself.
I know how to set this up... like running the below as SYSTEM:
audit insert,update,delete on SPRE.table1;
audit insert,update,delete on SPRE.table2;
audit insert,update,delete on SPRE.table3;
But the questions I have are...
1. How to audit if the SYS user performs any insert, update, delete?
2. How to stop audit entries if the SPRE user performed insert, update, delete?
Thanks,
Anuj
sys.aud$, dba_audit_trail
OR
SELECT view_name FROM dba_views WHERE view_name LIKE 'DBA%AUDIT%' ORDER BY view_name;
SELECT view_name
FROM dba_views
WHERE view_name LIKE 'DBA%AUDIT%'
ORDER BY view_name;
VIEW_NAME
DBA_AUDIT_EXISTS
DBA_AUDIT_OBJECT
DBA_AUDIT_POLICIES
DBA_AUDIT_POLICY_COLUMNS
DBA_AUDIT_SESSION
DBA_AUDIT_STATEMENT
DBA_AUDIT_TRAIL
DBA_COMMON_AUDIT_TRAIL
DBA_FGA_AUDIT_TRAIL
DBA_OBJ_AUDIT_OPTS
DBA_PRIV_AUDIT_OPTS
DBA_REPAUDIT_ATTRIBUTE
DBA_REPAUDIT_COLUMN
DBA_STMT_AUDIT_OPTS
HTH
-Anantha
Edited by: Anantha R on Mar 29, 2010 3:23 PM -
Hello, people!
I have question about auditing in Oracle Internet Directory.
1. I turn audit on in my OID.
2. Restart OID.
3. Searching for audit log entries by using ldapsearch. The DN for the audit log container is cn=auditlog. To search for audit log entries, perform a subtree or one-level search, with the container object cn=auditlog as the base of the search. Works fine.
4. But when I add some user to some group, I get a record like:
orclSequence=348,cn=auditlog
objectclass=top
objectclass=orclauditoc
orcluserdn=cn=orcladmin
orcleventtype=Modify
orclauditmessage=Modifying entry cn=XMLP_ADMIN,cn=Groups,dc=rd,dc=local
orclsequence=348
orclopresult=Success
orcleventtime=20091125141137z
Does anyone know how to determine what changes were done?
Thanks,
Jeff.
It will be good if you are adding HR as an OU; in case you have IT or some other organization unit it can be easily added and identified.
Once you add it as an OU, all required classes will be added automatically; further, if you have any custom attribute you can add your own custom class.