Security audit issues

Similar Messages

• Performance issue of Security Audit log

  Hello,
            My client would like to activate the Security Audit log on his system. However he will like to know whether there could be any performance issue when activating it. Since I do not have any prior experience, can you please give me your general feedback on this subject. Have any of you experience performance issue when implementing security audit log and what can be done to minimize its effect?

  Hai,
  Activating Security Audit logs will not affect the performance of your SAP system. Since SAP Systems maintain their audit logs on a daily basis. The system does not delete or overwrite audit files from previous days; it keeps them until you manually delete them. Due to the amount of information that may accumulate, you should archive these files on a regular basis and delete the originals from the application server. This is the only thing you really need to take care since they might fill up the disk space if you dont archive or delete them on regular basis. Also since the data is very sensitive you should take extra care to protect the data.
  Please follow the below links for more details.....
  http://help.sap.com/saphelp_nw04/helpdata/EN/95/d2a8e36d6611d1a5700000e835363f/frameset.htm
  http://www.saptechies.com/faq-answers-to-questions-about-the-security-audit-log/
  Regards,
  Yoganand.V

• Multiple security audit failures a second

  A client's SBS 2011 machine is experiencing multiple audit failures a second and we believe it is diminishing the performance of the machine. We can't seem to find the source or how to remedy the issue. It its happening way too fast to be a human trying
  to login. 
  Keywords Date and Time Source Event ID Task Category
  Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4905 Audit Policy Change "An attempt was made to unregister a security event source.
  Subject
  Security ID: SYSTEM
  Account Name: SBS$
  Account Domain: <ommited from forum post>
  Logon ID: 0x3e7
  Process:
  Process ID: 0x10d4
  Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
  Event Source:
  Source Name: ServiceModel 4.0.0.0
  Event Source ID: 0x262070f0"
  Audit Success 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4904 Audit Policy Change "An attempt was made to register a security event source.
  Subject :
  Security ID: SYSTEM
  Account Name: SBS$
  Account Domain: < ommited from forum post >
  Logon ID: 0x3e7
  Process:
  Process ID: 0x10d4
  Process Name: C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
  Event Source:
  Source Name: ServiceModel 4.0.0.0
  Event Source ID: 0x262070f0"
  Audit Failure 6/18/2014 1:50:32 PM Microsoft-Windows-Security-Auditing 4625 Logon "An account failed to log on.
  Subject:
  Security ID: SYSTEM
  Account Name: SBS$
  Account Domain: <ommited from forum post>
  Logon ID: 0x3e7
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name:
  Account Domain:
  Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xc000006d
  Sub Status: 0xc0000064
  Process Information:
  Caller Process ID: 0x24c
  Caller Process Name: C:\Windows\System32\lsass.exe
  Network Information:
  Workstation Name: SBS
  Source Network Address: -
  Source Port: -
  Detailed Authentication Information:
  Logon Process: Schannel
  Authentication Package: Kerberos
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
  Subject
  Security ID:
  SYSTEM
  Account Name:
  SBS$
  Account Domain:
  <ommited from forum post>
  Logon ID:
  0x3e7
  Process:
  Process ID:
  0x131c
  Process Name:
  C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
  Event Source:
  Source Name:
  ServiceModel 4.0.0.0
  Event Source ID:
  0x26206ef4"
  Audit Success 6/18/2014 1:50:32 PM
  Microsoft-Windows-Security-Auditing
  4904 Audit Policy Change
  "An attempt was made to register a security event source.
  Subject :
  Security ID:
  SYSTEM
  Account Name:
  SBS$
  Account Domain:
  <ommited from forum post>
  Logon ID:
  0x3e7
  Process:
  Process ID:
  0x131c
  Process Name:
  C:\Program Files\Windows Server\Bin\SharedServiceHost.exe
  Event Source:
  Source Name:
  ServiceModel 4.0.0.0
  Event Source ID:
  0x26206ef4"
  Audit Failure 6/18/2014 1:50:32 PM
  Microsoft-Windows-Security-Auditing
  4625 Logon
  "An account failed to log on.
  Subject:
  Security ID:
  SYSTEM
  Account Name:
  SBS$
  Account Domain:
  <ommited from forum post>
  Logon ID:
  0x3e7
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID:
  NULL SID
  Account Name:
  Account Domain:
  Failure Information:
  Failure Reason:
  Unknown user name or bad password.
  Status:
  0xc000006d
  Sub Status:
  0xc0000064
  Process Information:
  Caller Process ID:
  0x24c
  Caller Process Name:
  C:\Windows\System32\lsass.exe
  Network Information:
  Workstation Name:
  SBS
  Source Network Address:
  Source Port:
  Detailed Authentication Information:
  Logon Process:
  Schannel
  Authentication Package:
  Kerberos
  Transited Services:
  Package Name (NTLM only):
  Key Length:
  0
  Jerry T

  Hi Jerry,
  Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. This is usually
  related to share folders, printers, IIS and so on.
  Would you please let me confirm whether you had installed some third-party applications?
  Meanwhile, please refer to Robert’s suggestion in the following similar thread and check if can help you.
  Audit
  Failure - Event 4625
  If any update, please feel free to let me know.
  Hope this helps.
  Best regards,
  Justin Gu

• MySQL Security: Logging Issues

  In performing a recent security audit, I've attempted to try and login (using mysql from the command line) using a valid MySQL user ID but a false password. As expected, this action generates an authentication failure. My aim is to now try and locate where this fact is actually logged within a reasonably standard XServer environment (obviously, such authentication checks are performed by MySQL and not by other XServer daemons).
  As best as I can work work out, a standard install does not log such errors anywhere. Looking at the default /etc/my.cnf file, there's nothing to indicate that error logging should occur. For testing purposes, adding in a line such as:
  log-error=/Library/Logs/MySQL.log
  to mycnf.conf and restarting the server does not appear to alleviate the issue. Changing the file ownership to _mysql (which strictly speaking shouldn't be needed - since syslogd/asl should be providing the logging API) doesn't solve the issue either.
  How does one go about successfully setting up logging within an XServer environment? Obviously, I'm particularly interested in logging/catching MySQL authentication failures - although it's also reasonable to be aware as to how to go about logging all DB queries etc. in observational circumstances.
  Apologies if I appear to be dense here, but there appears to be a dearth of information on this topic for OS X out there!?
  Thanks for your help,
  Carl.

  Hi Funtivity LLC,
  Since the forum regards Windows SQL Azure database, if there are some error in your MySQL database, I recommend you post the issue on the MySQL forum(
  http://forums.mysql.com/ ). It is appropriate and more experts will assist you.
  In addition, if you want to turn off the MySQL strict mode, there is instructions in the following article. You can refer to it.
  https://my.kayako.com/Knowledgebase/Article/View/472/149/how-to-turn-off-mysql-strict-mode
  Regards,
  Sofiya Li
  Sofiya Li
  TechNet Community Support

• The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.

  Last night, some of our systems installed updates released on 11/13/2014.  
  KB3021674
  KB2901983
  KB3023266
  KB3014029
  KB3022777
  KB3020388
  KB890830
  Today, all of the servers running Windows Server 2008 R2 started logging the following error in the Security log over and over:
  Log Name:      Security
  Source:        Microsoft-Windows-Eventlog
  Date:          1/15/2015 11:12:39 AM
  Event ID:      1108
  Task Category: Event processing
  Level:         Error
  Keywords:      Audit Success
  User:          N/A
  Description:
  The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.
  Servers running Windows Server 2008 that also installed the updates are not experiencing the problem.  It looks like one of the updates may have introduced this problem with Server 2008 R2.

  ...Did you for sure confirm that:
  https://technet.microsoft.com/library/security/MS15-001
  is the cause?
  I did.  I had a VM that was not experiencing the problem.  I took a snapshot and tested the patches one by one.  Installing only KB3023266 immediately caused the issue to occur (after reboot).  A similar process was used to confirm that
  installing KB2675611 resolved the problem.
  Note that I found the installation of KB2675611 is usually quick, but it took several hours hours to install on some of our systems.  We had installed this patch a few months ago on a couple of servers and it was always quick to install.  But,
  it seems like installing it on a symptomatic system can cause it to take a long time.

• Oracle Security Audit Advisory Q2

  Hi All,
  My boss give me the security audit check, review guidelines from Oracle.
  He wants me to validate it with our existing PROD database setup.
  Have you done this security check in your PROD databases?
  1.
  1.1.1 Ensure the following are not installed by default
  1.1.1.1 Spatial
  1.1.1.2 OLAP
  1.1.1.3 Data Mining
  1.1.1.4 Real Application Testing
  1.1.2 Do not install sample schemas
  How do I know if they were installed by defualt? And how do I deinstall them?
  2.
  1.1 Disallow remote OS authentication
  Does this mean I can allow local OS authentication?
  By the way, we have an  issue of hiding the passwords in batch job scripts.
  And I suggested to the security officer to use the OS authentication ( I mean local)
  But he disapproved it because for the reason mentioned item above.
  So, can I reason with him that he misunderstood it?
  Thanks,
  zxy

  Thanks Justin Sir, your ideas has been so sensible.
  The docs Im referring to is > ORACLE-BASE - OS Authentication
  I am sure the IT security officer is just referring the guidelines as he is not good in oracle as he is a network guy.
  One thing he insist is, the batch operator who handles running of batch scripts every night must not have access to the database? or he/she has no database login?
  What he means is in OS Aix he has only "oper01" login id, but it does not have a counterpart of "oper01" in the database. So he will run batch scripts the has connection
  to "appadmin" database user, and the the password for this db userid is hidden or encrypted. Of which I suggest to be identified externally.
  Can this setup be done for security compliance? I mean can an operator run a batch job that is connecting to the database of which he does not know what userid&password is,
  and can not be seen in the shell script even if he opens it? I know if it is a compiled perl It is possible. But using perl for batch need deep expertise.
  Can you share me how do u secure your prod database from operators that handles the batch jobs?
  Thanks a lot

• Enable Security Audit Log

  Hi All,
  If we will enable Security Audit Log, does it affect the performance of the SAP System.
  Please clarify my doubt.
  Thanks

  Hello Anil, Security audit log is creates archive log file on daily basis. No performance issues will come if you take care of some parameters
  The system does not delete or overwrite audit files from previous days, it keeps them until manually deleted. Due to the amount of information that may accumulate, we should archive these files on a regular basis and delete the originals from the application server.
  You define the name and location of the files in the profile parameter haanrsau/local/file. When an event occurs that is to be audited, the system generates a corresponding audit record, also called an audit message, and writes it to the file. The audit record contains the following information.
  We can define the maximum size of the audit file in the profile parameter rsau/maxdiskspace/local_. The default is 1000000 bytes (= 1 MB). If the maximum size is reached, then the auditing process stops.
  Hope it helps.
  Regards, Amber S | ITL

• Microsoft-Windows-Security-Auditing

  Hi,
  I having issue to isolate and identify the repeat account audit fail issue on sharepoint server.
  Any help on this is appreciated.
  Log Name:      Security
  Source:        Microsoft-Windows-Security-Auditing
  Date:          4/4/2015 3:45:59 AM
  Event ID:      4625
  Task Category: Logon
  Level:         Information
  Keywords:      Audit Failure
  User:          N/A
  Computer:      SPT01
  Description:
  An account failed to log on.
  Subject:
   Security ID:  A\admin
   Account Name:  admin
   Account Domain:  A
   Logon ID:  0x176462
  Logon Type:   8
  Account For Which Logon Failed:
   Security ID:  NULL SID
   Account Name:  admin
   Account Domain:  a
  Failure Information:
   Failure Reason:  Unknown user name or bad password.
   Status:   0xc000006d
   Sub Status:  0xc000006a
  Process Information:
   Caller Process ID: 0xed4
   Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
  Network Information:
   Workstation Name: SPT01
   Source Network Address: -
   Source Port:  -
  Detailed Authentication Information:
   Logon Process:  Advapi 
   Authentication Package: Negotiate
   Transited Services: -
   Package Name (NTLM only): -

  Hi,
  Based on the description of the fail issue, the account failed to log on the server and the fail reason was that Unknown user name or bad password.
  From the sub state is 0xc000006a, the description of the sub state is that user name is correct but the password is wrong. I recommend you to check if the password is right.
  You can also check the machine's PHS-AERO health by using:
  NLTEST /SC_VERIFY:domain-name
  And if the result is SUCCESS, you can also try NLTEST /SC_RESET:domain-name several times to see what happens. The SC_RESET command forces the machine to select a new DC to authenticate against and you should see a random switching between your DCs.
  There is a similar case:
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/ae9da10a-b4d2-4eda-ae6d-ad61b7b6ab79/audit-failure-event-id-4625?forum=winserversecurity
  The article below is about Event ID 4625, you can take a look.
  https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
  Best regards,
  Sara Fan
  TechNet Community Support
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• How to schedule a batch job to generate security audit log (SM20)

  May be this is a repeat question for this forum. Apologize, if it is. Is there a way to schedule a batch job to generate security audit log (SM20) automatically and possibly send a message to SAP Inbox or generate a spool request? Release is 4.6C.
  Regards
  Nirmal

  > May be this is a repeat question for this forum. Apologize, if it is.
  You don't need to apologize. You only need to do a very simple search...
  > Total Questions:  18 (16 unresolved) 
  Perhaps 16 of those 18 questions you have not followed up on could have been spared as well?
  Please do the needfull.
  Cheers,
  Julius

• How do i deal with 'security certificate' issues on my iPad2? I'm unable to answer the security questions that pop up when Im trying to download an app because the pop up does not load properly...

  Basically my Ipad2 stopped allowing me to go to sites such as Tumblr a little while ago. It wouldn't display the page properly because of 'security certificate' issues. This in itself would not have been such a problem, but when I went to the App store to try and download the Tumblr App, a pop up appeared asking me to answer some security questions before I could successfully install the App. However, the pop up would not display correctly because of 'security certificate' issues and as a result I can't download any apps from the App Store. Can anyone help with this??

  Well, I maged to delete some stuff, download the update...
  My Mac mail is still not ok. Still only displays today, yesterday and everything is the 16th of the month previous to this?
  All a bit strange to say the least any suggestons on how to resolve this.
  I now have a second issue in all my emails at the very top of each it describes in detail the full information of
            Delivered-To:  
            Received:  
            Received:  
            Received:  
            Received:  
            X-Received:  
            Return-Path:  
            Received-Spf:
            Authentication-Results:
            Content-Type:  
            Mime-Version:  
            X-Mailer:  
            X-Cloudmark-Analysis:  
  Surely this should not be displayed rather insecure I would think. Any suggestions on how to amend

• Can we set up a forum for Security related issues?

  I know many of us think security is a Windows related issue, but from time to time there are security issues that may come up. I had a question so I looked and couldn't find a forum, so I posted in one of the OS X 10.6 sub forums.
  Thanks!

  I am a co-founder of Calendar of Updates http://www.calendarofupdates.com/updates/index.php?act=idx This is a site that is primarily a Windows based security forum (I switched about 4-5 years ago). Over the years, I've tried to grow the Mac side of our forum, but, as you may know, there is little or no interest in security within the Mac community. For many, the feel security is a Windows issue.
  It's a free site, so don't think I have a vested interest in growing the membership, I'm not an owner, either.
  I just created an *Apple OS X Security Issues* forum http://www.calendarofupdates.com/updates/index.php?showforum=209
  Right now it's an empty forum since it was created 10 minutes ago. Please feel free to join the forum and share security related issues and questions.
  I am not aware of any other forums that deal with OS X security issues
  exclusively, so this forum could be a good place to bookmark and visit from time to time.

• "logon time" between USR41 and security audit log

  Dear colleagues,
  I got a following question from customer for security audit reason.
  > 'Logon date' and 'Logon time' values stored in table  USR41 are exactly same as
  > logon history of Security Audit Log(Tr-cd:SM20)?
  Table:USR41 saves 'logon date' and 'logon time' when user logs on to SAP System from SAP GUI.
  And the Security Audit Log(Tr-cd:SM20) can save user's logon history;
  at the time when user logged on, the security audit log is recorded .
  I tried to check SAP GUI logon program:SAPMSYST several ways, however,
  I could not check it because the program is protected even for read access.
  I want to know about specification of "logon time" between USR41 and security audit log,
  or about how to look into the program:SAPMSYST and debug it.
  Thank you.
  Best Regards.

  Hi,
  If you configure Security Audit you can achieve your goals...
  1-Audit the employees how access the screens, tables, data...etc
  Answer : Option 1 & 3
  2-Audit all changes by all users to the data
  Answer : Option 1 & 3
  3-Keep the data up to one month
  Answer: No such settings, but you can define maximum log size.
  4-Log retention period can be defined.
  Answer: No !.. but you can define maximum log size.
  SM19/SM20 Options:
  1-Dialog logon
  You can check how many users logged in and at what time
  2-RFC login/call
  Same as above you can check RFC logins
  3-Transaction/report start
  You can see which report or transaction are executed and at what time
  (It will help you to analyise unauthorized data change. Transactions/report can give you an idea, what data has been changed. So you can see who changed the data)
  4-User master change
  (You can see user master changes log with this option)
  5-System/Other events
  (System error can be logged using this option)
  Hope, it clear the things...
  Regards.
  Rajesh Narkhede

• Audit Issue in QA after system restore and client copy

  Hi Experts,
  We have an audit issue and need your advise on that.
  Our QA system was audited and auditors were looking for the approval tickets on which a user was created. I found that several users that were not created in QA and do not even exist in QA have their change logs in QA showing that user was created.
  I researched it and found the steps that Basis and DBA's do when creating a new QA client.
  1. Basis export user master and authorizations using SAP_USER profile from the target QA environment.
  2. Then DBA's restore the QA Environment from the Production Backup.
  3. Basis import back the preserved User master and roles using SAP_USER profile.
  But when reading about this profile, I came to understand that change documents ( USH* ) tables are not exported and imported back. So that is why we have change logs in our QA from Production system.
  So my question is how to solve this issue, where Auditors look at the change documents in QA and ask for the documentation though in reality these change documents are coming from Production. Should we ask for DBA team to truncate USH tables or is there a client copy profile that saves the change logs that we can export and import back.

  Hi,
  as you know the USH* tables belong to delivery class L. The tables in this class are never copied during client copy but you don't do client copy. Idea of deleting records from L tables after backup restore does not sound good because you will loose all data. As a workaround you could backup content of tables with delivery class L, export users SAP_USER, restore production backup, import users and import backup for tables with delivery class L. There is around 5000 L tables in ECC. Another approach could be to restore production on different box and do proper client copy to QA system.
  Cheers

• 'Created by' column in SM37 contains inactive users - audit issue?

  Hi,
  Most of the jobs in sm37 in our systems have been created by staff who had already left. So under the 'created by' column in SM37 we can see jobs running under users who have been locked/deleted. But it's only the 'created by' column. All the 'steps' run under a system user called 'BATCHUSER', that's why the jobs run fine.
  Is it a problem to have inactive users under the 'created by' column in SM37? Is it an audit issue? I've thought that as long as the steps run as a system user then it shouldn't be an audit issue but having discussing about it in my team.
  Any comments will be very welcome!
  Thank you
  Marcia

  Yes,
  This is purely depends on your org understandness, As in system there won't be any issue as long as the jobs run.
  In SAP there is no such way to change the owner (Created by) of background job, we only can change the step owner.
  If you feel that there will be an issue, my suggestion is to copy the jobs to BATCHUSER and delete all old jobs created by inactive users.
  Regards,
  Nick Loy

• Getting the name of the program or the FM called from security audit log

  Dears,
  Is there a way to get the name of the ABAP program called through transaction SE38, or the FM called through transaction SE37, from the security audit log ?
  What is available is only : RSABAPPROGRAM for transaction SE38, and RSFUNCTIONBUILDER for transaction SE37
  Thanks.
  Reda

  I had always assumed this log to be in the SUBMIT statement, but never used it.
  If I remember correctly this is recorded it the runtime submit, so it should be there.
  Perhaps it is only in selected reports? I will check in my system.
  Please compare with sm20n and run the report from sa38. The submits are different in sa38 etc compared to se38.
  The FM will only be recorded it it has a destination extention in the source system which is mostly remote. Local fm calls are not recorded for sure.
  Cheers,
  Julius
  Edited by: Julius Bussche on Jul 26, 2011 11:32 PM