Security Audit Log Disabled

Learn how DefenceMore OCA for SAP detects and prevents unauthorized disabling of Security Audit Logs.

Case Study #009.01

Scenario

A malicious user who infiltrated the system has disabled the Security Audit Log (SAL) using RSAU_CONFIG or the SM19 transaction code.

Impact

If the Security Audit Logs are disabled for a period of time, any activities carried out during that period cannot be tracked, creating a security vulnerability and compromising the ability to monitor system events.

DefenceMore OCA Capabilities

DefenceMore OCA's K001 control reports whether logging is enabled in the system. Disabling the SAL requires the rsau/enable parameter to be changed. In such cases, the S007 control detects changes made to system parameters and reports the old and new values. Since this is a critical process, an alert is sent to system administrators via email.
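
The two checks described above can be sketched as follows. This is an added example, not DefenceMore OCA's own code. It assumes parameter snapshots are available as "name = value" text, treats a missing rsau/enable entry as logging not enabled, and uses constructed sample values; the function names are hypothetical.

```python
# Added example: compare two parameter snapshots and flag the SAL being turned off.
# Assumptions: snapshots are "name = value" text with "#" comments; all values are constructed.

SAL_PARAM = "rsau/enable"   # parameter the page names for SAL activation
ENABLED = "1"

def parse_snapshot(text):
    """Parse 'name = value' lines into a dict, skipping blanks and # comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def sal_enabled(params):
    """K001-style check: is logging on? A missing entry counts as off (assumption)."""
    return params.get(SAL_PARAM) == ENABLED

def diff_params(old, new):
    """S007-style check: report every changed parameter with old and new values."""
    findings = []
    for name in sorted(set(old) | set(new)):
        before, after = old.get(name), new.get(name)
        if before == after:
            continue
        # Only the SAL switch going from on to anything else is alert-worthy here.
        critical = name == SAL_PARAM and before == ENABLED and after != ENABLED
        findings.append({"param": name, "old": before, "new": after,
                         "severity": "critical" if critical else "info"})
    return findings

def alerts(findings):
    """Findings that should trigger the administrator notification."""
    return [f for f in findings if f["severity"] == "critical"]

# Constructed sample snapshots.
BEFORE = "# snapshot 1\nrsau/enable = 1\nlogin/min_password_lng = 8\nrsau/max_diskspace/local = 1000000\n"
AFTER = "# snapshot 2\nrsau/enable = 0\nlogin/min_password_lng = 8\nrsau/max_diskspace/local = 2000000\n"
REMOVED = "# snapshot 3: SAL line deleted\nlogin/min_password_lng = 8\nrsau/max_diskspace/local = 1000000\n"

if __name__ == "__main__":
    for f in diff_params(parse_snapshot(BEFORE), parse_snapshot(AFTER)):
        print(f"[{f['severity']}] {f['param']}: {f['old']} -> {f['new']}")
```

The REMOVED snapshot covers the case where the parameter line is deleted rather than set to 0, which the comparison also reports as critical.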

Related Checks

  • K001 System Log Activation
  • S007 System (static) Param Change Activity