Storage: DEFAULT.PFL
Description: Behaviour of authority check during call transaction: controls how CALL TRANSACTION statements in all programs react regarding missing entries in SE97 / table TCDCOUPLES. If not set to 3, authorization checks are not properly enforced.
Relevant SAP Note: 515130
New recommended value: 3

Storage: DEFAULT.PFL
Description: Enables globally switching off authorization checks for selected authorization objects (prerequisite for transaction AUTH_SWITCH_OBJECTS). If not set to "N", a global deactivation would be possible.
Relevant SAP Note: -
New recommended value: N

Storage: DEFAULT.PFL
Description: Execution option for the RFC authority check: controls the behaviour of the enforced authentication and authorization checks when RFC function modules are called remotely. If not set to 6, an information disclosure vulnerability exists for unauthenticated users.
Relevant SAP Note: 2216306
New recommended value: 6

Storage: DEFAULT.PFL
Description: Specific security-related additional functions for the RFC gateway are activated depending on which bits are set in this bitmask. If not set to 255, not all security checks may be properly enforced in the RFC gateway.
Relevant SAP Note: 2776748
New recommended value: 255
Impact to operations: In very rare situations, connects from 3rd party systems to the RFC gateway may fail. This will then affect interfaces requiring the 3rd party service.

Storage: DEFAULT.PFL
Description: This setting specifies with which method an RFC server might be started on OS level from an external endpoint. If not set to "DISABLED", attempts to utilize an improper or even insecure OS logon method (like RSH) might be possible.
Relevant SAP Note: 2776748
New recommended value: DISABLED
Impact to operations: In very rare situations, connects from 3rd party systems to the RFC gateway may fail. This will then affect interfaces requiring the 3rd party service.

Storage: DEFAULT.PFL
Description: This parameter is used to set the attribute HttpOnly for ICF cookies. If not set to 0, JavaScript code running in the browser may inappropriately access sensitive cookies.
Relevant SAP Note: 1277022
New recommended value: 0

Category: Monitoring & Logging
Profile parameter icm/HTTP/logging_0
Storage: DEFAULT.PFL
Description: An access log can be created with this parameter in which accesses from the Intranet and Internet are logged. If not set properly, important information may be missing in logs.
Relevant SAP Note: 2788140
New recommended value: PREFIX=/,LOGFILE=http_%y_%m.log,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month,LOGFORMAT=%t %a %u1 \"%r\" %s %b %Lms %{Host}i %w1 %w2

Category: Monitoring & Logging
Profile parameter icm/HTTP/logging_client_0
Storage: DEFAULT.PFL
Description: An access log can be created with this parameter in which outgoing ICM calls to the Intranet and Internet are logged. If not set properly, important information may be missing in logs.
Relevant SAP Note: 2788140
New recommended value: PREFIX=/,LOGFILE=http_client_%y_%m.log,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month,LOGFORMAT=%t %a %u1 \"%r\" %s %b %Lms %{Host}i

Category: Monitoring & Logging
Profile parameter icm/security_log
Storage: DEFAULT.PFL
Description: This parameter is used to control the output of the security log from the ICM and SAP Web Dispatcher. If not set properly, important information may be missing in logs.
Relevant SAP Note: 2788140
New recommended value: LOGFILE=dev_icm_sec_%y_%m,LEVEL=3,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month

Category: Logon & SSO
Profile parameter login/disable_cpic
Storage: DEFAULT.PFL
Description: If this parameter is not set to 1, incoming connections of the type CPIC are not rejected. Incoming connections of the type RFC are not affected.
Relevant SAP Note: -
New recommended value: 1

Storage: DEFAULT.PFL
Description: This parameter is used to control whether the system also stores password hashes in an obsolete, outdated format for compatibility reasons. If not set to 0, outdated hashes will be maintained that can be easily cracked by adversaries who are able to access the password hash storage tables.
Relevant SAP Note: 1023437
New recommended value: 0
Impact to operations: Handle the CUA system first. Set the profile parameter to value 3 and observe the system behaviour in the system log; set a new complex password for affected users.

Storage: DEFAULT.PFL
Description: The hash value calculation can be improved with this parameter to make dictionary and brute force attacks more difficult.
Relevant SAP Note: 2140269
New recommended value: encoding=RFC2307,algorithm=iSSHA-512,iterations=15000,saltsize=256

Category: Monitoring & Logging
Profile parameter ms/HTTP/logging_0
Storage: DEFAULT.PFL
Description: This parameter is used to control the output of the log from the message server. If not set properly, important information may be missing in logs.
Relevant SAP Note: 2794817
New recommended value: PREFIX=/,LOGFILE=$(DIR_LOGGING)/ms-http-%y-%m-%d.log%o,MAXFILES=7,MAXSIZEKB=10000,SWITCHTF=day,LOGFORMAT=%t %a %u %r %s %b %{Host}i

Storage: DEFAULT.PFL
Description: This parameter is used to activate the log from the message server. If not set properly, important information may be missing in logs.
Relevant SAP Note: 2794817
New recommended value: 1

Storage: DEFAULT.PFL
Description: Automatic user logoff after an inactivity time is controlled with this setting. If not set, no automatic logout will occur, making access to applications by improper personnel more likely.
Relevant SAP Note: -
New recommended value: 1H
Impact to operations: Dialog users will be logged off after one hour of inactivity. This may impact long running processes that are run in the foreground.

Category: Business data integrity
Profile parameter rdisp/vbdelete
Storage: DEFAULT.PFL
Description: The parameter specifies the duration in days after which an update request is deleted. At the end of this period, the update requests are deleted irrespective of their status. If the parameter is not set to 0, update requests could be deleted that are still required by the business to ensure the integrity of the data.
Relevant SAP Note: 2441606
New recommended value: 0
Impact to operations: Broken update requests may pile up and slow down the system in the end if not handled in a timely manner.

Storage: DEFAULT.PFL
Description: Permit or deny execution of RFC callbacks in accordance with the configured whitelist and write a corresponding entry in the Security Audit Log. If not set to 3, improper RFC callback attempts are still allowed.
Relevant SAP Note: 2678501
New recommended value: 3

Storage: DEFAULT.PFL
Description: Activate external (HTTP) debugging for RFC. If not set to 0, debugging is possible.
Relevant SAP Note: 668256
New recommended value: 0

Storage: DEFAULT.PFL
Description: Controls whether logon with an expired or initial password via RFC is allowed or not. If not set to 1, users with a non-productive password are able to remotely call RFC function modules.
Relevant SAP Note: 1591259
New recommended value: 1

Storage: DEFAULT.PFL
Description: Enables the inclusion of the client IP address in the HTTP X-Forwarded-For header. If not set to "TRUE", the client IP address will not be added, making the determination of request routes for applications harder and reducing useful log information.
Relevant SAP Note: 2788140
New recommended value: 1

Category: Monitoring & Logging
Customizing Security Audit Log configuration
Storage: RSAU_CONFIG
Description: Configures an initial setup of the Security Audit Log. If not configured, the Security Audit Log will not record any security events.
Relevant SAP Note: 2838480
New recommended value: If the Security Audit Log does not contain any active filters, the recommended filter settings as of SAP Note 2676384 are set up.
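Recommended values are only worth something if they are checked against the profile that is actually loaded. The following Python script is an added example, not SAP code and not part of the original document: it parses a constructed DEFAULT.PFL excerpt, compares the six profile parameters named on this page against the recommended values from the table, and reports parameters that are missing, scalar values that differ and, for the comma-separated logging parameters, exactly which sub-option (MAXFILES, SWITCHTF, ...) deviates. The profile excerpt, the last-occurrence-wins parsing rule and the report format are assumptions of this example.

```python
"""Check an SAP instance profile against recommended hardening values.

Added example (not SAP code). Parameter names and recommended values are
taken from the table on this page; the profile excerpt is constructed.
"""

# Recommended values from the table (SAP Notes 2788140, 2794817, 2441606).
# Raw strings keep the literal \" that the LOGFORMAT option carries.
RECOMMENDED = {
    "icm/HTTP/logging_0": r'PREFIX=/,LOGFILE=http_%y_%m.log,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month,LOGFORMAT=%t %a %u1 \"%r\" %s %b %Lms %{Host}i %w1 %w2',
    "icm/HTTP/logging_client_0": r'PREFIX=/,LOGFILE=http_client_%y_%m.log,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month,LOGFORMAT=%t %a %u1 \"%r\" %s %b %Lms %{Host}i',
    "icm/security_log": r'LOGFILE=dev_icm_sec_%y_%m,LEVEL=3,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month',
    "login/disable_cpic": "1",
    "ms/HTTP/logging_0": r'PREFIX=/,LOGFILE=$(DIR_LOGGING)/ms-http-%y-%m-%d.log%o,MAXFILES=7,MAXSIZEKB=10000,SWITCHTF=day,LOGFORMAT=%t %a %u %r %s %b %{Host}i',
    "rdisp/vbdelete": "0",
}

# Constructed DEFAULT.PFL excerpt for this example; not taken from a real system.
# It deliberately has two wrong scalars, one misconfigured log and one missing parameter.
SAMPLE_PROFILE = r"""
# constructed sample profile
SAPSYSTEMNAME = DEV
login/disable_cpic = 0
rdisp/vbdelete = 50
icm/security_log = LOGFILE=dev_icm_sec_%y_%m,LEVEL=3,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month
icm/HTTP/logging_0 = PREFIX=/,LOGFILE=http_%y_%m.log,MAXFILES=2,MAXSIZEKB=50000,SWITCHTF=month,LOGFORMAT=%t %a %u1 \"%r\" %s %b %Lms %{Host}i %w1 %w2
ms/HTTP/logging_0 = PREFIX=/,LOGFILE=$(DIR_LOGGING)/ms-http-%y-%m-%d.log%o,MAXFILES=2,MAXSIZEKB=10000,SWITCHTF=month,LOGFORMAT=%t %a %u %r %s %b %{Host}i
"""


def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; '#' lines are comments.
    Assumption of this example: a repeated parameter is taken last-occurrence-wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")  # split on the FIRST '=' only
        if sep:
            params[name.strip()] = value.strip()
    return params


def parse_options(value):
    """Split 'KEY=val,KEY=val' into a dict; return None for a plain scalar."""
    parts = value.split(",")
    if not all("=" in part for part in parts):
        return None
    return {k.strip(): v.strip() for k, _, v in (p.partition("=") for p in parts)}


def compare_value(actual, expected):
    """Return a list of (option, actual, expected) differences; empty means compliant."""
    exp_opts, act_opts = parse_options(expected), parse_options(actual)
    if exp_opts is None or act_opts is None:
        return [] if actual == expected else [("value", actual, expected)]
    return [
        (key, act_opts.get(key), exp_opts.get(key))
        for key in sorted(set(exp_opts) | set(act_opts))
        if act_opts.get(key) != exp_opts.get(key)
    ]


def check_profile(profile_text, recommended=RECOMMENDED):
    """Return {parameter: (status, diffs)} with status ok / missing / mismatch."""
    params = parse_profile(profile_text)
    findings = {}
    for name, expected in recommended.items():
        if name not in params:
            findings[name] = ("missing", [])
            continue
        diffs = compare_value(params[name], expected)
        findings[name] = ("ok", []) if not diffs else ("mismatch", diffs)
    return findings


def report(findings):
    """Human-readable one-line-per-parameter summary."""
    lines = []
    for name, (status, diffs) in sorted(findings.items()):
        detail = "; ".join(f"{k}: actual={a!r} expected={e!r}" for k, a, e in diffs)
        lines.append(f"{status:8} {name}" + (f"  [{detail}]" if detail else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_profile(SAMPLE_PROFILE)))
```

Sub-option comparison is done per key rather than as a string so that a reordered but equivalent logging value is not flagged, while a single wrong MAXFILES or SWITCHTF is named explicitly in the finding.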