Greetings,
We run the SM20 audit log reports each month for DDIC activity when it's associated with a terminal name. I understand best practice says to lock DDIC, but because it is used for so many automated jobs, the Basis group has not had the time to evaluate, and simply pulling the plug could have downstream implications that they are afraid of. But I digress.
We run this report for all audit classes/events and all security levels. In the output I get hundreds if not thousands of audit log messages related to the RFC call audit class within the "Severe and Critical" security level:
RFC call Successful RFC Call BDL_DDIF_TABL_GET (Function Group = BDL5)
RFC call Successful RFC Call SALC_UTIL_MT_GET_TREE_LOCAL (Function Group = SALC)
RFC call Successful RFC Call /SDF/EWA_GET_PARAMETER (Function Group = /SDF/EWA)
RFC Call RFC_PING (Function Group = SRFC)
What are the security implications of these types of events? What is so Severe and Critical about these actions? I am trying to filter out as many meaningless or low-security events as possible to make the output somewhat reasonable; otherwise I have thousands of records to sift through. How accurate is SAP in the assessment of these security levels? Are they being too conservative?
I appreciate whatever guidance you can offer related to this.
Thanks
Mark