Auditing in SAP HANA Cloud

Objectives
After completing this lesson, you will be able to:

  • Set up auditing for the SAP HANA Cloud, SAP HANA database

Configuring Auditing for a SAP HANA Database Instance

Lesson Overview

In this lesson, you will configure auditing for a SAP HANA Database instance.

Business Case

The security team has informed you that your SAP HANA Cloud was screened, and it was found that no auditing was activated. The security team asked you to set up the recommended SAP HANA Cloud Basic policies and an additional policy that logs all database connections to the SAP HANA Cloud database instance.

Auditing Database Activity

See the following video for an overview of auditing database activity.

Auditing allows you, for example, to log and monitor read access to sensitive data or to see who unsuccessfully tried to log on to the database. The following database actions are typically audited:

  • Access to or changing of sensitive information
  • Creation or deletion of database objects
  • Authentication of users
  • Changes to user authorization
  • Changes to system configuration

An audit policy defines the actions that are to be audited. It also outlines the conditions under which the action must occur for it to be relevant for auditing. When an action occurs, the policy is triggered and an audit event is written to the audit trail. Audit policies are specific to each database.

Audit logging is disabled by default. You can use the SAP HANA cockpit or SQL to enable auditing, configure audit trail targets, and create audit policies.

Note
The actions that are audited are limited to those that take place inside the database engine while it is running. Therefore, database restart and recovery will not be audited.

If auditing is active, certain actions are always audited and are therefore not available for inclusion in user-defined audit policies. In the audit trail, these actions are labeled with the internal audit policy name MandatoryAuditPolicy. Mandatory audit actions include the following:

  • Creation, modification, or deletion of audit policies
  • Enabling or disabling audit policies
  • Deletion of audit entries from the audit trail

Enable the Auditing Basic Setup

Although auditing does not directly increase the security of your database, a well-designed audit can help you achieve greater security in the following ways:

  • Detect security vulnerabilities if too many privileges were granted to certain users
  • Reveal attempts to breach security
  • Protect the system owner against accusations of security violations and data misuse
  • Allow the system owner to meet security standards

Auditing provides better visibility on what actions were performed or attempted in the SAP HANA database. It is therefore recommended to create a basic set of policies.

Note

For a quick start, SAP HANA cockpit provides an Auditing Basic Setup wizard to help you apply SAP's recommended audit policy settings.

Create an Audit Policy

In general, customers create audit policies for monitoring and recording activity in their database, with an audit log that writes to a local database table. Use the SAP HANA cockpit or the SQL Console in SAP HANA database explorer to create and activate audit policies and to read the audit trail.

Note
SAP uses auditing to monitor certain critical security events in customer systems, but does not have visibility into any business data.

To create and activate an audit policy in the SQL Console, you can use the following commands:

-- The SQL statement shown here creates the same audit policy as the demonstration shown in SAP HANA cockpit.

-- Create the policy "HC200 Demo Audit Policy"
CREATE AUDIT POLICY "HC200 Demo Audit Policy" AUDITING ALL CONNECT LEVEL INFO;

-- Activate the policy "HC200 Demo Audit Policy"
ALTER AUDIT POLICY "HC200 Demo Audit Policy" ENABLE;

Viewing the Audit Trail

For each occurrence of an audited action, one or more audit entries are created and written to the audit trail.

Audit entries are accessible through the public system view AUDIT_LOG, as well as through ALL_AUDIT_LOG, the union of these views. The table below describes the layout of the full audit trail, that is, ALL_AUDIT_LOG.

Note
Only SELECT operations can be performed on these views, by users with the system privilege AUDIT OPERATOR, AUDIT READ, or AUDIT ADMIN. AUDIT READ also allows access to the AUDIT_LOG table.
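The complete flow for the business case above, as an added example that is not part of the original lesson: switching auditing on, creating the connection-logging policy together with a companion policy for failed logons, enabling both, and then reading the result from AUDIT_LOG as described in this section. The policy names, the retention periods and the 24-hour window are illustrative choices, not values from the lesson.

```sql
-- Added example (not from the lesson): audit set-up for the business case.
-- Policy names, retention periods and the time window are assumed values.

-- 1. Audit logging is disabled by default: switch it on for the database.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state') = 'true'
  WITH RECONFIGURE;

-- 2. Policy requested by the security team: record every connection,
--    successful or not, at level INFO (same shape as the lesson's policy).
CREATE AUDIT POLICY "HC200 All Connections"
  AUDITING ALL CONNECT
  LEVEL INFO
  RETENTION 90;          -- keep these entries for 90 days (assumed)

-- 3. Companion policy: failed logons only, at a higher level so they can be
--    separated from routine connects by filtering on EVENT_LEVEL.
CREATE AUDIT POLICY "HC200 Failed Logons"
  AUDITING UNSUCCESSFUL CONNECT
  LEVEL WARNING
  RETENTION 365;         -- keep failed-logon evidence for a year (assumed)

-- 4. New policies are inactive until enabled. Enabling is itself recorded
--    in the trail under the internal name MandatoryAuditPolicy.
ALTER AUDIT POLICY "HC200 All Connections" ENABLE;
ALTER AUDIT POLICY "HC200 Failed Logons" ENABLE;

-- 5. Verify that both policies exist and are active.
SELECT AUDIT_POLICY_NAME, IS_AUDIT_POLICY_ACTIVE, EVENT_STATUS, EVENT_LEVEL
  FROM AUDIT_POLICIES
 WHERE AUDIT_POLICY_NAME LIKE 'HC200%';

-- 6. Read the trail (requires AUDIT READ, AUDIT OPERATOR or AUDIT ADMIN):
--    failed logons in the last 24 hours, grouped by user and client address.
SELECT USER_NAME,
       CLIENT_IP,
       COUNT(*)       AS FAILED_ATTEMPTS,
       MAX(TIMESTAMP) AS LAST_ATTEMPT
  FROM AUDIT_LOG
 WHERE EVENT_ACTION = 'CONNECT'
   AND EVENT_STATUS = 'UNSUCCESSFUL'
   AND TIMESTAMP > ADD_SECONDS(CURRENT_TIMESTAMP, -86400)
 GROUP BY USER_NAME, CLIENT_IP
 ORDER BY FAILED_ATTEMPTS DESC;
```

Run steps 1 to 4 once as a user holding AUDIT ADMIN; steps 5 and 6 are the checks a reviewer repeats later to confirm the policies are still active and to see what they have captured.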
