Auditing in SAP HANA Cloud

In this lesson, you'll configure auditing for an SAP HANA Database instance.

The security team has informed you that your SAP HANA Cloud was screened, and it was found that auditing was not activated. The security team asked you to setup the recommended SAP HANA Cloud Basic policies and an additional audit policy that logs all database connections to the SAP HANA Cloud database instance.

See the following video for an overview about Auditing database activity.

This allows you, for example, to log and monitor read access to sensitive data or who unsuccessfully tried to log on to the database. The following database actions are typically audited:

• Access to or changing of sensitive information
• Creation or deletion of database objects
• Authentication of users
• Changes to user authorization
• Changes to system configuration

An audit policy defines the actions that are to be audited. It also outlines the conditions under which the action must occur for it to be relevant for auditing. When an action occurs, the policy is triggered and an audit event is written to the audit trail. Audit policies are specific to each database.

Audit logging is disabled by default. You can use the SAP HANA cockpit or SQL to enable auditing, configure audit trail targets, and create audit policies.

Note

Only actions that take place inside the database engine can be audited. Only changes that are made using SQL are visible to the database engine. If the database isn't online when an action occurs, that action can't be detected and therefore can't be audited.

If auditing is active, certain actions are always audited and are therefore not available for inclusion in user-defined audit policies. In the audit trail, these actions are labeled with the internal audit policy name MandatoryAuditPolicy. Mandatory audit actions include the following:

• Creation, modification, or deletion of audit policies
• Enabling or disabling audit policies
• Deletion of audit entries from the audit trail

Although auditing doesn't directly increase the security of your database, a well-designed audit can help you achieve greater security in the following ways:

• Detect security vulnerabilities if too many privileges were granted to certain users
• Reveal attempts to breach security
• Protect the system owner against accusations of security violations and data misuse
• Allow the system owner to meet security standards

Auditing provides better visibility on what actions were performed or attempted in the SAP HANA database. It's therefore recommended to create a basic set of policies.

Note

For a quick start, SAP HANA cockpit provides an Auditing Basic Setup wizard to help you apply SAP's recommended auditing policies settings.

In general, customers create audit policies for monitoring and recording activity in their database with an audit log that, by default, writes to a local database table. Use the SAP HANA cockpit or the SQL Console in SAP HANA database explorer to create, and activate audit policies and read the audit trails.

Note

SAP uses auditing to monitor certain critical security events in customer systems, but doesn't have visibility on any business data.

To create and activate an audit policy in the SQL Console, you can use the following commands:

-- The SQL statement shown here creates the same audit policy as the demonstration shown in SAP HANA cockpit.

-- Create the policy "HC200 Demo Audit Policy"
CREATE AUDIT POLICY "HC200 Demo Audit Policy" AUDITING ALL CONNECT LEVEL INFO;  

-- Activate the policy "HC200 Demo Audit Policy"
ALTER AUDIT POLICY "HC200 Demo Audit Policy" ENABLE; 

For each occurrence of an audited action, one or more audit entries are created and written to the audit trail.

Audit entries are also accessible using the SELECT operation on the public system view AUDIT_LOG.

Note

The system privilege AUDIT OPERATOR, AUDIT READ, or AUDIT ADMIN is needed to access the view AUDIT_LOG.