The minimal_retention_period value in section 'auditing configuration' may prevent some policies from being created.

To adress this the following could be added to 1_hana_audit_policy_mandatory.sql:

-- make sure the minimal retention period does not prevent the creation of the audit policies
-- Some proposed audit policies are created with a minimal retention period of 7 days. 
-- adjust the retention period of the audit policies
-- or decrease the global minimal retention period limit
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'system') set ('auditing configuration', 'minimal_retention_period') = '7'  with reconfigure;

A violation against the OSS Rules of Play has been detected.

Rule ID: rl-assigned_teams-1
Explanation: Does it have enough teams on GitHub? No

Find more information at: https://sap.github.io/fosstars-rating-core/oss_rules_of_play_rating.html

When creating the AUDIT POLICY "_SAPS4_Opt_06 Read Trace" in a tenant DB using the given statement, this results in a partially invalid audit policy as the schema SYS_DATABASES does only exist in the system DB.

A violation against the OSS Rules of Play has been detected.

Rule ID: rl-assigned_teams-2
Explanation: Does it have an admin team on GitHub? No

Find more information at: https://sap.github.io/fosstars-rating-core/oss_rules_of_play_rating.html

A violation against the OSS Rules of Play has been detected.

Rule ID: rl-assigned_teams-5
Explanation: Does teams have enough members on GitHub? No

Find more information at: https://sap.github.io/fosstars-rating-core/oss_rules_of_play_rating.html

Hi,

We have explored different options on tracking usage of the SQL-editor in transaction DBACOCKPIT/report RSDBA850.

In the policy "_SAPS4_01 Schema Access Log" you mention that usage of DBACOCKPIT would also be logged if this policy is set. However when we execute sql-statements in DBACOCKPIT, these are executed by the same user as we exclude in the policy.

Is it possible to define a different user that should execute the sql-statements in DBACOCKPIT or have we missunderstood what is meant by:
Access via DBACOCKPIT transaction with DBACOCKPIT -- user on HANA should also appear.

Thanks!
Leo

from my perspective it would make sense to exclude the user SAPDBCTRL from the audit policy _SAPS4_Opt_12 session connect successful. SAPDBCTRL is used by SAP Host Agent to connect to the database.

Maybe a hint could be added in the comment section, for example

-- user SAPDBCTRL used by SAP Host Agent should be excluded

The same may be relevant for all the internal users like SYS*

The comment before the SQL statement says this audit policy is required in Tenant DBs.
In my HANA express + XSA system I'm not able to find the _SYS_DI schema in the tenant DB. It is only present in the system DB.

Can someone please verify this?

The OSPO bot created this issue by mistake - It did not have enough priviledge to check the vulnerability alerts, So I am closing this issue now. Sorry for any inconvenience.

Hi there,

I was trying to create the Audit policy based on _SAPS4_02 Schema Data Definition for a S/4HANA system with HANA 2.0 Rev 64

Replaced <SAPABAP1> with SAPHANADB as schema.

I get syntax error , SAP DBTech JDBC: [257]: sql syntax error: incorrect syntax near "ON": line 32 col 3 (at pos 701)

When I tried to recreate the audit policy via HANA Cockpit Auditing functionality , it seems that ON SCHEMA <SAPABAP1> does not appear to be a valid option.

Thanks
L2R

A policy for auditing modifications to Tenant DBs should be added. This may log if a Tenant DB was started/stoped but also if additional tenants have been created or dropped.

For example:

-- optional: needed for system changelog
-- System DB
-- this policy should not cause many entries in the audit log
CREATE AUDIT POLICY "_SAPS4_Opt_13 TenantDB modifications" 
  AUDITING ALL
    ALTER DATABASE,
    CREATE DATABASE,
    DROP DATABASE,
    RENAME DATABASE,
    START DATABASE,
    STOP DATABASE
  LEVEL ALERT TRAIL TYPE TABLE RETENTION 90;
ALTER AUDIT POLICY "_SAPS4_Opt_13 TenantDB modifications" ENABLE;

A violation against the OSS Rules of Play has been detected.

Rule ID: rl-assigned_teams-3
Explanation: Does it have enough admins on GitHub? No

Find more information at: https://sap.github.io/fosstars-rating-core/oss_rules_of_play_rating.html