sap-samples / s4hana-hana-audit-policies


Templates for SAP HANA audit policies of SAP S/4HANA systems.

Home Page: https://blogs.sap.com/2021/06/08/security-by-default-hana-audit-policies-for-s-4hana/

License: Apache License 2.0



SAP HANA Audit Policy Templates for SAP S/4HANA


Description

This project provides HANA audit policy templates for the SAP HANA database tenant used by SAP S/4HANA. The templates are organized as four sets of policies:

  1. Mandatory HANA Audit Policies (File: 1_hana_audit_policy_mandatory.sql)
    The first set of policies, defined as mandatory, ensures traceability of security-relevant changes. These have the prefix 'SAP'. They are identical to the audit policies provided by the "SAP HANA Cockpit Audit Policy Wizard" (starting with SAP HANA Cockpit 2.0 SP13). These policies are set as defaults for the HANA database tenant used by S/4HANA in new installations with SAP S/4HANA 2021 and SAP BW/4HANA 2021 and later. For conversions and system copies, the HANA audit policies are only enabled as defaults if no other HANA audit policies exist.
  2. S/4HANA Schema Access Log HANA Audit Policies (File: 2_s4hana_hana_audit_policy_recommended.sql)
    The second set defines "recommended" policies for S/4 systems. These have the prefix 'SAPS4'. These policies vary with the usage of the SAP HANA DB and cannot be defined identically for all systems.
  3. S/4HANA Optional HANA Audit Policies (File: 3_s4hana_hana_audit_policy_optional.sql)
    The third set, called "optional", suggests policy definitions for an extended system changelog and monitoring. These have the prefix 'SAPS4_Opt'.
  4. S/4HANA HANA Audit Policies additional consideration (File: 4_s4hana_hana_audit_policiy_additional.sql)
    The fourth set, called "additional", gives examples of policy definitions for specific scenarios. It is not recommended to apply these policies without careful consideration. There is no predefined naming, and adoption cannot be done out of the box: adjustments depend on the usage of the individual HANA database.

Please refer to SAP Note 3016478 for more details and explanations.

Requirements

To use those policies you need SAP S/4HANA.

Download and Installation

Information on how to list and adjust HANA audit policies can be found in the SAP HANA Platform documentation on the SAP Help Portal.

Known Issues

  • If technical users (e.g. the ABAP database user such as SAPHANADB, or SAPDBCTRL) are not handled as described in the SQL files, a high number of HANA audit log events might be generated.
  • If the global minimal retention period limit (INI parameter minimal_retention_period) is higher than the retention period of a HANA audit policy, creation of that policy will fail.
  • Additional comments are provided for every policy. Take them into consideration before activating a policy.
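The two pitfalls above can be checked and avoided in one short HANA SQL sequence. The following is an added example, not one of the repository's template files: the policy name and the 30-day retention value are placeholders, the excluded users are the ones named in this README, and the column names of M_INIFILE_CONTENTS and AUDIT_POLICIES are assumed from the SAP HANA 2.0 system view documentation.

```sql
-- Added example (not part of the repository templates).
-- Policy name and retention are placeholders; view column names are
-- assumed from the HANA 2.0 system view documentation.

-- 1. Read the effective global limit from section 'auditing configuration'.
--    A policy whose RETENTION is below this value cannot be created.
SELECT LAYER_NAME, VALUE
  FROM M_INIFILE_CONTENTS
 WHERE FILE_NAME = 'global.ini'
   AND SECTION   = 'auditing configuration'
   AND KEY       = 'minimal_retention_period';

-- 2. Create the policy with a retention that is >= the limit read above,
--    and leave out the ABAP DB user (SAPHANADB) and the SAP Host Agent
--    user (SAPDBCTRL), whose frequent sessions would otherwise dominate
--    the audit trail without adding security-relevant information.
CREATE AUDIT POLICY "_EXAMPLE_session_connect"
  AUDITING SUCCESSFUL CONNECT
  EXCEPT FOR SAPHANADB, SAPDBCTRL
  LEVEL INFO TRAIL TYPE TABLE RETENTION 30;
ALTER AUDIT POLICY "_EXAMPLE_session_connect" ENABLE;

-- 3. Confirm the policy is active and carries the intended retention.
SELECT AUDIT_POLICY_NAME, IS_AUDIT_POLICY_ACTIVE, RETENTION_PERIOD
  FROM AUDIT_POLICIES
 WHERE AUDIT_POLICY_NAME = '_EXAMPLE_session_connect';
```

If step 1 returns a value larger than the retention you intend to use, either raise the policy's RETENTION or lower the global limit, as the issue below on minimal_retention_period describes.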

How to obtain support

Create an issue in this repository if you find a bug or have questions about the content.

For additional support, ask a question in SAP Community.

Contributing

When contributing to this repository, please first discuss the changes you wish to make through an issue, email, or any other method with the owners of this repository.

License

Copyright (c) 2021 SAP SE or an SAP affiliate company. All rights reserved. This project is licensed under the Apache Software License, version 2.0 except as noted otherwise in the LICENSE file.


Issues

minimal_retention_period may prevent the policies from being created

The minimal_retention_period value in section 'auditing configuration' may prevent some policies from being created.

To address this, the following could be added to 1_hana_audit_policy_mandatory.sql:

-- make sure the minimal retention period does not prevent the creation of the audit policies
-- Some proposed audit policies are created with a minimal retention period of 7 days. 
-- adjust the retention period of the audit policies
-- or decrease the global minimal retention period limit
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'system') set ('auditing configuration', 'minimal_retention_period') = '7'  with reconfigure;

"_SAPS4_Opt_06 Read Trace" not 100% accurate

When creating the AUDIT POLICY "_SAPS4_Opt_06 Read Trace" in a tenant DB using the given statement, this results in a partially invalid audit policy as the schema SYS_DATABASES does only exist in the system DB.

DBACOCKPIT

Hi,

We have explored different options on tracking usage of the SQL-editor in transaction DBACOCKPIT/report RSDBA850.

In the policy "_SAPS4_01 Schema Access Log" you mention that usage of DBACOCKPIT would also be logged if this policy is set. However, when we execute SQL statements in DBACOCKPIT, these are executed by the same user as we exclude in the policy.

Is it possible to define a different user that should execute the SQL statements in DBACOCKPIT, or have we misunderstood what is meant by:
Access via DBACOCKPIT transaction with DBACOCKPIT -- user on HANA should also appear.

Thanks!
Leo

session connect successful logging for user SAPDBCTRL of SAP Host Agent

From my perspective it would make sense to exclude the user SAPDBCTRL from the audit policy _SAPS4_Opt_12 session connect successful. SAPDBCTRL is used by SAP Host Agent to connect to the database.

Maybe a hint could be added in the comment section, for example

-- user SAPDBCTRL used by SAP Host Agent should be excluded

The same may be relevant for all the internal users like SYS*

"_SAPS4_Opt_08 HDI" in system database

The comment before the SQL statement says this audit policy is required in Tenant DBs.
In my HANA express + XSA system I'm not able to find the _SYS_DI schema in the tenant DB. It is only present in the system DB.

Can someone please verify this?

Syntax error on _SAPS4_02 Schema Data Definition

Hi there,

I was trying to create the Audit policy based on _SAPS4_02 Schema Data Definition for a S/4HANA system with HANA 2.0 Rev 64

Replaced <SAPABAP1> with SAPHANADB as schema.

I get a syntax error, SAP DBTech JDBC: [257]: sql syntax error: incorrect syntax near "ON": line 32 col 3 (at pos 701)

When I tried to recreate the audit policy via HANA Cockpit Auditing functionality , it seems that ON SCHEMA <SAPABAP1> does not appear to be a valid option.

Thanks
L2R

Add an optional policy for modifications of a Tenant DB

A policy for auditing modifications to Tenant DBs should be added. This may log if a Tenant DB was started/stopped but also if additional tenants have been created or dropped.

For example:

-- optional: needed for system changelog
-- System DB
-- this policy should not cause many entries in the audit log
CREATE AUDIT POLICY "_SAPS4_Opt_13 TenantDB modifications" 
  AUDITING ALL
    ALTER DATABASE,
    CREATE DATABASE,
    DROP DATABASE,
    RENAME DATABASE,
    START DATABASE,
    STOP DATABASE
  LEVEL ALERT TRAIL TYPE TABLE RETENTION 90;
ALTER AUDIT POLICY "_SAPS4_Opt_13 TenantDB modifications" ENABLE;
