SAP Standard Operating Procedures (SOP)
SAP HANA Security Audit Log Configuration
Summary
Audit logging tracks actions performed in the database: who did what or tried to do what and
when.
SAP HANA provides audit logging for critical security events, such as changes to roles and user
privileges, and access to sensitive data. Both write and read access of database objects (such as
tables, views) can be logged, as well as the execution of procedures.
Audit logging can be configured in the SAP HANA studio or using SQL statements. Audit policies
define which actions in the database are logged (such as audit target and audited users). These
policies can be configured to the customers needs.
Activating and Configuring Auditing for an SAP HANA system:
The auditing feature of the SAP HANA database allows you to monitor and record selected
actions performed in your system. To be able to use this feature, it must first be activated for the
system. It is then possible to create and activate the required audit policies.
Prerequisites:
To be able to activate and configure auditing for an SAP HANA system, you must have the system
privilege AUDIT ADMIN.
Procedure:
1.
In the Security editor of the system to be audited, choose the Auditing tab.
2. In the System Settings for Auditing area, set the auditing status to Enabled.
Page 1 of 8 | C2: Confidential | SAP BASIS Practice
�SAP Standard Operating Procedures (SOP)
SAP HANA Security Audit Log Configuration
3. Configure the target of the audit trail, by choosing one of the following options:
Syslog (Default) : Logging system of the Linux operating system
CSV Text file : A directory on the database server file system
Database Table : Internal database table (this option will be available from
HANA SPS07 Revision.70 onwards)
Then choose the Deploy button.
Results:
Auditing is now activated in your system and you can create the required audit policies.
NOTE: The concept of audit entries can be written to the database table will be available from the
Version SPS07 Rev.70 onwards.
The user who enables the audit to a database table should have the system privilege
AUDIT OPERATOR or AUDIT ADMIN.
We can delete these audit entries from the table until a certain time and date, if we want
to avoid the audit table growth indefinitely.
Creating an Audit Policy:
Auditing is implemented through the creation and activation of audit polices. An audit policy
defines the actions to be audited, as well as the conditions under which the action must be
performed to be relevant for auditing.
Prerequisites:
Page 2 of 8 | C2: Confidential | SAP BASIS Practice
�SAP Standard Operating Procedures (SOP)
SAP HANA Security Audit Log Configuration
To be able to create an audit policy, you must have the system privilege AUDIT ADMIN.
Procedure:
1.
In the Security editor of the system to be audited, choose the Auditing tab.
2. In the Audit Policies area, choose Create New Policy.
A new line is added to the list of policies.
3. Enter the policy name
The policy name can contain only letters (Aa-Zz), numbers (0-9), and underscores (_).
4. Policy Status should be Enabled
5. Specify the Actions to be Audited as follows:
a. In the Audited Actions column, choose the ... button.
The Edit Actions Audited by <policy_name> dialog box appears.
b. Select the required actions to be audited from the list.
NOTE: Not all actions can be combined together in the same policy. When you select an action,
those actions that are not compatible with the selected action become unavailable for selection.
Selecting All Actions covers not only all other actions that can be audited individually but also
actions that cannot otherwise be audited. Such a policy is useful if you want to audit the actions
of a particularly privileged user.
c. Choose OK
Page 3 of 8 | C2: Confidential | SAP BASIS Practice
�SAP Standard Operating Procedures (SOP)
SAP HANA Security Audit Log Configuration
6. Specify the action status.
Page 4 of 8 | C2: Confidential | SAP BASIS Practice
�SAP Standard Operating Procedures (SOP)
SAP HANA Security Audit Log Configuration
7. Specify the audit level.
The audit level specifies the severity of the audit entry written to the audit trail when
the actions in the policy occur.
8. If necessary, specify the user(s) to be audited.
It is possible to specify that the actions in the policy be audited only when performed by a
particular user or users. Alternatively, you can specify that the actions in the policy be
audited when performed by all users except a particular user or users.
The actions in the policy will only be audited when performed by the specified user(s).
If you do not specify a user, the actions will be audited regardless of who performs
them.
9. If necessary, specify the target object(s) to be audited.
You must specify a target object if the actions to be audited involve data manipulation,
for example, the actions SELECT, INSERT, UPDATE, DELETE, and EXECUTE. The actions in
the policy will only be audited when they are performed on the specified object or
objects.
When specifying target objects, note the following:
You can only enter tables, views, and procedures.
The target object must be valid for all actions in the policy.
You can only enter objects that exist. However, if the object is deleted, the
audit policy remains valid. This means that if the object is recreated, that is
the same object type with the same name is created, the audit policy will
work for this object again.
10. Choose the Deploy button.
Page 5 of 8 | C2: Confidential | SAP BASIS Practice
�SAP Standard Operating Procedures (SOP)
SAP HANA Security Audit Log Configuration
Results:
The list of audit policies is saved together with the new policy. The new policy is automatically
enabled. This means that when an action in the policy now occurs under the conditions defined in
the policy, an audit entry is created in the audit trail. You can disable a policy at any time by
changing the policy status. It is also possible to delete a policy.
Note:
1.
If we select the Audit trail target as "CSV Text Fiile" then the audit trail log will reside in
the file: indexserver_<hostname>.30003.audit_trail.csv which we can find in tab
Diagnosis Files in HANA Studio.
2. If we select the Audit trail target as Database Table then we can be able to view the
entries under: <SID> Catalog Public Synonyms AUDIT_LOG in HANA Studio.
Page 6 of 8 | C2: Confidential | SAP BASIS Practice
�SAP Standard Operating Procedures (SOP)
SAP HANA Security Audit Log Configuration
References
1. SAP_HANA_Administration_Guide_SPS06 & 07
2. http://scn.sap.com/community/hana-in-memory/blog/2013/05/27/andy-silvey--sap-hanacommand-line-tools-and-sql-reference-examples-for-netweaver-basis-administrators
Page 7 of 8 | C2: Confidential | SAP BASIS Practice
�SAP Standard Operating Procedures (SOP)
SAP HANA Security Audit Log Configuration
Validity
Component
Releases
SAP HANA
SPS06 onwards
Action Log
Date (mm/dd/yyyy)
Version
Action
Performed By (ID)
04-Sept-14
1.0
Document Created
306357
05-Sept-14
1.0
Reived and Approved by
191460
Page 8 of 8 | C2: Confidential | SAP BASIS Practice
