-- Mandatory HANA audit policies have the prefix '_SAP_'. They are identical to the HANA audit policies recommended by
-- "SAP HANA Cockpit Audit Policy Wizard" (starting with SAP HANA Cockpit 2.0 SP13).
-- Technical users for which we expect high-frequency access should be excluded.
-- Replace the following placeholder with the actual SAPABAP database user:
-- Database user <SAPABAP1> (e.g. SAPHANADB)
-- At the same places, add other technical users such as
-- SAPABAP1SHD (reduced-downtime user for SUM)
-- SAPDBCTRL (used by SAP Host Agent)
-- or any other technical user you expect to execute many operations
-- on a regular basis.
-- Users must be added as a comma-separated list.
-- The schema placeholder <SAPABAP1>.* must be replaced by the actual DB schema of S4.
-- Policies for specific audit actions could also be created in the System DB on behalf of a Tenant DB
-- by adding "FOR <TENANTDB>" to the CREATE AUDIT POLICY statement in the System DB,
-- which protects them from being changed inside the Tenant DB. The policies in this file, however,
-- are meant to be created directly in the Tenant DB and/or the System DB.
-- enable audit in SystemDB:
-- Global auditing switch for the SystemDB (nameserver.ini, SYSTEM layer); no policy in this
-- file produces audit entries unless this parameter is 'true'.
-- WITH RECONFIGURE makes the new value effective in the running system.
ALTER SYSTEM ALTER CONFIGURATION ('nameserver.ini','SYSTEM') set ('auditing configuration','global_auditing_state' ) = 'true' with reconfigure;
-- enable audit in TenantDB:
-- Global auditing switch for a Tenant DB (global.ini instead of nameserver.ini).
-- NOTE(review): the layer is spelled 'system' here but 'SYSTEM' in the SystemDB statement above;
-- confirm the target release accepts both spellings, or align them.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'system') set ('auditing configuration', 'global_auditing_state') = 'true' with reconfigure;
-- Make sure the global minimal retention period does not prevent the creation of the audit policies:
-- some proposed audit policies are created with a retention period of 7 days.
-- Either raise the retention period of those audit policies
-- or lower the global minimal retention period limit (see the commented statement below).
-- ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'system') set ('auditing configuration', 'minimal_retention_period') = '7' with reconfigure;
-- mandatory policy
-- Many unsuccessful connect attempts may hint at a brute-force attack.
-- The entries produced by this policy should be evaluated by an IDS.
-- Tenant and System DB
-- Only failed CONNECT attempts are recorded (AUDITING UNSUCCESSFUL); successful logins
-- are not captured by this policy.
CREATE AUDIT POLICY "_SAP_session connect"
AUDITING UNSUCCESSFUL
CONNECT
-- Severity ALERT, written to the audit table trail, kept for 20 days.
LEVEL ALERT TRAIL TYPE TABLE RETENTION 20;
-- Audit policies are created disabled and must be enabled explicitly.
ALTER AUDIT POLICY "_SAP_session connect" ENABLE;
-- mandatory policy
-- Many VALIDATE attempts may hint at a brute-force attack.
-- The entries produced by this policy should be evaluated by an IDS.
-- Tenant and System DB
-- Records every VALIDATE USER statement, successful or not (AUDITING ALL), so that
-- credential checks performed without an actual connect are visible as well.
CREATE AUDIT POLICY "_SAP_session validate"
AUDITING ALL
VALIDATE USER
-- Same severity, trail and 20-day retention as "_SAP_session connect".
LEVEL ALERT TRAIL TYPE TABLE RETENTION 20;
ALTER AUDIT POLICY "_SAP_session validate" ENABLE;
-- mandatory policy
-- needed for security changelog
-- Tenant and System DB
-- If an Identity Management (IDM) system is used, the IDM database user should be excluded;
-- otherwise the HANA and IDM changelogs contain redundant information.
-- Records all GRANT and REVOKE statements, successful or failed (AUDITING ALL).
-- GRANT ANY / REVOKE ANY are the umbrella audit actions covering the privilege, role,
-- structured-privilege and application-privilege variants.
CREATE AUDIT POLICY "_SAP_authorizations"
AUDITING ALL
GRANT ANY,
REVOKE ANY
-- INFO severity; changelog entries are retained for 180 days.
LEVEL INFO TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_authorizations" ENABLE;
-- mandatory policy
-- needed for security changelog
-- Tenant and System DB
-- If an IDM system is used, the IDM user should be excluded.
-- If HDI is used, exclude the _SYS_HDI user on the Dev and Q systems.
-- Lifecycle changes of users, roles and usergroups. Only SUCCESSFUL statements are
-- recorded; failed attempts are not captured by this policy.
CREATE AUDIT POLICY "_SAP_user administration"
AUDITING SUCCESSFUL
ALTER ROLE,
ALTER USER,
ALTER USERGROUP,
CREATE ROLE,
CREATE USER,
CREATE USERGROUP,
DROP ROLE,
DROP USER,
DROP USERGROUP
-- INFO severity, audit table trail, 180-day retention.
LEVEL INFO TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_user administration" ENABLE;
-- mandatory policy
-- needed for security changelog
-- Tenant and System DB
-- Structured privileges are part of the development process;
-- hence we expect more entries on development systems.
-- Successful create/alter/drop of structured (analytic) privileges only; failures are not recorded.
CREATE AUDIT POLICY "_SAP_structured privileges"
AUDITING SUCCESSFUL
ALTER STRUCTURED PRIVILEGE,
CREATE STRUCTURED PRIVILEGE,
DROP STRUCTURED PRIVILEGE
-- INFO severity, audit table trail, 180-day retention.
LEVEL INFO TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_structured privileges" ENABLE;
-- mandatory policy
-- needed for security changelog
-- Tenant and System DB
-- we do not expect many entries in the audit log for this policy
-- Changes to the certificate store and PSEs (personal security environments), successful or not.
-- These objects underpin TLS and certificate-based authentication, hence the changelog interest.
CREATE AUDIT POLICY "_SAP_certificates"
AUDITING ALL
ALTER PSE,
CREATE CERTIFICATE,
CREATE PSE,
DROP CERTIFICATE,
DROP PSE
-- INFO severity, audit table trail, 180-day retention.
LEVEL INFO TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_certificates" ENABLE;
-- mandatory policy
-- needed for security changelog
-- Tenant and System DB
-- we do not expect many entries in the audit log for this policy
-- Any change to (or validation of) an external authentication provider configuration,
-- successful or not. Rated CRITICAL because such a change can redirect who is trusted to log in.
CREATE AUDIT POLICY "_SAP_authentication provider"
AUDITING ALL
ALTER JWT PROVIDER,
ALTER LDAP PROVIDER,
ALTER SAML PROVIDER,
CREATE JWT PROVIDER,
CREATE LDAP PROVIDER,
CREATE SAML PROVIDER,
DROP JWT PROVIDER,
DROP LDAP PROVIDER,
DROP SAML PROVIDER,
VALIDATE LDAP PROVIDER
-- CRITICAL severity, audit table trail, 180-day retention.
LEVEL CRITICAL TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_authentication provider" ENABLE;
-- mandatory policy
-- needed for security changelog
-- Tenant and System DB
-- we do not expect many entries in the audit log for this policy
-- Key management for client-side column encryption (column keys and keypairs), successful or not.
CREATE AUDIT POLICY "_SAP_clientside encryption"
AUDITING ALL
ALTER CLIENTSIDE ENCRYPTION COLUMN KEY,
ALTER CLIENTSIDE ENCRYPTION KEYPAIR,
CREATE CLIENTSIDE ENCRYPTION COLUMN KEY,
CREATE CLIENTSIDE ENCRYPTION KEYPAIR,
DROP CLIENTSIDE ENCRYPTION COLUMN KEY,
DROP CLIENTSIDE ENCRYPTION KEYPAIR
-- CRITICAL severity, audit table trail, 180-day retention.
LEVEL CRITICAL TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_clientside encryption" ENABLE;
-- mandatory policy
-- needed for security changelog
-- Tenant and System DB
-- Exclude the IDM user.
-- Without HANA XSC development we do not expect many entries.
-- Repository-based (XSC) privilege management is done through _SYS_REPO procedures rather
-- than plain GRANT/REVOKE, so it is not covered by "_SAP_authorizations" and is audited here
-- as successful EXECUTE on those procedures.
CREATE AUDIT POLICY "_SAP_designtime privileges"
AUDITING SUCCESSFUL
EXECUTE ON
"_SYS_REPO"."GRANT_ACTIVATED_ANALYTICAL_PRIVILEGE",
"_SYS_REPO"."GRANT_ACTIVATED_ROLE",
"_SYS_REPO"."GRANT_APPLICATION_PRIVILEGE",
"_SYS_REPO"."GRANT_PRIVILEGE_ON_ACTIVATED_CONTENT",
"_SYS_REPO"."GRANT_SCHEMA_PRIVILEGE_ON_ACTIVATED_CONTENT",
"_SYS_REPO"."REVOKE_ACTIVATED_ANALYTICAL_PRIVILEGE",
"_SYS_REPO"."REVOKE_ACTIVATED_ROLE",
"_SYS_REPO"."REVOKE_APPLICATION_PRIVILEGE",
"_SYS_REPO"."REVOKE_PRIVILEGE_ON_ACTIVATED_CONTENT",
"_SYS_REPO"."REVOKE_SCHEMA_PRIVILEGE_ON_ACTIVATED_CONTENT"
-- INFO severity, audit table trail, 180-day retention.
LEVEL INFO TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_designtime privileges" ENABLE;
-- mandatory policy
-- needed for system changelog
-- Tenant and System DB
-- this policy should not cause many entries in the audit log
-- Service stops and system configuration changes (e.g. the ALTER SYSTEM ALTER CONFIGURATION
-- statements at the top of this file), successful or not. This also makes an attempt to
-- switch auditing off visible in the trail.
CREATE AUDIT POLICY "_SAP_configuration changes"
AUDITING ALL
STOP SERVICE,
SYSTEM CONFIGURATION CHANGE
-- INFO severity, audit table trail, 180-day retention.
LEVEL INFO TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_configuration changes" ENABLE;
-- mandatory policy
-- needed for system changelog
-- Tenant and System DB
-- this policy should not cause many entries in the audit log
-- License installation and removal are split into two policies so that each can be
-- enabled, disabled or tuned independently; both record successful and failed statements.
CREATE AUDIT POLICY "_SAP_license addition"
AUDITING ALL
SET SYSTEM LICENSE
-- INFO severity, audit table trail, 180-day retention.
LEVEL INFO TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_license addition" ENABLE;
CREATE AUDIT POLICY "_SAP_license deletion"
AUDITING ALL
UNSET SYSTEM LICENSE
LEVEL INFO TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_license deletion" ENABLE;
-- mandatory policy
-- needed for system changelog
-- Tenant and System DB
-- this policy should not cause many entries in the audit log
-- Backup and recovery operations, successful or not. A data backup is a full copy of the
-- database and a recovery can replace its content, so both sides are recorded, as is
-- deletion of entries from the backup catalog.
CREATE AUDIT POLICY "_SAP_recover database"
AUDITING ALL
BACKUP CATALOG DELETE,
BACKUP DATA,
RECOVER DATA
-- INFO severity, audit table trail, 180-day retention.
LEVEL INFO TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_recover database" ENABLE;