15.2 Configuring Auditing
By default, SAP HANA auditing is not enabled, nor are systems configured to capture specific events within SAP HANA. To enable and configure auditing, SAP HANA offers several interfaces. The most commonly used interfaces are within the SAP HANA cockpit and the SAP HANA Web-Based Development Workbench security manager. However, you can also use SQL statements to configure audit policies. Let’s look at each of these three approaches in more detail.
15.2.1 Enable Auditing with the SAP HANA Cockpit
The SAP HANA cockpit provides a graphical user interface (GUI) where you can manage auditing in an SAP HANA database. To access the auditing settings, log on to your SAP HANA cockpit and connect to the desired database. Click the Auditing tile. Within this tile, click the Auditing header to access the Auditing interface.
In the Auditing interface, you’ll see several options and links. Figure 15.1 shows an overview of the auditing interface home screen. If auditing is enabled, you’ll see existing defined audit policies. In the following sections, we’ll look at each of these options and links in detail before moving on to a discussion of auditing levels.
If auditing is not already enabled for the system, you’ll see the Enable Auditing button on the right. Click this button to enable auditing. If auditing is already enabled and you wish to disable it, the button will be labeled Disable Auditing. Again, click this button to disable auditing.
Notice the Audit Policies, Configuration, and Audit Trail tabs. The Audit Policies tab is selected by default on the homepage of the interface. Under this tab, you’ll see a list of defined audit policies. The Configuration tab will appear differently depending on whether you’re connected to a system database or to a tenant database in a multiple database container (MDC) configuration. MDC is the default for SAP HANA 2.0 SPS 01. When connected to a system database, the Configuration tab will show options for the Overall Audit Trail Target plus options to record different alert levels to different targets. Assuming we’re connected to a system database, let’s look at the audit trail target options in more detail.
Figure 15.1 Auditing Interface Home Screen in the SAP HANA Cockpit
15.2.2 Audit Log Targets and Options in the SAP HANA Cockpit
Audit targets refer to the location where SAP HANA will record audit policy events. SAP HANA provides a robust set of targets and options to record audit events. Let’s look at the available targets, namely the syslog, database table, CSV file, and kernel trace, in more detail. We’ll also discuss some available options for recording audit levels to one or more audit targets.
Syslog
Operating systems that run SAP HANA have a secure central location to which events can be written, called a syslog. This location can contain audit logs and other event data from software packages running on the Linux operating system (OS). When the Syslog (Default) option is chosen, configured audit event rules will record activity within the operating system syslog. Your organization should use this option when events need to be collected in the syslog, but you must also ensure that the syslog is configured properly and is operational. SAP HANA will discard events if they can’t be written to the OS-level syslog. The syslog could also be altered without the SAP HANA system knowing. For example, the log can be cleared by an operating system user with access to the syslog files.
Database Table
Events can also be written to a table hosted within the SAP HANA instance. In most cases, using the internal Database Table option for SAP HANA audit logging is best. When this option is selected, audit events are recorded to the system table SYS.AUDIT_LOG. Because the data is written to a database table, SQL SELECT statements can be crafted to analyze the data. For example, you can use the following SQL statement to query the audit log table for actions executed by a specific user within SAP HANA:
SELECT * FROM SYS.AUDIT_LOG WHERE USER_NAME = 'ADMIN_JHAUN';
This table only allows SELECT statements. That is, users cannot insert, update, or delete audit log records regardless of their privileges. To clear the audit log, a user must have the AUDIT OPERATOR system privilege and also issue a specific SQL command to delete entries within the audit log. The following example SQL command will clear the audit log of all records before the specified date:
ALTER SYSTEM CLEAR AUDIT LOG UNTIL '2016-01-01 23:59:59';
When this statement is executed, a mandatory system-generated event is recorded in the audit log, indicating the source and user account that issued the statement. This event is recorded after the log is truncated. This event must be recorded because it may be evidence that a particular user attempted to delete suspicious activity.
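Because the audit table is read-only for everyone and the CLEAR AUDIT LOG statement itself leaves a mandatory record behind, a defender can scan the table for those records and compare each cutoff date against the organization’s retention requirement. The following Python script is an added example, not code from the book or from SAP: it runs over constructed rows shaped like SYS.AUDIT_LOG (only USER_NAME is taken from the text above; TIMESTAMP and STATEMENT_STRING are assumed column names) and reports every truncation, flagging those that deleted history younger than the retention period.

```python
import re
from datetime import datetime, timedelta

# Constructed sample rows shaped like SYS.AUDIT_LOG. USER_NAME comes from the
# text above; TIMESTAMP and STATEMENT_STRING are assumed column names.
SAMPLE_AUDIT_ROWS = [
    {"TIMESTAMP": "2016-03-01 08:15:02", "USER_NAME": "ADMIN_JHAUN",
     "STATEMENT_STRING": "ALTER SYSTEM CLEAR AUDIT LOG UNTIL '2016-01-01 23:59:59'"},
    {"TIMESTAMP": "2016-03-01 09:00:00", "USER_NAME": "REPORT_USER",
     "STATEMENT_STRING": "SELECT * FROM SYS.AUDIT_LOG WHERE USER_NAME = 'ADMIN_JHAUN'"},
    {"TIMESTAMP": "2016-03-02 22:41:10", "USER_NAME": "DBA_TEMP",
     "STATEMENT_STRING": "alter system clear audit log until '2016-03-02 22:00:00'"},
]

# Matches the statement shown in the text, in any letter case, and captures the cutoff.
CLEAR_RE = re.compile(r"CLEAR\s+AUDIT\s+LOG\s+UNTIL\s+'([^']+)'", re.IGNORECASE)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def find_audit_log_clears(rows, retention_days=30):
    """Return one finding per CLEAR AUDIT LOG event found in the rows.

    A finding is marked as a retention violation when the cutoff date is more
    recent than (execution time - retention_days), i.e. when records that the
    retention policy still required were deleted.
    """
    findings = []
    for row in rows:
        match = CLEAR_RE.search(row["STATEMENT_STRING"])
        if not match:
            continue
        executed_at = datetime.strptime(row["TIMESTAMP"], TS_FMT)
        cutoff = datetime.strptime(match.group(1), TS_FMT)
        oldest_allowed_cutoff = executed_at - timedelta(days=retention_days)
        findings.append({
            "user": row["USER_NAME"],
            "executed_at": row["TIMESTAMP"],
            "cutoff": match.group(1),
            "retention_violation": cutoff > oldest_allowed_cutoff,
        })
    return findings


if __name__ == "__main__":
    for finding in find_audit_log_clears(SAMPLE_AUDIT_ROWS):
        print(finding)
```

In a real deployment the rows would come from a SELECT over SYS.AUDIT_LOG rather than from the embedded list; the retention window of 30 days is an assumed policy value and should be replaced with your own.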
CSV File
Events can also be written temporarily to a CSV file. When this option is selected, the events are written to a file using the directory specified in the Directory Name field. This field is found just below the Audit Trail Target field. The specified path is local to the SAP HANA host operating system. This option should only be used temporarily for testing purposes because these CSV files are not secure. If a directory name isn’t specified, audit logs will be written to the default trace file path in SAP HANA. Users with access to the trace files will also have access to this audit log CSV file.
Kernel Trace
You can also specify that events are written to the SAP HANA database kernel trace. The kernel trace file is managed by the SAP HANA system and contains other trace information relevant to the SAP HANA database. This option should only be used at the direction of SAP Support.
Audit Level Trail Targets
When defining an audit rule, its audit level can be classified as Emergency, Critical, Alert, Warning, or Info. We’ll discuss these levels further in Section 15.3.1. However, events classified as Emergency, Critical, or Alert can be directed to one or more targets. To configure these alternative target locations, you’ll need to configure the options found in the Configuration tab. Figure 15.2 shows these options, just below the Overall Audit Trail Target field for a connected system database.
For each listed alert level, you can define one or more targets using the provided checkboxes. If you leave this section undefined, alerts will be recorded based on the options configured for each audit policy, or they will default to the Overall Audit Trail Target setting.
Figure 15.2 Audit Level Trail Targets Configured in Configuration Section
This option is particularly useful when you need to record important events to multiple target locations. For example, some organizations might want to record events to the audit table and the syslog because they use third-party software to monitor the Linux syslog. You can configure alert, emergency, and critical events for all three possible target locations. For example, you can configure emergency alerts to be written to the audit table, the syslog, and a CSV file on the operating system.
15.2.3 Viewing Audit Logs in the SAP HANA Cockpit
The Audit Trail tab will open an interface where you can view recorded audit policy events whose target is the SAP HANA audit option Database Table. The interface lists the recorded events, as shown in Figure 15.3. This section will not list audit events recorded to CSV, syslog, or the kernel trace.
Figure 15.3 Viewing Audit Events in the Audit Table Using the SAP HANA Cockpit
You can also use this interface to truncate or delete recorded audit events. As shown in the top right of Figure 15.3, you’ll see a link titled Delete Audit Events. When you click this link, the Delete Audit Events window will appear. To truncate the audit table, you have three options:
- Use the Older than option to delete events older than the number of days entered in the provided Days field.
- Use the Before option to delete audit events recorded before the date entered in the provided field.
- Use the All Entries option to delete all audit event history.
Note that a user must be granted the AUDIT OPERATOR system privilege to perform this action.
Once you’ve specified the desired options, press the Delete button to delete the audit events. Use the Cancel button to discard your changes.
Now that we’ve reviewed the options and workflows necessary to enable auditing and to define audit targets within the SAP HANA cockpit, let’s briefly review how these options can be configured in the SAP HANA Web-Based Development Workbench security manager, hosted within the SAP HANA extended application services, classic model engine (XS engine).
15.2.4 Enabling Auditing with the SAP HANA Web-Based Development Workbench
The SAP HANA Web-Based Development Workbench security manager, hosted within the XS engine, provides an interface to configure SAP HANA auditing.
You can access the SAP HANA Web-Based Development Workbench via a supported Internet browser. To use this tool, a user must have the sap.hana.xs.ide.roles::SecurityAdmin role at a minimum. The following two URLs can be customized to match the details of your environment:
- http://sap-hana.myhost.com:8000/sap/hana/ide/security
- http://<sap_hana_host>:80<instance_number>/sap/hana/ide/security
In the last example, replace <sap_hana_host> with the host name of the SAP HANA system in your environment and <instance_number> with the two-digit instance number corresponding to your SAP HANA system.
For secure access, the following examples should help you construct the correct URL:
- https://<sap_hana_host>:43<instance_number>/sap/hana/ide/security
- https://sap-hana.myhost.com:4300/sap/hana/ide/security
Once you have access to the SAP HANA Web-Based Development Workbench security manager, you’ll see a series of buttons at the top left of the GUI’s ribbon. The icon depicting a vertical key and server opens the security console; click this icon to open the Security Console tab on the right side. Click the Auditing tab to reveal the audit configuration options. The options and interface are nearly identical to those found in SAP HANA Studio, with a few exceptions. Figure 15.4 shows an example of the security console with the auditing options visible.
To enable auditing, use the Auditing Status dropdown list and choose Enable. Specify the Audit Trail Target using the dropdown list. Based on our testing using SAP HANA 1.0 SPS 12 and SAP HANA 2.0 SPS 04, the Audit Level Trail Target settings aren’t working in the SAP HANA Web-Based Development Workbench; these settings will have to be maintained using the SAP HANA cockpit (Section 15.2.1).
The SAP HANA Web-Based Development Workbench has a few differences from the SAP HANA cockpit. First, the truncate database table audit trail icon (pink eraser) is in the icon bar just below the Audit Policy settings. Click the icon to open a popup window where you can specify the end date for the audit event truncation. Also, in this icon bar, note the table icon to the right of the log truncation button. When clicked, the table icon will open a new window that launches the SAP HANA Web-Based Development Workbench catalog interface and its web-based SQL console. The console will be prepopulated with an SQL statement that queries the audit log table. Note that this option, though available, was not working in SAP HANA 2.0 SPS 04 during our testing. In Section 15.3.1, we’ll also discuss how audit policies can be individually configured with a specific audit trail target. For example, you can specify that a particular audit policy should output information to a CSV file.
Figure 15.4 Managing Auditing Settings in the SAP HANA Web-Based Development Workbench
15.2.5 Enabling Auditing with SQL
In addition to using the GUIs, users with the INIFILE ADMIN system privilege can also use ALTER SYSTEM ALTER CONFIGURATION SQL scripts to configure the auditing mechanism within SAP HANA. Using a script is helpful if you need to ensure that all SAP HANA systems within your landscape use the same settings.
To enable auditing, you’ll need to update the setting for enabling the audit configuration (global_auditing_state) in the global.ini file. Execute the following SQL code to set the value to true:
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
SET ('auditing configuration', 'global_auditing_state') =
'TRUE' WITH RECONFIGURE;
To specify the audit trail type, you’ll need to update the setting for the audit trail type (default_audit_trail_type) in the global.ini file. The setting accepts three values: CSTABLE, SYSLOGPROTOCOL, and CSVTEXTFILE. To use the system database table, execute the following SQL code:
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
SET ('auditing configuration', 'default_audit_trail_type') =
'CSTABLE' WITH RECONFIGURE;
To write events to the Linux syslog, use the SYSLOGPROTOCOL option, and to use a CSV file as the target, use the CSVTEXTFILE option.
When using the CSV file option, you should also specify a secure path where the CSV file will be stored. To specify the path, update the path setting (default_audit_trail_path) in the global.ini file. For example, you can execute the following SQL code to specify that the audit log CSV file use the path /usr/sap/HDB/HDB00/auditlog:
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
SET ('auditing configuration', 'default_audit_trail_path') =
'/usr/sap/HDB/HDB00/auditlog' WITH RECONFIGURE;
You can also use SQL to define custom audit log targets based on levels. You can choose from among alert, emergency, and critical audit levels. Three specific global.ini file settings are used for the auditing configuration: emergency_audit_trail_type, critical_audit_trail_type, and alert_audit_trail_type. For example, execute the three SQL statements shown in Listing 15.1 to specify custom audit targets for the alert, emergency, and critical audit levels.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
SET ('auditing configuration', 'emergency_audit_trail_type') =
'CSTABLE, SYSLOGPROTOCOL, CSVTEXTFILE' WITH RECONFIGURE;
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
SET ('auditing configuration', 'critical_audit_trail_type') =
'CSTABLE, SYSLOGPROTOCOL' WITH RECONFIGURE;
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
SET ('auditing configuration', 'alert_audit_trail_type') =
'CSTABLE, SYSLOGPROTOCOL' WITH RECONFIGURE;
Listing 15.1 SQL Statements for Configuring Custom Audit Targets
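Since the point of scripting these settings is landscape-wide consistency, it helps to have a check that reads the [auditing configuration] keys from global.ini, reports weak settings, and emits the ALTER SYSTEM ALTER CONFIGURATION statements needed to bring a system to the baseline. The following Python script is an added example, not code from the book or from SAP. It works on a plain dictionary of key/value pairs; the weak and baseline configurations are constructed for illustration, and the idea that such a dictionary would be filled from a query against the M_INIFILE_CONTENTS monitoring view is an assumption not covered by the text above.

```python
from typing import Dict, List

# Trail types named in the text above for default_audit_trail_type.
ALLOWED_TRAIL_TYPES = {"CSTABLE", "SYSLOGPROTOCOL", "CSVTEXTFILE"}
LEVEL_KEYS = ("emergency_audit_trail_type",
              "critical_audit_trail_type",
              "alert_audit_trail_type")

# Constructed weak configuration: auditing off, CSV target with no path set.
WEAK_CONFIG = {
    "global_auditing_state": "false",
    "default_audit_trail_type": "CSVTEXTFILE",
}

# Constructed baseline: the settings shown in the text and Listing 15.1.
BASELINE_CONFIG = {
    "global_auditing_state": "true",
    "default_audit_trail_type": "CSTABLE",
    "emergency_audit_trail_type": "CSTABLE, SYSLOGPROTOCOL, CSVTEXTFILE",
    "critical_audit_trail_type": "CSTABLE, SYSLOGPROTOCOL",
    "alert_audit_trail_type": "CSTABLE, SYSLOGPROTOCOL",
}


def parse_trail_types(value: str) -> set:
    """Split a comma-separated trail type list such as 'CSTABLE, SYSLOGPROTOCOL'."""
    return {part.strip().upper() for part in value.split(",") if part.strip()}


def check_auditing_config(config: Dict[str, str]) -> List[str]:
    """Return human-readable findings for the [auditing configuration] keys.

    Checks: auditing enabled, trail types are known values, a CSV target has an
    explicit path (otherwise the log lands in the trace directory, as the text
    explains), and emergency events reach the read-only audit table.
    """
    findings = []
    if config.get("global_auditing_state", "false").strip().lower() != "true":
        findings.append("auditing disabled: global_auditing_state is not true")

    default_type = config.get("default_audit_trail_type", "").strip().upper()
    if default_type not in ALLOWED_TRAIL_TYPES:
        findings.append(f"unknown default_audit_trail_type {default_type!r}")
    elif default_type == "CSVTEXTFILE" and not config.get("default_audit_trail_path"):
        findings.append("CSVTEXTFILE target without default_audit_trail_path: "
                        "audit log falls back to the trace directory")

    for key in LEVEL_KEYS:
        if key in config:
            unknown = parse_trail_types(config[key]) - ALLOWED_TRAIL_TYPES
            if unknown:
                findings.append(f"{key} has unknown trail type(s): {sorted(unknown)}")

    # Emergency events inherit the default target when no level target is set.
    emergency_targets = parse_trail_types(config.get("emergency_audit_trail_type", default_type))
    if "CSTABLE" not in emergency_targets:
        findings.append("emergency events are not written to the SYS.AUDIT_LOG table")
    return findings


def remediation_statements(desired: Dict[str, str]) -> List[str]:
    """Build one ALTER SYSTEM ALTER CONFIGURATION statement per desired key."""
    statements = []
    for key, value in desired.items():
        safe_value = value.replace("'", "''")  # escape quotes in the literal
        statements.append(
            "ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM') "
            f"SET ('auditing configuration', '{key}') = '{safe_value}' "
            "WITH RECONFIGURE;"
        )
    return statements


if __name__ == "__main__":
    for finding in check_auditing_config(WEAK_CONFIG):
        print("FINDING:", finding)
    for stmt in remediation_statements(BASELINE_CONFIG):
        print(stmt)
```

Run against each system in the landscape, the findings list doubles as a compliance report, and the generated statements can be reviewed before an INIFILE ADMIN executes them.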
Simply enabling auditing isn’t sufficient. You must also define audit policies to track specific events within the SAP HANA system. In the next section, we’ll discuss how audit policies are configured.