[系统审计]SAP HANA 中的系统审计策略管理

[系统审计]SAP HANA 中的系统审计策略管理

大家好,又见面了,我是全栈君。

基本语法:

CREATE AUDIT POLICY <policy_name> AUDITING <audit_status_clause>
                     <audit_actions> LEVEL <audit_level>
 
语法元素:
 <policy_name> ::= <identifier>

 <audit_status_clause> ::= SUCCESSFUL | UNSUCCESSFUL | ALL 

 <audit_actions> ::= ACTIONS FOR <user_name>[, <user_name>]
                    | <audit_action_list> [FOR <user_name>[, <user_name>]]
                    | <target_audit_action_list> [FOR <user_name>[, <user_name>]...]

 <user_name> ::= <simple_identifier>

 <audit_action_list> ::= <audit_action_name>[, <audit_action_name>]...

 <target_audit_action_list> ::= <target_audit_action_name>[, <target_audit_action_name] ON <object_name>[, <object_name>]

 <audit_action_name> ::= GRANT PRIVILEGE                   | REVOKE PRIVILEGE 
                        | GRANT STRUCTURED PRIVILEGE       | REVOKE STRUCTURED PRIVILEGE  
                        | GRANT APPLICATION PRIVILEGE      | REVOKE APPLICATION PRIVILEGE  
                        | GRANT ROLE                       | REVOKE ROLE 
                        | GRANT ANY                        | REVOKE ANY 
                        | CREATE USER                      | DROP USER    
                        | CREATE ROLE                      | DROP ROLE  
                        | ENABLE AUDIT POLICY              | DISABLE AUDIT POLICY
                        | CREATE STRUCTURED PRIVILEGE      | DROP STRUCTURED PRIVILEGE
                        | ALTER STRUCTURED PRIVILEGE       | CONNECT  
                        | SYSTEM CONFIGURATION CHANGE      | SET SYSTEM LICENSE
                        | UNSET SYSTEM LICENSE             | ALTER USER
                        | REPOSITORY_ACTIVATE              | DROP TABLE 

 <target_audit_action_name> ::= INSERT | UPDATE | DELETE | SELECT | EXECUTE
                               
 <audit_level> ::= EMERGENCY | ALERT | CRITICAL | WARNING | INFO

 <object_name> ::= <table_name> | <view_name> | <procedure_name>

 <table_name>       ::= [<schema_name>.]<identifier>
 <view_name>        ::= [<schema_name>.]<identifier>
 <procedure_name>   ::= [<schema_name>.]<identifier>
 <schema_name>  ::= <identifier>
 

Description

The CREATE AUDIT POLICY statement creates a new audit policy. This audit policy can then be enabled and will cause the auditing of the specified audit actions to occur. 
Only database users having the system privilege AUDIT ADMIN are allowed to create an audit policy. 
The specified audit policy name must be unique not match the name of an existing audit policy. 
An audit policy defines which audit actions will be audited. Audit policies need to be enabled for auditing to occur happen. 
One audit policy can contain one of the following:

  • non-restricted auditing for n (>=1) users
  • auditing for actions not restricted to objects
  • auditing for actions which are restricted to objects.

For the last two alternatives listed, an optional restriction for user(s) is available. 

The <audit_status_clause> defines if successful, unsuccessful or all executions of the specified audit actions are audited. 

The table below contains the available audit actions. They are grouped in several groups. Audit actions in the same group can be combined into one audit policy. Audit actions of different groups can not be combined into the same audit policy.

Audit Action Name Group Number Audit Operation Comment
GRANT PRIVILEGE 1 granting of privileges to users or roles
REVOKE PRIVILEGE 1 revoking of privileges from users or roles
GRANT STRUCTURED PRIVILEGE 1 granting of structured/analytical privileges to users or roles
REVOKE STRUCTURED PRIVILEGE 1 revoking of structured/analytical privileges from users or roles
GRANT APPLICATION PRIVILEGE 1 granting of application privileges to users or roles
REVOKE APPLICATION PRIVILEGE 1 revoking of application privileges from users or roles
GRANT ROLE 1 granting of roles to users or roles
REVOKE ROLE 1 revoking of roles from users or roles
GRANT ANY 1 granting of privileges, structured privileges or roles to users or roles
REVOKE ANY 1 revoking of privileges, structured privileges or roles from users or roles
CREATE USER 2 creation of users
DROP USER 2 dropping of users
ALTER USER 2 altering of users
CREATE ROLE 2 creation of roles
DROP ROLE 2 dropping of roles
CONNECT 3 creation of a user connection to the database
SYSTEM CONFIGURATION CHANGE 4 changes to the system configuration (e.g. INIFILE)
ENABLE AUDIT POLICY 5 activation of audit policies
DISABLE AUDIT POLICY 5 deactivation of audit policies
CREATE STRUCTURED PRIVILEGE 6 creation of structured/analytical privileges
DROP STRUCTURED PRIVILEGE 6 destruction of structured/analytical privilege
ALTER STRUCTURED PRIVILEGE 6 change of structured/analytical privilege
SET SYSTEM LICENSE 7 installation of a system license
UNSET SYSTEM LICENSE 7 deletion of licenses
DROP TABLE 7 deletion of database tables
REPOSITORY ACTIVATE 7 activation of repository design time objects
INSERT 7 use of insert/replace/upsert statements on tables and views allows specification of target objects
UPDATE 7 use of update/replace/upsert statements on tables and views allows specification of target objects
DELETE 7 deletion of rows from tables/views and truncation of tables allows specification of target objects
SELECT 7 use of select statements on tables and views allows specification of target objects
EXECUTE 7 procedure calls allows specification of target objects
ALL 7 all actions above typically used for specific users

Only objects of type table, view, and procedure can be specified in the <target_audit_action_list>. Synonyms and sequences cannot be selected as objects for audit policies. Furthermore only those <target_audit_action_name>s can be combined with an object. The following table shows an overview of auditable actions on objects.

Action Table View Procedure
DELETE YES YES
INSERT YES YES
SELECT YES YES
UPDATE YES YES
EXECUTE YES

Each audit policy is assigned to an audit level. The possible levels, in decreasing order of importance, are: EMERGENCY, ALERT, CRITICAL, WARNING, INFO. 

To make auditing occur, audit policies have to be created and enabled. Also the configuration parameter global_auditing_state (see below) has to be set to true. 

Configuration Parameter

Currently the configuration parameter for auditing are stored in global.ini, in the auditing configuration section and are the following: 

global_auditing_state ( ‘true’ / ‘false’ ) to activate / deactivate auditing globally, no matter how many audit policies are available and enabled. The default is false, meaning: no auditing will occur. 
default_audit_trail_type ( ‘SYSLOGPROTOCOL’ / ‘CSVTEXTFILE’ ) to specify, how to store the auditing results. SYSLOGPROTOCOL is the default. 
CSVTEXTFILE should be used only for testing purposes. 
default_audit_trail_path to specify where to store the audit file, in the case that CSVTEXTFILE has been selected. 

As for all configuration parameters, these parameters can be selected in view M_INIFILE_CONTENTS, if the current user has the required privilege to do so. These parameters will only be seen in case they have been explicitly set.

System and Monitoring Views

AUDIT_POLICY: shows all audit policies and their states 
M_INIFILE_CONTENTS: shows the configuration parameter concerning auditing

Only database users with system privilege CATALOG READ, DATA ADMIN or INIFILE ADMIN can view information in the M_INIFILE_CONTENTS view. For other database users this view will be empty.

Example

Your create a new audit policy named priv_audit that will audit successful granting and revoking of privileges and roles. The audit policy has the medium audit level CRITICAL. 
This policy has to be enabled explicity 
to make the auditing of the audit policy occur.


 

You create a new audit policy named object_audit that will audit the inserts into the existing table MY_SCHEMA.MY_TABLE. This policy has to be enabled explicity to make the auditing of the audit policy occur. This policy is restricted to user FRED and uses the audit level INFO. 


 
其他例子

— create audit policy
CREATE AUDIT POLICY policyAdministratePrincipals AUDITING ALL 
CREATE ROLE, DROP ROLE, CREATE USER, DROP USER LEVEL Critical;

–disable audit policy
ALTER AUDIT POLICY policyAdministratePrincipals disable;

–enable audit policy
ALTER AUDIT POLICY policyAdministratePrincipals enable;

–query audit policy
select * from “PUBLIC”.”AUDIT_POLICIES”

专注于企业信息化,最近对股票数据分析较为感兴趣,可免费分享股票个股主力资金实时变化趋势分析工具,股票交流QQ群:457394862
分类: 
SAP HANA

本文转自沧海-重庆博客园博客,原文链接:http://www.cnblogs.com/omygod/archive/2013/05/31/3111580.html,如需转载请自行联系原作者

版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 举报,一经查实,本站将立刻删除。

发布者:全栈程序员-用户IM,转载请注明出处:https://javaforall.cn/108119.html原文链接:https://javaforall.cn

【正版授权,激活自己账号】: Jetbrains全家桶Ide使用,1年售后保障,每天仅需1毛

【官方授权 正版激活】: 官方授权 正版激活 支持Jetbrains家族下所有IDE 使用个人JB账号...

(0)


相关推荐

  • rc522串口调试_单闭环直流调速系统实验报告

    rc522串口调试_单闭环直流调速系统实验报告RC522寻卡,防冲撞都可以,但是选卡失败是什么原因?欢迎使用Markdown编辑器新的改变功能快捷键合理的创建标题,有助于目录的生成如何改变文本的样式插入链接与图片如何插入一段漂亮的代码片生成一个适合你的列表创建一个表格设定内容居中、居左、居右SmartyPants创建一个自定义列表如何创建一个注脚注释也是必不可少的KaTeX数学公式新的甘特图功能,丰富你的文章UML图表FLowchart流程…

  • 洗牌算法思路_随机洗牌算法

    洗牌算法思路_随机洗牌算法1.背景    笔试时,遇到一个算法题:差不多是在n个不同的数中随机取出不重复的m个数。洗牌算法是将原来的数组进行打散,使原数组的某个数在打散后的数组中的每个位置上等概率的出现,刚好可以解决该问题。2.洗牌算法    由抽牌、换牌和插牌衍生出三种洗牌算法,其中抽牌和换牌分别对应Fisher-YatesShuffle和Knuth-DurstenfeldShhuffle算法。 …

  • 自动化测试框架[Cypress结合Allure生成测试报告]

    自动化测试框架[Cypress结合Allure生成测试报告]Allure的报告样式仍旧是目前比较华丽且全面的报告,Cypress可生成Junit形式的xml结果,那自然也可以转换成Allure的样式

  • 云之遥全攻略 上「建议收藏」

    云之遥全攻略 上「建议收藏」转自dakkifox作者的和讯博客,很详尽很有用的一篇攻略。原贴地址:http://dakkifox.blog.hexun.com/45908818_d.html我是傻瓜分割线所谓傻瓜版,就是你照

  • 【转载】ASP.NET之旅–深入浅出解读IIS架构

    【转载】ASP.NET之旅–深入浅出解读IIS架构

    2021年11月21日
  • 吉他学习丨基础知识「建议收藏」

    1、吉他音高从上到下读法:米、西、扫、ruai、啦、米——mi、si、sol、re、la、mi上带点:高音不带点:中音下带点:低音 2、简谱与音程的关系音程:全音、半音 3、品琴颈上每格为1品 4、弹法左手:食指:1指;中指:2指;无名指:3指     1指弹1品;2指2品;3指3品右手:P指:4、5、6弦;  …

发表回复

您的电子邮箱地址不会被公开。

关注全栈程序员社区公众号