[系统审计]SAP HANA 中的系统审计策略管理

[系统审计]SAP HANA 中的系统审计策略管理

大家好,又见面了,我是全栈君。

基本语法:

CREATE AUDIT POLICY <policy_name> AUDITING <audit_status_clause>
                     <audit_actions> LEVEL <audit_level>
 
语法元素:
 <policy_name> ::= <identifier>

 <audit_status_clause> ::= SUCCESSFUL | UNSUCCESSFUL | ALL 

 <audit_actions> ::= ACTIONS FOR <user_name>[, <user_name>]
                    | <audit_action_list> [FOR <user_name>[, <user_name>]]
                    | <target_audit_action_list> [FOR <user_name>[, <user_name>]...]

 <user_name> ::= <simple_identifier>

 <audit_action_list> ::= <audit_action_name>[, <audit_action_name>]...

 <target_audit_action_list> ::= <target_audit_action_name>[, <target_audit_action_name] ON <object_name>[, <object_name>]

 <audit_action_name> ::= GRANT PRIVILEGE                   | REVOKE PRIVILEGE 
                        | GRANT STRUCTURED PRIVILEGE       | REVOKE STRUCTURED PRIVILEGE  
                        | GRANT APPLICATION PRIVILEGE      | REVOKE APPLICATION PRIVILEGE  
                        | GRANT ROLE                       | REVOKE ROLE 
                        | GRANT ANY                        | REVOKE ANY 
                        | CREATE USER                      | DROP USER    
                        | CREATE ROLE                      | DROP ROLE  
                        | ENABLE AUDIT POLICY              | DISABLE AUDIT POLICY
                        | CREATE STRUCTURED PRIVILEGE      | DROP STRUCTURED PRIVILEGE
                        | ALTER STRUCTURED PRIVILEGE       | CONNECT  
                        | SYSTEM CONFIGURATION CHANGE      | SET SYSTEM LICENSE
                        | UNSET SYSTEM LICENSE             | ALTER USER
                        | REPOSITORY_ACTIVATE              | DROP TABLE 

 <target_audit_action_name> ::= INSERT | UPDATE | DELETE | SELECT | EXECUTE
                               
 <audit_level> ::= EMERGENCY | ALERT | CRITICAL | WARNING | INFO

 <object_name> ::= <table_name> | <view_name> | <procedure_name>

 <table_name>       ::= [<schema_name>.]<identifier>
 <view_name>        ::= [<schema_name>.]<identifier>
 <procedure_name>   ::= [<schema_name>.]<identifier>
 <schema_name>  ::= <identifier>
 

Description

The CREATE AUDIT POLICY statement creates a new audit policy. This audit policy can then be enabled and will cause the auditing of the specified audit actions to occur. 
Only database users having the system privilege AUDIT ADMIN are allowed to create an audit policy. 
The specified audit policy name must be unique not match the name of an existing audit policy. 
An audit policy defines which audit actions will be audited. Audit policies need to be enabled for auditing to occur happen. 
One audit policy can contain one of the following:

  • non-restricted auditing for n (>=1) users
  • auditing for actions not restricted to objects
  • auditing for actions which are restricted to objects.

For the last two alternatives listed, an optional restriction for user(s) is available. 

The <audit_status_clause> defines if successful, unsuccessful or all executions of the specified audit actions are audited. 

The table below contains the available audit actions. They are grouped in several groups. Audit actions in the same group can be combined into one audit policy. Audit actions of different groups can not be combined into the same audit policy.

Audit Action Name Group Number Audit Operation Comment
GRANT PRIVILEGE 1 granting of privileges to users or roles
REVOKE PRIVILEGE 1 revoking of privileges from users or roles
GRANT STRUCTURED PRIVILEGE 1 granting of structured/analytical privileges to users or roles
REVOKE STRUCTURED PRIVILEGE 1 revoking of structured/analytical privileges from users or roles
GRANT APPLICATION PRIVILEGE 1 granting of application privileges to users or roles
REVOKE APPLICATION PRIVILEGE 1 revoking of application privileges from users or roles
GRANT ROLE 1 granting of roles to users or roles
REVOKE ROLE 1 revoking of roles from users or roles
GRANT ANY 1 granting of privileges, structured privileges or roles to users or roles
REVOKE ANY 1 revoking of privileges, structured privileges or roles from users or roles
CREATE USER 2 creation of users
DROP USER 2 dropping of users
ALTER USER 2 altering of users
CREATE ROLE 2 creation of roles
DROP ROLE 2 dropping of roles
CONNECT 3 creation of a user connection to the database
SYSTEM CONFIGURATION CHANGE 4 changes to the system configuration (e.g. INIFILE)
ENABLE AUDIT POLICY 5 activation of audit policies
DISABLE AUDIT POLICY 5 deactivation of audit policies
CREATE STRUCTURED PRIVILEGE 6 creation of structured/analytical privileges
DROP STRUCTURED PRIVILEGE 6 destruction of structured/analytical privilege
ALTER STRUCTURED PRIVILEGE 6 change of structured/analytical privilege
SET SYSTEM LICENSE 7 installation of a system license
UNSET SYSTEM LICENSE 7 deletion of licenses
DROP TABLE 7 deletion of database tables
REPOSITORY ACTIVATE 7 activation of repository design time objects
INSERT 7 use of insert/replace/upsert statements on tables and views allows specification of target objects
UPDATE 7 use of update/replace/upsert statements on tables and views allows specification of target objects
DELETE 7 deletion of rows from tables/views and truncation of tables allows specification of target objects
SELECT 7 use of select statements on tables and views allows specification of target objects
EXECUTE 7 procedure calls allows specification of target objects
ALL 7 all actions above typically used for specific users

Only objects of type table, view, and procedure can be specified in the <target_audit_action_list>. Synonyms and sequences cannot be selected as objects for audit policies. Furthermore only those <target_audit_action_name>s can be combined with an object. The following table shows an overview of auditable actions on objects.

Action Table View Procedure
DELETE YES YES
INSERT YES YES
SELECT YES YES
UPDATE YES YES
EXECUTE YES

Each audit policy is assigned to an audit level. The possible levels, in decreasing order of importance, are: EMERGENCY, ALERT, CRITICAL, WARNING, INFO. 

To make auditing occur, audit policies have to be created and enabled. Also the configuration parameter global_auditing_state (see below) has to be set to true. 

Configuration Parameter

Currently the configuration parameter for auditing are stored in global.ini, in the auditing configuration section and are the following: 

global_auditing_state ( ‘true’ / ‘false’ ) to activate / deactivate auditing globally, no matter how many audit policies are available and enabled. The default is false, meaning: no auditing will occur. 
default_audit_trail_type ( ‘SYSLOGPROTOCOL’ / ‘CSVTEXTFILE’ ) to specify, how to store the auditing results. SYSLOGPROTOCOL is the default. 
CSVTEXTFILE should be used only for testing purposes. 
default_audit_trail_path to specify where to store the audit file, in the case that CSVTEXTFILE has been selected. 

As for all configuration parameters, these parameters can be selected in view M_INIFILE_CONTENTS, if the current user has the required privilege to do so. These parameters will only be seen in case they have been explicitly set.

System and Monitoring Views

AUDIT_POLICY: shows all audit policies and their states 
M_INIFILE_CONTENTS: shows the configuration parameter concerning auditing

Only database users with system privilege CATALOG READ, DATA ADMIN or INIFILE ADMIN can view information in the M_INIFILE_CONTENTS view. For other database users this view will be empty.

Example

Your create a new audit policy named priv_audit that will audit successful granting and revoking of privileges and roles. The audit policy has the medium audit level CRITICAL. 
This policy has to be enabled explicity 
to make the auditing of the audit policy occur.

 

 

You create a new audit policy named object_audit that will audit the inserts into the existing table MY_SCHEMA.MY_TABLE. This policy has to be enabled explicity to make the auditing of the audit policy occur. This policy is restricted to user FRED and uses the audit level INFO. 

 

 
其他例子

— create audit policy
CREATE AUDIT POLICY policyAdministratePrincipals AUDITING ALL 
CREATE ROLE, DROP ROLE, CREATE USER, DROP USER LEVEL Critical;

–disable audit policy
ALTER AUDIT POLICY policyAdministratePrincipals disable;

–enable audit policy
ALTER AUDIT POLICY policyAdministratePrincipals enable;

–query audit policy
select * from “PUBLIC”.”AUDIT_POLICIES”

专注于企业信息化,最近对股票数据分析较为感兴趣,可免费分享股票个股主力资金实时变化趋势分析工具,股票交流QQ群:457394862
分类: 
SAP HANA

本文转自沧海-重庆博客园博客,原文链接:http://www.cnblogs.com/omygod/archive/2013/05/31/3111580.html,如需转载请自行联系原作者

版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 举报,一经查实,本站将立刻删除。

发布者:全栈程序员-用户IM,转载请注明出处:https://javaforall.cn/108119.html原文链接:https://javaforall.cn

【正版授权,激活自己账号】: Jetbrains全家桶Ide使用,1年售后保障,每天仅需1毛

【官方授权 正版激活】: 官方授权 正版激活 支持Jetbrains家族下所有IDE 使用个人JB账号...

(0)


相关推荐

  • 世界名著100部简介百度百科_20部必读的哲学巨著

    世界名著100部简介百度百科_20部必读的哲学巨著01、傲慢与偏见      02、孤星血泪      03、雾都孤儿        04、唐·吉诃德  05、安娜·卡列尼娜      06、飘      07、简·爱       08、悲惨世界  09、茶花女      10、基督山恩仇记      11、童年         12、这里的黎明静悄悄  13、钢铁是怎样炼成的  14、战争与和平        15、西线

  • gradle下载慢的问题[通俗易懂]

    gradle下载慢的问题[通俗易懂]gradle下载慢的问题开发工具:IntelliJIDEA&AndroidStudio问题:新建项目下载gradle慢的问题最好的解决办法,翻墙。有些问题,在Google和stackoverflow上很容搜索出来(万恶的百度),还有很多项目文件Github学习到很多。推荐买一个,推荐一个我从大二就开始用的便宜稳定的,里面还有教程。获需要的可以关注公众号:Gremlin回复:v即可获取…

  • mysql 行转列 (带日期)

    mysql 行转列 (带日期)从网上找了很多行转列的。基本都是2行的行转列。不带日期分组的。借鉴了另一个哥们的文章,实现了自己想要的结果,写出来大家可以参考。以后自己遇到同样情况,也可以有个备份借鉴的地址为https://www.cnblogs.com/gisblogs/p/3966822.html处理过程:我自己有的数据,这个已经是处理后的(源数据)图1[img]http:/…

  • 显示出圆周率后一百位_搜索圆周率

    显示出圆周率后一百位_搜索圆周率这里不给发那么多字数,具体查看:https://tys.ink/?p=5221

  • 鸢尾花完整的python代码(鸢尾花分类)

    .逻辑回归逻辑回归(LogisticRegression)是用于处理因变量为分类变量的回归问题,常见的是二分类或二项分布问题,也可以处理多分类问题,它实际上是属于一种分类方法。概率p与因变量往往是非线性的,为了解决该类问题,我们引入了logit变换,使得logit(p)与自变量之间存在线性相关的关系,逻辑回归模型定义如下:1#Sigmoid曲线:2importmatplotlib.py…

  • TiKv扩容_ksg变压器

    TiKv扩容_ksg变压器TiKV节点在线扩容

发表回复

您的电子邮箱地址不会被公开。

关注全栈程序员社区公众号