
Auditors.......not SAP related

Former Member
0 Kudos

Hi all, we have the auditors here at work at the moment and they are hassling me with security logs.

We use AIX 5.3 and MAXDB 7.6

This is what they say:

Basic security logs need to be enabled like successful and failed logins etc. In addition business critical data needs to be identified and logs on those specific tables need to be enabled to ensure that any manipulation at the database level is addressed. Please bear in mind that we are only concerned with user accounts that are used by people to log directly onto the database.

So where are these logs kept, and keeping in mind that SAP has over 70 000 tables, how am I going to identify the tables that need to be logged, and how would I enable logging on those tables?

Can this even be done?

Accepted Solutions (1)

lbreddemann
Active Contributor
0 Kudos

> Hi all we have the auditors here at work at the moment and they are hassling me with security logs.

> We use AIX 5.3 and MAXDB 7.6

> So where are these logs kept, and keeping in mind that SAP has over 70 000 tables how am i going to identify the tables that need to be logged and how would i enable logging on those tables.

>

> Can this even be done ?

Hi there.

With MaxDB - no.

MaxDB does not provide auditing like e.g. Oracle does.

There are no logs containing this kind of information.

Anyhow, important for your case is the key phrase in your auditors' requirements:

> Please bear in mind that we are only concerned with user accounts that are used by people to log directly onto the database.

In SAP systems, no end-users ever log on directly to the database.

The only people that log on to the database are the DBAs.

They usually use the CONTROL and SUPERDBA users for doing so, and none of these users have access to the application data.

Unfortunately, when extensive SQL analysis needs to be done, a direct SQL connection to the application schema is required - and that cannot be audited automatically.

regards,

Lars

Answers (1)

Former Member
0 Kudos

Thanks for your response.

What 3rd party tool can be used to monitor and log direct access to the database, and if tables are changed directly?

or

Can I use a trigger to write to a log if tables are modified?

lbreddemann
Active Contributor
0 Kudos

> What 3rd party tool can be used to monitor direct and log direct access to the database and if tables are changed directly

> or

> Can i use a trigger to write to a log if tables are modified

Sorry to tell you, but both options are unfeasible.

There is afaik no 3rd party tool that provides this kind of information for MaxDB.

Honestly, although I do know quite a bit about MaxDB's inner workings, I don't see how a 3rd party tool should get this kind of information properly.

No, auditing has to be built into the database, otherwise it's useless.

Concerning the trigger approach, think about how it would be if you implemented this:

1. You'll have at least one trigger per table - that's thousands of them which might make catalog accesses a bit slow.

2. Since you want auditing, you would need to write to a log table for every change of data.

That means for every one row changed you'll have at least one row inserted to your logging table.

This will most definitively create severe performance issues.

3. Selects wouldn't be logged, as Selects don't fire triggers.

4. The only DB account that can access the SAP schema tables is the SAP<SID>.

Therefore everybody who would like to access those tables would log on as SAP<SID>, and in your logs you'll find that SAP<SID> accessed your data.

Currently (in the current MaxDB releases) there's no way to find out the OS user that logged on to the database. This is a functionality to come in later releases.

So, sorry to tell, but with MaxDB you've to secure the access to the database in a way that no unauthorized person can access it via SQL.

regards,

Lars
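
The limits of trigger-based auditing listed in points 2 to 4 above can be reproduced on a small scale. This is an added example, not part of the original thread: it uses SQLite as a stand-in (this is not MaxDB trigger syntax), and the `payroll`, `audit_log` and `session_info` tables and their sample rows are constructed for illustration.

```python
import sqlite3

SHARED_ACCOUNT = "SAP<SID>"  # the single schema account named in the thread

def audit_demo():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE payroll (emp_id INTEGER PRIMARY KEY, salary INTEGER);
        -- SQLite has no accounts; this one-row table stands in for "the
        -- account the session authenticated as", all a trigger can record.
        CREATE TABLE session_info (db_user TEXT);
        CREATE TABLE audit_log (op TEXT, emp_id INTEGER, old_salary INTEGER,
                                new_salary INTEGER, db_user TEXT);
        CREATE TRIGGER payroll_ins AFTER INSERT ON payroll BEGIN
            INSERT INTO audit_log VALUES ('I', NEW.emp_id, NULL, NEW.salary,
                                          (SELECT db_user FROM session_info));
        END;
        CREATE TRIGGER payroll_upd AFTER UPDATE ON payroll BEGIN
            INSERT INTO audit_log VALUES ('U', OLD.emp_id, OLD.salary, NEW.salary,
                                          (SELECT db_user FROM session_info));
        END;
        CREATE TRIGGER payroll_del AFTER DELETE ON payroll BEGIN
            INSERT INTO audit_log VALUES ('D', OLD.emp_id, OLD.salary, NULL,
                                          (SELECT db_user FROM session_info));
        END;
    """)
    db.execute("INSERT INTO session_info VALUES (?)", (SHARED_ACCOUNT,))

    def count():
        return db.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]

    # Constructed sample data: three inserted rows produce three audit rows.
    db.executemany("INSERT INTO payroll VALUES (?, ?)",
                   [(1, 100), (2, 200), (3, 300)])
    result = {"after_insert": count()}
    # Point 2: one UPDATE statement touching three rows writes three audit rows.
    db.execute("UPDATE payroll SET salary = salary + 10")
    result["after_update"] = count()
    # Point 3: reading the data fires no trigger, so nothing is recorded.
    db.execute("SELECT emp_id, salary FROM payroll").fetchall()
    result["after_select"] = count()
    db.execute("DELETE FROM payroll WHERE emp_id = 2")
    result["after_delete"] = count()
    # Point 4: every audit row names the same shared account, not a person.
    result["users"] = {r[0] for r in db.execute("SELECT db_user FROM audit_log")}
    return result

if __name__ == "__main__":
    print(audit_demo())
```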