##########################################################
## SAP Best Practices and Recommendations for Creating Audit Policies ##
# Intrusion detection # 

# Unsuccessful connection attempts:
CREATE AUDIT POLICY "_SAP_session connect" AUDITING UNSUCCESSFUL CONNECT LEVEL ALERT TRAIL TYPE TABLE RETENTION 20;
ALTER AUDIT POLICY "_SAP_session connect" ENABLE;

# Attempts to validate user credentials:
CREATE AUDIT POLICY "_SAP_session validate" AUDITING ALL VALIDATE USER LEVEL ALERT TRAIL TYPE TABLE RETENTION 20;
ALTER AUDIT POLICY "_SAP_session validate" ENABLE;

# Security configuration #
# Changes to authorization:
CREATE AUDIT POLICY "_SAP_authorizations" AUDITING ALL GRANT ANY, REVOKE ANY LEVEL INFO TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_authorizations" ENABLE;

# Changes to users:
CREATE AUDIT POLICY "_SAP_user administration" AUDITING SUCCESSFUL ALTER ROLE, ALTER USER, ALTER USERGROUP, CREATE ROLE, CREATE USER, CREATE USERGROUP, DROP ROLE, DROP USER, DROP USERGROUP LEVEL INFO TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_user administration" ENABLE;

# Changes to structured privileges in development systems:
CREATE AUDIT POLICY "_SAP_structured privileges" AUDITING SUCCESSFUL ALTER STRUCTURED PRIVILEGE, CREATE STRUCTURED PRIVILEGE, DROP STRUCTURED PRIVILEGE LEVEL INFO TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_structured privileges" ENABLE;

# System configuration #
# Changes to certificates and certificate collections:
CREATE AUDIT POLICY "_SAP_certificates" AUDITING ALL ALTER PSE, CREATE CERTIFICATE, CREATE PSE, DROP CERTIFICATE, DROP PSE LEVEL INFO TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_certificates" ENABLE;

# Changes to authentication providers:
CREATE AUDIT POLICY "_SAP_authentication provider" AUDITING ALL ALTER JWT PROVIDER, ALTER LDAP PROVIDER, ALTER SAML PROVIDER, CREATE JWT PROVIDER, CREATE LDAP PROVIDER, CREATE SAML PROVIDER, DROP JWT PROVIDER, DROP LDAP PROVIDER, DROP SAML PROVIDER, VALIDATE LDAP PROVIDER LEVEL CRITICAL TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_authentication provider" ENABLE;

# Changes to client-side encryption:
CREATE AUDIT POLICY "_SAP_clientside encryption" AUDITING ALL ALTER CLIENTSIDE ENCRYPTION COLUMN KEY, ALTER CLIENTSIDE ENCRYPTION KEYPAIR, CREATE CLIENTSIDE ENCRYPTION COLUMN KEY, CREATE CLIENTSIDE ENCRYPTION KEYPAIR, DROP CLIENTSIDE ENCRYPTION COLUMN KEY, DROP CLIENTSIDE ENCRYPTION KEYPAIR LEVEL CRITICAL TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_clientside encryption" ENABLE;

# Changes to SAP HANA configuration files (*.ini files):
CREATE AUDIT POLICY "_SAP_configuration changes" AUDITING ALL STOP SERVICE, SYSTEM CONFIGURATION CHANGE LEVEL INFO TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_configuration changes" ENABLE;

# Changes to the SAP HANA license key:
CREATE AUDIT POLICY "_SAP_license addition" AUDITING ALL SET SYSTEM LICENSE LEVEL INFO TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_license addition" ENABLE;
CREATE AUDIT POLICY "_SAP_license deletion" AUDITING ALL UNSET SYSTEM LICENSE LEVEL INFO TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_license deletion" ENABLE;

# Monitoring #
# Recovery of database:
CREATE AUDIT POLICY "_SAP_recover database" AUDITING ALL BACKUP CATALOG DELETE, BACKUP DATA, RECOVER DATA LEVEL INFO TRAIL TYPE TABLE RETENTION 180;
ALTER AUDIT POLICY "_SAP_recover database" ENABLE;

##########################################################
# zeigt die Einträge im Audit Log (default begrenzt auf 1000 Treffer) # 
select * from audit_log

# zeigt die neusten Einträge im Audit Log # 
select * from audit_log order by "TIMESTAMP" desc

# Audit Log bis zu eine bestimmte Zeitpunkt leeren/löschen #
ALTER SYSTEM CLEAR AUDIT LOG UNTIL '2017-11-07 15:00:00'

# Audit Log komplett leeren/löschen #
ALTER SYSTEM CLEAR AUDIT LOG ALL

