The Importance of SAP HANA Auditing in Strengthening SAP Security

SAP HANA plays a crucial role in both cloud and on-premise SAP offerings. As a database platform, it serves as the core foundation, with S/4 HANA being a prime example. With SAP Business Suite’s and NetWeaver’s end-of-maintenance on the horizon, it is no surprise that many SAP-running organizations are transitioning to SAP HANA – a trend well underway for several years. This shift places greater emphasis on the security aspects of the HANA database, particularly audit logging. This article outlines several key technical considerations for configuring audit settings in SAP HANA. 

1. Activate HANA auditing 

Surprisingly, SAP HANA’s auditing feature is disabled by default. Much like the ABAP Security Audit Log, it’s up to each organization to enable it when deemed necessary for their security concept — as advised in the SAP HANA Security Checklists and Recommendations. 

We strongly believe that auditing should be activated on every HANA database, at least for a baseline set of actions — especially when handling sensitive or business-critical data. Whether used independently or as a runtime for an SAP application, logging is essential for detecting risks, monitoring for suspicious activities, and conducting investigations. Without audit logging, effective security and forensics are not possible. Interestingly, SAP’s Security Baseline recommends enabling audit logging, although it remains disabled by default.  

Administrator action: 

Activate HANA auditing by setting parameter ‘global_auditing_state’ to ‘true’.  

• For the SYSTEM database: set this in nameserver.ini 

• For a TENANT database: set it in global.ini 

2. What to audit?  

Once auditing is enabled, the next question is: What should be audited? 

In SAP HANA, auditing is configured using audit policies. By default, once auditing is turned on, a policy called ‘MandatoryAuditPolicy’ becomes active. This built-in policy captures only the essential events that concern audit-related configurations and policies. 

However, aside from this default policy, nothing else is logged automatically with audit policies. Organizations must define and create audit policies in the system to capture additional activities beyond those mentioned above. This process can be complex, especially when aligning with regulatory or organizational compliance requirements. 

A helpful starting point is SAP’s Best Practices and Recommendations for Creating Audit Policies. These include example policies that can be directly implemented or tailored. SAP also offers sample configurations via GitHub — links are provided at the end of this article. 

Administrator actions: 

• Use SAP’s best practice templates to create additional policies 

• Tailor audit policies to meet your organization’s specific standards 

3. Where to store audit data?  

While this may seem straightforward, storing audit data in SAP HANA 

can be more complicated than expected. The platform supports multiple priority levels and target destinations, allowing for granular control — but also introducing complexity. 

Audit Priority Levels 

There are five severity levels for audit events: 

• EMERGENCY 

• ALERT 

• CRITICAL 

• WARNING 

• INFO 

These can be defined for each audit policy. 

Audit Targets (Locations) 

SAP HANA offers four possible audit targets: 

• SYSLOGPROTOCOL: OS-level logging (e.g., /var/log/messages) 

• CSTABLE: Internal database table 

• CSVTEXTFILE and KERNELTRACE. 

Only SYSLOGPROTOCOL and CSTABLE are suitable for production environments.