Download PDF - IBM Redbooks

More documents

Recommendations

Info

8.3 Writing SQL to audit SAP tables With security auditing, you can inspect and examine the adequacy and effectiveness of security policies and procedures that can be put into place to secure sensitive data. Another enhancement to DB2 10 is the ability to monitor and record all types of access to particular DB2 tables by different users. During auditing, you can obtain information about who has accessed the data, who has read the data, and who has changed the data, such as inserting or updating records. This new policy-based auditing enables the dynamic activation of SQL statement auditing for tables that might not have the AUDIT clause set in their table definition. The default value for the AUDIT clause is set to NO. As an example, when someone wants access for reading data, they might use a password hash attack. In this type of attack, the hash value of a password is calculated outside of the SAP kernel and then compared with the hash value that is stored in the database on an SAP system. One of the reasons why this attack is possible is the ability to read certain values in DB2 tables, such as the Advanced Business Application Programming (ABAP) password hash value. Reading of a particular row can be done by using the following methods: ► Access to data from outside of the SAP system. This method can be done remotely at the database layer by using the SQL SELECT statement from various interfaces, such as SPUFI, DB2 Thin Connect, DB2 Enterprise Edition (EE), DB2 Control Center. ► Access to data using its own ABAP programs. For example, ABAP developers can use their own programs to access any tables directly within an SAP system. ► Access to data from existing tools within an SAP system. This method can be done by using the table browser (using SAP transaction codes, such as SE16 and SE17, or by navigating from transaction SE11). The currently valid passwords of users are stored in the table USR02 in a database of an SAP system. You can audit access to the data allocated in this specific table SAPR3.USR02 for SQL operations, such as READ, INSERT or UPDATE. To deter threats, such as an insider threat, run the SQL statements shown in Example 8-8 to create an audit policy that audits any SQL activity in the SAPR3.USR% table. We set the OBJECTNAME to USR%, which causes DB2 to use a LIKE predicate when determining the tables that will be audited. Example 8-8 inserts an audit policy that audits table names that begin with USR% within schema SAPR3. Example 8-8 Creating an SQL statement auditing policy INSERT INTO SYSIBM.SYSAUDITPOLICIES (AUDITPOLICYNAME, OBJECTSCHEMA, OBJECTNAME, OBJECTTYPE, EXECUTE) VALUES('AUDIT2','SAPR3','''USR%''','T','A'); Example 8-9 shows how the new audit policy, AUDIT2, is activated. Before activating this new audit policy, the system component GTF must be started in the z/OS system. Example 8-9 Starting the SQL statement auditing policy -START TRACE(AUDIT) DEST(GTF) AUDTPLCY(AUDIT2) 122 Running SAP Solutions with IBM DB2 10 for z/OS on the IBM zEnterprise System
Example 8-10 shows how to display active policies in the DB2 subsystem. Example 8-10 Displaying the SQL statement auditing policy DSNW127I -DB0T CURRENT TRACE ACTIVITY IS - TNO TYPE CLASS DEST QUAL IFCID 06 AUDIT * GTF NO *********END OF DISPLAY TRACE SUMMARY DATA********* DSNW143I -DB0T CURRENT TRACE QUALIFICATIONS ARE - DSNW152I -DB0T BEGIN TNO 06 QUALIFICATIONS: NO QUALIFICATIONS END TNO 06 QUALIFICATIONS DSNW185I -DB0T BEGIN TNO 06 AUDIT POLICIES: ACTIVE AUDIT POLICY: AUDIT2 END TNO 06 AUDIT POLICIES DSNW148I -DB0T ******END OF DISPLAY TRACE QUALIFICATION DATA****** DSN9022I -DB0T DSNWVCM1 '-DISPLAY TRACE' NORMAL COMPLETION Another example is when some users and database administrators try to access the DB2 object, SAPR3.USR02, by using such tools as SPUFI, the DB2 Control Center, and transaction SU01, within the SAP system. Example 8-11 through Example 8-14 show the audit records of all activity that was assigned to the DB2 object, USR02. Example 8-11 shows the audit record for all users that read data in the DB2 object SAPR3.USR02 in SAP. Example 8-11 Reading access to DB2 object SAPR3.USR02 within SAP SAPINST T73DIA00 DRDA 19:26:59.04 BIND PACKAGE: DB0T.SAP0907U.SYSL SAPINST 4 110801211120 TYPE: SEL-QUERY DISTSERV SERVER TEXT: SELECT * FROM "USR02" REQLOC :::172.30.9.120 ACCESS CTRL SCHEMA: N/P ENDUSER :HAGELSTROMM ACCESS CTRL OBJECT: N/P WSNAME :'BLANK' TRANSACT:'BLANK' Example 8-12 shows the audit record for all users with write access to DB2 object SAPR3.USR02 in SAP. Example 8-12 Writing access to DB2 object SAPR3.USR02 within SAP SAPINST T73DIA00 DRDA 19:26:59.83 BIND PACKAGE: DB0T.SAP0907U.SYSL SAPINST 4 110801211120 TYPE: INSERT DISTSERV SERVER TEXT: INSERT INTO "USR02" V ? , ? , ? , ? , ? , ? ? , ? , ? , ? , ? , ? ? , ? , ? , ? , ? , ? REQLOC :::172.30.9.120 DATABASE: 10041 ENDUSER :HAGELSTROMM ACCESS CTRL SCHEMA: N/P WSNAME :'BLANK' ACCESS CTRL OBJECT: N/P TRANSACT:'BLANK' Chapter 8. Security enhancements of DB2 10 for SAP solutions 123
Page 1:
ibm.com/redbooks Front cover Runnin
Page 4 and 5:
Note: Before using this information
Page 6 and 7:
2.10.2 IBM zEnterprise BladeCenter
Page 8 and 9:
System software planning. . . . . .
Page 10 and 11:
Trademarks IBM, the IBM logo, and i
Page 12 and 13:
Maxim Kukarev is a Client Technical
Page 14 and 15:
xii Running SAP Solutions with IBM
Page 16 and 17:
1.1 IBM DB2 on System z and SAP The
Page 18 and 19:
technologies, it provides advanced
Page 20 and 21:
1.2.3 SAP Industry Solutions SAP In
Page 22 and 23:
8 Running SAP Solutions with IBM DB
Page 24 and 25:
2.1 SAP NetWeaver composition 2.1.1
Page 26 and 27:
Consequently, the central instances
Page 28 and 29:
► Data layer. The database instan
Page 30 and 31:
Integration ESB / Connectors Figure
Page 32 and 33:
2.4 Rolling maintenance Within one
Page 34 and 35:
2.7 Database server Another compone
Page 36 and 37:
Metro Mirror Figure 2-7 Metro and M
Page 38 and 39:
2.10.4 zEnterprise Ensemble System
Page 40 and 41:
System p or System x AIX, Linux on
Page 42 and 43:
SAP mixed 3-tier structure The data
Page 44 and 45:
3.1 Features implicitly used by SAP
Page 46 and 47:
3.1.4 Scalability improvements for
Page 48 and 49:
Insert time per row in msec. 500,00
Page 50 and 51:
New tables are automatically create
Page 52 and 53:
3.3 SAP modifications to optimize t
Page 54 and 55:
The solution is the Hybrid DBSL, wh
Page 56 and 57:
Figure 3-5 New DBM1 display Enhance
Page 58 and 59:
- Accumulated wait time for global
Page 60 and 61:
The view shown in Figure 3-8 for th
Page 62 and 63:
3.4.1 IN-list in-memory tables DB2
Page 64 and 65:
With DB2 10, the new access type NR
Page 66 and 67:
2. Ensure that the user who is crea
Page 68 and 69:
4.1 Installing Linux on System z, S
Page 70 and 71:
Installing the server from DVD We i
Page 72 and 73:
Verifying the installation In the I
Page 74 and 75:
Registration: To access the SAP Ser
Page 76 and 77:
Figure 4-4 Support Package list Fig
Page 78 and 79:
lnxsu11:t73adm 64> telnet wtsc59oe
Page 80 and 81:
2. Configure the JCL head. From the
Page 82 and 83:
4.2.2 Considerations for migration
Page 84 and 85:
Figure 4-8 DB2_V10_CHECK report Imp
Page 86 and 87: 4.2.4 Considerations for data shari
Page 88 and 89: You must make the following changes
Page 90 and 91: lnxsu11 Figure 4-12 SAP system land
Page 92 and 93: Product Vendor Type Version SAP Net
Page 94 and 95: 5.1 Functions of Unified Resource M
Page 96 and 97: 5.2 Simplifying management tasks in
Page 98 and 99: Figure 5-6 DBA Cockpit initial pane
Page 100 and 101: Figure 5-8 Global Times panel Tip:
Page 102 and 103: Figure 5-10 Buffer Pools The Buffer
Page 104 and 105: Table 5-1 highlights the tasks or a
Page 106 and 107: Tip: To enable the capture of syspl
Page 108 and 109: Figure 5-14 AIX monitoring data Fig
Page 110 and 111: ► DB2 Network Stats ABAP report (
Page 112 and 113: 3. Enter the perfkit command to sta
Page 114 and 115: You can also access monitoring data
Page 116 and 117: Example 5-3 Linux memory utilizatio
Page 118 and 119: In addition to user resource utiliz
Page 120 and 121: In a high availability system, ever
Page 122 and 123: 7.1 Classifications of virtualizati
Page 124 and 125: 7.2 Resources to the virtual machin
Page 126 and 127: 112 Running SAP Solutions with IBM
Page 128 and 129: 8.1 Separation of duties for databa
Page 130 and 131: authority is granted to an entire D
Page 132 and 133: malicious or careless unauthorized
Page 134 and 135: After starting each audit policy, D
Page 138 and 139: Example 8-13 shows the audit record
Page 140 and 141: The client and server perform the f
Page 142 and 143: Digital certificates: Digital certi
Page 144 and 145: The following rule conditions are a
Page 146 and 147: Example 8-24 shows the assigned val
Page 148 and 149: 8.5.3 Reasons for establishing trus
Page 150 and 151: Example 8-31 shows the results of a
Page 152 and 153: From the central log of the SAP sys
Page 158 and 159: The SAP implementation process from
Page 160 and 161: Typical roles and tasks for system
Page 162 and 163: Key documentation From the IT and C
Page 164 and 165: Then you see a list of SAP Notes th
Page 166 and 167: SAP Notes The SAP Note system is us
Page 168 and 169: ► SAP on DB2 9 for z/OS: Implemen
Page 170 and 171: participate in the failover automat
Page 172 and 173: As a best practice, use the SAP as
Page 174 and 175: ��
Page 176 and 177: System software planning SAP on the
Page 178 and 179: Software product Part number Commen
Page 180 and 181: Capability Software product Part nu
Page 182 and 183: � Decide which installation optio
Page 184 and 185: c. Disable the IEFUSI exit in membe
Page 186 and 187:
3. Optional: Make the directories a
Page 188 and 189:
Additional information: For more in
Page 190 and 191:
11.After finishing the DB2 subsyste
Page 192 and 193:
ARC The archive log data sets. CI T
Page 194 and 195:
DB2 members of the same data sharin
Page 196 and 197:
Figure B-4 illustrates how SAP uses
Page 198 and 199:
OvercommitRatio Virtual Memory vers
Page 200 and 201:
► Set the following z/VM SRM para
Page 202 and 203:
► Separate the SAP private networ
Page 204 and 205:
DB2 10 ZPARMS for SAP Important: Yo
Page 206 and 207:
- SMS constructs and ACS routines -
Page 208 and 209:
Downloading and extracting the web
Page 210 and 211:
PI Process Integration PIT point-in
Page 212 and 213:
SAP Notes Registration required: To
Page 214 and 215:
200 Running SAP Solutions with IBM
Page 216 and 217:
DSNACCOX usage 45 dual-log LG1 and
Page 218 and 219:
untime environment 13 software 162
Page 220 and 221:
206 Running SAP Solutions with IBM
Page 222:
Running SAP Solutions with IBM DB2
show all

Download PDF - IBM Redbooks

Create successful ePaper yourself

Delete template?

Save as template?