OS Security Hardening for SAP HANA


Published on

SUSE Linux Enterprise Security Hardening Settings for SAP HANA
SUSE Firewall for SAP HANA
Minimal OS Package Selection

Published in: Software, Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

OS Security Hardening for SAP HANA

  1. 1. Operating System Security Hardening for SAP HANA Peter Schinagl Technical Architect Global SAP Alliance peters@suse.com Markus Gürtler Architect & Technical Manager SAP Linux Lab mguertler@suse.com
  2. 2. 2 Corporate Security
  3. 3. 3 SUSE Linux Enterprise Server Security Components AppArmor for fine-grained security tuning Security Certifications like FIPS, EAL4+, etc. Security patches and updates over the whole product lifecycle SUSE Firewall2 Easy to administer OS firewall Intrusion Detection using AIDE OS Security Guide covering all security topics Linux Audit System CAPP-compliant auditing system + more
  4. 4. 4 Classification of the Hardening Guide SUSE Security Guide OS Security Hardening Guide for SAP HANA SAP HANA Security Guide Operating System genericSAP HANA specific
  5. 5. 5 Content of the Security Guides SAP HANA Security Guide OS Security Hardening Guide for HANA - Network and Communication Security - User and Role Management - Authentication and Single Sign-On - Authorization - Storage Security - etc. Application Operating System SUSE Security Guide - SUSE Security Features - Authentication - Local Security - AppArmor & SELinux - The Linux Audit Framework - etc. Operating System - OS Security Hardening Settings - Local Firewall for HANA - Minimal OS Package Selection - Update & Patch Strategies - etc.
  6. 6. 6 Customized OS Security Hardening for SAP HANA Security Hardening Settings for HANA SUSE Firewall for HANA Minimal OS package selection SUSE Security Updates
  7. 7. 7 Security Hardening Setttings Overview • Covers all relevant security topics (see next slide) • Provides for each setting ✔ Detailed description ✔ Possible impact on the system ✔ Implementation priority • Settings based on a professional Security Audit • Implemented and tested by a large pilot customer
  8. 8. 8 Security Hardening Setttings Categories • Authentication Settings → User login restrictions, password policy, etc. • System Access Settings → Local and remote access restrictions • Networking Settings → i. e. behavior of the Linux IP stack • Linux Service permissions → i. e. disallow of 'at'-jobs • File permissions → Access rights of security-critical files • Logging and Reporting → Behavior of the system logging, security reports, etc.
  9. 9. 9 Security Hardening Setttings Examples • Prohibit root login via ssh • Setup password strengthening • Adjust sysctl variables (i. e. network settings) • Adjust default umask • Change permissions of certain system files • Forwarding of syslog files to a central syslog server • Configure user login restrictions via access.conf • etc.
  10. 10. 10 Security Hardening Setttings Detailed Example: Prohibit login as root via ssh Description By default, the user “root” is allowed to remotely log in via ssh. This has two disadvantages: First, root logins are logged, but cannot be associated with a particular user. This is especially a disadvantage if more than one system administrator makes changes on the system. Second, a stolen root password allows an attacker to login directly to the system. Instead of logging in as a normal user first, then doing “su” or a “sudo,” an attacker just requires the root password. Procedure Edit /etc/ssh/sshd.conf and set parameter PermitRootLogin no Impact Root no longer can be used to login remotely, so that users are required to use “su” or “sudo” to gain root access when using ssh. Priority: high
  11. 11. 11 SUSE Firewall for SAP HANA Overview • Local firewall dedicated for SAP HANA • Predefined service definitions according to “SAP HANA Master Guide” • Automatic calculation of ports according to SAP HANA Instance Numbers • Supports multiple HANA systems & instances on one system • Dropped packages can be logged via syslog • Easy configuration → via the file /etc/sysconfig/hana_firewall • Available as RPM package
  12. 12. 12 SUSE Firewall for SAP HANA Example of a Logical Network Diagram with External Firewalls
  13. 13. 13 SUSE Firewall for SAP HANA Example of a Physical Network Diagram
  14. 14. 14 SUSE Firewall for SAP HANA Traffic Flow Example
  15. 15. 15 Minimal OS Package Selection Overview • The fewer OS packages a HANA system has installed, the less possible security holes it might have • Just enough Operating System (JeOS) approach not perfect for HANA • Approached based on middle ground → Installation patterns “Base System” + “Minimal System” + some additional packages • Amount of packages reduced to ~550 from ~1200 (SLES standard installation) • Described in SAP Note #1855805
  16. 16. 16 Minimal OS Package Selection Comparison between package selections Amount of installed packages 0 200 400 600 800 1000 1200 1400 SLES Standard Installation Base + Minimal + additional packages Base + Minimal
  17. 17. 17 SUSE Security Updates • Security vulnerabilities are found almost every day; Most of them are reported & fixed very quickly • SUSE constantly provides security updates & patches • Security updates & patches can be received via the SUSE Linux Enterprise Server update channels ➔ We generally recommend to configure update channels • Comparison between certain update & patch strategy ➔ Best update & patch strategy: Selective installation of only security updates on a regular basis + installation of remaining updates during maintenance windows
  18. 18. 18 Availability of the Hardening Guide • Download link → www.suse.com/products/sles-for-sap/resource-library/ • About the Authors → Developed by Markus Guertler (SUSE @ SAP Linux Lab) and Alexander Bergmann (SUSE Maintenance & Security Team) • Outlook Additional and improved hardening settings Improvements of the firewall (i. e. automatic detection of installed HANA systems) Further reduction of the minimal set of packages
  19. 19. Thank you. 19 For more information please look at www.suse.com
  20. 20. Unpublished Work of SUSE. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.