Operating System Security Hardening for SAP HANA




Operating System Security Hardening for SAP HANA
Peter Schinagl, Technical Architect Global SAP Alliance, peters@suse.com
Markus Gürtler, Architect & Technical Manager SAP Linux Lab, mguertler@suse.com

Corporate Security

SUSE Linux Enterprise Server Security Components
- Security patches and updates over the whole product lifecycle
- Security certifications like FIPS, EAL4+, etc.
- AppArmor for fine-grained security tuning
- SUSE Firewall2: easy to administer OS firewall
- Intrusion detection using AIDE
- OS Security Guide covering all security topics
- Linux Audit System: CAPP-compliant auditing system
- + more

Classification of the Hardening Guide
The three guides cover a spectrum from SAP HANA specific to operating system generic:
- SAP HANA Security Guide (SAP HANA specific)
- OS Security Hardening Guide for SAP HANA
- SUSE Security Guide (operating system generic)

Content of the Security Guides
SAP HANA Security Guide (application level):
- Network and Communication Security
- User and Role Management
- Authentication and Single Sign-On
- Authorization
- Storage Security
- etc.
OS Security Hardening Guide for HANA (operating system level):
- OS Security Hardening Settings
- Local Firewall for HANA
- Minimal OS Package Selection
- Update & Patch Strategies
- etc.
SUSE Security Guide (operating system level):
- SUSE Security Features
- Authentication
- Local Security
- AppArmor & SELinux
- The Linux Audit Framework
- etc.

Customized OS Security Hardening for SAP HANA
- Security Hardening Settings for HANA
- SUSE Firewall for HANA
- Minimal OS package selection
- SUSE Security Updates

Security Hardening Settings: Overview
- Covers all relevant security topics (see next slide)
- Provides for each setting: a detailed description, the possible impact on the system, and an implementation priority
- Settings based on a professional security audit
- Implemented and tested by a large pilot customer

Security Hardening Settings: Categories
- Authentication settings: user login restrictions, password policy, etc.
- System access settings: local and remote access restrictions
- Networking settings: e.g. behaviour of the Linux IP stack
- Linux service permissions: e.g. disallowing 'at' jobs
- File permissions: access rights of security-critical files
- Logging and reporting: behaviour of the system logging, security reports, etc.

Security Hardening Settings: Examples
- Prohibit root login via ssh
- Set up password strengthening
- Adjust sysctl variables (e.g. network settings)
- Adjust the default umask
- Change permissions of certain system files
- Forward syslog messages to a central syslog server
- Configure user login restrictions via access.conf
- etc.

Security Hardening Settings: Detailed Example: Prohibit login as root via ssh

Description
By default, the user root is allowed to log in remotely via ssh. This has two disadvantages. First, root logins are logged, but cannot be associated with a particular person; this is especially a problem if more than one system administrator makes changes on the system. Second, a stolen root password allows an attacker to log in to the system directly. Instead of logging in as a normal user first and then using su or sudo, the attacker only needs the root password.

Procedure
Edit /etc/ssh/sshd_config and set the parameter
PermitRootLogin no
then reload or restart sshd so that the change takes effect.

Impact
root can no longer be used to log in remotely, so users have to use su or sudo to gain root privileges after logging in via ssh. Note that this setting also blocks key-based root logins, so any scripts or tools that rely on direct root ssh access to the system must be adapted.

Priority: high
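The check and the change described above, as an added example that is not part of the SUSE hardening guide. It works on any sshd_config-style file and assumes sshd_config semantics (keywords are case-insensitive, '#' starts a comment, the first occurrence of a keyword wins, and a keyword inside a "Match" block applies only to that block) and the historical OpenSSH default of root login being allowed when PermitRootLogin is absent, which is the situation the slide describes. The live path /etc/ssh/sshd_config is only used when the script is run with --check.

```shell
#!/bin/sh
# Added example, not code from the SUSE hardening guide. Audits and applies
# the "PermitRootLogin no" setting in an sshd_config-style file.
# Assumptions: sshd_config syntax (case-insensitive keywords, '#' comments,
# first occurrence of a keyword wins, keywords after "Match" are
# conditional) and the historical default "yes" when the keyword is absent.

# permit_root_login_value FILE -> prints the effective global value
permit_root_login_value() {
    # strip comments; stop at the first Match block, since anything after
    # it is conditional and does not change the global setting
    v=$(sed -e 's/#.*//' "$1" |
        awk 'tolower($1)=="match" {exit}
             tolower($1)=="permitrootlogin" {print tolower($2); exit}')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'yes\n'; fi
}

# is_root_ssh_hardened FILE -> 0 if root cannot log in via ssh at all,
# 1 otherwise ("prohibit-password" / "without-password" still allow
# key-based root login and are therefore reported as not fully hardened)
is_root_ssh_hardened() {
    [ "$(permit_root_login_value "$1")" = "no" ]
}

# harden_sshd_config FILE -> rewrites FILE in place: existing global
# PermitRootLogin lines are commented out and "PermitRootLogin no" is put
# at the top, so it is the first occurrence and precedes any Match block
# (simply appending it at the end could land inside a Match block)
harden_sshd_config() {
    f=$1
    tmp="$f.hardening.tmp"
    {
        printf 'PermitRootLogin no\n'
        awk 'tolower($1)=="match" {inmatch=1}
             !inmatch && tolower($1)=="permitrootlogin" {
                 print "#" $0 "   # disabled by hardening"; next }
             {print}' "$f"
    } > "$tmp" && mv "$tmp" "$f"
}

# Stand-alone usage: ./check_root_ssh.sh --check [FILE]
# (FILE defaults to the assumed live path /etc/ssh/sshd_config)
if [ "${1:-}" = "--check" ]; then
    f=${2:-/etc/ssh/sshd_config}
    printf 'PermitRootLogin: %s\n' "$(permit_root_login_value "$f")"
    if is_root_ssh_hardened "$f"; then echo hardened; else echo NOT hardened; fi
fi
```

After changing the file, validate it with `sshd -t` before reloading the daemon (on systemd-based SLES 12: `systemctl restart sshd`), and keep an existing ssh session open until a fresh login with su or sudo has been confirmed to work.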

SUSE Firewall for SAP HANA: Overview
- Local firewall dedicated to SAP HANA
- Predefined service definitions according to the SAP HANA Master Guide
- Automatic calculation of ports according to the SAP HANA instance numbers
- Supports multiple HANA systems and instances on one host
- Dropped packets can be logged via syslog
- Easy configuration via the file /etc/sysconfig/hana_firewall
- Available as an RPM package
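To show what "automatic calculation of ports according to the instance number" and "logging of dropped packets" mean in practice, here is an added example. It is not the SUSE hana_firewall package and does not use its configuration syntax; it derives a small set of per-instance TCP ports from the SAP HANA port convention (NN = two-digit instance number: 3NN13 and 3NN15 for the database SQL ports, 5NN13/5NN14 for sapstartsrv) and prints plain iptables rules with a rate-limited LOG rule before the final DROP. The port list, chain name HANA_IN, interface and source network are assumptions for illustration; the rules are printed, not applied.

```shell
#!/bin/sh
# Added example, not the SUSE hana_firewall package. Derives HANA TCP ports
# from the instance number and prints iptables rules that allow them from
# one client network, log everything else via syslog, then drop it.
# Assumed port convention (NN = instance number): 3NN13, 3NN15 (SQL),
# 5NN13, 5NN14 (sapstartsrv HTTP/HTTPS). Chain name HANA_IN is assumed.

# hana_instance_ports NN -> prints the ports of one instance, one per line;
# fails on anything but a two-digit instance number ("7" is rejected,
# "07" is accepted), because a malformed number would silently open
# wrong ports
hana_instance_ports() {
    nn=$1
    case "$nn" in
        [0-9][0-9]) ;;
        *) echo "invalid HANA instance number: '$nn' (expected NN)" >&2; return 1 ;;
    esac
    printf '%s\n' "3${nn}13" "3${nn}15" "5${nn}13" "5${nn}14"
}

# hana_firewall_rules IFACE SOURCE_CIDR NN... -> prints (does not run)
# iptables commands for a dedicated chain: one ACCEPT per instance port,
# a rate-limited LOG of everything else, then DROP. Supports several
# instances on one host, as the slide describes.
hana_firewall_rules() {
    iface=$1; src=$2; shift 2
    rules="iptables -N HANA_IN"
    for nn in "$@"; do
        ports=$(hana_instance_ports "$nn") || return 1
        for p in $ports; do
            rules="$rules
iptables -A HANA_IN -i $iface -s $src -p tcp --dport $p -j ACCEPT"
        done
    done
    # rate limit the LOG rule so a port scan cannot flood syslog
    rules="$rules
iptables -A HANA_IN -m limit --limit 5/min -j LOG --log-prefix \"hana_fw drop: \"
iptables -A HANA_IN -j DROP"
    printf '%s\n' "$rules"
}

# Stand-alone usage: print rules for instances 00 and 42 reachable from
# the (assumed) application server network 10.0.0.0/24 on eth0
[ "${1:-}" = "--demo" ] && hana_firewall_rules eth0 10.0.0.0/24 00 42
```

The generated chain still has to be hooked into INPUT (for example `iptables -A INPUT -j HANA_IN` after the rules that accept established connections and administrative ssh), otherwise the DROP at its end would never be reached; the example deliberately leaves that wiring to the operator.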

SUSE Firewall for SAP HANA: Example of a Logical Network Diagram with External Firewalls (diagram not reproduced)

SUSE Firewall for SAP HANA: Example of a Physical Network Diagram (diagram not reproduced)

SUSE Firewall for SAP HANA: Traffic Flow Example (diagram not reproduced)

Minimal OS Package Selection: Overview
- The fewer OS packages a HANA system has installed, the smaller its attack surface and the fewer potential security holes it has
- A pure Just enough Operating System (JeOS) approach is not perfect for HANA
- The approach is therefore based on a middle ground
- Installation patterns: Base System + Minimal System + some additional packages
- Number of packages reduced to ~550 from ~1200 (SLES standard installation)
- Described in SAP Note #1855805

Minimal OS Package Selection: Comparison between package selections
[Chart: number of installed packages for the SLES Standard Installation (~1200), Base + Minimal + additional packages (~550), and Base + Minimal]

SUSE Security Updates
- Security vulnerabilities are found almost every day; most of them are reported and fixed very quickly
- SUSE constantly provides security updates and patches
- Security updates and patches can be received via the SUSE Linux Enterprise Server update channels; we generally recommend configuring the update channels
- Comparison between different update and patch strategies
- Best update and patch strategy: selective installation of only security updates on a regular basis, plus installation of the remaining updates during maintenance windows

Availability of the Hardening Guide
Download link: www.suse.com/products/sles-for-sap/resource-library/

About the Authors
Developed by Markus Guertler (SUSE @ SAP Linux Lab) and Alexander Bergmann (SUSE Maintenance & Security Team)

Outlook
- Additional and improved hardening settings
- Improvements of the firewall (e.g. automatic detection of installed HANA systems)
- Further reduction of the minimal set of packages

For more information please look at www.suse.com. Thank you.

Unpublished Work of SUSE. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.