SUSE Linux Enterprise Security Hardening Settings for SAP HANA SUSE Firewall for SAP HANA Minimal OS Package Selection

1. Operating System Security
Hardening for SAP HANA
Peter Schinagl
Technical Architect Global SAP Alliance
peters@suse.com
Markus Gürtler
Architect & Technical Manager SAP Linux Lab
mguertler@suse.com

2. 2
Corporate Security

3. 3
SUSE Linux Enterprise Server
Security Components
AppArmor
for fine-grained security tuning
Security Certifications
like FIPS, EAL4+, etc.
Security patches
and updates
over the whole product lifecycle
SUSE Firewall2
Easy to administer OS firewall
Intrusion Detection
using AIDE
OS Security Guide
covering all security topics
Linux Audit System
CAPP-compliant auditing system
+ more

4. 4
Classification of the Hardening Guide
SUSE
Security Guide
OS Security
Hardening Guide
for SAP HANA
SAP HANA
Security Guide
Operating System genericSAP HANA specific

5. 5
Content of the Security Guides
SAP HANA Security Guide
OS Security Hardening Guide for HANA
- Network and Communication Security
- User and Role Management
- Authentication and Single Sign-On
- Authorization
- Storage Security
- etc.
Application
Operating
System
SUSE Security Guide
- SUSE Security Features
- Authentication
- Local Security
- AppArmor & SELinux
- The Linux Audit Framework
- etc.
Operating
System
- OS Security Hardening Settings
- Local Firewall for HANA
- Minimal OS Package Selection
- Update & Patch Strategies
- etc.

6. 6
Customized OS Security Hardening for
SAP HANA
Security Hardening Settings for HANA
SUSE Firewall for HANA
Minimal OS package selection
SUSE Security Updates

7. 7
Security Hardening Setttings
Overview
• Covers all relevant security topics (see next slide)
• Provides for each setting
✔ Detailed description
✔ Possible impact on the system
✔ Implementation priority
• Settings based on a professional Security Audit
• Implemented and tested by a large pilot customer

8. 8
Security Hardening Setttings
Categories
• Authentication Settings
→ User login restrictions, password policy, etc.
• System Access Settings
→ Local and remote access restrictions
• Networking Settings
→ i. e. behavior of the Linux IP stack
• Linux Service permissions
→ i. e. disallow of 'at'-jobs
• File permissions
→ Access rights of security-critical files
• Logging and Reporting
→ Behavior of the system logging, security reports, etc.

9. 9
Security Hardening Setttings
Examples
• Prohibit root login via ssh
• Setup password strengthening
• Adjust sysctl variables (i. e. network settings)
• Adjust default umask
• Change permissions of certain system files
• Forwarding of syslog files to a central syslog server
• Configure user login restrictions via access.conf
• etc.

10. 10
Security Hardening Setttings
Detailed Example: Prohibit login as root via ssh
Description
By default, the user “root” is allowed to remotely log in via ssh. This has two
disadvantages: First, root logins are logged, but cannot be associated with a
particular user. This is especially a disadvantage if more than one system
administrator makes changes on the system. Second, a stolen root password
allows an attacker to login directly to the system. Instead of logging in as a normal
user first, then doing “su” or a “sudo,” an attacker just requires the root password.
Procedure
Edit /etc/ssh/sshd.conf and set parameter
PermitRootLogin no
Impact
Root no longer can be used to login remotely, so that users are required to use “su”
or “sudo” to gain root access when using ssh.
Priority: high

11. 11
SUSE Firewall for SAP HANA
Overview
• Local firewall dedicated for SAP HANA
• Predefined service definitions according to “SAP
HANA Master Guide”
• Automatic calculation of ports according to SAP HANA
Instance Numbers
• Supports multiple HANA systems & instances on one
system
• Dropped packages can be logged via syslog
• Easy configuration
→ via the file /etc/sysconfig/hana_firewall
• Available as RPM package

12. 12
SUSE Firewall for SAP HANA
Example of a Logical Network Diagram with External Firewalls

13. 13
SUSE Firewall for SAP HANA
Example of a Physical Network Diagram

14. 14
SUSE Firewall for SAP HANA
Traffic Flow Example

15. 15
Minimal OS Package Selection
Overview
• The fewer OS packages a HANA system has installed,
the less possible security holes it might have
• Just enough Operating System (JeOS) approach not
perfect for HANA
• Approached based on middle ground
→ Installation patterns “Base System” + “Minimal
System” + some additional packages
• Amount of packages reduced to ~550 from ~1200
(SLES standard installation)
• Described in SAP Note #1855805

16. 16
Minimal OS Package Selection
Comparison between package selections
Amount of installed packages
0
200
400
600
800
1000
1200
1400
SLES Standard
Installation
Base + Minimal +
additional packages
Base + Minimal

17. 17
SUSE Security Updates
• Security vulnerabilities are found almost every day;
Most of them are reported & fixed very quickly
• SUSE constantly provides security updates & patches
• Security updates & patches can be received via the
SUSE Linux Enterprise Server update channels
➔ We generally recommend to configure update channels
• Comparison between certain update & patch strategy
➔ Best update & patch strategy: Selective installation of only
security updates on a regular basis + installation of remaining
updates during maintenance windows

18. 18
Availability of the Hardening Guide
• Download link
→ www.suse.com/products/sles-for-sap/resource-library/
• About the Authors
→ Developed by Markus Guertler (SUSE @ SAP Linux Lab) and
Alexander Bergmann (SUSE Maintenance & Security Team)
• Outlook
Additional and improved hardening settings
Improvements of the firewall (i. e. automatic detection of
installed HANA systems)
Further reduction of the minimal set of packages

19. Thank you.
19
For more information please
look at
www.suse.com

21. Unpublished Work of SUSE. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE.
Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of
their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated,
abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making
purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document,
and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The
development, release, and timing of features or functionality described for SUSE products remains at the sole
discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at
any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in
this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All
third-party trademarks are the property of their respective owners.