Operating System Security Hardening Guide For SAP HANA For .


SUSE Best Practices

Operating System Security Hardening Guide for SAP HANA for SUSE Linux Enterprise Server 15

SUSE Linux Enterprise Server for SAP Applications 15

Sören Schmidt, SAP Solution Architect, SUSE
Markus Gürtler, Senior Manager SAP Technology Team, SUSE
Alexander Bergmann, Security Engineer, SUSE

This document guides through various hardening methods for SUSE Linux Enterprise Server for SAP Applications to run SAP HANA.

Disclaimer: The articles and individual documents published in the SUSE Best Practices series were contributed voluntarily by SUSE employees and by third parties. If not stated otherwise inside the document, the articles are intended only to be one example of how a particular action could be taken. Also, SUSE cannot verify either that the actions described in the articles do what they claim to do or that they do not have unintended consequences. All information found in this article has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Therefore, we need to specifically state that neither SUSE LLC, its affiliates, the authors, nor the translators may be held liable for possible errors or the consequences thereof.

Publication Date: 2020-09-23

Contents

1 Introduction
2 SUSE Linux Enterprise Security Hardening Settings for HANA
3 SAP HANA Firewall
4 SUSE Remote Disk Encryption
5 Minimal Operating System Package Selection
6 Security Updates
7 Outlook
8 About the Authors
9 Further Information and References
10 Documentation Updates
11 Legal Notice
12 GNU Free Documentation License

1 Introduction

IT security is an essential topic for any organization. Newspapers report frequently about new IT security incidents such as hacked websites, successful Denial-of-Service attacks, or stolen user data like passwords, bank account numbers and other sensitive data.

In addition to the publicly reported attacks, there are also a large number of incidents that are not reported to the public. In particular, these cases are often related to espionage, where the affected party has no interest in reporting an incident. Security experts agree that, for protecting sensitive data, an organization must have a comprehensive security concept in place, taking all eventualities into account that can potentially lead to security risks. This starts with proper setup policies, like password and data protection policies for users and system administrators. It continues with a protected IT environment using for example firewalls, VPNs, and SSL in communication protocols. And it ends with hardened servers, intrusion detection systems, data encryption and automated security reporting. Additionally, many organizations perform security audits on a regular basis to ensure a maximum of security in their IT

FIGURE 1: ELEMENTS OF A CORPORATE IT SECURITY (labels: Audits, Application and OS Security, Patch Strategy)

Comprehensive security concepts usually pay high attention to database systems, since databases belong to the most critical components in any IT environment. Database systems that potentially store sensitive data are by nature very popular targets for hackers and must therefore be protected. SAP HANA systems typically store business related information and are considered as being business critical. This is especially the case for ERP systems using SAP HANA. In addition, many other SAP applications using SAP HANA, like BW systems, may store sensitive data.

1.1 Security for SAP HANA

SAP takes the security topic very seriously. For SAP HANA, there is a comprehensive security guide available. This guide describes in detail how to protect HANA from a database perspective. It can be accessed at http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf . The guide also refers to security concepts for other connecting layers that are separate from the SAP HANA system, for example the network and storage layer. However, these topics are described only generically. There is no specific guidance on how to apply these recommendations on the operating system level.

1.2 Security for SUSE Linux Enterprise Server

The security of the underlying operating system is at least as important as the security of the SAP HANA database. Many hacker attacks target the operating system to gain access and sufficient privileges to attack the running database application. SUSE Linux Enterprise Server is the recommended and supported operating system for SAP HANA. SUSE has a long-running history in IT security for Linux operating systems. The company offers a comprehensive security package for SUSE Linux Enterprise Server to protect systems from all kinds of security incidents. This package consists of the following components:

Security certifications
SUSE Linux Enterprise Server 12 has been awarded many important security certifications, such as the FIPS (Federal Information Processing Standard) 140-2 validation, or the Common Criteria EAL4 certificate. Currently we are in the process of achieving the same for SUSE Linux Enterprise Server 15. For details visit ns/.

Security updates and patches

SUSE constantly provides security updates and patches for their SUSE Linux Enterprise operating systems and guarantees highest security standards during the entire product lifecycle.

Documentation
SUSE has published a Hardening Guide and a Security Guide that describe the security concepts and features of SUSE Linux Enterprise Server 15. These guides provide generic security and hardening information valid for all workloads, not just for SAP HANA. For more details ty.html

FIGURE 2: SECURITY COMPONENTS OF SUSE LINUX ENTERPRISE SERVER (components shown: security patches and updates over the whole product lifecycle; AppArmor for fine-grained security tuning; intrusion detection using AIDE; Linux Audit System, a CAPP-compliant auditing system; security certifications like FIPS, EAL4, etc.; firewalld, an easy to administer OS firewall; OS Security Guide covering all security topics)

1.3 About This Document

To further improve the security level specifically for SAP HANA, SUSE provides the document at hand. It focuses on the security hardening of SUSE Linux Enterprise Server 15 running SAP HANA databases to fill the gap between the Security Guide for SUSE Linux Enterprise Server, the Hardening Guide for SUSE Linux Enterprise Server, and the SAP HANA Security Guide. The Hardening Guide for SUSE Linux Enterprise Server contains some of the recommendations found here, but also additional recommendations. Most of the recommendations can be applied to an SAP HANA installation after careful review and testing. SUSE collaborated with a large pilot customer to identify all relevant security settings and to avoid problems in real world scenarios. Also, SUSE and SAP are constantly cooperating in the SAP Linux Lab to provide the best compatibility with SAP HANA.

FIGURE 3: THE FIVE MAIN TOPICS OF THE OS SECURITY HARDENING FOR HANA (Security Hardening Settings for HANA; SUSE Firewall for HANA; Remote Disk Encryption; Minimal OS Package Selection; Security Updates & Patches)

The guide at hand provides detailed descriptions on the following topics:

Security hardening settings for SAP HANA systems
The Linux operating system provides many tweaks and settings to further improve the operating system security and the security for the hosted applications. To be able to fit for certain application workloads, the default settings are not tuned for maximum security.

This guide describes how to tune the operating system for maximum security when running SAP HANA specifically. In addition, it describes possible impacts, for example on system administration, and gives a prioritization of each setting.

Local firewall for SAP HANA
SUSE has developed a dedicated local firewall for SAP HANA systems to improve the network security of SAP HANA. This is done by only selectively opening network ports on external network interfaces that are really needed either by SAP HANA or other services. All remaining network ports are closed. The firewall has a broad range of features and is easy to configure. It is available as RPM package and can be downloaded from SUSE.

Remote Disk Encryption
Starting with SUSE Linux Enterprise Server for SAP Applications 12 SP2, SUSE introduced a new feature called Remote Disk Encryption. Classical Disk Encryption, available for years, always required a passphrase being entered during boot. That prevented its use in many setups because each boot needed a manual step. Remote Disk Encryption removes this manual step as it allows the encryption keys to be stored safely on a remote key server and to be automatically used during system boot.

Minimal package selection
The fewer operating system packages an SAP HANA system has installed, the fewer possible security holes it should have. Following that principle, this guide describes which packages are absolutely necessary and which packages can be safely discarded. As a positive side effect, a minimized number of packages also reduces the number of updates and patches that have to be applied to a system.

Security updates & patches
Open source software is frequently reviewed and tested for security vulnerabilities by open source developers, security engineers from the open source community, security companies and, of course, by the hackers. When a vulnerability has been found and reported, it is published in security advisories and usually gets fixed very quickly. SUSE constantly provides security updates and patches for all supported packages on SUSE Linux Enterprise Server. This chapter explains which update and patch strategies are the best. It also details how to configure SUSE Linux Enterprise Server to frequently receive all relevant security updates.

In short, this guide covers all important topics in detail that are relevant for the operating system hardening of an SAP HANA system. Combining them with the other security features of SUSE Linux Enterprise Server 15, like the security certifications and the constantly provided security updates and patches, SAP HANA can run in a highly secure environment. This ensures that the implementation meets the security standards and corporate security concepts required by organizations of all sizes.

FIGURE 4: SAP HANA AND OPERATING SYSTEM SECURITY (Application layer, SAP HANA Security Guide: Network and Communication Security; User and Role Management; Authentication and Single Sign-On; Authorization; Storage Security; etc. Operating system layer, OS Security Hardening Guide for HANA: OS Security Hardening Settings; Local Firewall for HANA; Remote Disk Encryption; Minimal OS Package Selection; Update & Patch Strategies; etc.)

2 SUSE Linux Enterprise Security Hardening Settings for HANA

2.1 Introduction to Linux Security Hardening

SUSE Linux Enterprise Server already provides a high level of security with the standard installation. However, the standard security settings are generic, because they have to fit all possible Linux server workloads. Also, many security settings have impacts on the comfort of the system administration and possibly on the users of the system. Therefore, the SUSE Linux Enterprise Server standard security settings provide a good tradeoff between compatibility with all workloads, administrative comfort and a secure operating system environment.

SAP HANA is a very special workload with clearly defined requirements. For such a workload it is possible to have a more restrictive security configuration compared to the standard configuration. The goal of this guide is to strengthen the security configuration without affecting the compatibility with SAP HANA.

While security hardening results in higher security, it usually comes with the drawback of less administrative comfort and system functionality. This is a fact that every system administrator should be aware of. However, a system configured more restrictively can also provide a better level of protection and a lower risk of successful attacks. In many cases, company security policies, guidelines, or security audits force very high security standards which automatically result in systems configured more restrictively. The Linux operating system has many tweaks and settings that can improve the overall security of the operating system and its applications. These settings can be summarized in the following categories:

Authentication settings
Define for example who is allowed to login, the exact password policy, etc.

System access settings
Define which users are allowed to access the system locally and remotely using different login mechanisms (for example local logins via console TTY or remote logins via SSH)

Network settings
Define how certain layers of the network stack behave, for example the IP layer, or the TCP/UDP layer

Service permissions
Define the permissions of certain system services, for example disabling 'at' jobs

File permissions
Define the file access rights of certain security-critical system files

Logging & reporting
Change the behavior of the system logging, syslog forwarding to a central syslog server, automatic creation of reports (such as security reports) and forwarding of security-relevant information via email

2.2 Hardening Settings for SAP HANA Systems

Important
The measures in this chapter are described for the x86 architecture (AMD64/Intel 64), but apply for the POWER architecture as well. Because of the differences in the hardware, it might be necessary to adapt them accordingly (different device names, etc.). Also, the graphical user interface is not covered. Running a GUI on a secure server should be avoided.

The following hardening settings improve the security of SUSE Linux Enterprise Server systems running an SAP HANA database. These settings are based on the recommendations of a security audit, which was performed on a SUSE Linux Enterprise Server standard installation, running an SAP HANA database.

Note
Read the SUSE Linux Enterprise Server Security Guide and the SUSE Linux Enterprise Server Hardening Guide for additional measures (see https://documentation.suse.com/ ; choose "SUSE Linux Enterprise Server" instead of "SUSE Linux Enterprise Server for SAP Applications").

For each setting, the following details are provided:

Description: Details of the setting
Procedure: How to apply the setting
Impact: Possible impact for system administrators or users
Priority: High, Medium, Low

Based on the impact of a particular setting, a system administrator or a security engineer can decide if the loss of administrative comfort is worth the gain in security.

The prioritization can be used to help decide which settings should be applied to meet security requirements. High priority settings should be applied where possible, whereas low priority settings can be treated as optional.

Important
Disclaimer: We strongly recommend executing all described hardening settings on a non-productive (such as a DEV or QA) system first. We also recommend backing up the system before making any changes. If btrfs/snapper is being used, creating a snapshot of the root file system is advised. Furthermore, we recommend testing the functionality of SAP HANA and all related applications and services after applying the settings. Since SAP HANA installations, use cases, hardware and installed services are likely to be different from the test audit, it cannot be guaranteed that all settings work correctly. It cannot even be completely excluded that they potentially have a negative impact on the functionality of the system.

If it is not possible to test the settings on a non-productive system, the changes should only be made within a maintenance window. The maintenance window should provide enough time for a proper system functionality test, or for restoring the system if necessary.

2.2.1 Installing SUSE Security Checker

Description
The SUSE security checker ( seccheck ) performs certain security checks, executed via cron jobs, on a regular basis, and generates reports. These reports are usually forwarded via email to root. More details about seccheck can be found in the file /usr/share/doc/packages/seccheck/README or at tml/book hardening/book hardening.html#sec.sec prot.general.seccheck.

Important
The password check is not done because the password-cracking software tool john is not available on SUSE Linux Enterprise Server. The check would fail silently.

Procedure
Install package seccheck :

    zypper in seccheck

Impact
Daily and weekly reports via email to the root user.
Requires properly set up email forwarding.

Priority
Medium

2.2.2 Configuring Mail Forwarding for Root User

Description
To receive information about the security relevant changes and incidents, it is strongly recommended to enable email forwarding for the user root to a dedicated email account for the collection of system mails.

Procedure
1. Install 'Yast2-mail':

    zypper in yast2-mail

2. Start the 'YaST' mail module:

    yast mail

3. Choose 'Permanent' as connection type.
4. Enter the address of the internal mail gateway as outgoing mail server and configure authentication if required.
5. Do NOT enable 'accept external SMTP connections'.
6. Enter the email address to forward the root emails (this is typically a dedicated system mail collection account).
7. Save the settings.
8. Test the settings with:

    mail root
    subject: test
    test
    .

9. Verify that the email has been delivered with the command mailq .

Impact
Requires an accessible SMTP server.
Requires somebody who regularly checks the mails of the 'root' user.

Priority
High

2.2.3 Forwarding Syslog Files to a Central Syslog Server

Description
Log files should be forwarded from an SAP HANA node to a central syslog server. This prevents syslog files from being manipulated by an attacker. In addition, it allows administrators to have a central view on the syslog files.

Procedure
This procedure explains a basic syslog forwarding setup. For a more sophisticated setup consult the RSyslog manual at al .

On the target syslog server (running SUSE Linux Enterprise Server 15)

1. Edit /etc/rsyslog.d/remote.conf
2. Uncomment the following lines in the 'UDP Syslog server' or 'TCP Syslog Server' block of the configuration file and enter the IP address and port of the interface on which rsyslogd shall listen:

    TCP example
    $ModLoad imtcp.so
    $UDPServerAddress ip
    $InputTCPServerRun port

    UDP example
    $ModLoad imudp.so
    $UDPServerAddress ip
    $UDPServerRun port

3. Restart rsyslog :

    systemctl restart rsyslog.service

On the SAP HANA node

1. Edit /etc/rsyslog.d/remote.conf
2. Uncomment the appropriate line (TCP or UDP) and replace 'remote-host' with the address
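
A way to verify the forwarding setup from section 2.2.3 after editing the files, given here as an added example that is not part of the SUSE guide. It assumes the standard rsyslog rule syntax (an action of @host for UDP, @@host for TCP) and the legacy listener directives shown above; the function names, the sample file contents and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the SUSE guide): audit rsyslog forwarding settings.

# Client side (SAP HANA node): report the first active forwarding rule.
# Prints "tcp:<target>", "udp:<target>", "placeholder" or "none".
check_forwarding() {
    awk '
        $1 ~ /^#/ || NF < 2 { next }      # skip comments and non-rule lines
        $2 ~ /^@/ {                       # action "@host" (UDP) or "@@host" (TCP)
            proto = ($2 ~ /^@@/) ? "tcp" : "udp"
            target = $2
            sub(/^@+/, "", target)
            if (target == "") next
            # The line was uncommented but "remote-host" was never replaced.
            if (target == "remote-host" || index(target, "remote-host:") == 1)
                print "placeholder"
            else
                print proto ":" target
            found = 1
            exit
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Server side (central syslog server): list active listener directives
# as "tcp:<port>" / "udp:<port>", or "none" if every line is still commented.
check_listener() {
    awk '
        $1 == "$InputTCPServerRun" && NF >= 2 { print "tcp:" $2; n++ }
        $1 == "$UDPServerRun"      && NF >= 2 { print "udp:" $2; n++ }
        END { if (!n) print "none" }
    ' "$1"
}

# Constructed sample files; on a real system pass /etc/rsyslog.d/remote.conf.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# TCP forwarding' '#*.* @@remote-host' > "$dir/untouched.conf"
    printf '%s\n' '*.* @@remote-host' > "$dir/placeholder.conf"
    printf '%s\n' '*.* @@192.0.2.10:514' > "$dir/client.conf"
    printf '%s\n' '$ModLoad imtcp.so' '$InputTCPServerRun 514' \
        '#$UDPServerRun 514' > "$dir/server.conf"
    for f in untouched placeholder client; do
        printf '%-12s %s\n' "$f" "$(check_forwarding "$dir/$f.conf")"
    done
    printf '%-12s %s\n' server "$(check_listener "$dir/server.conf")"
    rm -rf "$dir"
}
demo
```

A result of "none" or "placeholder" on the SAP HANA node means no log lines leave the host, so local syslog files remain the only copy.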
