Embed Size (px)
DESCRIPTION
SUSE Linux Enterprise Security Hardening Settings for SAP HANA SUSE Firewall for SAP HANA Minimal OS Package Selection
Citation preview
Operating System Security Hardening for SAP HANA
Peter SchinaglTechnical Architect Global SAP Alliance
Markus GürtlerArchitect & Technical Manager SAP Linux Lab
2
Corporate Security
3
SUSE Linux Enterprise ServerSecurity Components
AppArmorfor fine-grained security tuning
Security Certificationslike FIPS, EAL4+, etc.
Security patchesand updates
over the whole product lifecycle
SUSE Firewall2Easy to administer OS firewall
Intrusion Detectionusing AIDE
OS Security Guidecovering all security topics
Linux Audit SystemCAPP-compliant auditing system
+ more
4
Classification of the Hardening Guide
SUSESecurity Guide
OS SecurityHardening Guidefor SAP HANA
SAP HANASecurity Guide
Operating System genericSAP HANA specific
5
Content of the Security Guides
SAP HANA Security Guide
OS Security Hardening Guide for HANA
- Network and Communication Security- User and Role Management- Authentication and Single Sign-On
- Authorization- Storage Security- etc.
Application
OperatingSystem
SUSE Security Guide
- SUSE Security Features- Authentication- Local Security
- AppArmor & SELinux- The Linux Audit Framework- etc.
OperatingSystem
- OS Security Hardening Settings- Local Firewall for HANA- Minimal OS Package Selection
- Update & Patch Strategies- etc.
6
Customized OS Security Hardening for SAP HANA
Security Hardening Settings for HANA
SUSE Firewall for HANA
Minimal OS package selection
SUSE Security Updates
7
Security Hardening SetttingsOverview
• Covers all relevant security topics (see next slide)
• Provides for each setting✔ Detailed description
✔ Possible impact on the system
✔ Implementation priority
• Settings based on a professional Security Audit
• Implemented and tested by a large pilot customer
8
Security Hardening SetttingsCategories
• Authentication Settings→ User login restrictions, password policy, etc.
• System Access Settings→ Local and remote access restrictions
• Networking Settings→ i. e. behavior of the Linux IP stack
• Linux Service permissions→ i. e. disallow of 'at'-jobs
• File permissions→ Access rights of security-critical files
• Logging and Reporting→ Behavior of the system logging, security reports, etc.
9
Security Hardening SetttingsExamples
• Prohibit root login via ssh
• Setup password strengthening
• Adjust sysctl variables (i. e. network settings)
• Adjust default umask
• Change permissions of certain system files
• Forwarding of syslog files to a central syslog server
• Configure user login restrictions via access.conf
• etc.
10
Security Hardening SetttingsDetailed Example: Prohibit login as root via ssh
Description
By default, the user “root” is allowed to remotely log in via ssh. This has two disadvantages: First, root logins are logged, but cannot be associated with a particular user. This is especially a disadvantage if more than one system administrator makes changes on the system. Second, a stolen root password allows an attacker to login directly to the system. Instead of logging in as a normal user first, then doing “su” or a “sudo,” an attacker just requires the root password.
Procedure
Edit /etc/ssh/sshd.conf and set parameter
PermitRootLogin no
Impact
Root no longer can be used to login remotely, so that users are required to use “su” or “sudo” to gain root access when using ssh.
Priority: high
11
SUSE Firewall for SAP HANAOverview
• Local firewall dedicated for SAP HANA
• Predefined service definitions according to “SAP HANA Master Guide”
• Automatic calculation of ports according to SAP HANA Instance Numbers
• Supports multiple HANA systems & instances on one system
• Dropped packages can be logged via syslog
• Easy configuration→ via the file /etc/sysconfig/hana_firewall
• Available as RPM package
12
SUSE Firewall for SAP HANAExample of a Logical Network Diagram with External Firewalls
13
SUSE Firewall for SAP HANAExample of a Physical Network Diagram
14
SUSE Firewall for SAP HANATraffic Flow Example
15
Minimal OS Package SelectionOverview
• The fewer OS packages a HANA system has installed, the less possible security holes it might have
• Just enough Operating System (JeOS) approach not perfect for HANA
• Approached based on middle ground→ Installation patterns “Base System” + “Minimal System” + some additional packages
• Amount of packages reduced to ~550 from ~1200 (SLES standard installation)
• Described in SAP Note #1855805
16
Minimal OS Package SelectionComparison between package selections
Amount of installed packages0
200
400
600
800
1000
1200
1400
SLES Standard InstallationBase + Minimal + additional packagesBase + Minimal
17
SUSE Security Updates
• Security vulnerabilities are found almost every day; Most of them are reported & fixed very quickly
• SUSE constantly provides security updates & patches
• Security updates & patches can be received via the SUSE Linux Enterprise Server update channels
➔ We generally recommend to configure update channels
• Comparison between certain update & patch strategy➔ Best update & patch strategy: Selective installation of only
security updates on a regular basis + installation of remaining updates during maintenance windows
18
Availability of the Hardening Guide
• Download link→ www.suse.com/products/sles-for-sap/resource-library/
• About the Authors→ Developed by Markus Guertler (SUSE @ SAP Linux Lab) and Alexander Bergmann (SUSE Maintenance & Security Team)
• Outlook Additional and improved hardening settings Improvements of the firewall (i. e. automatic detection of installed HANA systems) Further reduction of the minimal set of packages
Unpublished Work of SUSE. All Rights Reserved.This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General DisclaimerThis document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
