Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Configuring fapolicyd to allow only SAP HANA executables

Red Hat Enterprise Linux for SAP Solutions 9

Red Hat Customer Content Services

Abstract

Configure this policy to secure the environment for running SAP HANA against local and remote intrusion, exploitation, and malicious activity.

Making open source more inclusive
Copy link

Red Hat is committed to replacing problematic language in our code and documentation. We are beginning with these four terms: master, slave, blacklist, and whitelist. Due to the enormity of this endeavor, these changes will be gradually implemented over upcoming releases. For more details on making our language more inclusive, see our CTO Chris Wright’s message.

Providing feedback on Red Hat documentation
Copy link

We appreciate your feedback on our documentation. Let us know how we can improve it.

Submitting feedback through Jira (account required)

  1. Make sure you are logged in to the Jira website.
  2. Click on this link to provide feedback.
  3. Enter a descriptive title in the Summary field.
  4. Enter your suggestion for improvement in the Description field. Include links to the relevant parts of the documentation.
  5. Click Create at the bottom of the dialogue.

Chapter 1. Introduction to fapolicyd
Copy link

The fapolicyd software framework controls the execution of applications based on a user-defined policy. This is one of the most efficient ways to prevent running untrusted and possibly malicious applications on the system. For more information, refer to Blocking and allowing applications by using fapolicyd in the Security hardening guide for RHEL 9.

Note

The procedures described below put all detected SAP HANA executables into fapolicyd trust files, which contain all names, sizes, and checksums of trusted files. SAP HANA binaries and shell scripts can only be executed if they are contained in the fapolicyd trust files. So, if you execute SAP HANA binaries or shell scripts that are not contained in the fapolicyd trust files, undesirable effects, including corruption or loss of data, could happen. You must carefully test all the steps and do proper verification on a non-production system first.

You can perform the following steps to protect a SAP HANA installation:

  • Installing the fapolicyd package.
  • Setting the integrity checking to sha256 hashes.
  • Adding custom fapolicyd rules to protect shell scripts.
  • Marking the SAP HANA files as trusted.
  • Enabling the fapolicyd service.

2.1. Installing the fapolicyd package
Copy link

Procedure

  • Install the fapolicyd package: 

    # dnf install fapolicyd
    Copy to Clipboard Toggle word wrap

Verification

  • Use the following command to verify that the fapolicyd service is installed but not currently running: 

    # systemctl status fapolicyd
● fapolicyd.service - File Access Policy Daemon
   Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Fri 2024-04-19 14:59:52 CEST; 1s ago
...
Apr 19 14:59:51 host01 fapolicyd[337927]: shutting down...
Apr 19 14:59:51 host01 systemd[1]: Stopping File Access Policy Daemon...
Apr 19 14:59:52 host01 systemd[1]: fapolicyd.service: Succeeded.Apr 19 14:59:52 host01 systemd[1]: Stopped File Access Policy Daemon.
    Copy to Clipboard Toggle word wrap

By default, fapolicyd verifies the file names when deciding if an application has to be blocked from execution. You can modify this setting to sha256 for a higher level of protection.

Prerequisites

  • The fapolicyd package is installed on your system.

Procedure

  1. Open the /etc/fapolicyd/fapolicyd.conf file in a text editor of your choice, for example: 

    # vi /etc/fapolicyd/fapolicyd.conf
    Copy to Clipboard Toggle word wrap

  2. Configure the integrity option and change the default value of none to sha256:integrity = sha256.

    For the change to become effective, you need to restart the fapolicyd service. Do not restart the fapolicyd now, as you have to make more changes to the fapolicyd configuration.

Verification

  • Verify the correct entry: 

    # fapolicyd-cli --check-config
Daemon config is OK
    Copy to Clipboard Toggle word wrap

The SAP HANA benchmark was tested on RHEL 9.2. While doing so, initially fapolicyd was disabled and then enabled to evaluate the performance implications of fapolicyd. To allow the tests to run, a total of 19,184 entries were added to the fapolicyd trust files. In 99% of the tests, the performance impact was 5% or less, with the vast majority of the tests experiencing a slowdown of 1-3%.

However, certain workloads may experience a higher performance penalty. Therefore, you must thoroughly evaluate performance within your specific environment to identify potential impacts accurately.

By default, fapolicyd blocks binary executable files and certain programs (e.g., Python) from being executed. To also protect shell scripts in the SAP HANA installation directories, you have to add new custom rules.

Prerequisites

  • The fapolicyd package is installed on your system.

Procedure

  1. Change to the directory /etc/fapolicyd/rules.d.

  2. Add a new file with a file name starting with 71 (proposed file name: 71-sap-shellscript.rules) so the rule is placed between the rules of the files 70-trusted-lang.rules and 72-shell.rules, with the following content: 

    # Deny shell script execution and sourcing under SAP HANA directories deny_audit perm=any all : ftype=text/x-shellscript dir=/hana/,/usr/sap/ trust=0
    Copy to Clipboard Toggle word wrap

  3. Set the ownership of the file to those of the other files in /etc/fapolicyd/rules.d: 

    # chown root:fapolicyd 71-sap-shellscript.rules
    Copy to Clipboard Toggle word wrap

  4. Use the following commands to confirm that new rules have been defined, and then load the new rules: 

    # fagenrules --check
/usr/sbin/fagenrules: Rules have changed and should be updated
# fagenrules --load
    Copy to Clipboard Toggle word wrap

Verification

  • Verify that the rules are updated: 

    # fagenrules --check
/usr/sbin/fagenrules: No change
    Copy to Clipboard Toggle word wrap

2.4. Marking the SAP HANA files as trusted
Copy link

Prerequisite

  • The fapolicyd package is installed on your system.

Procedure

  1. Install the SAP HANA software if not already done.

  2. Use the following commands to add all the SAP HANA files to the fapolicyd trust database. We recommend using a separate trust file for each directory tree, for example, hana and usr_sap: 

    # fapolicyd-cli --file add /hana --trust-file hana
# fapolicyd-cli --file add /usr/sap --trust-file usr_sap
    Copy to Clipboard Toggle word wrap

    This creates two files, named hana and usr_sap, in the directory /etc/fapolicyd/trust.d, which contains entries for all files under /hana and /usr/sap.

  3. For an SAP HANA installation on a freshly installed RHEL system, the SAP HANA installer creates the directories /hana and /usr/sap, so we can trust that all the files in these directories are valid SAP files.

    In any other case, there might be files in those directories that the SAP HANA installer has not created.

    Therefore, you should carefully verify that all the files in the trust files /etc/fapolicyd/trust.d/hana and /etc/fapolicyd/trust.d/usr_sap are valid SAP files. One of the possible ways is explained below:

    1. Perform a fresh SAP HANA installation on another freshly installed RHEL system.
    2. Repeat step 2 on that system.
    3. Compare the resulting trust files of both systems.

2.5. Enabling the fapolicyd service
Copy link

Prerequisites

  • The fapolicyd package is installed and not currently running on your system.
  • You have completed all the previous steps.

Procedure

  • Enable and start the fapolicyd service: 

    # systemctl enable --now fapolicyd
    Copy to Clipboard Toggle word wrap
  • The fapolicyd service now protects the SAP HANA system. Scripts and binaries in /hana or /usr/sap that are not in the fapolicyd trust files are blocked, and non-root users cannot execute these files.

Verification

  1. Verify that the fapolicyd service is up and running: 

    # systemctl status fapolicyd
● fapolicyd.service - File Access Policy Daemon
     Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; preset: disabled)
     Active: active (running) since Thu 2024-03-14 16:38:32 IST; 18h ago
...
Mar 14 16:38:33 host01 fapolicyd[579216]: Trust database checks OK
Mar 14 16:38:33 host01 fapolicyd[579216]: Starting to listen for events
    Copy to Clipboard Toggle word wrap

  2. Verify that the non-root users, including the SAP HANA administrator user (example: h70adm), cannot execute any new scripts and binary programs in /hana and /usr/sap: 

    # cp -pi /usr/bin/date /hana/
# su - h70adm
h70adm@host01:/usr/sap/H70/HDB35> /hana/date
-sh: /hana/date: Operation not permitted
h70adm@host01:/usr/sap/H70/HDB35> cat > try-to-start-me.sh
#!/bin/bash
echo "I will not execute."
<ctrl>d
h70adm@host01:/usr/sap/H70/HDB35> chmod u+x try-to-start-me.sh
h70adm@host01:/usr/sap/H70/HDB35> ./try-to-start-me.sh
-sh: ./try-to-start-me.sh: Operation not permitted
h70adm@host01:/usr/sap/H70/HDB35> rm try-to-start-me.sh
h70adm@host01:/usr/sap/H70/HDB35> exit
# rm /hana/date
rm: remove regular file '/hana/date'? y
    Copy to Clipboard Toggle word wrap

Prerequisites

  • The fapolicyd package is installed on your system.
  • You have verified that there are no new executables in the SAP HANA software directories, so you do not accidentally add software from unknown sources. For more information, refer to Marking the SAP HANA files as trusted.

Procedure

  1. Stop fapolicyd before performing the SAP HANA software update: 

    # systemctl stop fapolicyd
    Copy to Clipboard Toggle word wrap
  2. Create a backup of the existing fapolicyd trust files /etc/fapolicyd/trust.d/hana and /etc/fapolicyd/trust.d/usr_sap, and then remove these files.
  3. Perform the SAP HANA software update.
  4. Repeat procedure section’s step 2 of Marking the SAP HANA files as trusted, to recreate the fapolicyd trust files for SAP HANA.

  5. Start fapolicyd: 

    # systemctl start fapolicyd
    Copy to Clipboard Toggle word wrap

For diagnosing issues related to fapolicyd, you can:

  • check the file /var/log/fapolicyd-access.log for fapolicyd access statistics, and/or,
  • run fapolicyd in debug mode.

For more information on diagnosing fapolicyd related issues, refer to Troubleshooting problems related to fapolicyd.

Chapter 5. Additional information
Copy link

  • After adding more files to the fapolicyd trust file, use the following command to update the fapolicyd database: 

    # fapolicyd-cli --update
    Copy to Clipboard Toggle word wrap

  • After removing entries from the fapolicyd trust file, you have to restart fapolicyd instead: 

    # systemctl restart fapolicyd
    Copy to Clipboard Toggle word wrap

Legal Notice
Copy link

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top