Chapter 2. Protecting SAP HANA installation by using fapolicyd
You can perform the following steps to protect an SAP HANA installation:
- Installing the fapolicyd package.
- Setting the integrity checking to SHA-256 hashes.
- Adding custom fapolicyd rules to protect shell scripts.
- Marking the SAP HANA files as trusted.
- Enabling the fapolicyd service.
2.1. Installing the fapolicyd package
Procedure
- Install the fapolicyd package:

    # dnf install fapolicyd

Verification
- Verify that the fapolicyd service is installed but not currently running. If it is active, stop it (systemctl stop fapolicyd) before you continue, because the following sections change the configuration, the rules and the trust database before the service is started:

    # systemctl status fapolicyd
    ● fapolicyd.service - File Access Policy Daemon
         Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled)
         Active: inactive (dead) since Fri 2024-04-19 14:59:52 CEST; 1s ago
    ...
    Apr 19 14:59:51 host01 fapolicyd[337927]: shutting down...
    Apr 19 14:59:51 host01 systemd[1]: Stopping File Access Policy Daemon...
    Apr 19 14:59:52 host01 systemd[1]: fapolicyd.service: Succeeded.
    Apr 19 14:59:52 host01 systemd[1]: Stopped File Access Policy Daemon.
2.2. Setting the integrity checking to SHA-256 hashes
By default (integrity = none), fapolicyd performs no integrity check: a file is matched against the trust database by its path only, so a trusted file that is replaced in place by a different file with the same name is still allowed to run. Setting the integrity option to sha256 makes fapolicyd also compare the SHA-256 hash of the file with the hash recorded in the trust database, for a higher level of protection.
Prerequisites
- The fapolicyd package is installed on your system.
Procedure
- Open the /etc/fapolicyd/fapolicyd.conf file in a text editor of your choice, for example:

    # vi /etc/fapolicyd/fapolicyd.conf

- Configure the integrity option and change the default value of none to sha256 (this is the spelling the fapolicyd.conf parser accepts):

    integrity = sha256

  For the change to take effect, the fapolicyd service must be restarted. Do not restart it now, because the following sections make further changes to the fapolicyd configuration; the service is started once, in the final step.
Verification
- Verify that the configuration file is still syntactically valid:

    # fapolicyd-cli --check-config
    Daemon config is OK
The SAP HANA benchmark was tested on RHEL 9.2. While doing so, fapolicyd was initially disabled and then enabled to evaluate its performance implications. To allow the tests to run, a total of 19,184 entries were added to the fapolicyd trust files. In 99% of the tests, the performance impact was 5% or less, with the vast majority of the tests experiencing a slowdown of 1-3%.

Note that certain workloads may experience a higher performance penalty. Therefore, you must thoroughly evaluate performance within your specific environment to observe potential impacts accurately.
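To make concrete what the sha256 setting actually checks, here is an added example written for this edit; it is not code from the Red Hat page or from the fapolicyd project. It re-implements the comparison offline with coreutils: a trust file entry (the files that fapolicyd-cli --file add writes to /etc/fapolicyd/trust.d, see the section on marking the SAP HANA files as trusted) records path, size and SHA-256 digest, and with integrity = sha256 the daemon recomputes the digest instead of matching the path alone. It assumes GNU coreutils on Linux; the temporary directory, the file name hdbdaemon and its contents in demo_tamper are constructed for the demonstration.

```shell
#!/bin/bash
# Added example, not part of the Red Hat page or of fapolicyd itself: an
# offline re-implementation of the comparison that "integrity = sha256" adds.
# A fapolicyd trust file entry has the form
#     <path> <size in bytes> <sha256 hex digest>
# With integrity = none the daemon matches a file by path only; with sha256 it
# also recomputes the digest, so a file replaced in place is no longer trusted.
# Assumes GNU coreutils (sha256sum, wc, mktemp) on Linux.
set -u

# make_trust_entry PATH: print a trust-file line for PATH in the format above
make_trust_entry() {
    local path="$1" size hash
    size=$(wc -c < "$path" | tr -d ' ')
    hash=$(sha256sum "$path" | cut -d' ' -f1)
    printf '%s %s %s\n' "$path" "$size" "$hash"
}

# check_trust_file TRUSTFILE: re-verify every entry against the file on disk.
# Prints one line per entry: OK, MISSING, SIZE (length differs) or HASH
# (same length, different contents: the case only the sha256 check catches).
# Returns 0 when every entry is OK, 1 otherwise.
check_trust_file() {
    local trust="$1" rc=0 path size hash cur_size cur_hash
    while read -r path size hash; do
        # skip blank lines and comments, as fapolicyd does
        case "$path" in '' | '#'*) continue ;; esac
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"; rc=1; continue
        fi
        cur_size=$(wc -c < "$path" | tr -d ' ')
        if [ "$cur_size" -ne "$size" ]; then
            printf 'SIZE %s (trusted %s bytes, on disk %s)\n' "$path" "$size" "$cur_size"
            rc=1; continue
        fi
        cur_hash=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$cur_hash" != "$hash" ]; then
            printf 'HASH %s\n' "$path"; rc=1; continue
        fi
        printf 'OK %s\n' "$path"
    done < "$trust"
    return "$rc"
}

# demo_tamper: constructed scenario. Trust a stand-in "binary", then overwrite
# it with different contents of the same length. A path-only or size-only
# check would still accept it; check_trust_file reports HASH and returns 1.
demo_tamper() {
    local dir trust rc
    dir=$(mktemp -d)
    trust="$dir/trust"
    printf 'build-A\n' > "$dir/hdbdaemon"     # constructed stand-in, not a real HANA file
    make_trust_entry "$dir/hdbdaemon" > "$trust"
    printf 'build-B\n' > "$dir/hdbdaemon"     # same length, different bytes
    check_trust_file "$trust"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Exit status 1 from demo_tamper is the expected result (tampering detected).
demo_tamper || echo "check_trust_file returned $?: tampering detected"
```

Run the script to see the HASH report, or source it and call check_trust_file /etc/fapolicyd/trust.d/usr_sap on a real system to audit a trust file before the daemon is started. The daemon's own equivalent of this check is fapolicyd-cli --check-trustdb.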
2.3. Adding custom fapolicyd rules to protect shell scripts
By default, the fapolicyd rules deny the execution of untrusted binary executables and of untrusted files handled by certain interpreters (for example, Python), but they allow untrusted shell scripts. To also protect shell scripts in the SAP HANA installation directories, you have to add a custom rule.
Prerequisites
- The fapolicyd package is installed on your system.
Procedure
- In the directory /etc/fapolicyd/rules.d, add a new file with a file name starting with 71 (proposed file name: 71-sap-shellscript.rules), so that the rule is placed between the rules of the files 70-trusted-lang.rules and 72-shell.rules, with the following content:

    # Deny shell script execution and sourcing under SAP HANA directories
    deny_audit perm=any all : ftype=text/x-shellscript dir=/hana/,/usr/sap/ trust=0

  The rule denies any access (execution as well as opening, which covers sourcing) to a shell script under /hana/ or /usr/sap/ that is not in the trust database (trust=0), and records each denial in the audit log. fapolicyd evaluates the rules in file-name order and applies the first matching rule, so the file must sort before 72-shell.rules, which allows shell scripts.
- Set the ownership of the file to that of the other files in /etc/fapolicyd/rules.d:

    # chown root:fapolicyd /etc/fapolicyd/rules.d/71-sap-shellscript.rules

- Confirm that new rules have been defined, and then load the new rules:

    # fagenrules --check
    /usr/sbin/fagenrules: Rules have changed and should be updated
    # fagenrules --load
Verification
- Verify that the compiled rules are up to date:

    # fagenrules --check
    /usr/sbin/fagenrules: No change
2.4. Marking the SAP HANA files as trusted
Prerequisites
- The fapolicyd package is installed on your system.
Procedure
- Install the SAP HANA software if not already done.
- Add all the SAP HANA files to the fapolicyd trust database. We recommend using a separate trust file for each directory tree, for example, hana and usr_sap:

    # fapolicyd-cli --file add /hana --trust-file hana
    # fapolicyd-cli --file add /usr/sap --trust-file usr_sap

  This creates two files, named hana and usr_sap, in the directory /etc/fapolicyd/trust.d, which contain one entry (path, size and SHA-256 hash) for each file under /hana and /usr/sap.

  For an SAP HANA installation on a freshly installed RHEL system, the SAP HANA installer creates the directories /hana and /usr/sap, so you can trust that all the files in these directories are valid SAP files. In any other case, there might be files in those directories that the SAP HANA installer has not created, and adding the whole directory trees marks those files as trusted too. Therefore, you should carefully verify that all the files in the trust files /etc/fapolicyd/trust.d/hana and /etc/fapolicyd/trust.d/usr_sap are valid SAP files. One possible way is:
  - Perform a fresh SAP HANA installation on another freshly installed RHEL system.
  - Repeat step 2 on that system.
  - Compare the resulting trust files of both systems.

  The entries record the size and hash of each file at the time it was added. After an SAP HANA patch or upgrade changes files under these directories, refresh the affected entries with fapolicyd-cli --file update and tell the running daemon to reload the trust database with fapolicyd-cli --update; otherwise the changed files are no longer trusted and are blocked.
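The comparison in the last step can be scripted. The following is an added example written for this edit, not code from the Red Hat page or from the fapolicyd project: it diffs two trust files by path and reports entries that exist on only one system or whose size or hash differ. It assumes the trust-file entry format of path, size and SHA-256 digest, and that both systems use the same SID and instance number (the paths are compared literally; the example reuses H70 and HDB35 from this page). The file names and the short digests in demo_compare are constructed.

```shell
#!/bin/bash
# Added example, not part of the Red Hat page or of fapolicyd: compare the
# trust files produced on two systems. Entries are "<path> <size> <sha256>",
# so the comparison is by path and the reference installation must use the
# same SID and instance number, otherwise every entry under /usr/sap/<SID>
# differs. Assumes POSIX awk, sort and mktemp.

# trust_diff PROD_TRUST REF_TRUST
# Prints  ONLY_A <path>  present on the production system only (not created by
#                        the installer: investigate before keeping it trusted)
#         ONLY_B <path>  present on the reference system only
#         DIFF <path>    same path but different size or hash
# sorted by path. Returns 0 when the two files agree, 1 otherwise.
trust_diff() {
    local out rc
    out=$(awk '
        BEGIN { bad = 0 }
        NF == 0 || $1 ~ /^#/ { next }              # blank lines and comments
        f == 1 { a[$1] = $2 " " $3; next }         # first file: path -> "size hash"
        {
            seen[$1] = 1
            if (!($1 in a))              { print "ONLY_B " $1; bad = 1 }
            else if (a[$1] != $2 " " $3) { print "DIFF " $1;   bad = 1 }
        }
        END {
            for (p in a) if (!(p in seen)) { print "ONLY_A " p; bad = 1 }
            exit bad
        }' f=1 "$1" f=2 "$2")
    rc=$?
    [ -n "$out" ] && printf '%s\n' "$out" | sort -k2
    return "$rc"
}

# demo_compare: constructed trust files for a production host and a reference
# install (short fake digests; real ones are 64 hex characters). The production
# host has a helper script the installer never created, and hdbindexserver has
# a different hash, so both must be investigated before the daemon is started.
demo_compare() {
    local dir rc
    dir=$(mktemp -d)
    cat > "$dir/usr_sap.prod" <<'EOF'
/usr/sap/H70/HDB35/exe/hdbdaemon 8 aaaa
/usr/sap/H70/HDB35/exe/hdbindexserver 8 bbbb
/usr/sap/H70/HDB35/work/helper.sh 5 cccc
EOF
    cat > "$dir/usr_sap.ref" <<'EOF'
/usr/sap/H70/HDB35/exe/hdbdaemon 8 aaaa
/usr/sap/H70/HDB35/exe/hdbindexserver 8 beef
EOF
    trust_diff "$dir/usr_sap.prod" "$dir/usr_sap.ref"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Exit status 1 is the expected result here: the two trust files differ.
demo_compare || echo "trust files differ (exit status $?)"
```

On real systems, copy /etc/fapolicyd/trust.d/usr_sap from the reference host and run trust_diff /etc/fapolicyd/trust.d/usr_sap usr_sap.reference; every ONLY_A or DIFF line is a file you should account for before enabling the service.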
2.5. Enabling the fapolicyd service
Prerequisites
- The fapolicyd package is installed and not currently running on your system.
- You have completed all the previous steps.
Procedure
- Enable and start the fapolicyd service:

    # systemctl enable --now fapolicyd

The fapolicyd service now protects the SAP HANA system. Scripts and binaries in /hana or /usr/sap that are not in the fapolicyd trust files are blocked, and non-root users cannot execute these files. The default rule set does not restrict root, so the protection is against code introduced or modified under non-root accounts, such as the SAP HANA administrator user; this is also why the verification below switches to a non-root user.
Verification
- Verify that the fapolicyd service is up and running:

    # systemctl status fapolicyd
    ● fapolicyd.service - File Access Policy Daemon
         Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; preset: disabled)
         Active: active (running) since Thu 2024-03-14 16:38:32 IST; 18h ago
    ...
    Mar 14 16:38:33 host01 fapolicyd[579216]: Trust database checks OK
    Mar 14 16:38:33 host01 fapolicyd[579216]: Starting to listen for events

- Verify that non-root users, including the SAP HANA administrator user (example: h70adm), cannot execute any new scripts and binary programs in /hana and /usr/sap. The copied date binary has the same contents as the trusted /usr/bin/date, but it is not trusted under its new path; the new shell script is untrusted and is caught by the custom rule:

    # cp -pi /usr/bin/date /hana/
    # su - h70adm
    h70adm@host01:/usr/sap/H70/HDB35> /hana/date
    -sh: /hana/date: Operation not permitted
    h70adm@host01:/usr/sap/H70/HDB35> cat > try-to-start-me.sh
    #!/bin/bash
    echo "I will not execute."
    <ctrl>d
    h70adm@host01:/usr/sap/H70/HDB35> chmod u+x try-to-start-me.sh
    h70adm@host01:/usr/sap/H70/HDB35> ./try-to-start-me.sh
    -sh: ./try-to-start-me.sh: Operation not permitted
    h70adm@host01:/usr/sap/H70/HDB35> rm try-to-start-me.sh
    h70adm@host01:/usr/sap/H70/HDB35> exit
    # rm /hana/date
    rm: remove regular file '/hana/date'? y

  Because the custom rule uses deny_audit, each denial is also recorded in the audit log; review the denied accesses with ausearch -m fanotify -ts today.