Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 2. Protecting SAP HANA installation by using fapolicyd

You can perform the following steps to protect a SAP HANA installation:

  • Installing the fapolicyd package.
  • Setting the integrity checking to sha256 hashes.
  • Adding custom fapolicyd rules to protect shell scripts.
  • Marking the SAP HANA files as trusted.
  • Enabling the fapolicyd service.

2.1. Installing the fapolicyd package
Copy link

Procedure

  • Install the fapolicyd package: 

    # dnf install fapolicyd
    Copy to Clipboard Toggle word wrap

Verification

  • Use the following command to verify that the fapolicyd service is installed but not currently running: 

    # systemctl status fapolicyd
● fapolicyd.service - File Access Policy Daemon
   Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Fri 2024-04-19 14:59:52 CEST; 1s ago
...
Apr 19 14:59:51 host01 fapolicyd[337927]: shutting down...
Apr 19 14:59:51 host01 systemd[1]: Stopping File Access Policy Daemon...
Apr 19 14:59:52 host01 systemd[1]: fapolicyd.service: Succeeded.Apr 19 14:59:52 host01 systemd[1]: Stopped File Access Policy Daemon.
    Copy to Clipboard Toggle word wrap

By default, fapolicyd verifies the file names when deciding if an application has to be blocked from execution. You can modify this setting to sha256 for a higher level of protection.

Prerequisites

  • The fapolicyd package is installed on your system.

Procedure

  1. Open the /etc/fapolicyd/fapolicyd.conf file in a text editor of your choice, for example: 

    # vi /etc/fapolicyd/fapolicyd.conf
    Copy to Clipboard Toggle word wrap

  2. Configure the integrity option and change the default value of none to sha256:integrity = sha256.

    For the change to become effective, you need to restart the fapolicyd service. Do not restart the fapolicyd now, as you have to make more changes to the fapolicyd configuration.

Verification

  • Verify the correct entry: 

    # fapolicyd-cli --check-config
Daemon config is OK
    Copy to Clipboard Toggle word wrap

The SAP HANA benchmark was tested on RHEL 9.2. While doing so, initially fapolicyd was disabled and then enabled to evaluate the performance implications of fapolicyd. To allow the tests to run, a total of 19,184 entries were added to the fapolicyd trust files. In 99% of the tests, the performance impact was 5% or less, with the vast majority of the tests experiencing a slowdown of 1-3%.

However, certain workloads may experience a higher performance penalty. Therefore, you must thoroughly evaluate performance within your specific environment to identify potential impacts accurately.

By default, fapolicyd blocks binary executable files and certain programs (e.g., Python) from being executed. To also protect shell scripts in the SAP HANA installation directories, you have to add new custom rules.

Prerequisites

  • The fapolicyd package is installed on your system.

Procedure

  1. Change to the directory /etc/fapolicyd/rules.d.

  2. Add a new file with a file name starting with 71 (proposed file name: 71-sap-shellscript.rules) so the rule is placed between the rules of the files 70-trusted-lang.rules and 72-shell.rules, with the following content: 

    # Deny shell script execution and sourcing under SAP HANA directories deny_audit perm=any all : ftype=text/x-shellscript dir=/hana/,/usr/sap/ trust=0
    Copy to Clipboard Toggle word wrap

  3. Set the ownership of the file to those of the other files in /etc/fapolicyd/rules.d: 

    # chown root:fapolicyd 71-sap-shellscript.rules
    Copy to Clipboard Toggle word wrap

  4. Use the following commands to confirm that new rules have been defined, and then load the new rules: 

    # fagenrules --check
/usr/sbin/fagenrules: Rules have changed and should be updated
# fagenrules --load
    Copy to Clipboard Toggle word wrap

Verification

  • Verify that the rules are updated: 

    # fagenrules --check
/usr/sbin/fagenrules: No change
    Copy to Clipboard Toggle word wrap

2.4. Marking the SAP HANA files as trusted
Copy link

Prerequisite

  • The fapolicyd package is installed on your system.

Procedure

  1. Install the SAP HANA software if not already done.

  2. Use the following commands to add all the SAP HANA files to the fapolicyd trust database. We recommend using a separate trust file for each directory tree, for example, hana and usr_sap: 

    # fapolicyd-cli --file add /hana --trust-file hana
# fapolicyd-cli --file add /usr/sap --trust-file usr_sap
    Copy to Clipboard Toggle word wrap

    This creates two files, named hana and usr_sap, in the directory /etc/fapolicyd/trust.d, which contains entries for all files under /hana and /usr/sap.

  3. For an SAP HANA installation on a freshly installed RHEL system, the SAP HANA installer creates the directories /hana and /usr/sap, so we can trust that all the files in these directories are valid SAP files.

    In any other case, there might be files in those directories that the SAP HANA installer has not created.

    Therefore, you should carefully verify that all the files in the trust files /etc/fapolicyd/trust.d/hana and /etc/fapolicyd/trust.d/usr_sap are valid SAP files. One of the possible ways is explained below:

    1. Perform a fresh SAP HANA installation on another freshly installed RHEL system.
    2. Repeat step 2 on that system.
    3. Compare the resulting trust files of both systems.

2.5. Enabling the fapolicyd service
Copy link

Prerequisites

  • The fapolicyd package is installed and not currently running on your system.
  • You have completed all the previous steps.

Procedure

  • Enable and start the fapolicyd service: 

    # systemctl enable --now fapolicyd
    Copy to Clipboard Toggle word wrap
  • The fapolicyd service now protects the SAP HANA system. Scripts and binaries in /hana or /usr/sap that are not in the fapolicyd trust files are blocked, and non-root users cannot execute these files.

Verification

  1. Verify that the fapolicyd service is up and running: 

    # systemctl status fapolicyd
● fapolicyd.service - File Access Policy Daemon
     Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; preset: disabled)
     Active: active (running) since Thu 2024-03-14 16:38:32 IST; 18h ago
...
Mar 14 16:38:33 host01 fapolicyd[579216]: Trust database checks OK
Mar 14 16:38:33 host01 fapolicyd[579216]: Starting to listen for events
    Copy to Clipboard Toggle word wrap

  2. Verify that the non-root users, including the SAP HANA administrator user (example: h70adm), cannot execute any new scripts and binary programs in /hana and /usr/sap: 

    # cp -pi /usr/bin/date /hana/
# su - h70adm
h70adm@host01:/usr/sap/H70/HDB35> /hana/date
-sh: /hana/date: Operation not permitted
h70adm@host01:/usr/sap/H70/HDB35> cat > try-to-start-me.sh
#!/bin/bash
echo "I will not execute."
<ctrl>d
h70adm@host01:/usr/sap/H70/HDB35> chmod u+x try-to-start-me.sh
h70adm@host01:/usr/sap/H70/HDB35> ./try-to-start-me.sh
-sh: ./try-to-start-me.sh: Operation not permitted
h70adm@host01:/usr/sap/H70/HDB35> rm try-to-start-me.sh
h70adm@host01:/usr/sap/H70/HDB35> exit
# rm /hana/date
rm: remove regular file '/hana/date'? y
    Copy to Clipboard Toggle word wrap
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat