
SLES10 AppArmor – How to create Security Profiles for SAP – Part 1

Security is an often discussed topic in IT. In one of my former blogs I did some research on the SELinux capabilities of RHEL5 and how they could be used with SAP. In this blog series I’d like to draw your attention to another security technology, namely AppArmor from Novell. The AppArmor technology was introduced with SUSE Linux Enterprise Server 10. AppArmor and SELinux have different security approaches and goals, which makes it almost impossible to compare them. Both have their advantages and challenges. In the blogs of this series we will not discuss them in detail. We’ll learn how we can create a security profile for a SAP NetWeaver 7.0 Java-only system just by using YaST2. We start with a very short introduction of AppArmor and then move straight on to the hands-on tasks.
Novell AppArmor
You’ll find the 100+ page Novell AppArmor Administration Guide in the package apparmor-admin_en. If it is installed, change to the directory /usr/share/doc/manual/apparmor-admin_en/ and print the SLES-aaadmin_en.pdf file yourself. There is no need to read this guide from the first to the last page, but having this comprehensive guide at hand is much more comfortable if you want to look something up quickly. A very short summary of what AppArmor is can be taken from the first chapter of this document: “Novell AppArmor provides immunization technologies that protect applications from the inherent vulnerabilities they possess.” Thus, an AppArmor security policy for SAP does not necessarily protect the SAP application itself, or even the data of the application, from other applications. Nevertheless, such a policy will confine file access so that a SAP executable is only allowed to access the files which that executable needs. We speak of executables because AppArmor enforces access restrictions per executable only. As a result, we cannot create one huge SAP security profile; we have to create a separate profile for each executable that is used.

Before we can start, we have to modify the auditd settings to be able to generate SAP profiles. The AppArmor “Add Profile Wizard” uses the audit.log to scan what an executable is doing. auditd rotates the audit.log every time the file reaches a size of 5MB. If such a rotation happens, the AppArmor “Add Profile Wizard” is currently no longer able to generate a profile. We have to ensure that no rotation happens. This can be achieved either by increasing the size at which a rotation happens or by deactivating the rotation itself. Both settings can be changed in the file /etc/audit.log. Please make sure to reload or restart the audit daemon after changing the configuration file via /etc/init.d/auditd {reload|restart}. Now the system is prepared, so let’s start.
sapstartsrv/ folder, the read permission should be given to /proc/*/ because the pid of a running sapstartsrv changes with every restart.

Another general rule would be to grant sapstartsrv read access to all files in the profile folder. YaST2 suggests read access to /sapmnt/SID/profile/DEFAULT.PFL, but it is safe to change such suggestions to /sapmnt/SID/profile/* instead. Write access to /tmp/.sapstream50113 can be granted through an ‘#include’ directive.

The sapstartsrv profile

  /proc/*/cmdline r,
  /proc/*/stat r,
  /proc/uptime r,
  /sapmnt/SID/profile/* r,
  /usr/sap/SID/SCS01/exe/enserver r,
  /usr/sap/SID/SCS01/exe/* mr,
  /usr/sap/SID/SCS01/exe/ mr,
  /usr/sap/SID/SCS01/exe/msg_server r,
  /usr/sap/SID/SCS01/exe/sapstartsrv ixr,
  /usr/sap/SID/SCS01/log/SLOG01 r,
  /usr/sap/SID/SCS01/work/available.log rw,
  /usr/sap/SID/SCS01/work/sapstart.log r,
  /usr/sap/SID/SCS01/work/sapstartsrv.* w,
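The two generalisations recommended above (pid-specific /proc entries become /proc/*/, single files in the profile folder become the folder glob) can be applied mechanically to the denials the wizard reads from audit.log. The following Python is an added example, not code from the original post; the sample audit lines are constructed, and their “REJECTING <mode> access to <path>” layout is assumed, so check it against your own audit.log before relying on it.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the original post). The
# "REJECTING <mode> access to <path>" layout is the SLES10-era AppArmor audit
# message as assumed here; verify it against your own audit.log.
SAMPLE_AUDIT_LOG = """\
type=APPARMOR msg=audit(1200000000.100:11): REJECTING r access to /proc/4711/cmdline (sapstartsrv(4711) profile /usr/sap/SID/SCS01/exe/sapstartsrv active /usr/sap/SID/SCS01/exe/sapstartsrv)
type=APPARMOR msg=audit(1200000000.101:12): REJECTING r access to /proc/4711/stat (sapstartsrv(4711) profile /usr/sap/SID/SCS01/exe/sapstartsrv active /usr/sap/SID/SCS01/exe/sapstartsrv)
type=APPARMOR msg=audit(1200000000.102:13): REJECTING r access to /sapmnt/SID/profile/DEFAULT.PFL (sapstartsrv(4711) profile /usr/sap/SID/SCS01/exe/sapstartsrv active /usr/sap/SID/SCS01/exe/sapstartsrv)
type=APPARMOR msg=audit(1200000000.103:14): REJECTING r access to /sapmnt/SID/profile/SID_SCS01_host (sapstartsrv(4711) profile /usr/sap/SID/SCS01/exe/sapstartsrv active /usr/sap/SID/SCS01/exe/sapstartsrv)
type=APPARMOR msg=audit(1200000000.104:15): REJECTING w access to /usr/sap/SID/SCS01/work/available.log (sapstartsrv(4711) profile /usr/sap/SID/SCS01/exe/sapstartsrv active /usr/sap/SID/SCS01/exe/sapstartsrv)
type=APPARMOR msg=audit(1200000000.105:16): REJECTING r access to /usr/sap/SID/SCS01/work/available.log (sapstartsrv(4711) profile /usr/sap/SID/SCS01/exe/sapstartsrv active /usr/sap/SID/SCS01/exe/sapstartsrv)
"""

REJECT_RE = re.compile(r"REJECTING (?P<mode>[rwmlkix]+) access to (?P<path>\S+)")

# Generalisations recommended in the post instead of the wizard's literal
# suggestions: a pid-specific /proc entry becomes /proc/*/..., and a single
# file under the SAP profile directory becomes the whole directory glob.
GENERALISE = [
    (re.compile(r"^/proc/\d+/"), "/proc/*/"),
    (re.compile(r"^(/sapmnt/[^/]+/profile/)[^/]+$"), r"\g<1>*"),
]

def generalise(path):
    """Apply every generalisation pattern to one denied path."""
    for pattern, repl in GENERALISE:
        path = pattern.sub(repl, path)
    return path

def suggest_rules(audit_log):
    """Return {generalised_path: mode_letters}, merging modes per path so that
    a read and a write denial on the same file yield one 'rw' rule."""
    modes = defaultdict(set)
    for line in audit_log.splitlines():
        m = REJECT_RE.search(line)
        if m:
            modes[generalise(m.group("path"))].update(m.group("mode"))
    order = "rwmlkix"  # conventional ordering of AppArmor mode letters
    return {p: "".join(c for c in order if c in s) for p, s in sorted(modes.items())}

def render_profile(rules):
    """Render the rules as the indented 'path mode,' lines of a profile body."""
    return "\n".join(f"  {path} {mode}," for path, mode in rules.items())

if __name__ == "__main__":
    print(render_profile(suggest_rules(SAMPLE_AUDIT_LOG)))
```

The six constructed denials collapse into four rules; the two profile-folder files become one /sapmnt/SID/profile/* r, line and the two accesses to available.log become a single rw rule, matching the profile shown above.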
In the next part we will have a look at the other important binaries, like saposcol, the database itself, the message server and the enqueue server. In the third blog we will have a close look at the jlaunch processes and what is needed to handle them.
