anvilsecure/hanalyzer
Goal

This tool analyzes the configuration of SAP HANA instances and compares it with SAP's official security guidelines.

In the following demo, the .env file contains the following line:
export HANA_DB_PASSWORD=_myVerySecr3tPassw0rd_

Demo

Once you have run the tool, you can open the output file in a browser to get the following HTML report.

Screenshots: initial screen; example of an issue.

Install

Build it locally or download the correct version from the Releases page.
To build it you can run the following commands (the executable will be in the build folder):

$ git clone https://github.com/anvilsecure/hanalyzer.git
$ cd hanalyzer
$ make

Cross Compile

To cross compile the executables for every architecture and every OS, a Makefile with no external dependencies is used, to increase reusability.

Makefile

Building the release for the detected architecture and OS:

$ make
/Library/Developer/CommandLineTools/usr/bin/make build/darwin/arm64
Building for darwin/arm64...
GOOS=darwin, GOARCH=arm64, OUTPUT_NAME=hanalyzer_darwin_arm64

It is also possible to compile the binary file for different platforms:

  • MacOS arm64: make darwin/arm64
  • Linux amd64: make linux/amd64
  • Windows amd64: make windows/amd64

How to use it

Modes

There are two possible modes of analysis:

  • querying the DB (36 checks)
  • invoking commands via SSH on the DB server (1 check)

Where possible, checks are performed by querying the DB, to avoid requiring SSH access. The only check that could not be implemented via query is Encryption Key of the SAP HANA Secure User Store.

$ hanalyzer -h
Tool to analyze SAP Hana database configuration against official SAP guidelines.
Usage:
  hanalyzer [command]
Available Commands:
  completion  Generate the autocompletion script for the specified shell
  help        Help about any command
  query       Perform checks by querying the DB.
  ssh         Use ssh to perform the following checks on the DB server:
                        - Encryption Key of the SAP HANA Secure User Store
Flags:
  -h, --help   help for hanalyzer
Use "hanalyzer [command] --help" for more information about a command.
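To make concrete what a query-mode check does with the rows it reads, here is an added Go example (not hanalyzer's own code) that evaluates the CheckSystemUser and CheckPasswordLifetime checks shown in the demo output over a constructed set of rows. The HanaUser struct, the two helper functions and the SQL text are assumptions: the tool's own queries are not on the page, and the SYS.USERS column names (USER_DEACTIVATED, IS_PASSWORD_LIFETIME_CHECK_ENABLED, LAST_SUCCESSFUL_CONNECT) should be verified against your HANA release.

```go
package main

import "fmt"

// HanaUser is one row read from SAP HANA's SYS.USERS view (assumed layout).
type HanaUser struct {
	Name                  string
	Deactivated           bool   // USER_DEACTIVATED = 'TRUE'
	PasswordLifetimeCheck bool   // IS_PASSWORD_LIFETIME_CHECK_ENABLED = 'TRUE'
	LastSuccessfulConnect string // LAST_SUCCESSFUL_CONNECT, empty if never
}

// Queries the two checks would issue (assumed; verify column names on your release).
const (
	QuerySystemUser       = "SELECT USER_NAME, USER_DEACTIVATED, LAST_SUCCESSFUL_CONNECT FROM SYS.USERS WHERE USER_NAME = 'SYSTEM'"
	QueryPasswordLifetime = "SELECT USER_NAME, IS_PASSWORD_LIFETIME_CHECK_ENABLED FROM SYS.USERS"
)

// CheckSystemUser: SAP recommends deactivating SYSTEM after setup, so an
// active SYSTEM account (with its last login) is reported as a finding.
func CheckSystemUser(users []HanaUser) (finding bool, msg string) {
	for _, u := range users {
		if u.Name != "SYSTEM" {
			continue
		}
		if u.Deactivated {
			return false, "User SYSTEM is DEACTIVATED (USER_DEACTIVATED=TRUE)."
		}
		return true, fmt.Sprintf("User SYSTEM is ACTIVE (USER_DEACTIVATED=FALSE).\nLast successful connection was in date %s.", u.LastSuccessfulConnect)
	}
	return false, "User SYSTEM not found."
}

// CheckPasswordLifetime lists every user whose password lifetime check is
// disabled, in the order the rows were returned.
func CheckPasswordLifetime(users []HanaUser) []string {
	var names []string
	for _, u := range users {
		if !u.PasswordLifetimeCheck {
			names = append(names, u.Name)
		}
	}
	return names
}

func main() {
	// Constructed rows resembling the README's demo output.
	users := []HanaUser{
		{"SYSTEM", false, false, "2024-07-19 15:19:46"},
		{"SYS", false, false, ""}, {"SAPDBCTRL", false, false, ""},
		{"APP_USER", false, true, "2024-07-20 09:00:00"},
	}
	_, msg := CheckSystemUser(users)
	fmt.Println("Check: CheckSystemUser\n" + msg + "\n-----------\nCheck: CheckPasswordLifetime")
	for _, n := range CheckPasswordLifetime(users) {
		fmt.Println("  - " + n)
	}
}
```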

Query mode

Most of the checks are performed via DB queries.

The DB password must be exported in the environment variable HANA_DB_PASSWORD, to avoid passing it via CLI arguments.

$ hanalyzer query --help
Perform checks by querying the DB.

Usage:
  hanalyzer query [flags]

Flags:
      --conf string            Provide configuration file (required if --host, --db-port, --db-username, --db-password, and --sid are not provided by CLI)
      --db-port int            Database port (default 39015)
      --db-username string     Database username
  -h, --help                   help for query
      --host string            Database host
      --output-folder string   Output folder
      --sid string             Instance SID

You can use a configuration file (--conf <file.yml>) or provide the required parameters via flag (Query mode examples).

SSH mode

One check is performed by issuing a command via SSH.

  • The SSH password must be exported in the environment variable HANA_SSH_PASSWORD, to avoid passing it via CLI arguments
  • By default the connection uses ~/.ssh/known_hosts to check the host key
    • It is possible to use the flag --ignore-host-key to skip the security checks on the host key (potentially dangerous)
  • It supports public key authentication with --priv-key
    • TODO: for the time being it does not support password-protected private keys.

$ hanalyzer ssh --help
Use SSH to perform the following checks on the DB server:
                        - Encryption Key of the SAP HANA Secure User Store

Usage:
  hanalyzer ssh [flags]

Flags:
      --conf string            Provide configuration file (required if --host, --ssh-port, --ssh-username, and --ssh-password are not provided by CLI)
  -h, --help                   help for ssh
      --host string            Database host
      --ignore-host-key        Ignore host key error
      --output-folder string   Output folder
      --priv-key string        SSH private key
      --ssh-port int           SSH username (default 22)
      --ssh-username string    SSH username

You can use a configuration file (--conf <file.yml>) or provide the required parameters via flag (SSH mode examples).

Examples

Query mode examples

Using a configuration file

$ hanalyzer query --conf .\conf.yml
Check: CheckSystemUser
User SYSTEM is ACTIVE (USER_DEACTIVATED=FALSE).
Last successful connection was in date 2024-07-19 15:19:46.
-----------
Check: CheckPasswordLifetime
The following users have password lifetime disabled(IS_PASSWORD_LIFETIME_CHECK_ENABLED=FALSE).
  - SYS
  - SYSTEM
  - SAPDBCTRL
  - TEL_ADMIN
-----------
Check: SystemPrivileges
Please review the following entities (users/roles) because they might have too high privileges:
[I] Breakdown per grantee
......

Using CLI parameters

$ hanalyzer query --host <hostname/IP_address> --sid <SID> --db-username <DBUsername>
Check: CheckSystemUser
User SYSTEM is ACTIVE (USER_DEACTIVATED=FALSE).
Last successful connection was in date 2024-07-19 15:19:46.
-----------
Check: CheckPasswordLifetime
The following users have password lifetime disabled(IS_PASSWORD_LIFETIME_CHECK_ENABLED=FALSE).
  - SYS
  - SYSTEM
  - SAPDBCTRL
  - TEL_ADMIN
-----------
Check: SystemPrivileges
Please review the following entities (users/roles) because they might have too high privileges:
[I] Breakdown per grantee
......

SSH mode examples

Using a configuration file

$ hanalyzer ssh --conf .\conf.yml
Check: CheckSystemUser
Check: EncryptionKeySAPHANASecureUserStore
Encryption key (SSFS_HDB.KEY) found, Secure User Store is correctly encrypted.
-----------

Using CLI parameters

$ hanalyzer ssh --host <hostname/IP_address> --ssh-username <DBUsername>
Check: EncryptionKeySAPHANASecureUserStore
Encryption key (SSFS_HDB.KEY) found, Secure User Store is correctly encrypted.

Using public key authentication

$ ./hanalyzer ssh --host <hostname/IP_address> --ssh-username <DBUsername> --output-folder 00_hanatest --priv-key ~/.ssh/id_rsa
[INFO] 20250428_165106 Writing output data to file: /home/user/hana/00_hanatest/output.json

[INFO] 20250428_165106 HTML file generated successfully: /home/user/hana/00_hanatest/output.html

Configuration file

In the project root create the following conf.yml file:

host: HOST_NAME
sid: DB_SID
database:
  port: PORT
  username: USERNAME (e.g., system)
  password: PASSWORD
ssh:
  port: PORT
  username: USERNAME (e.g., hxeadm)
  password: PASSWORD
  private_key: /Users/johndoe/.ssh/id_rsa
  ignore_host_key: true

Roadmap

  • Add sudo support for SSH commands
  • Improve HTML output
    • Dark mode
  • Git actions to automatically compile releases
  • Bundle JS dependencies with the code, to provide full-offline experience
  • SSH Authentication
    • Add public key authentication
    • InsecureIgnoreHostKey is used; add:
      • Interactive way to accept the host key fingerprint (custom HostKeyCallback)
      • Option to provide the expected host key or to read the known_hosts file
      • Add "insecure" flag to explicitly disable host key checks

SAP HANA Database Checklists and Recommendations

  • SYSTEM User (porting from @gvb)
  • Password Lifetime of Database Users (porting from @gvb)
  • System Privileges
  • System Privileges: Critical Combinations (porting from @gvb)
  • System Privilege: DATA ADMIN (porting from @gvb)
  • System Privilege: DEVELOPMENT (porting from @gvb)
  • Analytic Privilege: _SYS_BI_CP_ALL (porting from @gvb)
  • Debug Privileges (porting from @gvb)
  • Predefined Catalog Role CONTENT_ADMIN (porting from @gvb)
  • Predefined Catalog Role MODELING
  • Predefined Catalog Role SAP_INTERNAL_HANA_SUPPORT
  • Predefined Repository Roles
  • User Parameter CLIENT (porting from @gvb)
  • Related Information
  • Operating System Users (add as caveat manual check)
  • OS File System Permissions (porting from @gvb)
  • OS Security Patches (add as caveat manual check)
  • OS sudo Configuration (add as caveat manual check)
  • Auditing (porting from @gvb)
  • Audit Trail Target: syslog (add as caveat manual check)
  • Audit Trail Target: CSV Text File
  • Open Ports (add as caveat manual check)
  • Internal Host Name Resolution in Single-Host System
  • Internal Host Name Resolution in Multiple-Host System
  • Host Name Resolution in System Replication
  • Instance SSFS Master Key
  • System PKI SSFS Master Key
  • Root Encryption Keys
  • Encryption Key of the SAP HANA Secure User Store (hdbuserstore)
  • Data and Log Volume Encryption
  • Trace Files
  • Dump Files
  • SAML-Based User Authentication
  • Configuration Blacklist
  • Restricted Features

Notes

If you are using a VM, after the setup process you will encounter the following error:

Free and used memory in the system
==================================
Before collection
-------------------------------------------------------------------------
             total       used       free     shared    buffers     cached
Mem:           11G        10G       1.5G        68M       2.0M       2.4G
-/+ buffers/cache:       7.8G       3.9G
Swap:         4.0G         0B       4.0G
After  collection
-------------------------------------------------------------------------
             total       used       free     shared    buffers     cached
Mem:           11G        10G       1.6G        68M       2.0M       2.6G
-/+ buffers/cache:       7.5G       4.3G
Swap:         4.0G         0B       4.0G

Please wait while XSA starts.  This may take a while...OK
Change XSA_ADMIN user password on SystemDB database...
Change XSA_DEV user password on SystemDB database...
* 10: authentication failed SQLSTATE: 28000
Password already changed.  However, the new password you specified is invalid.

This is solved as follows:

HDB start
XSA reset-certificate

hdbsql -u system -n hxehost:39013
alter user XSA_ADMIN activate user now;
alter user XSA_ADMIN password "<PASSWORD>";
alter user XSA_DEV activate user now;
alter user XSA_DEV password "<PASSWORD>";

Caveat!! For the setup script to work you need the same password for:

  • Master password
  • SYSTEM
  • XSA_ADMIN
  • XSA_DEV

Before running setup, start the host and let it bring up all its processes; otherwise the setup script may not be able to connect to every process.

!! VMs expose port 39015