Avantra Hardening Guide

We strongly recommend regularly reviewing your Avantra installation landscape and applying appropriate hardening measures. Each enterprise or managed service provider has its own approach to system hardening and our recommendations should be appended to those approaches.

The items mentioned in this guide are designed to be appended to your existing hardening practices. This is not a complete system hardening guide.

This guide will be updated periodically and should be regularly reviewed by your operations team and security experts to ensure you continue to run a hardened environment.

Avantra Server

Secure the WebUI port and bind address

AHG-S-01

Description

By default, Avantra can be configured to use HTTP or HTTPS. In a productive environment, we strongly recommend you ensure that your WebUI (XANGUI) configuration is set to use the secure port via HTTPS. You can also specify the TLS cipher suites that may be used for web UI communication. Finally, in a multi-network setup with multiple interfaces, ensure that your WebUI is only accessible from the required interface.

Recommendation
  • Enable the HTTPS (secure) port in your installation on an unprivileged port (e.g. 8443) (see helpful link below).

  • Avoid using HTTP (see helpful link below).

  • Bind the Avantra WebUI to only the required network interface (see helpful link below).

  • Within the Avantra server settings, bind the Avantra server to only the required network interface ("Administration" → "Settings" → "Avantra Master" → "Network.bind-address").

Disable HTTP completely or redirect HTTP to HTTPS

AHG-S-02

Description

By default, Avantra can be configured to use HTTP or HTTPS. In a productive environment, we strongly recommend you ensure that any insecure (HTTP) requests to your Web UI are dropped or, at least, auto-redirected to the secure version (HTTPS).

Recommendation

Disable the HTTP port by removing it from the configuration file. If it must be left enabled, then we recommend enabling redirection of HTTP to HTTPS by default.

X.509 Web Certificate

AHG-S-03

Description

By default, Avantra comes with a pre-installed X.509 certificate with the common name "xandria". In all cases we strongly recommend you replace this and add your own X.509 server certificate to your installation to secure all web interface communications.

Recommendation

Replace the default X.509 certificate with your own CA-signed certificate.

OS permissions for the Avantra services user

AHG-S-04

Description

It is important to ensure that the service user used to run the Avantra OS services for Server/UI and Agent has no permissions other than those needed to run the services, e.g. it should not be a member of the administrator or sudo group. This user should have read, write, and execute permissions on the Avantra install directory and group membership for any other directories to which access is required.

Please note, we strongly discourage the use of root as the Avantra agent OS user. Instead, customers should work with sudo to allow-list only the commands required. E.g. if you plan to automate OS patching on Unix, allow the service user to run only that command via sudo rather than granting them unrestricted sudoers access.

Recommendation

Restrict the OS service user to the minimal required permission to run.

OS Hardening

AHG-S-05

Description

We strongly recommend utilizing the operating system hardening guide as provided by your operating system provider e.g. SUSE, RHEL, Windows, or other. These guides will cover topics such as firewalls, audit logs, and more.

Recommendation

Frequently review the OS hardening guide for your chosen OS and implement its recommendations.

User authentication

AHG-S-06

Description

Avantra supports the configuration of external identity providers via SAML or Active Directory. We recommend using an external identity provider as it allows for tight integration into corporate systems for processes such as Joiners, Movers, and Leavers (JML) as well as supporting two-factor authentication (2FA). We strongly encourage using concepts such as 2FA via an external identity provider.

Recommendation

Configure an external identity provider, ideally, with 2FA enabled.

OS-level code execution for managed systems

AHG-S-07

Description

Avantra is designed as a complete management platform that includes powerful features that allow for the execution of scripts and commands on remote systems for automation. Depending on your environment you may not want to allow the execution of OS-level commands in your environment.

Recommendation

Ensure that you apply hardening recommendation AHG-A-01 to significantly restrict the access permissions of the OS user used to run the Agent services. This user should ONLY have the permissions to run the agent as well as access to run any scripts or commands required for your specific scenarios. This protection should mitigate this risk.

Optional (extra hardening) recommendation: for validated environments that require complete hardening, you can switch off any capability to execute OS-level commands within the Avantra server settings. Please bear in mind that this is a global flag and will reduce the capabilities in this space. The flag is called "Security.EnableOSCodeExec" and can be found in "Administration" → "Settings" → "Master".

Database write-query execution for managed systems

AHG-S-08

Description

Avantra is designed as a complete management platform that includes powerful features that allow for the execution of queries and commands on remote databases (as part of checks or automation). Depending on your environment you may not want to allow the execution of write-capable SQL commands in your environment.

Recommendation

Ensure that you apply hardening recommendation AHG-A-02 to significantly restrict the access permissions of the database user used to monitor your managed database objects. This user should ONLY have the permissions required for your specific scenarios (usually read-only and no access to production data). This protection should mitigate this risk.

Optional (extra hardening) recommendation: for validated environments that require complete hardening, you can switch off any capability to execute database write commands within the Avantra server settings. Please bear in mind that this is a global flag and will reduce the capabilities in this space. The flag is called "Security.RUNJSAllowDBWrite" and can be found in "Administration" → "Settings" → "Master".

Restrict permissions on Avantra files

AHG-S-09

Description

Your Avantra installation should be protected from other users of your OS. The only user requiring access to read, write or execute Avantra files should be the Avantra service user running your OS services.

Recommendation

Ensure that the permissions within the Avantra installation directory are restricted for groups and other users.

Example Unix commands
# Replace <avantraOSuser> and <avantraOSGroup> with your Avantra service user and group
sudo chown -R <avantraOSuser>:<avantraOSGroup> /opt/avantra
# Remove all read, write and execute permissions for group and others
sudo chmod -R go-rwx /opt/avantra
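The following audit helper is an added example (not Avantra's own tooling) that verifies the result of the commands above: it lists any file under the install directory that is still accessible to group or others, or not owned by the expected service user. It assumes the directory layout and user placeholders used in this guide and demonstrates on a constructed temporary tree.

```shell
#!/bin/sh
# Added audit helper, not part of Avantra: report files under an install
# directory that are accessible to group/others or not owned by the
# expected service user. Complements the chown/chmod commands above.
# Usage: audit_avantra_perms /opt/avantra <avantraOSuser>
# Prints one offending path per line; returns 0 if clean, 1 otherwise.
audit_avantra_perms() {
  dir="$1"
  user="$2"
  # POSIX find: "-perm -MODE" matches when every bit in MODE is set.
  # 040/020/010 = group r/w/x, 004/002/001 = other r/w/x.
  offenders=$(find "$dir" \( ! -user "$user" \
      -o -perm -040 -o -perm -020 -o -perm -010 \
      -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
  [ -z "$offenders" ] && return 0
  printf '%s\n' "$offenders"
  return 1
}

# Demonstration on a constructed directory tree (a temporary stand-in for
# /opt/avantra), before and after the recommended chmod.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/avantra/cfg"
  printf 'secret=1\n' > "$tmp/avantra/cfg/xangui.cfg"
  chmod 700 "$tmp/avantra" "$tmp/avantra/cfg"
  chmod 644 "$tmp/avantra/cfg/xangui.cfg"   # world-readable config: offender
  me=$(id -un)
  echo "Before hardening:"
  audit_avantra_perms "$tmp/avantra" "$me" || echo "-> group/other access found"
  chmod -R go-rwx "$tmp/avantra"             # the recommended fix
  echo "After hardening:"
  audit_avantra_perms "$tmp/avantra" "$me" && echo "-> clean"
  rm -rf "$tmp"
}

demo
```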

Secure communications between the UI and server

AHG-S-10

Description

Avantra supports HTTPS communication between the UI and the server. For most customers this is not a concern, as the UI usually resides on the same host as the server and so all communication is internal. However, you can set Avantra to use the secure communication option a5s (HTTPS) instead of a5 (HTTP). The flags are called "Network.master-ui-protocol" and "ui-master-protocol" and can be found in "Administration" → "Settings" → "Avantra Master" and "Administration" → "Settings" → "Avantra UI" respectively.

Please note, switching to a5s for communication between your server and UI (if your UI and server are on the same host) may have a small impact on performance owing to the HTTPS overhead. While this is generally not an issue with modern system sizes and resources, it is worth being aware of.

Recommendation

Set the flag "Network.master-ui-protocol" to a5s in the Avantra server settings under "Administration" → "Settings" → "Avantra Master". Set the flag "ui-master-protocol" to a5s in the Avantra UI server settings under "Administration" → "Settings" → "Avantra UI".

Set TLS cipher suites and protocols

AHG-S-11

Description

Avantra supports TLS versions 1.0 to 1.3 for agent communications, and these can be enabled or disabled based on your organizational policies. We encourage customers to configure these settings to match corporate policies.

Recommendation

Set the flags "Network.tls-cipher-suites" and "Network.tls-enabled-client-protocols" to appropriate values in the Avantra server settings under "Administration" → "Settings" → "Master".

Reduce log level

AHG-S-12

Description

Avantra has six different log levels:

  • Trace

  • Debug

  • Info

  • Warning

  • Error

  • Fatal

Unless needed for support or problem-solving purposes, we recommend running with the minimal log level to reduce the information captured in your log files at the OS level.

Recommendation
  • Set the flag "global.log-level" to "OFF" in the Avantra server settings under "Administration" → "Settings" → "Avantra Master".

  • Set the flag "LogLevel" to "Fatal" in the Avantra UI server settings under "Administration" → "Settings" → "Avantra UI".

There is also a monitoring parameter, "TraceLevel", that can be set on your agents to turn off logging; its value should be set to 0.

Failed login attempt restrictions

AHG-S-13

Description

By default, Avantra will lock a user account after 3 failed login attempts for a period of 5 minutes. This behavior can be changed to match your organizational requirements using the flags below in the Avantra UI server settings under "Administration" → "Settings" → "Avantra UI".

  • logon.lockTimeMinutes

  • logon.maxFailedLoginTries

Recommendation

Match the values of the above flags to your organization's requirements in this space.

Disable browser credential caching

AHG-S-14

Description

By default, Avantra offers a "remember me" option at login to allow users to speed up future logins. This behavior can be disabled to prevent misuse using the flag "remember-me" in the Avantra UI server settings under "Administration" → "Settings" → "Avantra UI".

Recommendation

Set the flag "remember-me" to "no" in the Avantra UI server settings under "Administration" → "Settings" → "Avantra UI".

Disable password reset processes

AHG-S-15

Description

By default, Avantra has password reset functionality enabled for local accounts via an email sent to the user. To disable this, use the flag "reset-password" in the Avantra UI server settings under "Settings" → "Avantra UI". Note that this disables all password resets for local accounts, including administrator accounts.

Recommendation

Set the flag "reset-password" to "no" in the Avantra UI server settings under "Administration" → "Settings" → "Avantra UI".

Set a default password policy for local accounts

AHG-S-16

Description

Avantra can mandate complex password use for local Avantra accounts (as opposed to Identity provider accounts) and this is configurable within the Avantra UI. You can find this under "Administration" → "Settings" → "Password Policy".

Recommendation

Set the appropriate Password Policy to match your organizational requirements.

Review the Avantra Logbook settings

AHG-S-17

Description

The Avantra logbook keeps a record of all activity within your Avantra system and is very useful when undertaking audits and clarifying who completed actions. It is enabled by default but the settings should be verified to match your organizational requirements.

Recommendation

Review and update the Avantra Logbook settings under "Administration" → "Settings" → "Logbook".

Disable the Avantra Server statistics Web page

AHG-S-18

Description

The Avantra server has a statistics and server-health overview webpage enabled on port 9058. This page gives you information about the health of your Avantra server such as DB connection pool info, JVM heap sizes, remote connection to managed agents, and much more. This web server is hosted directly by the Avantra service independent of the Avantra UI (XANGUI). In a hardened environment, this web service should be disabled unless needed for support purposes.

Recommendation

Disable the web service on this port by setting the flag "Web.http-server" to "off" under "Administration" → "Settings" → "Avantra Master".

Apply secure web application headers

AHG-S-19

Description

In the Avantra web application, customers can manually add specific HTTP security headers to the configuration file; these headers help protect against clickjacking, XSS attacks, MIME sniffing, etc. For more information on HTTP security headers, follow this link.

Recommendation

The following new configurations can be configured in xangui.cfg:

X_FRAME_OPTIONS=deny|sameorigin|allow-from
CONTENT_SECURITY_POLICY=...
X_PERMITTED_CROSS_DOMAIN_POLICIES=none
X_CONTENT_TYPE_OPTIONS=nosniff
REFERRER_POLICY=no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url

For more information about the values that CONTENT_SECURITY_POLICY can take, follow this link.

These settings could cause issues with SAML and UI timeouts; therefore, they must be explicitly defined in xangui.cfg only if wanted, and thoroughly tested before being used in a productive Avantra system.
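Because these headers must be tested before going productive, a check that confirms they are actually being served is useful. The helper below is an added example (not part of Avantra): it reads raw HTTP response headers on stdin and reports any of the five headers above that is missing or set to a weak value. The hostname in the usage comment and the two sample responses are constructed.

```shell
#!/bin/sh
# Added verification helper, not part of Avantra: read raw HTTP response
# headers on stdin and report each security header from the xangui.cfg list
# above that is missing or set to a weak value. Returns 0 only when all
# five headers are present with acceptable values.
# Typical use once the settings are live (hostname is a placeholder):
#   curl -sSI https://avantra.example.internal:8443/xn/ | check_security_headers
check_security_headers() {
  # Normalise: strip CR and lower-case (header names are case-insensitive)
  hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
  bad=0
  for h in x-frame-options content-security-policy \
           x-permitted-cross-domain-policies x-content-type-options \
           referrer-policy; do
    val=$(printf '%s\n' "$hdrs" | sed -n "s/^$h: *//p" | head -n 1)
    if [ -z "$val" ]; then
      echo "MISSING $h"; bad=1; continue
    fi
    case "$h=$val" in
      x-content-type-options=nosniff) ;;
      x-content-type-options=*)            echo "WEAK $h=$val"; bad=1 ;;
      x-permitted-cross-domain-policies=none) ;;
      x-permitted-cross-domain-policies=*) echo "WEAK $h=$val"; bad=1 ;;
      referrer-policy=unsafe-url)          echo "WEAK $h=$val"; bad=1 ;;
      x-frame-options=allow-from*)         echo "WARN $h=$val (obsolete)"; bad=1 ;;  # current browsers ignore allow-from
    esac
  done
  return $bad
}

# Constructed sample responses (not captured from a real system)
GOOD_RESPONSE='HTTP/1.1 200 OK
X-Frame-Options: DENY
Content-Security-Policy: default-src https:
X-Permitted-Cross-Domain-Policies: none
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin'

WEAK_RESPONSE='HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
Referrer-Policy: unsafe-url'

echo "== hardened response =="
printf '%s\n' "$GOOD_RESPONSE" | check_security_headers && echo "all headers OK"
echo "== unhardened response =="
printf '%s\n' "$WEAK_RESPONSE" | check_security_headers || echo "hardening incomplete"
```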

Avantra Agents

OS permissions for the Avantra service user(s)

AHG-A-01

Description

It is important to ensure that the service user used to run the Avantra OS services for Server/UI and Agent has no permissions other than those needed to run the services, e.g. it should not be a member of the administrator or sudo group. This user should have read, write, and execute permissions on the Avantra install directory and group membership for any other directories to which access is required.

Recommendation

Restrict the OS service user to the minimal required permission to run.

Database permissions for any database management user(s)

AHG-A-02

Description

It is important to ensure that the service user used to monitor and manage your managed databases has no permissions other than those required to successfully monitor and manage that object, e.g. no access to production schemas and no ability to query or update data within the database.

Recommendation

Restrict the user permissions for database management to the minimal required permissions, i.e. no access to production data and no grant permissions.

Monitored system permissions for any management user(s)

AHG-A-03

Description

It is important to ensure that the service user used to monitor and manage your managed objects has no permissions other than those required to successfully monitor and manage that object.

Recommendation

Restrict the user permissions for object management to the minimal required permissions, i.e. no access to production data and no administrator rights.

Use Agents as Gateways for a multi-tenant or multi-network setup

AHG-A-04

Description

If you serve multiple customers or you have multiple networks containing SAP systems, consider setting up one or more Agents per network to serve as a gateway. While the gateway has no security function in itself, its usage allows you to tighten firewall rules and lock down the routes of communication between the server and the remote agents.

Recommendation

Map out the network topology and employ Agents as Gateways when crossing network boundaries or to concentrate network traffic from a specific location.

Network communications & External Access

Restrict Avantra Server access to the internet

AHG-N-01

Description

The Avantra server only needs to access the wider internet in a few situations. These situations are predictable and configurable either via outbound firewall rules in your network or by using a proxy. Common situations are listed below. The suggested endpoints can be further restricted based on your individual setup, e.g. specific regional API endpoints for a cloud provider. To completely restrict the endpoints, we recommend setting up your Avantra server, observing the outbound requests, and locking down connectivity to match those endpoints.

  • Avantra Activation Server communication

    • api.avantra.com:443

  • ServiceNow outbound integrations

    • *.service-now.com:443

  • Integrations with cloud provider APIs (GCP, Azure, AWS, etc.)

    • GCP

      • *.googleapis.com:443

    • AWS

      • *.aws.amazon.com:443

    • Azure

      • management.azure.com:443

    • SAP

      • api.sap.com:443

      • *.hana.ondemand.com:443

      • apps.support.sap.com:443

  • Mobile Application notifications via Google Firebase

    • accounts.google.com:443

    • oauth2.googleapis.com:443

    • www.googleapis.com:443

  • 3rd Party API endpoints for e.g. notifications

    • As per your own requirements

  • OS Updates

    • As per your own requirements

Recommendation

Restrict outbound network connectivity based on your required scenarios and configure a proxy if required.
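The "observe the outbound requests, then lock down" step can be scripted. The helper below is an added example (not Avantra's own tooling): it compares destinations recorded in an outbound proxy log against an allow-list of host:port patterns built from the endpoint list above and reports anything outside it. The log format, the log lines and the allow-list file are constructed assumptions.

```shell
#!/bin/sh
# Added audit helper, not part of Avantra: compare the destinations seen in
# an outbound proxy log against an allow-list of host:port patterns (the
# endpoints listed above) and report anything outside it.
# Assumed log format (constructed): "<timestamp> <client> CONNECT <host:port>".
# Returns 0 when every destination is allowed, 1 otherwise.
audit_outbound() {
  allow="$1"    # file with one host:port pattern per line, '*' wildcards allowed
  bad=0
  while read -r _ts _client _method dest; do
    [ -z "$dest" ] && continue
    ok=0
    while read -r pat; do
      case "$pat" in ''|'#'*) continue ;; esac
      # shell pattern match: "*.service-now.com:443" matches any subdomain,
      # and the port is part of the match, so host:80 is not covered by host:443
      case "$dest" in $pat) ok=1; break ;; esac
    done < "$allow"
    [ "$ok" -eq 1 ] || { echo "NOT ALLOWED $dest"; bad=1; }
  done
  return $bad
}

# Allow-list built from the endpoint list in this guide; add your own
# 3rd-party notification and OS update endpoints where indicated.
write_allowlist() {
  cat > "$1" <<'EOF'
api.avantra.com:443
*.service-now.com:443
*.googleapis.com:443
*.aws.amazon.com:443
management.azure.com:443
api.sap.com:443
*.hana.ondemand.com:443
apps.support.sap.com:443
accounts.google.com:443
# customer-specific 3rd-party and OS update endpoints go here
EOF
}

demo() {
  al=$(mktemp); write_allowlist "$al"
  # Constructed proxy log: two expected connections and one that is not
  printf '%s\n' \
    '2024-05-01T08:00:00Z 10.0.0.5 CONNECT api.avantra.com:443' \
    '2024-05-01T08:00:01Z 10.0.0.5 CONNECT acme.service-now.com:443' \
    '2024-05-01T08:00:02Z 10.0.0.5 CONNECT mirror.example.net:80' \
    | audit_outbound "$al" || echo "-> review outbound firewall/proxy rules"
  rm -f "$al"
}

demo
```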

Restrict incoming network communications

AHG-N-02

Description

The Avantra server requires a limited number of inbound connections. These situations are predictable and configurable either via inbound network firewall rules in your network or by using a reverse proxy or load balancer.

  • Agent communications

    • TCP inbound to the server (port 9050)

  • Web UI (usually 8443)

    • User Interface

      • /xn/*

    • GraphQL REST API (Mobile App)

      • /xn/api/graphql

      • /xn/api/auth/login

    • SOAP API

      • /xn/ws

Recommendation

Restrict inbound network connectivity based on your required scenarios and configure a load balancer in front of your Avantra server if external access is required, either directly to the UI or via the Mobile App.