Avantra Hardening Guide

We strongly recommend regularly reviewing your Avantra installation landscape and applying appropriate hardening measures. Each enterprise or managed service provider has its own approach to system hardening and our recommendations should be appended to those approaches.

The items mentioned in this guide are designed to be appended to your existing hardening practices. This is not a complete system hardening guide.

This guide will be updated periodically and should be regularly reviewed by your operations team and security experts to ensure you continue to run a hardened environment.

Avantra Server

Secure the WebUI port and bind address

AHG-S-01

Description

By default, Avantra can be configured to use HTTP or HTTPS. In a productive environment, we strongly recommend you ensure that your WebUI (XANGUI) configuration is set to use the secure port via HTTPS. You can also specify the TSL cipher suites that can be used for web UI communication. Finally, in a multi-network set up with multiple interfaces, ensure that your WebUI is only accessible from the required interface.

Recommendation
  • Enable the HTTPS (secure) port in your installation on an unprivileged port (e.g. 8443) (see helpful link below).

  • Avoid using HTTP (see helpful link below).

  • Bind the Avantra WebUI to only the required network interface (see helpful link below).

  • Within the Avantra server settings, bind the Avantra server to only the required network interface (Administration-Settings-Avantra Master-Network.bind-address)

Disable HTTP completely or redirect HTTP to HTTPS

AHG-S-02

Description

By default, Avantra can be configured to use HTTP or HTTPS. In a productive environment, we strongly recommend you ensure that any insecure (HTTP) requests to your Web UI are dropped or, at least, auto-redirected to the secure version (HTTPS).

Recommendation

Disable the HTTP port by removing it from the configuration file. If it must be left enabled, then we recommend enabling redirection of HTTP to HTTPS by default.

X.509 Web Certificate

AHG-S-03

Description

By default, Avantra comes with a pre-installed X.509 certificate with the common name "xandria". In all cases we strongly recommend you replace this and add your own X.509 server certificate to your installation to secure all web interface communications.

Recommendation

Replace the default X.509 certificate with your own CA-signed certificate.

OS permissions for the Avantra services user

AHG-S-04

Description

It is important to ensure that the service user in use to run the Avantra OS services for Server/UI and Agent has no other permissions except for running the services. E.g. not in the administrator or SUDO group. Your user should have read, write, and execute permissions on the Avantra install directory and group membership for any other directories to which access is required.

Please note, we strongly discourage the use of root as Avantra agent OS user. Instead, customers should work with sudo to allow list only the commands required. E.g. if you plan to automate OS patching within unix, then allow the service user to run that command only using sudo rather than adding them to the sudoers

Recommendation

Restrict the OS service user to the minimal required permission to run.

OS Hardening

AHG-S-05

Description

We strongly recommend utilizing the operating system hardening guide as provided by your operating system provider e.g. SUSE, RHEL, Windows, or other. These guides will cover topics such as firewalls, audit logs, and more.

Recommendation

Frequently review the OS hardening guide for your chosen OS and implement its recommendations.

User authentication

AHG-S-06

Description

Avantra supports the configuration of external identity providers via SAML or active directory. We recommend using an external identity provider as it allows for tight integration into corporate systems for processes such as Joiners, Movers, and Leavers (JML) as well as supporting two-factor authentication (2FA). We strongly encourage using concepts such as 2FA via an external identity provider.

Recommendation

Configure an external identity provider, ideally, with 2FA enabled.

OS-level code execution for managed systems

AHG-S-07

Description

Avantra is designed as a complete management platform that includes powerful features that allow for the execution of scripts and commands on remote systems for automation. Depending on your environment you may not want to allow the execution of OS-level commands in your environment.

Recommendation

Ensure that you apply the hardening recommendation AHG-A-01 to significantly restrict the access permissions of the OS user in use to run the Agent services. This agent should ONLY have the permissions to run the agent as well as access to run any scripts or commands required for your specific scenarios. This protection should mitigate this risk.

Optional (extra hardening) recommendation for validated environments that require complete hardening, you can switch off any capability to execute OS-level commands within the Avantra server settings. Please bear in mind that this is a global flag and will reduce the capabilities in this space. The flag is called "Security.EnableOSCodeExec" and can be found in "Administration" → "Settings" → "Master".

Database write-query execution for managed systems

AHG-S-08

Description

Avantra is designed as a complete management platform that includes powerful features that allow for the execution of queries and commands on remote databases (as part of checks or automation). Depending on your environment you may not want to allow the execution of write-capable SQL commands in your environment.

Recommendation

Ensure that you apply the hardening recommendation AHG-A-02 to significantly restrict the access permissions of the database user in use to monitor your managed database objects. This user should ONLY have the permissions required for your specific scenarios (usually read-only and no access to production data). This protection should mitigate this risk.

Optional (extra hardening) recommendation for validated environments that require complete hardening, you can switch off any capability to execute database write commands within the Avantra server settings. Please bear in mind that this is a global flag and will reduce the capabilities in this space. The flag is called "Security.RUNJSAllowDBWrite" and can be found in "Administration" → "Settings" → "Master".

Restrict permissions on Avantra files

AHG-S-09

Description

Your Avantra installation should be protected from other users of your OS. The only user requiring access to read, write or execute Avantra files should be the Avantra service user running your OS services.

Recommendation

Ensure that the permissions within the Avantra installation directory are restricted for groups and other users.

If it is not possible to limit access to the Avantra directory, be sure to restrict ownership to the credential encryption key

Example Unix commands
// Replace <avantraOSuser> with your
sudo chown -R <avantraOSuser>:<avantraOSGroup> /opt/avantra
sudo chmod -R go-rwx /opt/avantra

Secure communications between the UI and server

AHG-S-10

Description

Avantra supports HTTPS communication between the UI and the server. This is, for most customers, not a concern as the UI mostly resides on the same host as the server and so all communications are internal. However, you can set Avantra to use the secure communications option a5s (HTTPS) (instead of a5 (HTTP)). The flags are called "Network.master-ui-protocol" and "ui-master-protocol" and can be found in "Administration" → "Settings" → "Avantra Master" and "Administration" → "Settings" → "Avantra UI".

Please note, switching to a5s for communication between your server and UI (if your UI and server are on the same host) may have a small impact on performance owing to the HTTPS overhead. While this is generally not an issue with modern system sizes and resources, it is worth being aware of.

Recommendation

Set the flag "Network.master-ui-protocol" to a5s in the Avantra server settings under "Administration" → "Settings" → "Avantra Master". Set the flag "ui-master-protocol" to a5s in the Avantra UI server settings under "Administration" → "Settings" → "Avantra UI".

Set TLS cipher suites and protocols

AHG-S-11

Description

Avantra supports TLS versions 1.0 → 1.3 for agent communications and these can be enabled/disabled based on your organizational policies. We encourage customers to configure these settings to match corporate policies.

Recommendation

Set the flags "Network.tls-cipher-suites" and "Network.tls-enabled-client-protocols" to appropriate values in the Avantra server settings under "Administration" → "Settings" → "Master".

Reduce log level

AHG-S-12

Description

Avantra has six different log levels:

  • Trace

  • Debug

  • Info

  • Warning

  • Error

  • Fatal

Unless needed for support or problem-solving purposes, we recommend running with minimal log level to reduce information captured in your log files at the OS level.

Recommendation
  • Set the flag "global.log-level" to "OFF" in the Avantra server settings under "Administration" → "Settings" → "Avantra Master".

  • Set the flag "LogLevel" to "Fatal" in the Avantra UI server settings under "Administration" → "Settings" → "Avantra UI".

There is also a monitoring parameter that can be set on your agents to turn off logging "TraceLevel" and the value should be set to 0

Failed login attempt restrictions

AHG-S-13

Description

By default, Avantra will lock a user account after 3 failed login attempts for a period of 5 minutes. This behavior can be changed to match your organizational requirements using the flags below in the Avantra UI server settings under "Administration" → "Settings" → "Avantra UI".

  • logon.lockTimeMinutes

  • logon.maxFailedLoginTries

Recommendation

Match the values for the above flags to your organizations' requirements in this space.

Disable browser credential caching

AHG-S-14

Description

By default, Avantra can use a "remember me" option at login to allow users to speed up future login attempts. This behavior can be disabled to prevent misuse using the flag "remember-me" under the Avantra UI server settings under "Administration" → "Settings" → "Avantra UI".

Recommendation

Set the flag "remember-me" to "no" under the Avantra UI server settings under "Administration" → "Settings" → "Avantra UI".

Disable password reset processes

AHG-S-15

Description

By default, Avantra has a password reset functionality enabled for local accounts via an email sent to the user. To disable this, use the flag "reset-password" under the Avantra UI server settings under "Settings" → "Avantra UI". Note that this disables all password resets for local accounts including administrator accounts.

Recommendation

Set the flag "reset-password" to "no" under the Avantra UI server settings under "Administration" → "Settings" → "Avantra UI".

Set a default password policy for local accounts

AHG-S-16

Description

Avantra can mandate complex password use for local Avantra accounts (as opposed to Identity provider accounts) and this is configurable within the Avantra UI. You can find this under "Administration" → "Settings" → "Password Policy".

Recommendation

Set the appropriate Password Policy to match your organizational requirements.

Review the Avantra Logbook settings

AHG-S-17

Description

The Avantra logbook keeps a record of all activity within your Avantra system and is very useful when undertaking audits and clarifying who completed actions. It is enabled by default but the settings should be verified to match your organizational requirements.

Recommendation

Review and update the Avantra Logbook settings under "Administration" → "Settings" → "Logbook".

Disable the Avantra Server statistics Web page

AHG-S-18

Description

The Avantra server has a statistics and server-health overview webpage enabled on port 9058. This page gives you information about the health of your Avantra server such as DB connection pool info, JVM heap sizes, remote connection to managed agents, and much more. This web server is hosted directly by the Avantra service independent of the Avantra UI (XANGUI). In a hardened environment, this web service should be disabled unless needed for support purposes.

Recommendation

Disabled the web service on this port by setting the flag "Web.http-server" to "off" under "Administration" → "Settings" → "Avantra Master".

Apply secure web application headers

AHG-S-19

Description

Now in the Avantra web application, customers can manually add specific security headers into the config file to be implemented further on, and this action will ensure protection from click-jacking, XSS attacks, MIME sniffing, etc. For more information on HTTP security headers, follow this link.

Recommendation

The following new configurations can be configured in xangui.cfg:

X_FRAME_OPTIONS=deny|sameorigin|allow-from
CONTENT_SECURITY_POLICY=...
X_PERMITTED_CROSS_DOMAIN_POLICIES=none
X_CONTENT_TYPE_OPTIONS=nosniff
REFERRER_POLICY=no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url

For more information about the values that CONTENT_SECURITY_POLICY can take, follow this link

This setting could cause the issues with SAML and UI timeout, therefore, it must be explicitly defined in xangui.cfg if wanted and thoroughly tested before being used in a productive Avantra system.

Avantra Agents

OS permissions for the Avantra service user(s)

AHG-A-01

Description

It is important to ensure that the service user in use to run the Avantra OS services for Server/UI and Agent has no other permissions except for running the services. E.g. not in the administrator or SUDO group. Your user should have read, write, and execute permissions on the Avantra install directory and group membership for any other directories to which access is required.

Recommendation

Restrict the OS service user to the minimal required permission to run.

Database permissions for any database management user(s)

AHG-A-02

Description

It is important to ensure that the service user in use to monitor and manage your managed databases has no other permissions except for what is required to successfully monitor and manage that object. E.g. no access to production schemas or to query/update data within the database.

Recommendation

Restrict the user permissions for database management to the minimal required permission to run i.e. no access to production data and no grant permissions.

Monitored system permissions for any management user(s)

AHG-A-03

Description

It is important to ensure that the service user in use to monitor and manage your managed objects has no other permissions except for what is required to successfully monitor and manage that object.

Recommendation

Restrict the user permissions for object management to the minimal required permission to run i.e. no access to production data and no administrator rights.

Use Agents as Gateways for a multi-tenant or multi-network setup

AHG-A-04

Description

If you serve multiple customers or you have multiple networks containing SAP systems, consider setting up one or more Agents per network to serve as a gateway. While the gateway has no security function in itself, its usage allows you to tighten firewall rules and lock down the routes of communication between the server and the remote agents.

Recommendation

Map out the network topology and employ Agents as Gateways when crossing network boundaries or to concentrate network traffic from a specific location.

Network communications & External Access

Restrict Avantra Server access to the internet

AHG-N-01

Description

The Avantra server only needs to access the wider internet in a few situations. These situations are predictable and configurable either via outbound firewall rules in your network or by using a proxy. Common situations are listed below. The suggested endpoints can be further restricted based on your individual set up e.g. specific regional API endpoints for a cloud provider. To completely restrict the endpoints, we recommend setting up your Avantra server, observe the outbound requests, and lockdown to match those endpoints.

  • Avantra Activation Server communication

    • api.avantra.com:443

  • ServiceNow outbound integrations

    • *.service-now.com:443

  • Integrations with cloud provider APIs (GCP, Azure, AWS, etc.)

    • GCP

      • *.googleapis.com:443

    • AWS

      • *.aws.amazon.com:443

    • Azure

      • management.azure.com:443

    • SAP

      • api.sap.com:443

      • *.hana.ondemand.com:443

      • apps.support.sap.com:443

  • Mobile Application notifications via Google Firebase

    • accounts.google.com:443

    • oauth2.googleapis.com:443

    • www.googleapis.com:443

  • 3rd Party API endpoints for e.g. notifications

    • As per your own requirements

  • OS Updates

    • As per your own requirements

Recommendation

Restrict outbound network connectivity based on your required scenarios and configure a proxy if required.

Restrict incoming network communications

AHG-N-02

Description

The Avantra server requires a limited number of inbound connections. These situations are predictable and configurable either via inbound network firewall rules in your network or by using a reverse proxy or load balancer.

  • Agent communications

    • TCP inbound to the server (port 9050)

  • Web UI (usually 8443)

    • User Interface

      • /xn/*

    • GraphQL REST API (Mobile App)

      • /xn/api/graphql

      • /xn/api/auth/login

    • SOAP API

      • /xn/ws

Recommendation

Restrict inbound network connectivity based on your required scenarios and configure a load balancer in front of your Avantra if external access is required either directly to the UI or via the Mobile App.