Linux Vulnerability Remediation Engineer

Riyadh, Saudi Arabia

From SAP HANA clusters on SUSE to container hosts on RHEL and monitoring probes on CentOS Stream, our Linux estate underpins mission-critical banking, analytics, and security services. You will spearhead the effort to eradicate exploits, enforce CIS controls, and automate kernel, package, and agent patching—ensuring every server meets stringent uptime and compliance targets. 

Responsibilities

  • Comprehensive Patch Orchestration: Use zypper, yum/dnf, apt, or Landscape/Satellite to stage, test, and deploy kernel and package updates across 2 000+ Linux nodes, including HA pairs and production SAP stacks.
  • Threat Mitigation: Address SSH hardening (strong ciphers/Kex, two-factor auth), privilege-escalation paths (sudo, setuid, polkit), TLS/SSL weaknesses, RCE flaws, and DoS vectors; implement mitigations such as SELinux, AppArmor, and systemd sandboxing.
  • Baseline & Compliance: Apply and periodically audit CIS/DISA STIG baselines via Ansible, Chef, or OpenSCAP; remediate deviations and document evidence for auditors.
  • Tooling & Automation: Develop Bash/Python playbooks for package inventory, kernel-live-patching (kpatch/ksplice), and post-update functional checks; integrate with Jenkins/GitLab CI pipelines for continuous compliance.
  • Container & Cloud Security: Scan Docker/Podman images (Trivy, Clair), remediate vulnerable layers, and harden Kubernetes/OpenShift nodes; collaborate with DevOps on image-signing and runtime policies.
  • Collaboration & Scheduling: Liaise with SAP Basis, database, and infra teams to coordinate maintenance windows, mitigate performance impact, and optimise reboot sequencing.
  • Metrics & Reporting: Produce monthly scorecards on CVE closure rates, patch compliance, and kernel-panic incidents; drive root-cause analysis for any post-patch instability.
  • Research & Innovation: Pilot OS-trend technologies (e.g., eBPF for runtime security, immutable-OS models like Fedora CoreOS) and recommend adoption paths.

Must Have

  • Expert command of SUSE, RHEL, and/or Debian/Ubuntu hardening and patch lifecycles.
  • Fluency with vulnerability-assessment platforms (OpenVAS, Qualys, Nessus) and CVE/CVSS analysis.
  • Strong scripting skills (Bash plus Python or Go) and experience automating via Ansible or similar.
  • Knowledge of kernel parameters, system-call filtering, and secure-boot concepts.
  • Ability to read security advisories, evaluate exploit PoCs, and translate them into actionable fixes.

Nice to have

  • RHCE, SLES Certified Engineer, or LFCS/LFCE credentials.
  • Familiarity with container-security tools (Falco, SELinux in enforcing mode, seccomp profiles).
  • Experience with cloud-native hosts (AWS Linux 2, Azure Linux) and infrastructure-as-code pipelines (Terraform, Pulumi).
  • Exposure to SIEM integrations (Elastic, Splunk) for log forwarding and rule tuning.
  • Understanding of PCI-DSS or SWIFT CSP requirements in financial environments.

What's great in the job?


You’ll be the guardian of our open-source core, empowered to innovate with cutting-edge tooling and open-source contributions. Performance bonuses tie directly to quantified risk reduction, while flexible hours, remote-friendly culture, and a clear technical-lead track let you grow without sacrificing balance.
