Marc,

Be sure to install Remedy as a non-root user, which is documented by BMC. That will address some of your security concerns. Also on the DB side, make sure that ARAdmin only has access to the ARSystem database, or whatever else it needs, rather than sa access.

Also with arcache, if your server is secure and you set the permissions so only Remedy admins can run it, it's not a huge deal.

Shawn Pierson

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Marc Simmons
Sent: Monday, July 23, 2007 1:31 PM
To: arslist@ARSLIST.ORG
Subject: Re: Remedy and Security

Axton,

Thanks for the input. I'm actually looking to provide more guidance to our server security team. When I showed them how to create a user from the command line using arcache (an admin user at that) and then access their system, they lost their minds. When I created a form and workflow and showed them that I could access their system as root (the owner of the processes) using $PROCESS$, there were strokes, seizures, etc. So now they have asked me what else they need to look for. I was hoping that someone on the list knew of a white paper or other document that laid out a security plan for Remedy servers.

Thanks,
Marc Simmons

On 7/20/07, Axton <[EMAIL PROTECTED]> wrote:

Some other things to consider:
- allowing back ticks in run process commands
- run process directory and access
- sql injection
- relative security of data on the wire (no/weak/strong encryption)
- web: xss vulnerabilities
- form/field/active link permissions
- server hardening
- network architecture for related components
- protocol implementation (malformed packets causing DoS, etc.); they do exist

Patch is probably the incorrect term; you are probably looking to properly configure the system. Only BMC can provide patches, usually in the form of a stripped binary.

Axton Grams

On 7/20/07, Marc Simmons <[EMAIL PROTECTED]> wrote:
> Hi List,
>
> Does anyone know of a white paper that details the security risks with
> Remedy (ie arcache, arreload, encryption) etc and how to "patch" those
> holes? I know that there are bits and pieces of information in the
> admin/config guides etc. I was just hoping that there would be a doc that
> consolidated all of that information.
>
> Thanks
> --
> Marc Simmons
> Remedy Administrator
>
> "Everyday above ground is a good day... the rest is a choice!"

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
ARSlist:"Where the Answers Are"

--
Marc Simmons
Remedy Administrator
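The two Unix-side points the thread keeps returning to (arserverd running as root, so a Run Process / $PROCESS$ action executes as root; arcache and arreload runnable by anyone on the box) can be checked mechanically. The script below is an added example, not code from any poster in this thread or from BMC. It assumes a Remedy admin group named remedyadm, a service account named arsys and an install path of /opt/bmc/ARSystem; all three are placeholders, and the ps/stat lines it runs against at the bottom are constructed samples standing in for live output.

```shell
#!/bin/sh
# Added audit helper for an AR System (Remedy) host; not from the ARSList
# thread or from BMC documentation.  Checks two hardening points:
#   1. arserverd must not run as root, otherwise Run Process / $PROCESS$
#      workflow actions execute as root.
#   2. arcache / arreload must be runnable only by the Remedy admin group.
# Assumed names (not from the thread): group "remedyadm", service account
# "arsys", install path /opt/bmc/ARSystem.  Sample inputs below are constructed.

AR_ADMIN_GROUP="${AR_ADMIN_GROUP:-remedyadm}"
AR_SERVICE_USER="${AR_SERVICE_USER:-arsys}"

# check_process_owner: reads "user command" lines (as from: ps -eo user,comm)
# on stdin.  Returns 1 if any arserverd process is owned by root.
check_process_owner() {
    rc=0
    while read -r user comm; do
        case "$comm" in
            arserverd*)
                if [ "$user" = "root" ]; then
                    echo "FAIL: $comm runs as root; \$PROCESS\$ actions would run as root"
                    rc=1
                else
                    echo "ok:   $comm runs as $user"
                fi ;;
        esac
    done
    return $rc
}

# check_tool_perms: reads "mode owner group path" lines
# (as from: stat -c '%A %U %G %n' /opt/bmc/ARSystem/bin/arcache ...) on stdin.
# Returns 1 if a tool is setuid/setgid, executable by "other", or not
# group-owned by the Remedy admin group.
check_tool_perms() {
    rc=0
    while read -r mode owner group path; do
        bad=0
        case "$mode" in *[sS]*) echo "FAIL: $path is setuid/setgid ($mode)"; bad=1 ;; esac
        if [ "$(printf '%s' "$mode" | cut -c10)" = "x" ]; then
            echo "FAIL: $path is executable by everyone ($mode)"; bad=1
        fi
        if [ "$group" != "$AR_ADMIN_GROUP" ]; then
            echo "FAIL: $path group is '$group', expected '$AR_ADMIN_GROUP'"; bad=1
        fi
        if [ "$bad" -eq 0 ]; then
            echo "ok:   $path $mode $owner:$group"
        else
            rc=1
        fi
    done
    return $rc
}

# harden_tool_cmds PATH...: prints (does not run) the commands that restrict
# each tool to the service account and the admin group, mode 0750.
harden_tool_cmds() {
    for p in "$@"; do
        echo "chown $AR_SERVICE_USER:$AR_ADMIN_GROUP $p && chmod 0750 $p"
    done
}

# Constructed sample input for a weakly configured host: arserverd as root,
# arcache world-executable and setuid, arreload already restricted.
SAMPLE_PS='root arserverd
arsys arplugin'
SAMPLE_STAT='-rwsr-xr-x root root /opt/bmc/ARSystem/bin/arcache
-rwxr-x--- arsys remedyadm /opt/bmc/ARSystem/bin/arreload'

printf '%s\n' "$SAMPLE_PS" | check_process_owner \
    || echo "-> install and run arserverd as $AR_SERVICE_USER, not root"
printf '%s\n' "$SAMPLE_STAT" | check_tool_perms \
    || harden_tool_cmds /opt/bmc/ARSystem/bin/arcache
```

On a live host, replace the constructed samples with `ps -eo user,comm` and `stat -c '%A %U %G %n'` over the tools in the AR System bin directory. The DB-side point (ARAdmin scoped to the ARSystem database rather than sa) is not covered here; it has to be checked against the database's own privilege catalog.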