Marc,
Be sure to install Remedy as a non-root user, which is documented by
BMC. That will address some of your security concerns. Also on the DB
side make sure that ARAdmin only has access to the ARSystem database or
whatever else it needs, rather than sa access.
Also with arcache, if your server is secure, and you set the permissions
so only Remedy admins can run it, it's not a huge deal.
Shawn Pierson
-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of Marc Simmons
Sent: Monday, July 23, 2007 1:31 PM
To: arslist@ARSLIST.ORG
Subject: Re: Remedy and Security
**
Axton,
Thanks for the imput. I'm actually looking to provide more
guidance to our server security team. When I showed them how to create
a user from the command line using arcache (an admin user at that) and
then access their system they lost their minds. When I created a form
and workflow and showed them that I could access their system as root
(the owner of the processes) using $PROCESS$ there were strokes,
seizures etc. So now they have asked me what else they need to look
for, I was hoping that someone in the list new of a white paper or other
document that layed out a security plan for Remedy Servers.
Thanks,
Marc Simmons
On 7/20/07, Axton <[EMAIL PROTECTED]> wrote:
Some other things to consider:
- allowing back ticks in run process commands
- run process directory and access
- sql injection
- relative security of data on the wire (no/weak/strong
encryption)
- web: xss vulnerabilities
- form/field/active link permissions
- server hardening
- network architecture for related components
- protocol implementation (malformed packets causing
DoS, etc.); they do exist
Patch is probably the incorrect term, you are probably
looking to
properly configure the system. Only BMC can provide
patches, usually
in the form of a stripped binary.
Axton Grams
On 7/20/07, Marc Simmons <[EMAIL PROTECTED]> wrote:
> **
>
> Hi List,
>
> Does anyone know of a white paper that details the
security risks with
> Remedy (ie arcache, arreload, encryption) etc and how
to "patch" those
> holes. I know that there are bits and pieces of
information in the
> admin/config guides etc. I was just hoping that there
would be a doc that
> consolidated all of that information.
>
> Thanks
> --
> Marc Simmons
> Remedy Administrator
>
> "Everyday above ground is a good day... the rest is a
choice!"
> __20060125_______________________This posting was
submitted
> with HTML in it___
________________________________________________________________________
_______
UNSUBSCRIBE or access ARSlist Archives at
www.arslist.org ARSlist:"Where the Answers Are"
--
Marc Simmons
Remedy Administrator
"Everyday above ground is a good day... the rest is a choice!"
__20060125_______________________This posting was submitted with HTML in
it___
Private and confidential as detailed <a
href="http://www.sug.com/disclaimers/default.htm#Mail";>here</a>. If you cannot
access hyperlink, please e-mail sender.
_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org ARSlist:"Where the
Answers Are"
