Gary,

We're using Windows right now, so it's not a problem for us, but this was back before Sarbanes-Oxley existed, and part of fixing that was to install as a non-root user. Still, we could easily have a Remedy admin type in the work log "I typed "rm -rf /opt/arsystem" by accident" and end up wiping everything out. It was never that bad, but even with the reinstall and the clamping down of the Remedy user's rights, I had to change the escape character that Perl used for the command line apps.

Also, this was on version 4.0 of Remedy, so this may not be such a problem anymore.

Shawn

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Opela, Gary L Contr OC-ALC/ITMA
Sent: Monday, July 23, 2007 1:54 PM
To: arslist@ARSLIST.ORG
Subject: Re: Remedy and Security

Shawn, if you are having problems like this, you really need to check the permissions on your directories. You need to do a thorough audit of them and make sure that they only have write access when absolutely required. Also, make sure that the parent folders do not have write access on the directories, or you could potentially have that user delete files within that folder. With the proper setup, you should not have anything to worry about from the points you've mentioned.

I've participated in a thorough SOX audit on a UNIX Remedy system before, and we passed with flying colors. It focused primarily on security permissions and the ability to create user accounts without permissions, the two points you stated below.

________________________________
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Pierson, Shawn
Sent: Monday, July 23, 2007 1:48 PM
To: arslist@ARSLIST.ORG
Subject: Re: Remedy and Security

The problem is that with that you can still run a command to delete the Remedy directory, for example. One company I worked at had command line notifications going out via a run process from the work log. At times when UNIX issues were being worked on, we would have weird problems with our server sometimes, such as files being deleted or overwritten. I found out that it came from a run process, and came up with a nonsensical word like "PERLFISH22" or something similar to use as an escape character rather than quotes. There are better ways to do it, but I was pretty inexperienced at the time and it worked. You have to keep Remedy from running random commands by accident.

I would just love to see what the person that came after me thought when they saw it.

Shawn Pierson

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Opela, Gary L Contr OC-ALC/ITMA
Sent: Monday, July 23, 2007 1:37 PM
To: arslist@ARSLIST.ORG
Subject: Re: Remedy and Security

I believe that to avoid accessing the system as root via $PROCESS$, you just install/run Remedy as a non-root account; then anything that the Remedy system does to interact with the server (i.e. opening up shell windows, etc.) will open up with the permissions of the process that is running Remedy. I'm assuming you are talking about a UNIX environment.

________________________________
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Marc Simmons
Sent: Monday, July 23, 2007 1:31 PM
To: arslist@ARSLIST.ORG
Subject: Re: Remedy and Security

Axton,

Thanks for the input. I'm actually looking to provide more guidance to our server security team. When I showed them how to create a user from the command line using arcache (an admin user at that) and then access their system, they lost their minds. When I created a form and workflow and showed them that I could access their system as root (the owner of the processes) using $PROCESS$, there were strokes, seizures, etc. So now they have asked me what else they need to look for. I was hoping that someone on the list knew of a white paper or other document that laid out a security plan for Remedy servers.

Thanks,
Marc Simmons

On 7/20/07, Axton <[EMAIL PROTECTED]> wrote:

Some other things to consider:
- allowing back ticks in run process commands
- run process directory and access
- SQL injection
- relative security of data on the wire (no/weak/strong encryption)
- web: XSS vulnerabilities
- form/field/active link permissions
- server hardening
- network architecture for related components
- protocol implementation (malformed packets causing DoS, etc.); they do exist

Patch is probably the incorrect term; you are probably looking to properly configure the system. Only BMC can provide patches, usually in the form of a stripped binary.

Axton Grams

On 7/20/07, Marc Simmons <[EMAIL PROTECTED]> wrote:
> Hi List,
>
> Does anyone know of a white paper that details the security risks with
> Remedy (i.e. arcache, arreload, encryption) etc. and how to "patch" those
> holes. I know that there are bits and pieces of information in the
> admin/config guides etc. I was just hoping that there would be a doc that
> consolidated all of that information.
>
> Thanks
> --
> Marc Simmons
> Remedy Administrator
>
> "Everyday above ground is a good day... the rest is a choice!"

__20060125_______________________This posting was submitted with HTML in it___

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
ARSlist:"Where the Answers Are"

--
Marc Simmons
Remedy Administrator

"Everyday above ground is a good day... the rest is a choice!"

Private and confidential as detailed here <http://www.sug.com/disclaimers/default.htm#Mail>. If you cannot access hyperlink, please e-mail sender.
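The two defensive points that run through this thread, as an added example in Python that is not code from the thread, from BMC or from any Remedy installation: first, a work-log entry that contains quotes or backticks should reach a command-line notifier as a single argument rather than being spliced into a shell string (the problem Shawn worked around with a made-up escape word, and the "back ticks in run process commands" item on Axton's list); second, the install tree should be audited for anything writable by group or other (Gary's permissions audit). The notifier here is a stand-in, the Python interpreter echoing its first argument, and the audited tree is a temporary directory built by the example itself; both are assumptions of the example, as is the sample work-log text.

```python
"""Added example, not from the ARSList thread or from BMC: (1) hand work-log
text to a command-line notifier as data, not as shell syntax, and (2) audit
an install tree for files or directories that anyone other than the owner
can write."""
import os
import shlex
import stat
import subprocess
import sys
import tempfile

# Constructed sample work-log entry: quotes, a semicolon and a backtick, the
# characters that break a command line built by splicing field text into a
# shell string.
SAMPLE_WORKLOG = 'Rebooted box; user said "it\'s fine" `date`'

# Characters a POSIX shell treats as syntax rather than data.
SHELL_META = frozenset(';&|`$()<>\'"\\\n*?[]{}~#!')


def shell_metachars(text):
    """Return, sorted, the shell metacharacters present in text.

    Use this to log or reject field values before any run process line that
    still goes through a shell; an empty list means the text is inert."""
    return sorted(SHELL_META.intersection(text))


def spliced_tokens(text):
    """Tokenise 'notify --body <text>' the way a POSIX shell would when the
    text is spliced straight into the command string.

    Returns the argv list, or None when the quoting is unbalanced, which is
    the failure mode that pushes people towards a made-up escape word."""
    try:
        return shlex.split("notify --body " + text)
    except ValueError:
        return None


def notify(text):
    """Run a notifier with the work-log text as one argv element.

    No shell is involved, so quotes and backticks reach the notifier as
    plain characters.  The notifier is a stand-in (an assumption of this
    example): the Python interpreter echoing its first argument."""
    cmd = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", text]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def writable_by_others(root):
    """List every directory and file under root whose mode grants write
    access to group or other: the audit Gary describes for the install tree."""
    loose = stat.S_IWGRP | stat.S_IWOTH
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if os.lstat(path).st_mode & loose:
                hits.append(path)
    return hits


def demo_audit():
    """Build a throwaway tree standing in for a Remedy install directory
    (constructed, not a real install) with one file locked to its owner and
    one writable by everyone, and return the offenders relative to the tree."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        for name, mode in (("locked.txt", 0o644), ("loose.txt", 0o666)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        return sorted(os.path.relpath(p, root) for p in writable_by_others(root))


if __name__ == "__main__":
    print("metacharacters:", shell_metachars(SAMPLE_WORKLOG))
    print("spliced into a shell string:", spliced_tokens(SAMPLE_WORKLOG))
    print("spliced with an apostrophe only:", spliced_tokens("It's done"))
    print("delivered as argv:", repr(notify(SAMPLE_WORKLOG)))
    print("group/other writable:", demo_audit())
```

The contrast to notice is between `spliced_tokens` and `notify`: the first shows the text being re-parsed as shell syntax (a lone apostrophe is enough to make the command line unparseable), while the second never builds a command string at all, so no escape character is needed. The audit lists directories as well as files, because a writable parent directory is what lets a process remove files it could not otherwise touch.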