Gary,

We're using Windows right now, so it's not a problem for us, but this
was back before Sarbanes Oxley existed, and part of fixing that was to
install as a non-root user.  Still, we could easily have a Remedy admin
type in the work log "I typed "rm -rf /opt/arsystem" by accident" and
end up wiping everything out.  It was never that bad, but even with the
reinstall and the clamping down of the Remedy user's rights, I had to
change the escape character that Perl used for the command line apps.

Also, this was on version 4.0 of Remedy, so this may not be such a
problem anymore.

Shawn

        -----Original Message-----
        From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of Opela, Gary L Contr
OC-ALC/ITMA
        Sent: Monday, July 23, 2007 1:54 PM
        To: arslist@ARSLIST.ORG
        Subject: Re: Remedy and Security


        Shawn, if you are having problems like this, you really need to
check the permissions on your directories. You need to do a thorough
audit of them and make sure that they only have write access when
absolutely required.



        Also, make sure that the parent folders do not have write access
on the directories, or you could potentially have that user delete files
within that folder. With the proper setup, you should not have anything
to worry about from the points you've mentioned.



        I've participated in a thorough SOX audit on a UNIX Remedy
system before, and we passed with flying colors. It focused primarily on
security permissions, and the ability to create user accounts without
permissions, the two points you stated below.




________________________________


        From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of Pierson, Shawn
        Sent: Monday, July 23, 2007 1:48 PM
        To: arslist@ARSLIST.ORG
        Subject: Re: Remedy and Security



        The problem is that with that you can still run a command to
delete the Remedy directory, for example.  One company I worked at had
command line notifications going out via a run process from the work
log.  At times when UNIX issues were being worked on, we would have
weird problems with our server sometimes, such as files being deleted or
overwritten.  I found out that it came from a run process, and came up
with a nonsensical word like "PERLFISH22" or something similar to use as
an escape character rather than quotes.  There are better ways to do it,
but I was pretty inexperienced at the time and it worked.  You have to
keep Remedy from running random commands by accident.  I would just love
to see what the person that came after me thought when they saw it.



        Shawn Pierson

                -----Original Message-----
                From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of Opela, Gary L Contr
OC-ALC/ITMA
                Sent: Monday, July 23, 2007 1:37 PM
                To: arslist@ARSLIST.ORG
                Subject: Re: Remedy and Security

                I believe that to avoid accessing the system as root via
$PROCESS$, you just install/run Remedy as a non-root account; then
anything that the Remedy system does to interact with the server (i.e.,
opening up shell windows, etc.) will open up with the permissions of the
process that is running Remedy. I'm assuming you are talking about a
UNIX environment.




________________________________


                From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of Marc Simmons
                Sent: Monday, July 23, 2007 1:31 PM
                To: arslist@ARSLIST.ORG
                Subject: Re: Remedy and Security



                Axton,



                Thanks for the input.  I'm actually looking to provide
more guidance to our server security team.  When I showed them how to
create a user from the command line using arcache (an admin user at
that) and then access their system they lost their minds.  When I
created a form and workflow and showed them that I could access their
system as root (the owner of the processes) using $PROCESS$ there were
strokes, seizures etc.  So now they have asked me what else they need to
look for.  I was hoping that someone on the list knew of a white paper or
other document that laid out a security plan for Remedy Servers.



                Thanks,

                Marc Simmons



                On 7/20/07, Axton <[EMAIL PROTECTED]> wrote:

                Some other things to consider:
                - allowing back ticks in run process commands
                - run process directory and access
                - sql injection
                - relative security of data on the wire (no/weak/strong
encryption)
                - web: xss vulnerabilities
                - form/field/active link permissions
                - server hardening
                - network architecture for related components
                - protocol implementation (malformed packets causing
DoS, etc.); they do exist

                Patch is probably the incorrect term, you are probably
looking to
                properly configure the system.  Only BMC can provide
patches, usually
                in the form of a stripped binary.

                Axton Grams

                On 7/20/07, Marc Simmons <[EMAIL PROTECTED]> wrote:
                > Hi List,
                >
                > Does anyone know of a white paper that details the
security risks with
                > Remedy (ie arcache, arreload, encryption) etc and how
to "patch" those
                > holes.  I know that there are bits and pieces of
information in the
                > admin/config guides etc.  I was just hoping that there
would be a doc that
                > consolidated all of that information.
                >
                > Thanks
                > --
                > Marc Simmons
                > Remedy Administrator
                >
                > "Everyday above ground is a good day... the rest is a
choice!"
                > __20060125_______________________This posting was
submitted
                > with HTML in it___


________________________________________________________________________
_______
                UNSUBSCRIBE or access ARSlist Archives at
www.arslist.org ARSlist:"Where the Answers Are"




                --
                Marc Simmons
                Remedy Administrator

                "Everyday above ground is a good day... the rest is a
choice!"

        Private and confidential as detailed here
<http://www.sug.com/disclaimers/default.htm#Mail> . If you cannot access
hyperlink, please e-mail sender.
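
The work-log problem discussed in this thread, as an added example that is not part of any poster's message: free text substituted into a quoted run-process command line stops being a single argument as soon as it contains a quote or backtick, while passing it as one argv element or shell-quoting it keeps it intact. The `notify --msg` template and the child script are hypothetical stand-ins, and the work-log lines are constructed.

```python
import json
import shlex
import subprocess
import sys

# Constructed work-log entries; the first is modelled on the one quoted in the thread.
WORK_LOGS = [
    'I typed "rm -rf /opt/arsystem" by accident',
    "disk check returned `df -k` output; see ticket",
]

# Hypothetical stand-in for the notification script: echoes its arguments as JSON.
CHILD = [sys.executable, "-c", "import json,sys; print(json.dumps(sys.argv[1:]))"]

# Characters a POSIX shell still treats specially inside double quotes.
DQ_SPECIAL = set('"`$\\')


def naive_command(text):
    """Textual substitution into a quoted template (hypothetical command name)."""
    return 'notify --msg "%s"' % text


def shell_view(command):
    """Split the command into words as a POSIX shell would; nothing is executed.
    shlex models word splitting only, so backticks show up as plain text here
    even though a real shell would run them inside double quotes."""
    return shlex.split(command)


def dq_special(text):
    """Characters in the text that double quotes do not neutralise."""
    return sorted(DQ_SPECIAL & set(text))


def run_with_argv(text):
    """Pass the text as one argv element; no shell ever parses it."""
    out = subprocess.run(CHILD + ["--msg", text], capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


def run_with_quoting(text):
    """Where a shell is unavoidable, quote every word with shlex.quote first."""
    cmd = " ".join(shlex.quote(part) for part in CHILD + ["--msg", text])
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


if __name__ == "__main__":
    for entry in WORK_LOGS:
        print("naive words :", shell_view(naive_command(entry)))
        print("unsafe chars:", dq_special(entry))
        print("argv list   :", run_with_argv(entry))
        print("shlex.quote :", run_with_quoting(entry))
```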


