I believe to avoid accessing the system as root via $PROCESS$, you just
install/run Remedy as a non-root account; then anything that the Remedy
system does to interact with the server (i.e., opening up shell windows,
etc.) will open up with the permissions of the process that is running
Remedy. I'm assuming you are talking about a UNIX environment.

 

________________________________

From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of Marc Simmons
Sent: Monday, July 23, 2007 1:31 PM
To: [email protected]
Subject: Re: Remedy and Security

 


Axton,

 

Thanks for the input.  I'm actually looking to provide more guidance to
our server security team.  When I showed them how to create a user from
the command line using arcache (an admin user at that) and then access
their system, they lost their minds.  When I created a form and workflow
and showed them that I could access their system as root (the owner of
the processes) using $PROCESS$, there were strokes, seizures etc.  So now
they have asked me what else they need to look for. I was hoping that
someone in the list knew of a white paper or other document that laid
out a security plan for Remedy Servers.

 

Thanks,

Marc Simmons

 

On 7/20/07, Axton <[EMAIL PROTECTED]> wrote: 

Some other things to consider:
- allowing back ticks in run process commands
- run process directory and access 
- sql injection
- relative security of data on the wire (no/weak/strong encryption)
- web: xss vulnerabilities
- form/field/active link permissions
- server hardening
- network architecture for related components 
- protocol implementation (malformed packets causing DoS, etc.); they do
exist

Patch is probably the incorrect term, you are probably looking to
properly configure the system.  Only BMC can provide patches, usually 
in the form of a stripped binary.

Axton Grams

On 7/20/07, Marc Simmons <[EMAIL PROTECTED]> wrote:
>
> Hi List,
>
> Does anyone know of a white paper that details the security risks with
> Remedy (ie arcache, arreload, encryption) etc and how to "patch" those
> holes.  I know that there are bits and pieces of information in the
> admin/config guides etc.  I was just hoping that there would be a doc
> that consolidated all of that information.
>
> Thanks
> --
> Marc Simmons
> Remedy Administrator
>
> "Everyday above ground is a good day... the rest is a choice!"
> __20060125_______________________This posting was submitted
> with HTML in it___

________________________________________________________________________
_______
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org ARSlist:"Where
the Answers Are"




-- 
Marc Simmons
Remedy Administrator

"Everyday above ground is a good day... the rest is a choice!"