The problem is that with that you can still run a command to delete the
Remedy directory, for example.  One company I worked at had command line
notifications going out via a run process from the work log.  At times
when unix issues were being worked on, we would have weird problems with
our server sometimes, such as files being deleted or overwritten.  I
found out that it came from a run process, and came up with a
nonsensical word like "PERLFISH22" or something similar to use as an
escape character rather than quotes.  There are better ways to do it,
but I was pretty inexperienced at the time and it worked.  You have to
keep Remedy from running random commands by accident.  I would just love
to see what the person that came after me thought when they saw it.

Shawn Pierson

        -----Original Message-----
        From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Opela, Gary L Contr OC-ALC/ITMA
        Sent: Monday, July 23, 2007 1:37 PM
        To: [email protected]
        Subject: Re: Remedy and Security


        I believe to avoid accessing the system as root via $PROCESS$, you
        just install/run Remedy as a non-root account; then anything that the
        Remedy system does to interact with the server (i.e., opening up shell
        windows, etc.) will open up with the permissions of the process that is
        running Remedy. I'm assuming you are talking about a UNIX environment.




________________________________


        From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Marc Simmons
        Sent: Monday, July 23, 2007 1:31 PM
        To: [email protected]
        Subject: Re: Remedy and Security




        Axton,



        Thanks for the input.  I'm actually looking to provide more
        guidance to our server security team.  When I showed them how to create
        a user from the command line using arcache (an admin user at that) and
        then access their system, they lost their minds.  When I created a form
        and workflow and showed them that I could access their system as root
        (the owner of the processes) using $PROCESS$, there were strokes,
        seizures, etc.  So now they have asked me what else they need to look
        for; I was hoping that someone on the list knew of a white paper or other
        document that laid out a security plan for Remedy servers.



        Thanks,

        Marc Simmons



        On 7/20/07, Axton <[EMAIL PROTECTED]> wrote:

        Some other things to consider:
        - allowing back ticks in run process commands
        - run process directory and access
        - sql injection
        - relative security of data on the wire (no/weak/strong encryption)
        - web: xss vulnerabilities
        - form/field/active link permissions
        - server hardening
        - network architecture for related components
        - protocol implementation (malformed packets causing DoS, etc.); they do exist

        Patch is probably the incorrect term, you are probably looking to
        properly configure the system.  Only BMC can provide patches, usually
        in the form of a stripped binary.

        Axton Grams

        On 7/20/07, Marc Simmons <[EMAIL PROTECTED]> wrote:
        > Hi List,
        >
        > Does anyone know of a white paper that details the security risks with
        > Remedy (i.e. arcache, arreload, encryption) etc. and how to "patch" those
        > holes.  I know that there are bits and pieces of information in the
        > admin/config guides etc.  I was just hoping that there would be a doc that
        > consolidated all of that information.
        >
        > Thanks
        > --
        > Marc Simmons
        > Remedy Administrator
        >
        > "Everyday above ground is a good day... the rest is a choice!"


________________________________________________________________________
_______
        UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
ARSlist:"Where the Answers Are"




        --
        Marc Simmons
        Remedy Administrator

        "Everyday above ground is a good day... the rest is a choice!"
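
The problem raised at the top of the thread, where work-log text substituted into a Run Process command line is interpreted by the shell (back ticks included), modelled as an added example; it is not code from the thread or from BMC. It assumes the finished command string is handed to /bin/sh, and the function names, marker path and work-log text are constructed for illustration.

```shell
#!/bin/sh
# Assumption: the workflow substitutes a field value into a command string
# and then hands that string to /bin/sh, as a Run Process action would.

# Scratch directory so the demonstration touches nothing else.
DEMO_DIR=$(mktemp -d)
MARKER="$DEMO_DIR/marker"

# Constructed work-log text: an ordinary note that happens to contain
# a semicolon and back ticks.
WORKLOG="restarted cron; see \`touch $MARKER\` for details"

# Unsafe: the text becomes part of the command string, so the inner
# shell parses its semicolon and back ticks as shell syntax.
notify_unsafe() {
    sh -c "echo Work log: $1" >/dev/null 2>&1 || true
}

# Safer: the command string is constant and the text arrives as a
# positional parameter, so the inner shell treats it purely as data.
notify_safe() {
    sh -c 'printf "Work log: %s\n" "$1"' notify "$1"
}

# Succeeds if the command embedded in the work log actually ran.
marker_created() {
    [ -e "$MARKER" ]
}

# Stand-alone demonstration; the marker is removed again afterwards.
notify_safe "$WORKLOG"
marker_created && echo "safe: embedded command ran" || echo "safe: text stayed data"
notify_unsafe "$WORKLOG"
marker_created && echo "unsafe: embedded command ran" || echo "unsafe: text stayed data"
rm -f "$MARKER"
```

Running the server as a non-root account, as suggested in the thread, limits what the unsafe form can damage but does not stop the text from being executed.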

