Some ar.conf settings:

Allow-Backquote-In-Process-String
Allows the server to run a process with a backquote in the process name or in its arguments. Valid values are T and F. The default is F.

Disable-Client-Operation
The following client types can be restricted:
14—arreload
15—arcache

Disable-User-Cache-Utilities
Prevents unauthorized users from attempting to use User Cache commands. Valid values for this option are T and F. The default is F (cache utilities are enabled). If the parameter is set to T, then the arreload and arcache utilities are disabled for the AR System server.

Plugin-Disable-Remote
Specifies whether the plug-in service will accept calls from a remote server. Valid values are T and F. If the option is set to T, the plug-in service accepts calls only from an AR System server running on the local machine. The default is F (allow calls from a remote server).

If you are on a pre-7 server, there is also a hard coded password for the following accounts:
- Remedy Application Server
- MidTier User
both of which have admin rights.

Active-Link-Dir
The directory where active link server run processes are stored. Only commands located in the specified directory can be run. This is a security feature that makes sure clients or API programs can use only a safe set of server processes.

Active-Link-Shell (UNIX only)
A shell that will be the parent of any active link server process. This parameter causes the server to start the shell with the specified process as a parameter. This is a security feature. The specified shell might be a security shell that verifies a path, or runs with a user ID other than the one that the server uses. For example, if the server runs as root and an administrator specified a shell that runs as a lower user privilege, an active link will invoke the shell that runs as a user, instead of as root.

Axton Grams

On 7/23/07, Marc Simmons <[EMAIL PROTECTED]> wrote:
**

Axton,

Thanks for the input. I'm actually looking to provide more guidance to our server security team. When I showed them how to create a user from the command line using arcache (an admin user at that) and then access their system they lost their minds. When I created a form and workflow and showed them that I could access their system as root (the owner of the processes) using $PROCESS$ there were strokes, seizures etc.

So now they have asked me what else they need to look for, I was hoping that someone in the list knew of a white paper or other document that laid out a security plan for Remedy Servers.

Thanks,
Marc Simmons

On 7/20/07, Axton <[EMAIL PROTECTED]> wrote:
>
> Some other things to consider:
> - allowing back ticks in run process commands
> - run process directory and access
> - sql injection
> - relative security of data on the wire (no/weak/strong encryption)
> - web: xss vulnerabilities
> - form/field/active link permissions
> - server hardening
> - network architecture for related components
> - protocol implementation (malformed packets causing DoS, etc.); they do exist
>
> Patch is probably the incorrect term, you are probably looking to
> properly configure the system. Only BMC can provide patches, usually
> in the form of a stripped binary.
>
> Axton Grams
>
> On 7/20/07, Marc Simmons <[EMAIL PROTECTED]> wrote:
> > **
> >
> > Hi List,
> >
> > Does anyone know of a white paper that details the security risks with
> > Remedy (ie arcache, arreload, encryption) etc and how to "patch" those
> > holes. I know that there are bits and pieces of information in the
> > admin/config guides etc. I was just hoping that there would be a doc that
> > consolidated all of that information.
> >
> > Thanks
> > --
> > Marc Simmons
> > Remedy Administrator
> >
> > "Everyday above ground is a good day... the rest is a choice!"
> > __20060125_______________________This posting was submitted
> > with HTML in it___
>
> _______________________________________________________________________________
> UNSUBSCRIBE or access ARSlist Archives at www.arslist.org ARSlist:"Where the Answers Are"
>

--
Marc Simmons
Remedy Administrator

"Everyday above ground is a good day... the rest is a choice!"
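The options listed in the first message of this thread can be checked mechanically. The script below is an added example, not code from the thread or from BMC: it assumes ar.conf uses "Option-Name: value" lines with "#" comments, and the function names and sample file are constructed for illustration.

```python
# Added example: audit ar.conf text for the hardening options named in the thread.
# Assumption: ar.conf uses "Option-Name: value" lines and "#" comment lines.

# option -> (value assumed when absent, value wanted, finding text)
BOOL_CHECKS = {
    "Allow-Backquote-In-Process-String": ("F", "F", "backquotes allowed in run-process strings"),
    "Disable-User-Cache-Utilities": ("F", "T", "arreload/arcache utilities are enabled"),
    "Plugin-Disable-Remote": ("F", "T", "plug-in service accepts calls from remote servers"),
}
PRESENCE_CHECKS = {
    "Active-Link-Dir": "run-process commands are not confined to a directory",
    "Active-Link-Shell": "no wrapper shell for active link processes (UNIX only)",
}

def parse_ar_conf(text):
    """Return {option: value}; the last occurrence wins here (an assumption)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")  # split on first colon only
        settings[name.strip()] = value.strip()
    return settings

def audit(text):
    """Return a sorted list of (option, finding) for settings that need review."""
    conf = parse_ar_conf(text)
    findings = []
    for opt, (default, wanted, msg) in BOOL_CHECKS.items():
        value = conf.get(opt, default).upper()
        if value not in ("T", "F"):
            findings.append((opt, f"invalid value {value!r}; valid values are T and F"))
        elif value != wanted:
            findings.append((opt, msg))
    for opt, msg in PRESENCE_CHECKS.items():
        if not conf.get(opt):
            findings.append((opt, msg))
    return sorted(findings)

# Constructed sample, not taken from a real server.
SAMPLE = """\
# ar.conf (constructed)
Server-Name: remedy01
Allow-Backquote-In-Process-String: T
Disable-User-Cache-Utilities: T
Active-Link-Dir: /opt/remedy/alproc
"""

if __name__ == "__main__":
    for opt, msg in audit(SAMPLE):
        print(f"[review] {opt}: {msg}")
```

Plugin-Disable-Remote is reported whenever it is not T; where remote plug-in calls are required, treat that finding as an accepted exception rather than a misconfiguration.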

