Thanks to all for the GREAT input. Maybe I compile all of this information into that "white paper" I've been looking for... :-)
Marc

On 7/23/07, Axton <[EMAIL PROTECTED]> wrote:

Some ar.conf settings:

Allow-Backquote-In-Process-String
Allows the server to run a process with a backquote in the process name or in its arguments. Valid values are T and F. The default is F.

Disable-Client-Operation
The following client types can be restricted:
14—arreload
15—arcache

Disable-User-Cache-Utilities
Prevents unauthorized users from attempting to use User Cache commands. Valid values for this option are T and F. The default is F (cache utilities are enabled). If the parameter is set to T, then the arreload and arcache utilities are disabled for the AR System server.

Plugin-Disable-Remote
Specifies whether the plug-in service will accept calls from a remote server. Valid values are T and F. If the option is set to T, the plug-in service accepts calls only from an AR System server running on the local machine. The default is F (allow calls from a remote server).

If you are on a pre-7 server, there is also a hard coded password for the following accounts:
- Remedy Application Server
- MidTier User
both of which have admin rights.

Active-Link-Dir
The directory where active link server run processes are stored. Only commands located in the specified directory can be run. This is a security feature that makes sure clients or API programs can use only a safe set of server processes.

Active-Link-Shell (UNIX only)
A shell that will be the parent of any active link server process. This parameter causes the server to start the shell with the specified process as a parameter. This is a security feature. The specified shell might be a security shell that verifies a path, or runs with a user ID other than the one that the server uses. For example, if the server runs as root and an administrator specified a shell that runs as a lower user privilege, an active link will invoke the shell that runs as a user, instead of as root.

Axton Grams

On 7/23/07, Marc Simmons <[EMAIL PROTECTED]> wrote:
> Axton,
>
> Thanks for the input. I'm actually looking to provide more guidance to our
> server security team. When I showed them how to create a user from the
> command line using arcache (an admin user at that) and then access their
> system they lost their minds. When I created a form and workflow and showed
> them that I could access their system as root (the owner of the processes)
> using $PROCESS$ there were strokes, seizures etc. So now they have asked me
> what else they need to look for, I was hoping that someone in the list knew
> of a white paper or other document that laid out a security plan for Remedy
> Servers.
>
> Thanks,
> Marc Simmons
>
> On 7/20/07, Axton <[EMAIL PROTECTED]> wrote:
> >
> > Some other things to consider:
> > - allowing back ticks in run process commands
> > - run process directory and access
> > - sql injection
> > - relative security of data on the wire (no/weak/strong encryption)
> > - web: xss vulnerabilities
> > - form/field/active link permissions
> > - server hardening
> > - network architecture for related components
> > - protocol implementation (malformed packets causing DoS, etc.); they do exist
> >
> > Patch is probably the incorrect term, you are probably looking to
> > properly configure the system. Only BMC can provide patches, usually
> > in the form of a stripped binary.
> >
> > Axton Grams
> >
> > On 7/20/07, Marc Simmons <[EMAIL PROTECTED]> wrote:
> > >
> > > Hi List,
> > >
> > > Does anyone know of a white paper that details the security risks with
> > > Remedy (ie arcache, arreload, encryption) etc and how to "patch" those
> > > holes. I know that there are bits and pieces of information in the
> > > admin/config guides etc. I was just hoping that there would be a doc that
> > > consolidated all of that information.
> > >
> > > Thanks
> > > --
> > > Marc Simmons
> > > Remedy Administrator
> > >
> > > "Everyday above ground is a good day... the rest is a choice!"
> >
> > _______________________________________________________________________________
> > UNSUBSCRIBE or access ARSlist Archives at www.arslist.org ARSlist:"Where the Answers Are"
>
> --
> Marc Simmons
> Remedy Administrator
>
> "Everyday above ground is a good day... the rest is a choice!"

--
Marc Simmons
Remedy Administrator

"Everyday above ground is a good day... the rest is a choice!"
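An added example, not part of any message in this thread and not BMC code: a small audit of an ar.conf file against the settings listed above, reporting each parameter whose effective value leaves the described protection off. It assumes ar.conf uses `Name: value` lines with `#` comments; the sample file and its paths are constructed, and each finding is an item to review, not a verdict.

```python
import re

# Each check: (parameter, required value or None for "must be set", default per the thread, meaning)
CHECKS = [
    ("Allow-Backquote-In-Process-String", "F", "F", "backquotes allowed in process strings"),
    ("Disable-User-Cache-Utilities", "T", "F", "arreload and arcache are enabled"),
    ("Plugin-Disable-Remote", "T", "F", "plug-in service accepts remote calls"),
    ("Active-Link-Dir", None, "", "run-process commands not confined to one directory"),
    ("Active-Link-Shell", None, "", "no parent shell set for active link processes (UNIX only)"),
]

def parse_ar_conf(text):
    """Parse 'Name: value' lines, skipping blanks and '#' comments (assumed syntax)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9-]+)\s*:\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()  # last occurrence wins (assumption)
    return settings

def audit(text):
    """Return (parameter, effective value, reason) for each setting to review."""
    settings = parse_ar_conf(text)
    findings = []
    for name, wanted, default, reason in CHECKS:
        value = settings.get(name, default)  # absent parameters fall back to the default
        if wanted is None and not value:
            findings.append((name, "(unset)", reason))
        elif wanted is not None and value.upper() != wanted:
            findings.append((name, value, reason))
    return findings

# Constructed sample file, not taken from a real server.
SAMPLE = """\
# ar.conf (constructed sample)
Server-Name: remedy01
Allow-Backquote-In-Process-String: T
Plugin-Disable-Remote: T
Active-Link-Dir: /opt/ar/runprocess
"""

if __name__ == "__main__":
    for name, value, reason in audit(SAMPLE):
        print(f"{name} = {value}: {reason}")
```
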

