If you would like to author some content, there is a good home for it at: http://arswiki.org/wiki/Securing_ARS
Just needs more content. I started this a while back, but there were a number of topics mentioned that would definitely fit into this article.

Axton Grams

On 7/24/07, Marc Simmons <[EMAIL PROTECTED]> wrote:
Thanks to all for the GREAT input. Maybe I'll compile all of this information into that "white paper" I've been looking for... :-)

Marc

On 7/23/07, Axton <[EMAIL PROTECTED]> wrote:
> Some ar.conf settings:
>
> Allow-Backquote-In-Process-String
> Allows the server to run a process with a backquote in the process
> name or in its arguments. Valid values are T and F. The default is F.
>
> Disable-Client-Operation
> The following client types can be restricted:
> 14—arreload
> 15—arcache
>
> Disable-User-Cache-Utilities
> Prevents unauthorized users from attempting to use User Cache
> commands. Valid values for this option are T and F. The default is F
> (cache utilities are enabled). If the parameter is set to T, then the
> arreload and arcache utilities are disabled for the AR System server.
>
> Plugin-Disable-Remote
> Specifies whether the plug-in service will accept calls from a remote
> server. Valid values are T and F. If the option is set to T, the
> plug-in service accepts calls only from an AR System server running on
> the local machine. The default is F (allow calls from a remote
> server).
>
> If you are on a pre-7 server, there is also a hard coded password for
> the following accounts:
> - Remedy Application Server
> - MidTier User
> both of which have admin rights.
>
> Active-Link-Dir
> The directory where active link server run processes are stored. Only
> commands located in the specified directory can be run. This is a
> security feature that makes sure clients or API programs can use only
> a safe set of server processes.
>
> Active-Link-Shell
> (UNIX only) A shell that will be the parent of any active link server
> process. This parameter causes the server to start the shell with the
> specified process as a parameter. This is a security feature. The
> specified shell might be a security shell that verifies a path, or
> runs with a user ID other than the one that the server uses. For
> example, if the server runs as root and an administrator specified a
> shell that runs as a lower user privilege, an active link will invoke
> the shell that runs as a user, instead of as root.
>
> Axton Grams
>
> On 7/23/07, Marc Simmons <[EMAIL PROTECTED]> wrote:
> > Axton,
> >
> > Thanks for the input. I'm actually looking to provide more guidance to our
> > server security team. When I showed them how to create a user from the
> > command line using arcache (an admin user at that) and then access their
> > system they lost their minds. When I created a form and workflow and showed
> > them that I could access their system as root (the owner of the processes)
> > using $PROCESS$ there were strokes, seizures etc. So now they have asked me
> > what else they need to look for, I was hoping that someone in the list knew
> > of a white paper or other document that laid out a security plan for Remedy
> > Servers.
> >
> > Thanks,
> > Marc Simmons
> >
> > On 7/20/07, Axton <[EMAIL PROTECTED]> wrote:
> > > Some other things to consider:
> > > - allowing back ticks in run process commands
> > > - run process directory and access
> > > - sql injection
> > > - relative security of data on the wire (no/weak/strong encryption)
> > > - web: xss vulnerabilities
> > > - form/field/active link permissions
> > > - server hardening
> > > - network architecture for related components
> > > - protocol implementation (malformed packets causing DoS, etc.); they do exist
> > >
> > > Patch is probably the incorrect term, you are probably looking to
> > > properly configure the system. Only BMC can provide patches, usually
> > > in the form of a stripped binary.
> > >
> > > Axton Grams
> > >
> > > On 7/20/07, Marc Simmons <[EMAIL PROTECTED]> wrote:
> > > > Hi List,
> > > >
> > > > Does anyone know of a white paper that details the security risks with
> > > > Remedy (ie arcache, arreload, encryption) etc and how to "patch" those
> > > > holes. I know that there are bits and pieces of information in the
> > > > admin/config guides etc. I was just hoping that there would be a doc that
> > > > consolidated all of that information.
> > > >
> > > > Thanks
> > > > --
> > > > Marc Simmons
> > > > Remedy Administrator
> > > >
> > > > "Everyday above ground is a good day... the rest is a choice!"
> >
> > --
> > Marc Simmons
> > Remedy Administrator
> >
> > "Everyday above ground is a good day... the rest is a choice!"

--
Marc Simmons
Remedy Administrator

"Everyday above ground is a good day... the rest is a choice!"
_______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org ARSlist:"Where the Answers Are"
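
Added example, not part of the original thread and not the posters' or BMC's code: a small Python check that reads ar.conf text and reports which of the options listed in the 7/23 message are left in their permissive state. It assumes `Option-Name: value` lines with `#` comments, that the first token of a Disable-Client-Operation value is the client type number, and that a permissive value counts as a finding; the sample file and its paths are constructed.

```python
# Added example: audit ar.conf text for the options listed in this thread.
# Assumed format (not shown in the thread): "Option-Name: value", "#" comments.
SAMPLE_AR_CONF = """\
# constructed sample, not taken from a real server
Allow-Backquote-In-Process-String: T
Disable-Client-Operation: 14
Plugin-Disable-Remote: F
Active-Link-Dir: /opt/ars/alproc
"""

# Defaults exactly as stated in the thread.
DEFAULTS = {
    "Allow-Backquote-In-Process-String": "F",
    "Disable-User-Cache-Utilities": "F",
    "Plugin-Disable-Remote": "F",
}


def parse_ar_conf(text):
    """Return {option: [values]}; an option may appear on several lines."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        options.setdefault(name.strip(), []).append(value.strip())
    return options


def audit(text, unix=True):
    """Return the names of options (or utilities) left in a weak state."""
    opts = parse_ar_conf(text)
    flag = lambda n: opts.get(n, [DEFAULTS[n]])[-1].upper()  # last line wins (assumption)
    weak = []
    if flag("Allow-Backquote-In-Process-String") == "T":
        weak.append("Allow-Backquote-In-Process-String")
    if flag("Plugin-Disable-Remote") != "T":
        weak.append("Plugin-Disable-Remote")
    # First token of each Disable-Client-Operation value is taken as the client type.
    blocked = {v.split()[0] for v in opts.get("Disable-Client-Operation", []) if v}
    if flag("Disable-User-Cache-Utilities") != "T":
        weak += [tool for num, tool in (("14", "arreload"), ("15", "arcache"))
                 if num not in blocked]
    # Active-Link-Shell applies to UNIX servers only.
    for name in ["Active-Link-Dir"] + (["Active-Link-Shell"] if unix else []):
        if not any(opts.get(name, [])):
            weak.append(name)
    return weak


if __name__ == "__main__":
    print(audit(SAMPLE_AR_CONF))
```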

