Hello Anton,

Thank you for your reply. I'll try to be a little more detailed.

Our OTRS installation is publicly accessible, so our customers can log into the web interface to check old tickets, read FAQs and post follow-ups.
We use the config items to keep track of what kind of hardware and stuff the customer has, so basic CMDB stuff. We now have passwords stored in documents on our internal LAN. This is not very user-friendly, and I want to store login data in the description or the notes field of the config item.

The thing I'm worried about is that when OTRS has a security weakness, the passwords of our customers are at risk if the "attacker" could get his hands on the database. So if the database were encrypted, that would cover that part of the security.
Any other tips on how people secure their installation (like ModSecurity to proxy the Apache requests and protect against SQL injections and stuff) would also be welcome.

I would love to hear other people's opinion on this; I can imagine others face the same question.

Greets,

Mayk



Anton Gubar'kov wrote:
Hello, Mayk.

Could you be more specific about the threats you're trying to defend against in your OTRS installation? AFAIK, there is no granular access control for ConfigItems in OTRS::ITSM. You can open the whole CMDB to your agents, or not open it at all. Using encryption for access control is very cumbersome. You have to keep as many encrypted versions of sensitive information as there are authorized users: one version per user, each encrypted with that user's public key.
You can encrypt text info (logins and passwords) with GPG or OpenSSL and put the encrypted text into the config item note, noting the user name whose public key was used for encryption.

Anton.
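Anton's suggestion above, worked through as an added example that is not part of this thread: a POSIX shell script that uses OpenSSL CMS (instead of GPG) to encrypt one credential note to several agents' public keys and labels the blob with the recipients, so the labelled text can be pasted into the config item's notes field. It goes one step beyond the reply: a single CMS envelope carries one wrapped content key per recipient, so one copy of the note serves all authorized agents rather than one version per user. The agent names (alice, bob, carol) and their throwaway keys are constructed for the demo; it assumes an `openssl` binary with CMS support.

```shell
#!/bin/sh
# Added example, not from the thread: encrypt one credential note so that only
# the named agents' private keys can open it, and label the blob with the list
# of recipients, as Anton suggests. Uses openssl CMS instead of GPG; a single
# CMS blob carries one wrapped content key per recipient, so one copy serves
# all authorized agents. Agent names and keys below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed key pair for an agent. In real use each agent supplies
# their own certificate; only the public half is needed to encrypt.
make_agent_key() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# encrypt_note "<plaintext>" agent1 agent2 ... -> path of the file whose
# contents go into the config item's notes field: a header naming who can
# decrypt, followed by the PEM-armored CMS envelope.
encrypt_note() {
  note="$1"; shift
  out="$WORK/note.txt"
  printf 'Encrypted for: %s\n' "$*" > "$out"
  certs=""
  for agent in "$@"; do certs="$certs $WORK/$agent.crt"; done
  # $certs is intentionally unquoted: one certificate path per recipient
  printf '%s' "$note" | openssl cms -encrypt -aes-256-cbc -outform PEM $certs >> "$out"
  printf '%s' "$out"
}

# decrypt_note agent <note-file> -> plaintext on stdout; fails if the agent's
# key was not among the recipients.
decrypt_note() {
  sed '1d' "$2" | openssl cms -decrypt -inform PEM -inkey "$WORK/$1.key" 2>/dev/null
}

# Demo: alice and bob may read the router credentials, carol may not.
demo() {
  make_agent_key alice; make_agent_key bob; make_agent_key carol
  f=$(encrypt_note 'router01 admin password: example-only' alice bob)
  head -n 1 "$f"
  echo "alice reads: $(decrypt_note alice "$f")"
  decrypt_note carol "$f" >/dev/null || echo "carol cannot decrypt (expected)"
}
demo
```

The header line is what lets an agent see whose key a note was encrypted for without trying to decrypt it; losing a recipient's private key still means re-encrypting the note for everyone.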

2008/11/12 Mayk Backus <mayk@mayk.org>

Hi all,

I have a question on securing OTRS. We use the config items to track systems of our customers. I find it very useful to have the login data of systems in a notes field. Before I spend hours writing all the login data into the config items, I'm wondering if this is a big security risk.

Are there means of protecting the data? Is the data encrypted, or can I encrypt this? Are there other safeguards to take, for example ModSecurity?

All information is welcome.

Kind Regards,

Mayk Backus


_______________________________________________
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs