From 6587f6ba7d047ddc1686c080090afe7d53365bd4 Mon Sep 17 00:00:00 2001 From: Ivan Kohler Date: Tue, 24 Apr 2012 11:35:56 -0700 Subject: first pass RT4 merge, RT#13852 --- rt/docs/security.pod | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 rt/docs/security.pod (limited to 'rt/docs/security.pod') diff --git a/rt/docs/security.pod b/rt/docs/security.pod new file mode 100644 index 000000000..b8650e05d --- /dev/null +++ b/rt/docs/security.pod @@ -0,0 +1,77 @@ +=head1 RT Security + +=head2 Reporting security vulnerabilities in RT + +If you believe you've discovered a security issue in RT, please send an +email to with a detailed description of the +issue, and a secure means to respond to you (such as your PGP public +key). + +More information is available at L. + +=head2 Security tips for running RT + +=over + +=item * + +Protect your RT installation by making it only accessible via SSL. This +will protect against users' passwords being sniffed as they go over the +wire, as well as helping prevent phishing attacks. If you use SSL, you +will need to install some additional Perl libraries so that C +can connect. You can use the C<--enable-ssl-mailgate> command to +configure to automate the installation of these dependencies. This is +documented further in step 10 of the README. + +You should use a certificate signed by a reputable authority, or at very +least a certificate signed by a consistent local CA, which you configure +your local systems to trust. If your SSL certificate is self-signed, it +does little to prevent phishing, as users are trained to accept the +unauthorized certificate. See also the C<--no-verify-ssl> flag to +C. + +=item * + +Be sure to change the password for the C user of RT. The default +password is C. This can be changed via the RT web interface +at: Preferences > About me + + +=item * + +Be sure to protect your F file if it contains database +credentials or other sensitive information. This file only needs to be +readable by RT and your web server. One way to accomplish this is to +make the file readable only by root and the group that RT runs as, and +then make sure your web server is a member of that group. Advanced +configuration may be required if other users have the ability to run +CGIs or access the server where RT is running. + + +=item * + +Be sure to protect your database. If it does not need to talk to the +world, then don't allow it to listen for remote connections. With MySQL +this can be accomplished via C. If you use your +database for other things and must allow remote connections, be sure to +use a strong, hard to guess password for RT. + + +=item * + +Apache, lighttpd, and most other web servers support name based virtual +hosts. When possible, configure RT as a name based virtual host to +raise the bar against DNS rebinding attacks. If you see RT when you +visit http://your.servers.ipaddress.here, it means you are likely not +getting this additional protection. + + +=item * + +Use groups to organize RT permissions. Granting permissions per-user +makes them, in general, more easily over-granted and forgotten, and more +likely to diverge from each other, forming a maintenance hassle. + +=back + +=cut -- cgit v1.2.1 From c24d6e2242ae0e026684b8f95decf156aba6e75e Mon Sep 17 00:00:00 2001 From: Ivan Kohler Date: Thu, 7 Jun 2012 16:55:45 -0700 Subject: rt 4.0.6 --- rt/docs/security.pod | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'rt/docs/security.pod') diff --git a/rt/docs/security.pod b/rt/docs/security.pod index b8650e05d..620f8687c 100644 --- a/rt/docs/security.pod +++ b/rt/docs/security.pod @@ -9,6 +9,21 @@ key). More information is available at L. + +=head2 RT's security process + +After a security vulnerability is reported to Best Practical and +verified, we attempt to resolve it in as timely a fashion as possible. +Best Practical support customers will be notified before we disclose the +information to the public. All security announcements will be sent to +C, which includes +C and C. + +As the tests for security vulnerabilities are often nearly identical to +working exploits, sensitive tests will be embargoed for a period of six +months before being added to the public RT repository. + + =head2 Security tips for running RT =over -- cgit v1.2.1