Type: Security Review
Affects Version/s: 3.0.5, 3.1.0
Fix Version/s: None
I noticed in a "ps -ef | grep hyperic" that hyperic was running a perl script to monitor Sybase with the password available in the command-line sequence. The Sybase monitoring looked great otherwise (in my limited experience), but this feature comes at a price of reduced security.
Not sure if there is any easy way to fix this in the current version, but if this item can be addressed in newer versions of Hyperic, that would be great.
Yes, this is definitely an issue. Unfortunately, any Sybase exec that you do non-interactively will have this problem.
I guess we can solve this by giving the user an optional command to provide which would return the password at runtime. But there would still be the issue of isql -P<passwd> to run sp_sysmon, which is run in a separate process. I wish sp_sysmon returned an actual result set via JDBC; then this wouldn't be an issue at all.
Could you just create a user that only has read access on all the sys tables?
I could run sp_sysmon as that user instead of sa.
Any suggestions are welcome.
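The following script is an added example and is not part of this issue or of Hyperic's own code. It covers the two sides of the thread: auditing a ps-style listing for password-bearing arguments (and redacting them so the finding can be logged without re-leaking the credential), and the "password command" pattern the developer proposes, where the secret is fetched at runtime and handed to the child through the environment rather than argv. The process listing, PIDs, secrets and the SYBASE_PASSWORD variable name are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Hyperic issue above.
#   1. detect and redact password-bearing arguments in ps-style output
#      (for an audit script, or for safe logging of process listings);
#   2. the "password command" pattern proposed in the thread: the secret is
#      obtained at runtime and reaches the child via the environment, not argv.
# Every process, PID and secret below is constructed for this example.

# Constructed "ps -ef"-style listing (not real output).
SAMPLE_PS='UID      PID  PPID  C STIME TTY TIME     CMD
hyperic 1201     1  0 10:00 ?   00:00:01 perl sybase-monitor.pl -U monitor -P s3cret -S SYBSRV
hyperic 1202  1201  0 10:00 ?   00:00:00 isql -Umonitor -Ps3cret -SSYBSRV -i sp_sysmon.sql
root    1300     1  0 10:00 ?   00:00:00 /usr/sbin/sshd
hyperic 1400     1  0 10:00 ?   00:00:00 java -Dpassword.file=/etc/hyperic/sybase.pw Monitor'

# Password-carrying argument shapes: isql-style -P<pw> / -P <pw>, -password /
# --password flags, and key=value forms such as password=... inside JDBC URLs.
# A reference to a password *file* (the java line) deliberately does not match.
PW_ARG_RE=' -P ?[^ ]+|--?password[= ][^ ]+|[Pp]assword=[^ ]+'

# Print every line of a ps-style listing whose command line carries a password.
find_password_args() {
    printf '%s\n' "$1" | grep -E -e "$PW_ARG_RE"
}

# Count such lines; prints 0 (with success status) when the listing is clean.
count_password_args() {
    find_password_args "$1" | grep -c . || true
}

# Mask the secret part of a password-bearing argument so the line can be logged
# or attached to an alert without exposing the credential a second time.
redact_password_args() {
    printf '%s\n' "$1" | sed -E \
        -e 's/( -P ?)[^ ]+/\1****/g' \
        -e 's/(--?password[= ])[^ ]+/\1****/g' \
        -e 's/([Pp]assword=)[^ ]+/\1****/g'
}

# The fix proposed in the thread: the user configures a command that returns the
# password at runtime.  The result is passed to the child through an environment
# variable (SYBASE_PASSWORD, a name assumed for this example), so it never appears
# in the child's argv and therefore never in "ps -ef".  The environment is still
# readable by the same user and by root via /proc/<pid>/environ, so this narrows
# the exposure rather than removing it, and it cannot help a tool that accepts
# the password only as an argument, which is the isql -P case the developer notes.
run_with_password_env() {
    pw_cmd=$1
    shift
    SYBASE_PASSWORD=$(sh -c "$pw_cmd") "$@"
}

# Stand-alone demonstration: run with "demo" as the first argument.
if [ "${1:-}" = "demo" ]; then
    echo "password-bearing processes: $(count_password_args "$SAMPLE_PS")"
    find_password_args "$SAMPLE_PS" | while IFS= read -r line; do
        redact_password_args "$line"
    done
    run_with_password_env 'printf s3cret' \
        sh -c 'echo "child received a ${#SYBASE_PASSWORD}-char password; its argv carries none"'
fi
```

The audit functions are meant to be fed the real output of ps -ef (or /proc/<pid>/cmdline, joined on spaces) on a schedule; a non-zero count is the finding, and the redacted line is what goes into the ticket or alert. The password-command helper is the shape of the configurable option discussed above, independent of Hyperic's actual implementation.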