
Trololol or brilliant social engineering?



Peegee
08-09-2011, 05:52 PM
Our security auditor is an idiot, how do I give him the information he wants? - Server Fault (http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants)

A security auditor for our servers has demanded the following within two weeks:

A list of current user names and plain-text passwords for all user accounts on all servers
A list of all password changes for the past six months, again in plain-text
A list of "every file added to the server from remote devices" in the past six months
The public and private keys of any SSH keys
An email sent to him every time a user changes their password, containing the plain text password

We're running Red Hat Linux 5/6 and CentOS 5 boxes with LDAP authentication.

As far as I'm aware, everything on that list is either impossible or incredibly difficult to get, but if I don't provide this information we lose access to our payments platform, and any income we might have got while we move away. Any suggestions for how I can solve or fake this information?

Email from the guy:
I have over 10 years experience in security auditing and a full understanding of the redhat security methods, so I suggest you check your facts about what is and isn't possible. You say no company could possibly have this information but I have performed hundreds of audits where this information has been readily available. All [generic credit card processing provider] clients are required to conform with our new security policies and this audit is intended to ensure those policies have been implemented correctly.

It's going to take me the rest of the day to rest from lulzing and recover enough to read the responses. Thoughts?
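An added example, not from the Server Fault question or from this thread, of what a Red Hat box can actually hand an auditor out of /etc/shadow: the hash algorithm per account, whether the account is locked, and the last-password-change date (field 3 of each shadow line, counted in days since 1970-01-01). That is enough to answer the "password changes in the past six months" item without any plaintext, because the plaintext is never stored in the first place. The shadow lines below are constructed; accounts held in LDAP (RFC 2307 shadowAccount) keep the same value in the shadowLastChange attribute, which this example does not query.

```python
from datetime import date, timedelta

# Constructed /etc/shadow-format lines (not real accounts):
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg = days since 1970-01-01. Hash values are placeholders.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$hashhashhashhash:15166:0:99999:7:::
alice:$6$abcdefgh$ijklmnopqrstuvwxyz:15180:0:90:7:::
bob:$1$xyz$legacyhash:14800:0:99999:7:::
svc_backup:!!:15000:0:99999:7:::
nobody:*:13800:0:99999:7:::
"""

# crypt(3) scheme identifiers; the hash is a one-way function, so the
# plaintext cannot be reconstructed from any of these.
HASH_ALGOS = {
    "1": "md5crypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "2a": "bcrypt",
    "2y": "bcrypt",
    "y": "yescrypt",
}

EPOCH = date(1970, 1, 1)


def classify_hash(field):
    """Map the shadow password field to a human-readable state."""
    if field in ("", "!", "!!", "*", "!*"):
        return "locked/no-password"
    if field.startswith("!"):
        # Locked, but a hash is still present behind the '!'.
        return "locked(" + classify_hash(field[1:]) + ")"
    if field.startswith("$"):
        algo_id = field.split("$")[1]
        return HASH_ALGOS.get(algo_id, "unknown-crypt-id-" + algo_id)
    # A 13-char field with no '$' prefix is traditional DES crypt.
    return "legacy-des"


def parse_shadow(text):
    """Return one record per account: user, algorithm, last_change (date or None)."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        name, hash_field, lastchg = fields[0], fields[1], fields[2]
        changed = EPOCH + timedelta(days=int(lastchg)) if lastchg.strip() else None
        rows.append({
            "user": name,
            "algorithm": classify_hash(hash_field),
            "last_change": changed,
        })
    return rows


def changed_within(rows, days, today_iso):
    """Users whose password changed in the last `days` days, relative to today_iso."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=days)
    return [r["user"] for r in rows
            if r["last_change"] is not None and r["last_change"] >= cutoff]


def audit_report(text, days, today_iso):
    """Everything an auditor can legitimately be given from shadow data."""
    rows = parse_shadow(text)
    return {
        "accounts": [(r["user"], r["algorithm"],
                      r["last_change"].isoformat() if r["last_change"] else None)
                     for r in rows],
        "changed_recently": changed_within(rows, days, today_iso),
    }


if __name__ == "__main__":
    # Six-month window ending on the date of the thread.
    for line in audit_report(SAMPLE_SHADOW, 180, "2011-08-09")["accounts"]:
        print(line)
    print("changed in last 180 days:", changed_within(parse_shadow(SAMPLE_SHADOW), 180, "2011-08-09"))
```

Note that "locked" here means the password field is disabled; the user may still log in via an SSH key, which is exactly why an auditor should be asking for the list of authorized_keys entries rather than the private keys themselves.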

sharkythesharkdogg
08-09-2011, 09:38 PM
I was entirely ignorant of most of what that link was discussing, now I'm marginally less ignorant. Saying that, and assuming the PCI literature/guidelines referenced were accurate, the security admin requesting all that information is an idiot.

If I can read the PCI regulations and gather that in 2 minutes and he can't grasp it after 10 years, then it's probably wise they decided not to stay with that company.