At 07:53 -0500 on 11/03/2005, Shmuel Metz (Seymour J.) wrote about Re: Module description:

In <[EMAIL PROTECTED]>, on 11/02/2005
   at 08:46 PM, "Robert A. Rosenberg" <[EMAIL PROTECTED]> said:

It is not a security breach if you are using Shadow Tables (where the
Password is NOT in the /etc/passwd file).

But does the auditor know that?


I do not know the knowledge level of the auditor or know the reasoning behind the request. My reply was predicated on the request being to see if the passwords were being stored in the file or if that field was only a shadow table placeholder. The simplest way to tell the difference is to view the table and see what is in the password field (i.e., an encrypted password or a token).

If the intent was to see which method of password storage was used, then access to the file FOR THAT PURPOSE is not an exposure/breach. OTOH, other data in there could be of value to an audit (such as what the user's groups are [i.e., too much access], etc.).

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
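
The check described in the message above (look at the password field of each /etc/passwd entry and see whether it holds an encrypted password or only a token), as an added example that is not part of the original post. The sample file contents are constructed, the function names are hypothetical, and the token conventions ("x" for shadowed, a leading "*" or "!" for a locked or placeholder entry) are assumptions based on common Unix practice; check the platform's own documentation.

```python
# Constructed sample in /etc/passwd format: name:passwd:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
legacy:ab8Xq1zPp0kLM:1002:100:Legacy account:/home/legacy:/bin/sh
svc:$6$examplesalt$constructedhashvalue:1003:100::/home/svc:/bin/sh
guest::1004:100::/home/guest:/bin/sh
daemon:*:1:1:daemon:/:/sbin/nologin
broken-line-without-fields
"""


def classify_field(field):
    """Classify the second field of a passwd entry (assumed conventions)."""
    if field == "":
        return "empty"                   # account has no password at all
    if field == "x":
        return "shadowed"                # token: real hash lives in the shadow file
    if field[0] in "*!":
        return "locked_or_placeholder"   # token: no usable hash in this file
    return "hash"                        # anything else is treated as a stored hash


def audit_passwd(text):
    """Return usernames grouped by how their password field is populated.

    Only account names are reported; the field value itself is never echoed,
    so the audit output does not reproduce any hash found in the file.
    """
    findings = {"shadowed": [], "locked_or_placeholder": [],
                "empty": [], "hash": [], "malformed": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:              # passwd entries have exactly 7 fields
            findings["malformed"].append(f"line {lineno}")
            continue
        findings[classify_field(parts[1])].append(parts[0])
    return findings


if __name__ == "__main__":
    for category, names in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Entries reported under "hash" or "empty" are the ones an auditor would follow up on; the rest carry only a token in the world-readable file.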