Unicenter security exposure? - logging invalid userids

Post by Andrew Rowle » Sat, 18 Oct 1997 04:00:00



I have a system with CA-Unicenter on it. I am concerned that when there is
an invalid login attempt, Unicenter displays the userid on the console and
records it in its logs. The log files are world readable. I would like the
attempts recorded, but without the userid if it is not valid.

The way I see it, if the userid is invalid it is quite possible that it
contains the password of the user, and that the next login will have the
correct userid. In the worst case, the message will have both the userid
and password in it, e.g. on my keyboard backslash is right above enter - if I
hit them together the cursor goes to the next line but it is still reading
the userid.

I have raised it with CA but they don't seem to think it is a problem. I
would like some references or even just the weight of opinion to say that
this is a security exposure and not just a customer being difficult.
Alternatively, reassure me that I am worrying about nothing.

Andrew Rowley

 
 
 

Unicenter security exposure? - logging invalid userids

Post by Alex Ramire » Sat, 18 Oct 1997 04:00:00


There are very few (if any) good reasons to let the systems logs
be world readable, take out those permissions if you think this is
a security problem for you.

Obviously, having a username+password pair in plain text in a
world-readable file IS a security problem; the magnitude is another
matter entirely.

Sometimes it is useful to have all invalid login attempts recorded, even
if the user id was not valid; many, many people will try to log in as
guest when trying to break in.

Just my $.02.


> I have a system with CA-Unicenter on it. I am concerned that when there is
> an invalid login attempt, Unicenter displays the userid on the console and
> records it in its logs. The log files are world readable. I would like the
> attempts recorded, but without the userid if it is not valid.

> The way I see it, if the userid is invalid it is quite possible that it
> contains the password of the user, and that the next login will have the
> correct userid.

--
Alex Ramirez-Bellido
Computer Architecture Department
Universitat Politecnica de Catalunya

http://jedip4.upc.es/~alex

"Remember 2+2=5, for extremely large values of 2"
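One way to act on both posts above, as an added example that is not from either poster or from CA: a small Python filter that redacts the userid from failed-login lines when the name is not a known account (so a password typed into the userid field, or the backslash-before-enter case, never lands in the log), keeps a short list of commonly probed names such as guest so that signal survives, and writes the result with a file mode that is not world readable. The log line format, the account list and all function names are assumptions constructed for this example, not Unicenter's actual format or API.

```python
import os
import re
import stat
import tempfile
from collections import Counter

# Constructed sample log lines in a hypothetical syslog-like format; this is
# not Unicenter's real format. Line 2 is a password typed into the userid
# field, line 4 is the backslash-before-enter case from the original post.
SAMPLE_LOG = [
    "Oct 18 04:00:01 host1 login: FAILED LOGIN for user 'alice' from 10.0.0.5",
    "Oct 18 04:00:07 host1 login: FAILED LOGIN for user 'hunter2' from 10.0.0.5",
    "Oct 18 04:00:12 host1 login: FAILED LOGIN for user 'guest' from 192.0.2.9",
    "Oct 18 04:00:20 host1 login: FAILED LOGIN for user 'alice\\' from 10.0.0.5",
    "Oct 18 04:01:00 host1 login: session opened for user 'alice'",
]

# Assumed account list; in practice this comes from the password database.
VALID_USERS = {"alice", "bob", "root"}

# Names that are not accounts but are kept verbatim because attackers probe
# them; this preserves the "people try guest" signal the reply mentions.
KEEP_PROBE_NAMES = {"guest"}

REDACTED = "<invalid-userid-redacted>"

# Matches the failed-login shape of the constructed format and captures the
# userid between the quotes.
FAILED_RE = re.compile(
    r"^(?P<prefix>.*FAILED LOGIN for user ')(?P<user>[^']*)(?P<suffix>'.*)$"
)


def redact_line(line, valid_users=VALID_USERS, keep=KEEP_PROBE_NAMES):
    """Return the line unchanged unless it is a failed login for a userid that
    is neither a real account nor a whitelisted probe name."""
    m = FAILED_RE.match(line)
    if m is None:
        return line
    user = m.group("user")
    if user in valid_users or user in keep:
        return line
    return m.group("prefix") + REDACTED + m.group("suffix")


def redact_log(lines, valid_users=VALID_USERS, keep=KEEP_PROBE_NAMES):
    """Apply redact_line to every line of a log."""
    return [redact_line(line, valid_users, keep) for line in lines]


def count_failed_logins(lines):
    """Count failed logins per recorded userid. On redacted output the invalid
    attempts are still counted, just under the placeholder, so the volume of
    bad attempts is not lost by redacting the names."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.match(line)
        if m is not None:
            counts[m.group("user")] += 1
    return dict(counts)


def write_private_log(lines, path):
    """Write the lines to path, created with mode 0o640 (owner rw, group r,
    no world access) rather than chmod'ing after the fact, so there is no
    window in which the file is world readable. Returns the resulting mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(path, 0o640)  # in case umask or a pre-existing file loosened it
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_write_and_harden(lines):
    """Write a redacted copy of lines to a temporary file, return its mode
    bits, and clean up; used to show the end-to-end result."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "redacted.log")
    try:
        return write_private_log(redact_log(lines), path)
    finally:
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
    print(count_failed_logins(redact_log(SAMPLE_LOG)))
    print(oct(demo_write_and_harden(SAMPLE_LOG)))
```

Redacting only names that are not in the account list means a failed attempt against a real account is still recorded in full (that name is not secret), while anything else is assumed to be a possible password and dropped; the probe allowlist is the knob that trades that rule off against the second poster's wish to see attempts on guest.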

 
 
 
