by Ken Paquet » Sat, 17 Dec 1994 12:15:10
Thanks
---------------------------------------------------------------------------
Ken Paquette; IBM Microelectronics Division; Distributed Computing Services
IBMMAIL: USIB1X62; X.400 c=us; a=ibmx400; p=ibmmail; s=paquette; g=paquetk
1. Unicenter security exposure? - logging invalid userids
I have a system with CA-Unicenter on it. I am concerned that when there is
an invalid login attempt, Unicenter displays the userid on the console and
records it in it's logs. The log files are world readable. I would like the
attempts recorded, but without the userid if it is not valid.
The way I see it, if the userid is invalid it is quite possible that it
contains the password of the user, and that the next login will have the
correct userid. In the worst case, the message will have both the userid
and password in it eg. on my keyboard backslash is right above enter - if I
hit them together the cursor goes to the next line but it is still reading
the userid.
I have raised it with CA but they don't seem to think it is a problem. I
would like some references or even just the weight of opinion to say that
this is a security exposure and not just a customer being difficult.
Alternatively, reassure me that I am worrying about nothing.
Andrew Rowley
2. Mouse help for absolute newbie
3. Unicenter security exposure - recording invalid userids
4. Setting up "dual identity" for a laptop??
7. What is the security exposure with ftp scripts?
10. client exposure
11. I am looking for Linux Security FAQ and Security related sites
12. SECURITY/WWW: The Linux Security Home Page
13. Current options for commerce over WWW?