I have a system with CA-Unicenter on it. I am concerned that when there is
an invalid login attempt, Unicenter displays the userid on the console and
records it in its logs. The log files are world readable. I would like the
attempts recorded, but without the userid if it is not valid.
The way I see it, if the userid is invalid it is quite possible that it
contains the password of the user, and that the next login will have the
correct userid. In the worst case, the message will have both the userid
and password in it, e.g. on my keyboard backslash is right above enter - if I
hit them together the cursor goes to the next line but it is still reading
the userid.
I have raised it with CA but they don't seem to think it is a problem. I
would like some references or even just the weight of opinion to say that
this is a security exposure and not just a customer being difficult.
Alternatively, reassure me that I am worrying about nothing.
Andrew Rowley
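One way a login service could record failed attempts the way the post asks for (keep the attempt, hide an unrecognised userid). This is an added example, not code from the post or from CA-Unicenter; the user set, the log pepper and the function names are assumptions.

```python
import hashlib
import hmac
import logging
import secrets

# Constructed example: the account names the login service actually knows.
KNOWN_USERS = {"arowley", "operator", "backup"}

# Per-host secret so the masked token is opaque in a world-readable log
# (without a key, an attacker could brute-force a plain hash of a short
# password offline). Generated here; in practice loaded from a root-only file.
LOG_PEPPER = secrets.token_bytes(32)


def mask_userid(userid: str) -> str:
    """Return a short keyed-hash token for an unrecognised userid.

    Repeated attempts with the same string still correlate in the log,
    but the typed string itself (which may really be a password) is not written.
    """
    digest = hmac.new(LOG_PEPPER, userid.encode("utf-8"), hashlib.sha256).hexdigest()
    return "unknown-user:" + digest[:12]


def failed_login_record(userid: str, source: str) -> str:
    """Build the log line for a failed login attempt.

    A valid account name is logged as typed; anything else is masked, on the
    assumption that an unrecognised 'userid' may be a mistyped password.
    """
    shown = userid if userid in KNOWN_USERS else mask_userid(userid)
    return f"failed login for {shown} from {source}"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    logging.info(failed_login_record("arowley", "console"))         # name kept
    logging.info(failed_login_record("s3cretPassw0rd", "console"))  # name masked
```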