Unicenter security exposure - recording invalid userids

Post by Andrew Rowle » Tue, 14 Oct 1997 04:00:00

I have a system with CA-Unicenter on it. I am concerned that when there is
an invalid login attempt, Unicenter displays the userid on the console and
records it in its logs. The log files are world-readable. I would like the
attempts recorded, but without the userid if it is not valid.

The way I see it, if the userid is invalid it is quite possible that it
contains the password of the user, and that the next login will have the
correct userid. In the worst case, the message will have both the userid
and password in it, e.g. on my keyboard backslash is right above enter - if I
hit them together the cursor goes to the next line but it is still reading
the userid.

I have raised it with CA but they don't seem to think it is a problem. I
would like some references or even just the weight of opinion to say that
this is a security exposure and not just a customer being difficult.
Alternatively, reassure me that I am worrying about nothing.

Andrew Rowley
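The behaviour the post asks for (record the failed attempt, but never write an unknown userid to a world-readable log, because it may actually be a password) can be implemented as a filter in front of the log. The following is an added example, not code from the original post or from CA-Unicenter: the log line format, the account list, and the secret key are all constructed for illustration, and Unicenter's real message format is not assumed. Unknown userids are replaced with a keyed HMAC tag, so repeated attempts with the same mistyped string can still be correlated by an analyst without the string itself ever being stored.

```python
import hashlib
import hmac
import re

# Constructed log line format for this example only; the real Unicenter
# console/log message format is not shown on the page and is not assumed.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\S+ \S+) LOGIN FAILED user=(?P<user>\S+) from=(?P<src>\S+)$"
)

# Constructed account list. In a real deployment this lookup would go to
# the system's account database, never to a hard-coded set.
VALID_USERS = frozenset({"arowley", "operator", "root"})

# Constructed per-host secret. Because the log is world-readable, the tag
# must be keyed; a plain hash of a short mistyped password could be
# brute-forced by anyone who can read the file.
CORRELATION_KEY = b"example-host-secret-rotate-me"


def correlation_tag(value: str, key: bytes = CORRELATION_KEY) -> str:
    """Short keyed tag for an unknown userid: lets repeated attempts with
    the same string be counted without the string reaching the log."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


def redact_failed_login(line: str, valid_users=VALID_USERS) -> str:
    """Return the line unchanged unless it records a failed login for a
    userid that does not exist; then replace the userid with an opaque tag.
    Failed logins for *existing* accounts keep the name, since that is the
    information the operator actually wants."""
    m = FAILED_LOGIN.match(line)
    if m is None or m.group("user") in valid_users:
        return line
    return (f"{m.group('ts')} LOGIN FAILED "
            f"user=<invalid:{correlation_tag(m.group('user'))}> "
            f"from={m.group('src')}")


def redact_log(lines):
    """Apply the redaction to every line of an iterable of log lines."""
    return [redact_failed_login(line) for line in lines]


# Constructed sample log. Lines 3 and 4 model the keyboard slip described
# in the post: the password (plus a stray backslash) was typed at the
# userid prompt, so the "userid" is really a secret.
SAMPLE_LOG = [
    "1997-10-14 09:01:02 LOGIN FAILED user=arowley from=console",
    "1997-10-14 09:01:10 LOGIN OK user=arowley from=console",
    "1997-10-14 09:02:30 LOGIN FAILED user=hunter2\\ from=console",
    "1997-10-14 09:02:31 LOGIN FAILED user=hunter2\\ from=console",
]

if __name__ == "__main__":
    for out in redact_log(SAMPLE_LOG):
        print(out)
```

The filter deliberately keeps the userid when the account exists, because a failed login for a real account is exactly the event the operator wants to see, and it only ever hides strings the system has no account for. The keyed tag is the part that matters for a world-readable log: an unkeyed hash would let any local user recover a short mistyped password offline, while the HMAC tag still lets the administrator notice that the same unknown string was tried several times. Tightening the log file permissions is the complementary fix; redaction covers the window where a copy of the log leaves the host.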
