(off-topic) Broadly accepted standards for (not?) logging credentials
Christopher J. Ruwe
cjr at mail.cruwe.de
Wed Aug 21 13:38:22 UTC 2019
Hi,
sorry for being severely off-topic. However, the freebsd-*@s are
always my last resort when I simply do not know who to ask.
From my understanding (and several colleagues I asked concur) it is
absolutely verboten / taboo / you name it to ever log credentials in
clear-text, even with debug-flags on etc. The specific case is logging
the credentials of a remote storage filer in a console session, but
that should not matter.
Debug sessions may be shared with non-privileged personnel, are
switched on for just this one time, I promise, and then forgotten, and
slowly, but certainly and irrevocably, credentials leak up to the
point where a secret is no secret anymore, but essentially public
domain.
I have a support call open with a vendor where the other side does not
agree. If it is not I who is too conservative (which I hope), does
anybody know of any well-known and battle-proven document from an
authoritative source (RFCs, IEEE, ...) with which to beat people
until they promise not to log secrets?
Thanks and cheers,
--
Christopher J. Ruwe
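One defensive control for the leak described in the post: a handler-level log filter that masks credential values before any line is written, so that a debug session can be shared without exposing the filer's secret. This is an added example, not code from the original post or from any vendor product; the key names, the filer URL and the log messages are constructed.

```python
import logging
import re
from urllib.parse import urlsplit, urlunsplit

# Keys whose values must never reach a log line (constructed list; extend as needed).
SECRET_KEYS = ("password", "passwd", "secret", "token", "api_key")
_KV_RE = re.compile(r"(?i)\b(%s)(\s*[=:]\s*)([^\s,;&]+)" % "|".join(SECRET_KEYS))
_URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://\S+")


def redact_url(url):
    """Keep scheme, user and host of a URL but replace an embedded password."""
    parts = urlsplit(url)
    if not parts.username:
        return url
    host = parts.hostname or ""
    if parts.port:
        host = "%s:%d" % (host, parts.port)
    netloc = "%s:***@%s" % (parts.username, host)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def redact(text):
    """Mask key=value / key: value secrets and credentials embedded in URLs."""
    text = _KV_RE.sub(r"\1\2***", text)
    return _URL_RE.sub(lambda m: redact_url(m.group(0)), text)


class RedactSecrets(logging.Filter):
    """Attached to the handler, so it applies at every level, DEBUG included."""

    def filter(self, record):
        # Format first, then redact: secrets may arrive via %-args, not only msg.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def build_logger(name="filer"):
    """Return a DEBUG logger whose output is collected in a list after redaction."""
    lines = []

    class Collect(logging.Handler):
        def emit(self, rec):
            lines.append(self.format(rec))

    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = Collect()
    handler.addFilter(RedactSecrets())
    logger.addHandler(handler)
    return logger, lines
```

The filter sits on the handler rather than the logger so that records arriving from child loggers are masked as well.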