Date: Wed, 21 Aug 2019 13:38:10 +0000
From: "Christopher J. Ruwe" <cjr@mail.cruwe.de>
To: freebsd-questions@freebsd.org
Subject: (off-topic) Broadly accepted standards for (not?) logging credentials
Message-ID: <460ffc8a5bcb5d429b92a51915f071b38b439f0b.camel@mail.cruwe.de>
Hi, sorry for being severely off-topic. However, the freebsd-*@s are always my last resort when I simply do not know who to ask.

From my understanding (and several colleagues I asked concur) it is absolutely verboten / taboo / you name it to ever log credentials in clear-text, even with debug-flags on etc. The specific case is logging the credentials of a remote storage filer in a console session, but that should not matter. Debug sessions may be shared with non-privileged personnel, are switched on for just this one time, I promise, and then forgotten, and slowly, but certainly and irrevocably, credentials leak up to the point when a secret is no secret anymore, but essentially public domain.

I have a support call open with a vendor where the other side does not agree. If it is not I who is too conservative (which I hope), does anybody know of any well-known and battle-proven document from an authoritative source (RFCs, IEEE, ...) with which to beat people until they promise not to log secrets?

Thanks and cheers,
--
Christopher J. Ruwe
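One defensive measure on the logging side, as an added example that is not from the original thread or any vendor's code: a Python `logging.Filter` that masks credential-looking values (key=value pairs and URL userinfo) before any handler writes them, so switching on DEBUG does not put the filer's password into a shareable console log. The key names, regexes and the sample mount line are assumptions constructed for this example.

```python
import io
import logging
import re

# Key/value pairs such as "password=hunter2", "Secret: 'abc'", "token=xyz".
# The key list is an assumption; extend it to match the output you actually see.
_KV_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key|authorization)"
    r"""(\s*[:=]\s*)(['"]?)([^'"\s,;]+)(\3)"""
)
# Credentials embedded in URLs: scheme://user:pass@host -> scheme://user:***@host
_URL_RE = re.compile(r"(?i)\b([a-z][a-z0-9+.-]*://[^/\s:@]+:)([^@\s/]+)(@)")

def redact(text: str) -> str:
    """Replace credential values with a fixed mask; the key name itself is kept."""
    text = _KV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)}***{m.group(5)}", text)
    return _URL_RE.sub(r"\1***\3", text)

class RedactSecrets(logging.Filter):
    """Scrub the rendered message before a handler emits it, at every log level."""
    def filter(self, record: logging.LogRecord) -> bool:
        # Render args into the message first, then drop them so no handler
        # can re-format the original, unredacted text.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True

def demo() -> str:
    """Log a constructed filer-mount line at DEBUG level and return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactSecrets())   # attach to every handler you create
    log = logging.getLogger("filer-demo")
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.DEBUG)
    log.addHandler(handler)
    # Constructed sample values, not real credentials.
    log.debug("mounting %s with password=%s",
              "smb://svc_backup:Pa55w0rd@filer01/share", "Pa55w0rd")
    return buf.getvalue()

if __name__ == "__main__":
    print(demo(), end="")
```

Attaching the filter to handlers rather than to one logger matters: a logger-level filter is skipped for records that arrive via propagation from child loggers.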