[Openstack-security] Credentials in clear text

Bryan D. Payne bdpayne at acm.org
Mon Apr 21 23:41:03 UTC 2014


This would be a nice hardening step, but if you have sudo on the box
there's a lot of things you can do and see.  This is just the tip of the
iceberg.  For example, access to the backend db?  Access to traffic on the
network / unix sockets / etc?  Access to logs.

I am not aware of any current efforts to mask this information from the
config files.  But that doesn't mean it's not happening.  If someone is
aware of such an effort, I'd certainly be interested in learning more about
it.

Cheers,
-bryan




On Mon, Apr 21, 2014 at 4:26 PM, Adam Lawson <alawson at aqorn.com> wrote:

> Have .conf files containing credentials and tokens been addressed or being
> addressed? Seems there are a lot of keys to the kingdom clearly visible to
> staff who have access to systems for day-to-day admin work but
> don't/shouldn't be able to view them. If they have sudo access, they have
> everything they need to get where they don't belong. Really strikes me as
> an obvious audit issue...
>
>
> *Adam Lawson*
> AQORN, Inc.
> 427 North Tatnall Street
> Ste. 58461
> Wilmington, Delaware 19801-2230
> Toll-free: (844) 4-AQORN-NOW
> Direct: +1 (302) 268-6914
>
>
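The audit Adam asks about, as an added example that is not part of either poster's message: a small checker that parses an INI-style OpenStack .conf file, flags options whose names look like credentials (and connection URLs that embed a password), and reports whether the file is readable by group or others. The option-name pattern, the file name, and the sample config values are constructed for the example, not taken from any real deployment.

```python
import configparser
import os
import re
import stat
import tempfile

# Option names that typically carry secrets in OpenStack-style .conf files.
# This pattern is an assumption for the example, not an exhaustive list.
SECRET_KEY_RE = re.compile(r"(password|passwd|token|secret|auth_key|api_key)",
                           re.IGNORECASE)
# Matches "scheme://user:password@host" style values (e.g. a DB connection URL).
URL_CRED_RE = re.compile(r"://[^/\s:@]+:[^/\s@]+@")


def find_plaintext_secrets(path):
    """Return (section, option) pairs whose option name looks like a credential
    with a non-empty value, or whose value embeds user:password in a URL."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read(path)
    hits = []
    for section in parser.sections():
        for option, value in parser.items(section):
            value = value.strip()
            if not value:
                continue  # unset credential: nothing exposed
            if SECRET_KEY_RE.search(option) or URL_CRED_RE.search(value):
                hits.append((section, option))
    return hits


def audit(path):
    """Combine the content scan with a permission check on the file itself."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "secrets": find_plaintext_secrets(path),
        "world_readable": bool(mode & stat.S_IROTH),
        "group_readable": bool(mode & stat.S_IRGRP),
    }


# Constructed sample resembling a nova.conf fragment; every value is fake.
SAMPLE_CONF = """[DEFAULT]
debug = false

[database]
connection = mysql://nova:ExamplePassword123@db.example.invalid/nova

[keystone_authtoken]
admin_user = nova
admin_password = ExamplePassword123
admin_tenant_name = service

[neutron]
admin_password =
"""


def demo():
    """Write the sample to a temp dir and audit it with a weak mode (0644,
    world-readable) and then a tighter one (0640, owner plus service group)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "nova.conf")  # hypothetical file name
        with open(path, "w") as f:
            f.write(SAMPLE_CONF)
        os.chmod(path, 0o644)
        weak = audit(path)
        os.chmod(path, 0o640)
        tightened = audit(path)
        return weak, tightened


if __name__ == "__main__":
    for label, result in zip(("0644", "0640"), demo()):
        print(label, result)
```

The check only narrows exposure to users who are not root and not in the service's group; as Bryan points out, anyone with sudo still reaches the file, the database and the logs, so the permission bits are a hardening step rather than a boundary.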